Emotet Botnet Dropping Cobalt Strike


The recently revived Emotet malware has been seen dropping Cobalt Strike directly onto victim machines. This marks a change in tactics from its previous behaviour, when it was used as a loader to drop other malware variants such as the TrickBot spyware. Cobalt Strike is a post-exploitation framework which would give a threat actor direct control over a victim’s machine.


Cobalt Strike is a full framework for post-exploitation activity. It has functionality for a range of different techniques which would be beneficial to an attacker. These include:

– command execution
– key logging
– file transfer
– network proxying
– privilege escalation
– mimikatz
– port scanning
– lateral movement


Cobalt Strike Command and Control (C2) is highly reconfigurable.
The samples seen in use by Emotet use a configuration profile which sets the remote URI to:


This version of jquery does not appear to exist, so a request for it in web proxy logs would be a good indicator of malicious activity.
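As an added example (not part of the bulletin), the check below flags proxy log requests for a jquery-<version>.js path whose version is not a known jQuery release. The log lines, the version allowlist and the flagged path are constructed stand-ins: the profile's actual URI is not reproduced here.

```python
import re

# Assumption: a short allowlist of genuine jQuery release versions, not taken
# from the bulletin; extend it from the official jQuery release history.
KNOWN_JQUERY_VERSIONS = {
    "1.12.4", "2.2.4", "3.3.1", "3.4.1", "3.5.1", "3.6.0", "3.6.4", "3.7.1",
}

# Captures the version in a script path such as /jquery-3.3.1.min.js, whether
# or not the ".min" suffix is present, and stops at a query string or whitespace.
JQUERY_RE = re.compile(r"/jquery-(\d+\.\d+(?:\.\d+)?)(?:\.min)?\.js(?=[?\s]|$)")

# Constructed Squid-style access log lines; 203.0.113.10 is a documentation
# address and jquery-9.9.9 is a placeholder for a version that was never released.
CONSTRUCTED_PROXY_LOG = """\
1638360001.123    210 10.0.0.5 TCP_MISS/200 85520 GET http://code.jquery.com/jquery-3.3.1.min.js - HIER_DIRECT/151.101.1.1 application/javascript
1638360002.456    180 10.0.0.5 TCP_MISS/200 213 GET http://203.0.113.10/jquery-9.9.9.min.js - HIER_DIRECT/203.0.113.10 application/javascript
1638360003.789     95 10.0.0.7 TCP_MISS/200 4210 GET http://intranet.example/css/site.css - HIER_DIRECT/10.0.0.1 text/css
""".splitlines()


def suspicious_jquery_requests(log_lines):
    """Return (line, version) pairs for every request whose URI names a
    jquery-<version>.js file with a version that is not a known release."""
    hits = []
    for line in log_lines:
        match = JQUERY_RE.search(line)
        if match and match.group(1) not in KNOWN_JQUERY_VERSIONS:
            hits.append((line, match.group(1)))
    return hits


if __name__ == "__main__":
    for line, version in suspicious_jquery_requests(CONSTRUCTED_PROXY_LOG):
        print(f"unknown jQuery version {version}: {line}")
```

Requests for a real jQuery version from an unexpected host are not flagged by this check on their own, so pair it with host or destination reputation where available.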

Indicators of Compromise



Threat Landscape

Emotet was one of the biggest botnets in the world until it was taken down by coordinated international law enforcement action at the start of this year. Since November there have been reports that the infrastructure is being rebuilt from scratch by piggybacking on TrickBot. Emotet’s disappearance left a gap in the initial access market, and some believe that the ransomware gang Conti may have encouraged the Emotet operators to rebuild.

Mitre Methodologies

S0154 – Cobalt Strike
S0266 – TrickBot
S0367 – Emotet

T1566 – Spearphishing Attachment

Further Information

Cryptolaemus on Twitter
C2 profile