1 malware family

Mealybug

Also known asMealybug

Mealybug is a threat group that researchers have linked to Emotet. The provided content states that Mealybug has been on the security community's radar since 2014. In this context, Emotet is described as first surfacing in 2014 as banking malware targeting credential theft, later evolving into a broader threat-delivery service used to distribute additional malware. The content notes that Emotet was observed in early 2018 using its loader functionality to spread Quakbot and ransomware variants, and that related detection guidance includes monitoring rarely used executables, suspicious registry persistence paths, and cmd.exe launching script interpreters as indicators of compromise. No additional high-confidence aliases, sub-groups, attribution, or nation-state affiliation are provided in the content beyond the alias/name Mealybug.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

Banks

MITRE ATT&CK

Tradecraft

3 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

4 of 15 tactics6 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0002

Execution

1 technique

T1059

Command and Scripting Interpreter

TA0003

Persistence

1 technique

T1547

Boot or Logon Autostart Execution

T1547.001

Registry Run Keys / Startup Folder

TA0004

Privilege Escalation

1 technique

T1547

Boot or Logon Autostart Execution

T1547.001

Registry Run Keys / Startup Folder

TA0011

Command and Control

1 technique

T1105

Ingress Tool Transfer

ARSENAL

Associated malware families

1 malware family attributed to this actor across reporting.

FamilyContextEvidenceLast seen

EmotetThe trojan downloader known as Emotet first surfaced in 2014, when it was discovered targeting the banking industry to steal credentials. However... Emotet has evolved far beyond those beginnings to become what a ThreatPost article called a threat-delivery service.1Mar 17, 2026

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app

splunk researchNews

Sep 24, 2024

Analytics Story: Emotet Malware DHS Report TA18-201A | Splunk Security Content

Linked to Emotet activity; associated with operations involving the Emotet malware, which evolved from banking credential theft into a broader threat-delivery service.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping3

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal1

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.