{
	"id": "b20874ec-16f9-42de-ad59-78d81b36272a",
	"created_at": "2026-04-06T00:07:52.912175Z",
	"updated_at": "2026-04-10T13:12:45.198932Z",
	"deleted_at": null,
	"sha1_hash": "fc2054aa2903b832d21dbdf091f95d6a35db87f5",
	"title": "THREAT ALERT: The Return of Emotet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 430964,
	"plain_text": "THREAT ALERT: The Return of Emotet\r\nBy Cybereason Global SOC Team\r\nArchived: 2026-04-05 17:17:42 UTC\r\nThe Cybereason Global Security Operations Center (SOC) issues Cybereason Threat Alerts to inform customers of emerging, high-impact threats. The Alerts summarize these threats and provide practical recommendations for protecting against them.\r\nEmotet - What's Happening?\r\nOn Sunday, November 14, at around 9:26 pm UTC, security researcher Luca Ebach (@lucebac) and a team at G DATA Advanced Analytics GmbH (@gdata_adan) began seeing evidence of a bot attempting to download a DLL that the team identified as a potential Emotet vector.\r\nOn November 15, at 12:25 AM UTC, malware research group Cryptolaemus (@Cryptolaemus1) began reporting observations of a worldwide malspam campaign containing docm, xlsm, or password-protected zip file attachments that download the Emotet payload.\r\nSince the first Twitter post about this discovery, the team at G DATA and the Cybereason SOC team have seen multiple Emotet samples in the wild, particularly between November 21 and 23, confirming that Emotet appears to be reemerging.\r\nEmotet Key Observations\r\nSimilar to previous versions of Emotet, the initial infection is done through malicious Office documents such as Word and Excel files. We have also observed password-protected archive files that contain malicious documents.\r\nA VBA macro drops a batch script to C:\\ProgramData\\. This batch script contains PowerShell commands that download the actual malware as a DLL.\r\nrundll32.exe executes the payload with specific parameters. Once executed, the DLL attempts to connect to several external IP addresses. No additional behavior has been observed after the connection attempts.\r\nEmotet Analysis\r\nEmotet Initial Infection Sample\r\nOur sample came in the form of a typical Emotet malicious document, a macro-enabled template file, 1911.doc, MD5 e613de7a49077fb6459a272c93ef35bd:\r\nhttps://www.cybereason.com/blog/threat-alert-the-return-of-emotet\r\nPage 1 of 8\r\nEmotet malicious document\r\nVBA code inside the macro\r\nWhen the sample was executed, it created a child process of cmd.exe and then executed a PowerShell one-liner:\r\ncmd.exe executes PowerShell code\r\nCleaned up and re-formatted, this PowerShell command is a classic ‘round robin’, where the script iterates through a list of seven comma-separated URLs:\r\ncmd.exe executes PowerShell code\r\nWhen the malware connected to one of the URLs, it gave the payload a random name and dropped it into the C:\\ProgramData\\ directory:\r\nThe PowerShell code drops the payload into the C:\\ProgramData directory\r\nAfter verifying that the path had been created successfully, the malware called rundll32.exe from SysWOW64 to execute the payload:\r\nPowerShell executes the payload\r\nAs we describe in more detail below, the dropped DLL creates a copy of itself in the user’s \\AppData\\Local\\ directory, loads a floating module observed in other Emotet infections, and attempts network connections:\r\nEmotet Execution Tree\r\nEmotet Payload Sample\r\nWe obtained a sample of an Emotet DLL, Loader_90563_1.dll, with an MD5 hash of bc3532085a0b4febd9eed51aac2180d0. We executed the sample in a lab environment. Like previous Emotet samples, the module requires the parameter Control_RunDLL to execute:\r\nEmotet requires the Control_RunDLL rundll32.exe parameter to execute\r\nWhen the sample executed, it created a randomly named copy of itself in the \\AppData\\Local\\ directory, and then used the rundll32 file from the SysWOW64 directory to execute, using the Control_RunDLL parameter and one or more randomly named parameters:\r\nrundll32.exe executes the Emotet malware\r\nThe malware then loaded a floating module, X.dll, into memory. This module has been part of previous Emotet infections:\r\nEmotet execution process tree\r\nThe Emotet malware loads the module X.dll\r\nThe malware made 20 network callouts over ports 443, 80, 8080, and 7080, one to each of 20 external IP addresses.\r\nThe Cybereason SOC team observed no other behavior after the network callouts. The team believes that the sample tried to connect to one of these hosts as a command and control (C2) server and download the next stage of the infection.\r\nCybereason Recommendations\r\nCybereason has updated the detection capabilities of the Cybereason platform to identify this malicious behavior. Additional recommendations are as follows:\r\nNote: For Cybereason MDR customers, the Cybereason team will continue to monitor and triage the environment and will help mitigate potential infections.\r\nIn your Cybereason platform, enable Anti-Malware, and then set the Signatures mode option to Prevent.\r\nIn your Cybereason platform, enable the Fileless Protection feature for PowerShell and .NET, depending on your server version, and set the options for the Anti-Ransomware feature to Detect or Prevent for all categories.\r\nIn your Cybereason platform, enable Application Control on all sensors to block the execution of malicious files on all endpoints.\r\nIn your edge firewall and other network protection tools, such as your proxy server and secure access service edge (SASE), block the IP addresses contacted by the malware.\r\nThreat Hunting with Cybereason: The Cybereason MDR team provides its customers with custom hunting queries for detecting specific threats - to find out more about threat hunting and Managed Detection and Response with the Cybereason Defense Platform, contact a Cybereason Defender here.\r\nFor Cybereason customers: More details are available on the NEST, including custom threat hunting queries for detecting this threat.\r\nAbout the Researcher:\r\nDerrick Masters, Senior Security Analyst, Cybereason Global SOC\r\nDerrick Masters is a Senior Security Analyst with the Cybereason Global SOC team. He is involved with threat hunting and purple teaming. Derrick's professional certifications include GCFA, GCDA, GPEN, GPYC, and GSEC.\r\nAbout the Author\r\nCybereason Global SOC Team\r\nThe Cybereason Global SOC Team delivers 24/7 Managed Detection and Response services to customers on every continent. Led by cybersecurity experts with experience working for government, the military and multiple industry verticals, the Cybereason Global SOC Team continuously hunts for the most sophisticated and pervasive threats to support our mission to end cyberattacks on the endpoint, across the enterprise, and everywhere the battle moves.\r\nAll Posts by Cybereason Global SOC Team\r\nSource: https://www.cybereason.com/blog/threat-alert-the-return-of-emotet",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cybereason.com/blog/threat-alert-the-return-of-emotet"
	],
	"report_names": [
		"threat-alert-the-return-of-emotet"
	],
	"threat_actors": [],
	"ts_created_at": 1775434072,
	"ts_updated_at": 1775826765,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fc2054aa2903b832d21dbdf091f95d6a35db87f5.pdf",
		"text": "https://archive.orkl.eu/fc2054aa2903b832d21dbdf091f95d6a35db87f5.txt",
		"img": "https://archive.orkl.eu/fc2054aa2903b832d21dbdf091f95d6a35db87f5.jpg"
	}
}