Emotet

Emotet is a malware strain and a cybercrime operation believed to be based in Ukraine. [1] The malware, also known as Heodo, was first detected in 2014 and deemed one of the most prevalent threats of the decade. [2] [3] [4] In 2021, the servers used for Emotet were disrupted through global police action in Germany and Ukraine and brought under the control of law enforcement. [4] Despite this disruption, Emotet resurfaced in subsequent years with new capabilities, continuing to be regarded as one of the Internet’s most persistent and adaptable threats. [5] [6]

The first versions of Emotet functioned as a banking trojan that stole banking credentials from infected hosts. Throughout 2016 and 2017, the Emotet operators, sometimes tracked as Mealybug, reworked the trojan into a "loader": malware whose job is to gain a foothold on a system and then let its operators fetch and run additional payloads. [7] Second-stage payloads can be any executable code, from Emotet's own modules to malware developed by other cybercrime gangs.

Initial infection of a target system typically proceeds through a macro-enabled Microsoft Office document attached to an email. The malicious email is crafted to look like a legitimate reply to an earlier message that the victim actually sent, a technique known as thread hijacking; because the quoted conversation is genuine, the lure is far more convincing than a generic phishing message. [8]
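As an added illustration of the mail-gateway check this delivery method calls for (example code written for this page, not Emotet's code or anything from the cited sources), the following Python inspects an attachment's bytes for an embedded VBA project regardless of the file extension. The MIME message and the OOXML container it builds are constructed stand-ins; the sender address, subject and filename are assumptions.

```python
"""Added example (not from the article): flag e-mail attachments that embed a VBA project.

The check inspects the attachment bytes rather than trusting the filename, because the
sender controls both the name and the extension. Legacy OLE2 .doc containers are out of
scope here (they need a parser such as olefile); OOXML is a ZIP archive, so the standard
library is enough."""
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

CONTENT_TYPES = "[Content_Types].xml"


def has_vba_project(blob: bytes) -> bool:
    """True if an OOXML container (docm/xlsm/pptm, whatever its extension) carries VBA."""
    if not blob.startswith(b"PK\x03\x04"):
        return False  # not a ZIP container; OLE2 documents are not handled in this example
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            names = zf.namelist()
            # The VBA project is stored as a binary part, conventionally */vbaProject.bin.
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            # Fall back to the content-type manifest, which names macro-enabled parts explicitly.
            if CONTENT_TYPES in names:
                manifest = zf.read(CONTENT_TYPES)
                return b"macroEnabled" in manifest or b"vnd.ms-office.vbaProject" in manifest
    except zipfile.BadZipFile:
        return False
    return False


def scan_message(raw: bytes) -> list:
    """Walk a raw RFC 5322 message and report (filename, has_vba) for every attachment."""
    msg = message_from_bytes(raw)
    findings = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        payload = part.get_payload(decode=True) or b""
        findings.append((part.get_filename(), has_vba_project(payload)))
    return findings


# --- constructed sample input below; these are stand-ins, not real documents or mail ---

def build_sample_docm(with_macro: bool) -> bytes:
    """Build a minimal OOXML container in memory, optionally with a VBA project part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        overrides = [
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
            '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>',
        ]
        if with_macro:
            overrides.append('<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>')
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 stand-in VBA project")
        overrides.append("</Types>")
        zf.writestr(CONTENT_TYPES, "".join(overrides))
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def build_sample_email(attachment: bytes, filename: str) -> bytes:
    """A reply-style lure carrying the attachment, as a thread-hijacking mail would (assumed headers)."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "RE: invoice"
    msg["In-Reply-To"] = "<earlier-thread@example.com>"
    msg.set_content("Please see the attached document.")
    msg.add_attachment(attachment, maintype="application", subtype="octet-stream", filename=filename)
    return bytes(msg)


if __name__ == "__main__":
    mail = build_sample_email(build_sample_docm(True), "invoice.doc")
    print(scan_message(mail))  # [('invoice.doc', True)]
```

The sample attachment is named "invoice.doc" but is really an OOXML container with a VBA part; the verdict comes from the bytes, which is the point of the check.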

It has been widely documented that the Emotet authors have used the malware to build a botnet of infected computers to which they sell access, a model analogous to Infrastructure-as-a-Service (IaaS) that the security community refers to as Malware-as-a-Service (MaaS), Cybercrime-as-a-Service (CaaS), or crimeware. [9] Emotet is known for renting access to infected computers to ransomware operations, such as the Ryuk gang. [10]

History

In 2014, Emotet was first identified as a banking Trojan designed to steal banking credentials from infected hosts. Within a year or two, the malware evolved into a more versatile and dangerous threat. It transformed into a loader, allowing operators to download additional malicious payloads onto infected systems, such as the TrickBot banking trojan and Ryuk ransomware. [5]

As of September 2019, the Emotet operation ran on top of three separate botnets called Epoch 1, Epoch 2, and Epoch 3. [11]

In mid-2020, Emotet re-emerged after a roughly five-month hiatus, launching widespread malspam campaigns against organizations worldwide. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) reported over 16,000 Emotet-related alerts across federal networks between July and October 2020. [5] Emotet leveraged a range of evasion and propagation techniques, including polymorphic code, fileless persistence via PowerShell, spreading to machines on nearby Wi-Fi networks, and email thread hijacking to make its phishing lures more convincing. [5] Campaigns often used malicious Microsoft Word documents with generic filenames such as "form.doc" or "invoice.doc"; once macros were enabled, a PowerShell script fetched the initial payload. [12] Later in the year, Emotet operators also used parked domains to distribute malicious code. [13]

In January 2021, international action coordinated by Europol and Eurojust allowed investigators to take control of and disrupt the Emotet infrastructure. [14] The reported action was accompanied with arrests made in Ukraine. [15]

On 14 November 2021, new Emotet samples appeared that closely resembled the earlier bot code but used a different encryption scheme, based on elliptic curve cryptography, for command-and-control communications. [16] The new infections were delivered by TrickBot onto computers it had already compromised, and the revived botnet soon began sending malicious spam carrying macro-laden Microsoft Word and Excel files as payloads. [17]

On 3 November 2022, new Emotet samples emerged, delivered as XLS files attached to email messages. [18]

In March 2023, Emotet resurfaced after a four-month hiatus with a new spam campaign. Emails spoofed known contacts, addressed recipients by name, and mimicked prior threads. The attached Word documents were inflated to over 500 MB using binary padding and included hidden excerpts from Moby-Dick to evade detection. If macros were enabled, the document downloaded a ZIP file from a compromised site and executed a large DLL from it. The malware harvested credentials, sent spam, and installed secondary payloads such as TrickBot or Ryuk. Targets included organizations in Europe, Asia-Pacific, and Latin America. [6]
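Binary padding works against scanners that skip files above a size cap, and a padding length that varies per sample also gives every copy a fresh file hash. As an added example (not from the article or its sources), the Python below profiles the trailing single-byte run of a file, flags a file that is large only because of that run, strips the run so a size-capped engine can still scan the real content, and hashes the stripped content so padded variants cluster together. The 1 MiB and 90% thresholds and the stand-in "document" are assumptions made for the example.

```python
"""Added example (not from the article): detect and strip binary padding on an attachment.

Padding a file with a long run of one byte value (Emotet used null bytes to push Word
documents past 500 MB) defeats scanners that skip files above a size cap and changes the
file hash of every sample. The thresholds below are assumptions for this example."""
import hashlib

MIN_SUSPICIOUS_SIZE = 1 * 1024 * 1024   # assumed cap; in the wild the bar is far higher
MIN_PAD_RATIO = 0.90                    # assumed: padding dominates the file
MIN_STRIP_RUN = 16                      # assumed: shorter runs are normal file structure


def trailing_run(blob: bytes) -> tuple:
    """Return (byte_value, run_length) for the run of identical bytes at the end of blob."""
    if not blob:
        return None, 0
    last = blob[-1:]
    return last[0], len(blob) - len(blob.rstrip(last))


def padding_profile(blob: bytes) -> dict:
    """Size, pad byte, trailing run length and the share of the file that run represents."""
    byte, run = trailing_run(blob)
    size = len(blob)
    return {
        "size": size,
        "pad_byte": byte,
        "trailing_pad_len": run,
        "pad_ratio": (run / size) if size else 0.0,
    }


def is_inflated(blob: bytes, min_size=MIN_SUSPICIOUS_SIZE, min_ratio=MIN_PAD_RATIO) -> bool:
    """Flag a file that is large only because of a trailing single-byte run."""
    p = padding_profile(blob)
    return p["size"] >= min_size and p["pad_ratio"] >= min_ratio


def strip_padding(blob: bytes, min_run=MIN_STRIP_RUN) -> bytes:
    """Remove a long trailing run so the real content fits under a scanner's size cap.

    This also drops genuine trailing bytes that happen to equal the pad byte; for
    clustering that is harmless because every variant is stripped the same way."""
    _, run = trailing_run(blob)
    return blob[: len(blob) - run] if run >= min_run else blob


def content_hash(blob: bytes) -> str:
    """SHA-256 over the de-padded content, so padded variants collapse to one hash."""
    return hashlib.sha256(strip_padding(blob)).hexdigest()


# Constructed stand-in: a small "document" body followed by a run of pad bytes.
REAL_CONTENT = b"PK\x03\x04 constructed stand-in for a small Word document body END"


def make_padded_sample(pad_len: int, pad_byte: bytes = b"\x00") -> bytes:
    return REAL_CONTENT + pad_byte * pad_len


if __name__ == "__main__":
    sample = make_padded_sample(2 * 1024 * 1024)
    print(padding_profile(sample), is_inflated(sample))
    print(content_hash(sample) == content_hash(make_padded_sample(777)))  # True
```

Hashing the stripped content is what makes the padded variants comparable: two samples with different padding lengths have different file hashes but the same content hash.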

In late 2023, Microsoft reported, and the U.S. National Institute of Standards and Technology (NIST) vulnerability database recorded, that attackers were exploiting a spoofing vulnerability in the Windows App Installer (CVE-2021-43890) to distribute malware, including Emotet. The technique involved phishing emails with malicious attachments that abused the ms-appinstaller URI scheme to install packages through the App Installer. To reduce the risk of exploitation, Microsoft disabled the ms-appinstaller protocol handler by default. [19]

Noteworthy infections

References

  1. Ikeda, Scott (August 28, 2020). "Emotet Malware Taken Down By Global Law Enforcement". CPO Magazine. Retrieved May 1, 2021.
  2. "Emotet's Malpedia entry". Malpedia. January 3, 2020.
  3. Ilascu, Ionut (December 24, 2019). "Emotet Reigns in Sandbox's Top Malware Threats of 2019". Bleeping Computer.
  4. European Union Agency for Criminal Justice Cooperation (January 27, 2021). "World's most dangerous malware EMOTET disrupted through global action". Eurojust.
  5. "DHS warns that Emotet malware is one of the most prevalent threats today". Ars Technica. October 7, 2020. Retrieved April 17, 2025.
  6. "Botnet that knows your name and quotes your email is back with new tricks". Ars Technica. March 13, 2023. Retrieved April 18, 2025.
  7. Beek, Christiaan (December 6, 2017). "Emotet Downloader Trojan Returns in Force". McAfee.
  8. Schmidt, Jürgen (June 6, 2019). "Trojaner-Befall: Emotet bei Heise" [Trojan infestation: Emotet at Heise] (in German). Heise Online. Retrieved November 10, 2019.
  9. Brandt, Andrew (December 2, 2019). "Emotet's Central Position in the Malware Ecosystem". Sophos. Retrieved September 19, 2019.
  10. "North Korean APT(?) and recent Ryuk Ransomware attacks". Kryptos Logic. January 10, 2019.
  11. Cimpanu, Catalin (September 16, 2019). "Emotet, today's most dangerous botnet, comes back to life". ZDNet. Retrieved September 19, 2019.
  12. "July 2020's Most Wanted Malware: Emotet Strikes Again After Five-Month Absence" (Press release). August 7, 2020.
  13. "Emotet uses parked domains to distribute payloads". How To Fix Guide. October 30, 2020. Retrieved January 27, 2021.
  14. "World's most dangerous malware EMOTET disrupted through global action". Europol. Retrieved January 27, 2021.
  15. Cimpanu, Catalin (January 27, 2021). "Authorities plan to mass-uninstall Emotet from infected hosts on March 25, 2021". ZDNet.
  16. "Emotet botnet returns after law enforcement mass-uninstall operation". The Record. November 15, 2021. Retrieved November 20, 2021.
  17. "Emotet Returns". SANS Internet Storm Center. Retrieved November 20, 2021.
  18. "Cryptolaemus (@Cryptolaemus1)". Twitter. Retrieved November 7, 2022.
  19. "Vulnerability Change Records for CVE-2021-43890". U.S. National Institute of Standards and Technology (NIST). May 29, 2024. Retrieved April 18, 2025.
  20. "Malware infection poised to cost $1 million to Allentown, Pa". The Washington Times. Retrieved November 12, 2019.
  21. "Emotet malware gang is mass-harvesting millions of email in mysterious campaign". ZDNet. Retrieved November 12, 2019.
  22. "Emotet: Trojaner-Angriff auf Berliner Kammergericht" [Emotet: Trojan attack on the Berlin Kammergericht] (in German). Der Spiegel. October 4, 2019. Retrieved November 12, 2019.
  23. "Emotet: Wie ein Trojaner das höchste Gericht Berlins lahmlegte" [Emotet: How a Trojan paralysed Berlin's highest court] (in German). Frankfurter Allgemeine Zeitung. Retrieved November 12, 2019.
  24. "Trojaner greift Netzwerk von Humboldt-Universität an" [Trojan attacks the Humboldt University network] (in German). dpa via Heise Online. November 9, 2019. Retrieved November 10, 2019.
  25. "Trojaner-Befall: Uni Gießen nutzt Desinfec't für Aufräumarbeiten" [Trojan infestation: University of Giessen uses Desinfec't for clean-up] (in German). Heise Online. December 19, 2019. Retrieved December 22, 2019.
  26. Joncas, Hugo (September 12, 2020). "Les pirates informatiques ont pu voler tous les courriels" [The hackers were able to steal all the e-mails] (in French). Le Journal de Montréal. Retrieved January 27, 2021.
  27. "Several institutions affected by email virus in Lithuania – center". The Baltic Times. Retrieved January 27, 2021.