Add Your VPN Review

Disclosure: Privacy Australia is community-supported. We may earn a commission when you buy a VPN through one of our links. Learn more.

Emotet Returns in Time for Christmas

Will Ellis
Last Updated on December 31, 2022

Back in January 2021, Emotet dramatically took the ‘L’ when it was blocked by security enforcers. But their victory was short-lived… Now, security researchers say Emotet is returning.

Table of Contents:

Why it’s so Dangerous

Let’s begin with the story according to Europol – Emotet was so dangerous as it was professionally ‘service-for-hire.’ 

Tailored by need. Sold to different types of threat actors… Taking so many possible forms, Emotet could be turned into ransomware, for instance. Or a banking Trojan; any of which could then be installed onto a victim’s device, as a Trojan.

Since 2014, the malware developed into any cyber-attacker’s ad hoc crowbar – with email spamming being its bread and butter entryway. The infrastructure is, indeed, streamlined for initial door opening of enterprise-grade networks. Europol dubbed it ‘world’s most dangerous malware.’

Of course, it grew exponentially through its use in large spam campaigns. How so? Via self-perpetuating malicious attachments: these circulated the malware, infiltrating devices then launched new spam campaigns by installing more payloaders like QakBot (Qbot), ie. ‘loader’ operation attacks.

One evasion technology that Emotet uses is multiply-generating download links for primary loaders.  Making it extra slippery. 

If even one path isn’t blocked or isolated, by a security product, the loader will successfully download. Gaining this reputation for jacking open machines, Emotet naturally became used to develop other devastatingly effective, global malware – infamous names such as Ryuk.

Emotet Malspam Distribution

The typical Emotet attack chain playbook is as follows (Source: PaloAlto):

  1. Word doc infiltrates via email. Macros are enabled.
  2. Once opened, VBScript macro(s) load, executing PowerShell script.
  3. Script downloads primary DLL binary as a loader.
  4. Loader adds further DLL binaries able to self-update.
  5. Last DLL jacks valuable data or breaches more with C2 servers’ help.

New Emotet Variant

Let’s take the thoughts of cyber threat intelligence analyst at San Francisco-based Digital Shadows – Stefano De Blasi. He thinks it’s likely rebuilding its infrastructure using part of a pre-existing Trickbot.

It’s widely thought that the Emotet operators are jacking email chains, in order to redistribute malware… Email hijacking methods are increasingly used by threat actors, for their ‘social engineering’ campaigns.

Social engineering campaigns may take control of a target’s email account. Conversations are, for instance, monitored until an optimal moment arrives for inserting a malicious message into an existing thread. This type of cyberattack is more labour intensive but also yields a greater ROI.

So, this new emotet variant overall uses familiar paths: infected Office or ZIP files contain command-and-control (C2) payloads. Emotet is simply working hand-in-hand with Trickbot, the botnet that actually distributes it. 

For the meanwhile, it will take time for threat actors to strengthen Emotet’s infrastructure. That said, its reputation makes it a hot pathway for many cyberattackers, seeking to scale up their operations.

New Emotet Activity

After the Emotet takedown, the new updated botnet (Epoch4, Epoch5) started stealing emails by spamming and reply-chain attacks.

The reinvented Trojan was first detected on 15 November and, in only 24 hours, managed to double its C2 infrastructure, from 8 active C2s to 14 – according to the team at research project of Bern University of Applied Sciences. Their advice? “Be prepared!” (Another security company tracked over 50 active C2 servers.)

Other than the new Trickbot, Emotet’s famous attack vector seems unchanged. It retains characteristics that make it an ideal ‘door open’ crowbar for ransomware groups.

What to Look Out For

Security teams needn’t diverge from basic cybersecurity practices, for the most part. A few tips on how to protect yourself against Emotet loaders:

  1. Network – polymorphic malware alters their code each time they load. So keep your OS and antivirus updated against known codes.
  2. Macros – restrict use of macros in Office files. Otherwise, old rules apply: avoid opening attachments from unknowns, carefully check headings first. Be especially wary of emails carrying a strong sense of urgency.
  3. Checks – against the Dutch National Police database: As part of its global remediation strategy, the DNP is conducting a criminal investigation of discovered addresses, passwords and usernames. See if your data has been compromised.


Emotet’s returned, and just in time for Christmas. (Is Emotet a virus? The world’s most dangerous.)

This prolific polymorphic adversary poses a significant risk. Emails gateways are the biggest way that it tries to get in, so use the best cybersecurity practices. But it shouldn’t demand a radical shift for blue teams, not yet at least

As always – good user awareness of phishing is crucial: If you restrict macro-use in Office files, this lowers risks from most malware; with multifactor authentications, and monitoring for fake domains, also helping the cause.

Related posts