Emotet
Emotet is a malware family first discovered in 2014 as a banking Trojan that evolved into a highly modular botnet and malware-as-a-service loader used as an initial access platform for cybercriminal operations worldwide. It is widely associated with large-scale malicious email campaigns and has been described as one of the most significant and resilient botnets of the past decade. Emotet primarily infected Microsoft Windows systems through phishing or malspam emails containing malicious attachments or links, especially Word documents that prompted users to enable macros; later reporting also noted delivery via direct URLs and .lnk files. Campaign lures included invoices, shipping notices, package deliveries, and COVID-19-themed messages, and payload hosting often relied on compromised websites.
The malware’s observed capabilities in the provided content include downloading and executing additional payloads via PowerShell, using WMI to execute powershell.exe, dropping an embedded executable at %Temp%\setup.exe, embedding code into other files, exfiltrating data over its command-and-control channel, and Base64-encoding data before transmission to C2. Emotet has also been observed using modules to retrieve passwords stored for the current logged-on user, dropping browser password-grabber modules, and extracting or exfiltrating browser cookies. One report cited command-and-control communications over HTTP to hard-coded IP addresses on ports including 20, 80, 443, 7080, 8443, and 50000, and noted a spamming-module feature that checked infected hosts against spam blocklists such as SpamCop, Spamhaus, and SORBS.
Emotet was heavily used as a delivery mechanism for other malware and follow-on intrusion activity. The content explicitly associates it with delivery of TrickBot, IcedID, Ryuk-associated payloads, banking trojans, stealers, email harvesters, self-propagation components, and ransomware. It is also described as a foothold malware family that helped enable later-stage ransomware operations. Reporting in the content links Emotet distribution or precursor access to broader criminal ecosystems and ransomware activity, including references to Ryuk support, Qbot/QakBot distribution chains, and use as a precursor by actors associated with Royal/BlackSuit activity.
Targeting in the provided material is broad and global rather than sector-specific, with infections affecting computer systems worldwide. The content notes that Emotet infrastructure consisted of several hundred servers globally and supported victim management, propagation, criminal service delivery, and resilience against takedowns. A coordinated international law-enforcement operation involving authorities from multiple countries disrupted the botnet by taking control of its infrastructure and redirecting infected machines to law-enforcement-controlled systems; authorities also identified a database containing email addresses, usernames, and passwords stolen by Emotet and used CERT channels to notify affected parties.
Aliases explicitly provided are Geodo and Heodo. High-confidence indicators and artifacts directly mentioned in the content include the dropped path %Temp%\setup.exe, use of Office macros and phishing emails as infection vectors, use of PowerShell and WMI in execution chains, and C2-related behavior including Base64-encoded exfiltration and communications to hard-coded IPs over ports 20, 80, 443, 7080, 8443, and 50000.
Vulnerabilities exploited
2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Emotet has been known to move from machine to machine by leveraging a server message block (SMB) vulnerability exploit like ETERNALBLUE or by brute-forcing credentials for access to Windows Administrative Shares.
In late 2023, Microsoft and the U.S. National Institute of Standards and Technology (NIST) reported that attackers were using a Windows vulnerability to distribute malware, including Emotet... The technique involved phishing emails with malicious attachments that leveraged a Windows feature known as the App Installer... To reduce the risk of exploitation, Microsoft updated the software to disable the affected functionality by default.
Groups observed using it
10 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Emotet has been delivered by phishing emails containing attachments.
Emotet is advanced, modular malware that originated as a banking trojan (malware designed to steal information from banking systems but that may also be used to drop additional malware and ransomware). Today Emotet primarily functions as a downloader and distribution service for other cybercrime groups.
On 11 March 2022, the Twitter account @Cryptolaemus1 identified the distribution of a SystemBC implant by the Epoch 5 botnet linked to the Emotet Malware-as-a-Service (MaaS).
"...MUMMY SPIDER’s Emotet was leveraged by MALLARD SPIDER and WIZARD SPIDER."
"...shift away from the malware that had been the basis of most Ryuk attacks last year (Emotet and Trickbot)."
Microsoft attributes this campaign to Storm-0249... known for distributing, at minimum, BazaLoader, IcedID, Bumblebee, and Emotet malware.
"The gang is believed to be behind the recent revival of the notorious Emotet botnet, which could lead to a massive new wave of ransomware infections."
"TA551 has previously distributed malware payloads such as Ursnif, IcedID, Qbot, and Emotet."
The trojan downloader known as Emotet first surfaced in 2014, when it was discovered targeting the banking industry to steal credentials. However... Emotet has evolved far beyond those beginnings to become what a ThreatPost article called a threat-delivery service.
Techniques & procedures
32 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniques
Through a fully automated process, EMOTET malware was delivered to the victims’ computers via infected e-mail attachments. A variety of different lures were used to trick unsuspecting users into opening these malicious attachments.
Additionally, the branding of trusted organizations (for example the World Health Organization (WHO)) is abused in order to build credibility and trust in order to have people, for example, open malicious attachments or web pages.
All these emails contained malicious Word documents, either attached to the email itself or downloadable by clicking on a link within the email itself.
Execution
8 techniques
The content repeatedly describes threat actors and malware using WMI/WMIC/wmiexec for remote execution, lateral movement, discovery, persistence, and administrative actions; e.g., 'APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit' and 'Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.'
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
The content repeatedly describes threat actors and malware using PowerShell scripts/commands for execution, download, staging, reconnaissance, persistence, credential access, lateral movement, and defense evasion; e.g., "Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses."
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.
Often malware will use the macro to launch a scripting engine such as cscript, wscript, or other scripting languages.
By relying on basic social engineering – an attack technique that takes advantage of human traits such as curiosity, trust and greed in order to obtain confidential information or to have the victim perform a certain action – suffice it to say that certain threat actors (both criminal and nation state) are exploiting these unprecedented times for various nefarious means.
All these emails contained malicious Word documents, either attached to the email itself or downloadable by clicking on a link within the email itself.
Microsoft Office by default allows a user to enable content and allow macros to run when opening Office documents like Word, Excel, and even PowerPoint.
Microsoft Office macros accounted for 43% of malicious Office document downloads... Emotet... heavily used Office macros to infect Microsoft Windows systems.
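The execution chain described in this section (an Office document whose macro launches a script host, WMI executing powershell.exe, and Base64-encoded PowerShell arguments) is what a process-creation telemetry rule would key on. The following is an added example, not code from the page's sources or from any vendor: it runs a small rule set over constructed Sysmon-like process-creation records, decodes any `-EncodedCommand` argument it finds (PowerShell takes Base64 of UTF-16LE), and also checks for the `%Temp%\setup.exe` drop path the page names. Field names, host names and the sample events are all assumptions made for the example.

```python
r"""Triage process-creation events for Emotet-style execution chains.

Added example for this page, not code from any vendor or report. The event
records are constructed (Sysmon-like fields) and exercise the behaviours the
page describes: an Office application spawning a script host, WMI
(WmiPrvSE.exe) spawning powershell.exe, a PowerShell -EncodedCommand argument
(decoded here), and a reference to the %Temp%\setup.exe drop path.
"""
import base64
import re
from pathlib import PureWindowsPath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# powershell.exe accepts -e, -ec, or any unambiguous prefix of -EncodedCommand.
ENC_ARG = re.compile(r"(?i)(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]{16,})")
# The dropped path named on the page, in cmd and PowerShell spellings.
TEMP_SETUP = re.compile(r"(?i)(?:%temp%|\$env:temp|\\temp)\\setup\.exe")


def image_name(path: str) -> str:
    """Lower-cased file name of an image path such as C:\\...\\WINWORD.EXE."""
    return PureWindowsPath(path).name.lower()


def encode_command(script: str) -> str:
    """Encode a script the way -EncodedCommand expects (Base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand script, or None if there is none."""
    for m in ENC_ARG.finditer(cmdline):
        flag, blob = m.group(1).lower(), m.group(2)
        if not (flag == "ec" or "encodedcommand".startswith(flag)):
            continue  # e.g. -ExecutionPolicy, which is not an encoded command
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return None
    return None


def triage(events):
    """Return one finding per event that matches at least one rule."""
    findings = []
    for ev in events:
        parent, child = image_name(ev["parent_image"]), image_name(ev["image"])
        cmd = ev["command_line"]
        reasons = []
        if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
            reasons.append("office_spawned_script_host")
        if parent == "wmiprvse.exe" and child in POWERSHELL:
            reasons.append("wmi_spawned_powershell")
        decoded = decode_encoded_command(cmd) if child in POWERSHELL else None
        if decoded is not None:
            reasons.append("encoded_command")
        if TEMP_SETUP.search(cmd) or (decoded and TEMP_SETUP.search(decoded)):
            reasons.append("temp_setup_exe_path")
        if reasons:
            findings.append({"ts": ev["ts"], "host": ev["host"],
                             "chain": f"{parent} -> {child}",
                             "reasons": reasons, "decoded": decoded})
    return findings


# Constructed stage script: it only copies a file into the drop path the page names.
STAGE = "Copy-Item 'C:\\Users\\Public\\stage.bin' \"$env:TEMP\\setup.exe\""

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed records, not from a real incident
    {"ts": "2024-01-08T09:00:01Z", "host": "WS01",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": PS,
     "command_line": f"powershell.exe -nop -w hidden -enc {encode_command(STAGE)}"},
    {"ts": "2024-01-08T09:00:07Z", "host": "WS02",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": PS,
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\Public\run.ps1"},
    {"ts": "2024-01-08T09:01:00Z", "host": "WS03",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe notes.txt"},
    {"ts": "2024-01-08T09:02:00Z", "host": "WS04",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": PS,
     "command_line": "powershell.exe -ExecutionPolicy Unrestricted -Command Get-Process"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["ts"], f["host"], f["chain"], ", ".join(f["reasons"]))
        if f["decoded"]:
            print("  decoded:", f["decoded"])
```

Only the first two records are flagged: the Word-spawned PowerShell trips three rules once its encoded argument is decoded, the WMI-spawned PowerShell trips one, and the two explorer.exe children (including an ordinary `-ExecutionPolicy Unrestricted` invocation, which the prefix check deliberately does not mistake for `-EncodedCommand`) produce nothing. In production the parent/child pairs would come from Sysmon Event ID 1 or the equivalent EDR stream, and the decoded script is what an analyst wants alongside the alert.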
Persistence
4 techniques
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.
Examples include 'adds Registry Run keys to establish persistence', 'creates a shortcut in the Startup folder', and 'RunOnce Registry key to run itself on safe mode.'
Examples include: 'APT18 establishes persistence via the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key'; 'APT28 has deployed malware that has copied itself to the startup directory for persistence'; 'FIN7 malware has created Registry Run and RunOnce keys to establish persistence, and has also added items to the Startup folder.'
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder.
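The Run and RunOnce keys this section keeps returning to are easy to audit from an export: `reg export` of `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` produces a text file whose REG_SZ values are the autorun command lines. The following is an added example, not code from the page's sources: it parses that export format (REG_SZ values only; `hex(2):` REG_EXPAND_SZ data is skipped) and flags entries whose command line points into user-writable locations, invokes a script host, or sits under RunOnce. The sample export, value names and paths are constructed for the example.

```python
r"""Triage Run/RunOnce registry exports for commodity-loader persistence.

Added example for this page, not code from any report. The .reg text below is
constructed. The parser handles the `reg export` format for REG_SZ values
("name"="data"), then flags autorun entries that point into user-writable
locations, start a script host, or live under RunOnce.
"""
import re
from pathlib import PureWindowsPath

KEY_LINE = re.compile(r"^\[(.+)\]$")
# "name"="data" or @="data"; data may contain \" and \\ escapes.
VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(?:"((?:[^"\\]|\\.)*)")$')

# Path fragments (lower-cased) that a standard user can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\",
                 "\\programdata\\", "\\downloads\\", "\\startup\\")
ENV_PREFIXES = ("%temp%", "%appdata%", "%localappdata%")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe",
                "rundll32.exe", "regsvr32.exe", "cmd.exe"}


def unescape(s: str) -> str:
    """Undo the .reg string escapes: \\\\ -> \\ and \\" -> "."""
    return s.replace("\\\\", "\\").replace('\\"', '"')


def parse_reg(text: str):
    """Yield (key, value_name, data) for each REG_SZ value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        m = KEY_LINE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            name = m.group(1) if m.group(1) is not None else "(Default)"
            yield key, unescape(name), unescape(m.group(2))


def first_executable(cmdline: str) -> str:
    """Program path of an autorun command line (quoted or first token)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ")[0]


def classify(key: str, name: str, data: str):
    """Reasons an autorun entry deserves a look; empty list means none."""
    low = data.lower()
    exe = PureWindowsPath(first_executable(data)).name.lower()
    reasons = []
    if any(frag in low for frag in USER_WRITABLE) or low.lstrip('"').startswith(ENV_PREFIXES):
        reasons.append("user_writable_path")
    if exe in SCRIPT_HOSTS:
        reasons.append("script_host")
    if key.lower().endswith("\\runonce"):
        reasons.append("runonce")
    return reasons


def audit(text: str):
    """Return the flagged entries of a .reg export with their reasons."""
    findings = []
    for key, name, data in parse_reg(text):
        reasons = classify(key, name, data)
        if reasons:
            findings.append({"key": key, "name": name, "data": data, "reasons": reasons})
    return findings


# Constructed export: one legitimate entry and three that should be flagged.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"setup"="C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe"
"updater"="wscript.exe //B \"C:\\Users\\alice\\AppData\\Roaming\\upd.vbs\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"cleanup"="C:\\Users\\Public\\cleanup.exe /s"
'''

if __name__ == "__main__":
    for f in audit(SAMPLE_REG):
        print(f"{f['name']:10} {', '.join(f['reasons']):32} {f['data']}")
```

The OneDrive entry under Program Files is left alone; the three others are flagged for a Temp-folder binary, a script host reading a VBS from AppData, and a RunOnce entry in Users\Public. The same `classify` rules apply unchanged to a directory listing of the Startup folder, where the file path itself is the "command line".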
Privilege Escalation
3 techniques
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
Examples include 'adds Registry Run keys to establish persistence', 'creates a shortcut in the Startup folder', and 'RunOnce Registry key to run itself on safe mode.'
Examples include: 'APT18 establishes persistence via the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key'; 'APT28 has deployed malware that has copied itself to the startup directory for persistence'; 'FIN7 malware has created Registry Run and RunOnce keys to establish persistence, and has also added items to the Startup folder.'
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder.
Stealth
2 techniques
The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.
The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'
Defense Impairment
1 technique
Credential Access
5 techniques
"Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory," "Fox Kitten has used PowerShell scripts to access credential data," and "Kimsuky has executed a variety of PowerShell scripts including Invoke-Mimikatz."
A “pass-the-cookie” attack is a type of attack where an attacker can bypass authentication controls by compromising browser cookies... If an attacker can compromise a device and extract the browser cookies, they could pass that cookie into a separate web browser on another system, bypassing security checkpoints along the way.
AADInternals can gather unsecured credentials for Azure AD services, such as Azure AD Connect, from a local machine. Agent Tesla has the ability to extract credentials from configuration or support files. APT3 has a tool that can locate credentials in files on the file system such as those from Firefox or Chrome.
The content repeatedly describes threat actors and malware stealing usernames, passwords, cookies, session tokens, and other saved credentials from web browsers such as Chrome, Firefox, Internet Explorer, Edge, Opera, Safari, and Yandex.
As part of the criminal investigation conducted by the Dutch National Police into EMOTET, a database containing e-mail addresses, usernames and passwords stolen by EMOTET was discovered.
Discovery
1 technique
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
Lateral Movement
1 technique
A “pass-the-cookie” attack is a type of attack where an attacker can bypass authentication controls by compromising browser cookies... “Pass-the-cookie” is like pass-the-hash or pass-the-ticket attacks in Active Directory.
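Both the Credential Access and the Lateral Movement sections quote the same description of pass-the-cookie: a stolen browser cookie presented from a second machine. The server side can see that reuse, because the session was created from one client and is then presented from another. The following is an added example, not code from the page's sources: it walks constructed web-access-log lines, remembers the source IP and browser string that first used each session identifier, and flags later requests with that identifier from a different IP or browser within the session's lifetime. The log format, the `sess=` field (standing in for a hashed session cookie value), and the addresses are assumptions made for the example.

```python
"""Flag session identifiers replayed from a second client (pass-the-cookie).

Added example for this page, not code from any report. The access-log lines
are constructed; `sess=` stands in for the session cookie value (hash it in a
real pipeline). A session presented from a different source IP or browser
string than the one that created it, within its lifetime, is a replay
candidate. Expired sessions are treated as a fresh origin instead.
"""
import re
from datetime import datetime, timedelta

# Constructed log: alice's session is reused from another address and browser
# 20 minutes after login; bob's session is seen from a new address only a day
# later, past the assumed lifetime, so it is not a replay.
SAMPLE_LOG = """\
2024-03-01T08:00:00Z alice sess=a1b2 ip=10.0.0.5 ua="Chrome/122 Windows" path=/login
2024-03-01T08:05:10Z alice sess=a1b2 ip=10.0.0.5 ua="Chrome/122 Windows" path=/mail
2024-03-01T08:20:42Z alice sess=a1b2 ip=203.0.113.9 ua="Firefox/123 Linux" path=/mail/export
2024-03-01T09:00:00Z bob sess=c3d4 ip=10.0.0.8 ua="Edge/122 Windows" path=/login
2024-03-01T09:30:00Z bob sess=c3d4 ip=10.0.0.8 ua="Edge/122 Windows" path=/files
2024-03-02T09:10:00Z bob sess=c3d4 ip=10.0.0.9 ua="Edge/122 Windows" path=/files
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line: str) -> dict:
    """Split one log line into its timestamp, user and key=value fields."""
    ts, user, rest = line.split(" ", 2)
    rec = {k: v.strip('"') for k, v in FIELD.findall(rest)}
    rec["ts"] = datetime.strptime(ts, TS_FORMAT)
    rec["user"] = user
    return rec


def detect_replay(log_text: str, max_age: timedelta = timedelta(hours=8)):
    """Return requests whose session came from a different IP/UA than its origin."""
    origin = {}  # session id -> first record that used it
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        sess = rec["sess"]
        first = origin.get(sess)
        if first is None or rec["ts"] - first["ts"] > max_age:
            origin[sess] = rec  # new session, or an expired one seen again
            continue
        ip_changed = rec["ip"] != first["ip"]
        ua_changed = rec["ua"] != first["ua"]
        if ip_changed or ua_changed:
            findings.append({
                "sess": sess,
                "user": rec["user"],
                "ts": rec["ts"].isoformat(),
                "path": rec["path"],
                "origin": (first["ip"], first["ua"]),
                "seen": (rec["ip"], rec["ua"]),
                # both attributes changing is a stronger signal than either alone
                "severity": "high" if ip_changed and ua_changed else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in detect_replay(SAMPLE_LOG):
        print(f"{f['severity']}: session {f['sess']} of {f['user']} at {f['ts']} "
              f"from {f['seen']} (origin {f['origin']}) requesting {f['path']}")
```

Only alice's `/mail/export` request is reported, with both the address and the browser string differing from the login that created the session. A single-attribute change (for instance a user moving between office and VPN addresses with the same browser) is still reported, but at a lower severity, so that tuning can be done per environment rather than by dropping the rule.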
Collection
2 techniques
Infostealers live in infected computers and gather information, allowing attackers to exploit organizations and obtain credentials.
Examples include 'APT39 has used malware to drop encrypted CAB files' and 'Emotet uses obfuscated URLs to download a ZIP file.'
Command and Control
6 techniques
Emotet has used Google’s Protobufs to serialize data sent to and from the C2 server... Kapeka utilizes JSON objects to send and receive information from command and control nodes... Mori can use Base64 encoded JSON libraries used in C2... Remcos can serialize collected data with Protobuf.
Kapeka utilizes JSON objects to send and receive information from command and control nodes. Emotet has used Google’s Protobufs to serialize data sent to and from the C2 server. Remcos can serialize collected data with Protobuf.
Recorded Future tracks the creation and modification of new malicious infrastructure for a multitude of post-exploitation toolkits, custom malware, and open-source remote access trojans (RATs). We observed over 17,000 unique command-and-control (C2) servers during 2022...
Emotet’s early resurgence was reported to be a reuse of TrickBot’s infrastructure.
What made EMOTET so dangerous is that the malware was offered for hire to other cybercriminals to install other types of malware, such as banking Trojans or ransomwares, onto a victim’s computer.
C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding... APT19 HTTP malware variant used Base64 to encode communications to the C2 server... APT33 has used base64 to encode command and control traffic.
Exfiltration
1 technique
ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.
IOCs tracked for this family
202 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
200 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
He has worked extensively on identifying and systematically monitoring major botnet families, including the infamous Emotet and Trickbot.
Referenced as a major botnet family in the author biography; no campaign-specific details are provided in the content.
A botnet cited as an example of a cybercrime operation that resumed activity after law-enforcement disruption.
Emotet is referenced as a botnet whose takedown preceded other ransomware actors using TA551 distribution services.