Emotet botnet returns after four-month absence

Target Industry

Indiscriminate targeting.


Severity level: High – Compromise may result in theft of sensitive emails and deployment of additional malware including ransomware.

After abruptly ceasing activity in July 2022, Emotet has once again begun spamming mailboxes across the globe in a large-scale phishing campaign. Emotet operates as a botnet: each infected device sends vast quantities of email carrying malicious Word and Excel attachments. Once a recipient opens the attachment and enables macros, the macros download the Emotet Dynamic Link Library (DLL) and load it into memory.

Once a system has been compromised, the malware harvests the emails stored on it and exfiltrates them for use in future campaigns. Furthermore, Emotet can drop additional payloads such as a Cobalt Strike beacon or TrickBot, providing a foothold for further exploitation, including ransomware deployment.

Ransomware families previously deployed following an Emotet infection include Hive, Ryuk, Quantum and BlackCat.


Emotet uses a ‘spray and pray’ approach, so every company and organisation is a potential target. The emails are convincing and designed to deceive, frequently replying into genuine email threads stolen from earlier victims, which makes them hard for untrained staff to spot.

If it is not detected and blocked by an Endpoint Detection and Response (EDR) solution, Emotet will almost certainly harvest all emails held on the affected system or account, some potentially containing business and customer data. Follow-on compromise by tooling such as Cobalt Strike and ransomware such as Hive is a realistic possibility, so immediate defensive action on the first Emotet detection is recommended to prevent data encryption and loss.

Vulnerability Detection

A comprehensive EDR solution such as Microsoft Defender for Endpoint can provide additional protection against Emotet and the ransomware it enables. An EDR can alert on the initial macro execution, DLL load or persistence mechanism and stop the chain before the malware does significant damage.

Once a host is infected, the Emotet DLL is dropped into a randomly named folder under the user's local application data directory, that is %USERPROFILE%\AppData\Local\<random folder>\<random name>.dll.

The macros then launch the dropped DLL via the legitimate regsvr32.exe, so the path above appears in the regsvr32.exe command line. A regsvr32.exe process whose parent is an Office application and whose command line references a DLL under AppData\Local is a strong indicator.

To maintain persistence, Emotet creates a value under the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key so that the DLL is reloaded at logon. Like the DLL and its folder, the value has a random name made up of a jumble of letters.
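As an added example that is not part of the original bulletin, the following Python applies the three observables above (regsvr32.exe loading a DLL from a random folder under AppData\Local, an Office parent process, and a randomly named Run value pointing at that DLL) to constructed Sysmon-style process-creation (Event ID 1) and registry-value-set (Event ID 13) lines. The sample events, folder and value names, and the vendor allowlist are invented for illustration; tune the allowlist to your estate before using the logic in a real hunt.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed Sysmon-style events (not real telemetry). Paths, SIDs and the
# random-looking folder, DLL and Run value names are invented for this example.
SAMPLE_EVENTS = [
    'EventID="1" Image="C:\\Windows\\System32\\regsvr32.exe" '
    'CommandLine="regsvr32.exe /s C:\\Users\\alice\\AppData\\Local\\Xjeixoznaewl\\Ovopxpchgtf.dll" '
    'ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"',
    # Benign: regsvr32 registering a system DLL from an installer.
    'EventID="1" Image="C:\\Windows\\System32\\regsvr32.exe" '
    'CommandLine="regsvr32.exe /s C:\\Windows\\System32\\vbscript.dll" '
    'ParentImage="C:\\Windows\\System32\\msiexec.exe"',
    # Persistence: randomly named Run value re-launching the dropped DLL at logon.
    'EventID="13" TargetObject="HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001'
    '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Qzxlmwphte" '
    'Details="C:\\Windows\\System32\\regsvr32.exe /s C:\\Users\\alice\\AppData\\Local\\Xjeixoznaewl\\Ovopxpchgtf.dll"',
    # Benign: a well-known vendor autostart under AppData\Local.
    'EventID="13" TargetObject="HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001'
    '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive" '
    'Details="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"',
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')
# A DLL at <user>\AppData\Local\<folder>\<file>.dll; folder and file are captured for pivoting.
APPDATA_DLL_RE = re.compile(
    r'\\Users\\[^\\]+\\AppData\\Local\\(?P<folder>[^\\"\s]+)\\(?P<dll>[^\\"\s]+\.dll)\b',
    re.IGNORECASE,
)
RUN_KEY_RE = re.compile(
    r'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<value>[^\\]+)$', re.IGNORECASE
)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Assumed allowlist of vendor folders that legitimately hold DLLs under AppData\Local.
ALLOWED_FOLDERS = {"microsoft", "google", "mozilla"}


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key="value" ... line into a dict."""
    return {k: v for k, v in KV_RE.findall(line)}


def analyse_event(ev: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a finding for the two Emotet observables, or None for anything else."""
    eid = ev.get("EventID")
    if eid == "1" and ev.get("Image", "").lower().endswith("\\regsvr32.exe"):
        m = APPDATA_DLL_RE.search(ev.get("CommandLine", ""))
        if m and m["folder"].lower() not in ALLOWED_FOLDERS:
            parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
            return {
                "rule": "regsvr32_appdata_dll",
                # An Office parent matches the macro -> regsvr32 chain the bulletin describes.
                "severity": "high" if parent in OFFICE_PARENTS else "medium",
                "folder": m["folder"], "dll": m["dll"], "parent": parent,
            }
    if eid == "13":
        key = RUN_KEY_RE.search(ev.get("TargetObject", ""))
        details = ev.get("Details", "")
        m = APPDATA_DLL_RE.search(details)
        if key and m and "regsvr32" in details.lower() and m["folder"].lower() not in ALLOWED_FOLDERS:
            return {
                "rule": "run_key_regsvr32_appdata_dll", "severity": "high",
                "value": key["value"], "folder": m["folder"], "dll": m["dll"],
            }
    return None


def hunt(lines: List[str]) -> List[Dict[str, str]]:
    """Run the rules over raw log lines and collect findings in order."""
    findings = []
    for line in lines:
        finding = analyse_event(parse_event(line))
        if finding:
            findings.append(finding)
    return findings


def chained_loads(findings: List[Dict[str, str]]) -> Set[str]:
    """DLLs seen both launched by regsvr32 and persisted via a Run value: the full chain."""
    launched = {f["dll"].lower() for f in findings if f["rule"] == "regsvr32_appdata_dll"}
    persisted = {f["dll"].lower() for f in findings if f["rule"] == "run_key_regsvr32_appdata_dll"}
    return launched & persisted


if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for f in results:
        print(f)
    print("full load-and-persist chain observed for:", chained_loads(results))
```

The two rules fire independently, so a single regsvr32 launch from AppData\Local is still surfaced if the host is rebooted before the Run value is written; the correlation step only raises confidence when both halves of the chain are present for the same DLL.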

Affected Products


Containment, Mitigations & Remediations

It is recommended that employees receive training on how to spot the signs of phishing emails. Phishing is the main method of initial compromise, so in-house awareness training goes a long way towards reducing the effectiveness of future campaigns. Because the infection chain relies on the recipient enabling macros, blocking macros in documents received from the internet by policy removes the initial execution step altogether.

As stated above, the main way to reduce the threat of Emotet is to detect it early through an effective, actively monitored EDR solution. An effective EDR improves detection of attempted ransomware deployment and halts it when detected.

Indicators of Compromise

Emotet associated hashes:


Emotet associated IPs:

Threat Landscape

Spam-based distribution of phishing emails is particularly dangerous because, with no specific targeting, it is difficult to give early warning of which sectors or companies are likely to be hit.

Threat Group

The Emotet criminal gang took an unexpected break from malicious activity for four months between 13th July and 2nd November 2022. While there is no direct reporting on why this break occurred, there is a realistic possibility the break was due to them meeting predetermined aims, and now new goals have been set. The group likely receives additional financial benefits from the distribution of third-party ransomware, and this may have been a factor in the group’s return.

Mitre Methodologies

T1087.003 – Account Discovery: Email Account
T1560 – Archive Collected Data
T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1110.001 – Brute Force: Password Guessing
T1059 – Command and Scripting Interpreter
T1543.003 – Create or Modify System Process: Windows Service
T1555.003 – Credentials from Password Stores: Credentials from Web Browsers
T1114.001 – Email Collection: Local Email Collection
T1573.002 – Encrypted Channel: Asymmetric Cryptography
T1041 – Exfiltration Over C2 Channel
T1210 – Exploitation of Remote Services
T1040 – Network Sniffing
T1571 – Non-Standard Port
T1027 – Obfuscated Files or Information
T1003.001 – OS Credential Dumping: LSASS Memory
T1566.001 – Phishing: Spearphishing Attachment
T1566.002 – Phishing: Spearphishing Link
T1057 – Process Discovery
T1055.001 – Process Injection: Dynamic-link Library Injection
T1021.002 – Remote Services: SMB/Windows Admin Shares
T1053.005 – Scheduled Task/Job: Scheduled Task
T1552.001 – Unsecured Credentials: Credentials In Files
T1204.001 – User Execution: Malicious Link
T1204.002 – User Execution: Malicious File
T1078.003 – Valid Accounts: Local Accounts
T1047 – Windows Management Instrumentation

Further Information

Kroll – Emotet analysis

Intelligence Terminology Yardstick