Skip to Content

Emotet Trickbot Botnet Malware Development

Updated on 2022-11-21: Emotet’s return

Deep Instinct researchers have an analysis of Emotet’s return, the infamous spam botnet that has been asleep since June this year. More on this from Proofpoint too. Read more:

Updated on 2022-11-18: Emotet’s return

Proofpoint has a detailed write-up of the recent Emotet spam campaigns after the botnet came back from its most recent hiatus, with the botnet ceasing all activity between June and November 2022. As Proofpoint’s Sherrod DeGrippo told RiskyBizNews in our latest podcast, this comeback involved lots of international lures targeting users using phishing emails in different languages, such as Greek, German, French, Italian, Japanese, Portuguese, and Spanish. Read more: A Comprehensive Look at Emotet’s Fall 2022 Return

Indexed volume of email messages containing Emotet.

Updated on 2022-11-17

Emotet has returned to the threat landscape after a hiatus of four months, noted Proofpoint researchers. In a new update, it is now dropping IcedID. Read more: A Comprehensive Look at Emotet’s Fall 2022 Return

Updated on 2022-11-09: Emotet back from the dead

Cisco Talos has analyzed the recent email malspam campaigns coming out from the Emotet botnet, which recently came back to life after being dormant for months since June this year. Read more: Emotet coming in hot

Updated on 2022-11-04: Welcome back, Emotet

After stopping operations back in June, the Emotet botnet is back at its old tricks, sending out new email spam waves in search of new victims. Read more: Emotet botnet starts blasting malware again after 4 month break

Updated on 2022-10-31

Elastic’s security team has published an analysis of Emotet’s new encoding format the malware uses to store and protect its configuration. Read more: EMOTET Dynamic Configuration Extraction

Updated on 2022-10-30

The VMware Threat Analysis Unit has put out a 68-page report on the activities of the new incarnation of the Emotet botnet, which returned to activity in January this year after being taken down by law enforcement in 2021. Read more: Emotet Exposed: A Look Inside the Cybercriminal Supply Chain

Updated on 2022-10-21

Trustwave SpiderLabs spotted a rise in threats contained in password-protected archives, with 96% of these being spammed by Emotet. Read more: Nested self-extracting RAR

Updated on 2022-10-20

Because Dridex operated on a closed model, providing limited access to their botnet to only a handful of very carefully vetted operators, Emotet, and later TrickBot, cornered the market in MaaS services working with ransomware gangs. Read more: More on URSNIF (Gozi/IFSB)

Updated on June 2022: Emotet update

The Emotet malware has returned to deploying an SMB spreader module to allow it to move laterally across an infected network. Read more: Emotet SMB spreader overview

Emotet deploys credit card stealer

The same Proofpoint Threat Insights team also reported a major change in the Emotet botnet, which made a comeback last year. According to the security firm, in recent attacks, a section of the Emotet botnet also tried to load a payment card stealer module inside the Chrome browser. Proofpoint said that “once card details were collected they were exfiltrated to different C2 servers than the module loader,” suggesting the data might have been collected by someone running tests or who rented access to the Emotet botnet for this particular operation.

Updated on May 2022: Emotet botnet

The Trend Micro team has published a technical report on the recent malspam campaigns carried out by the Emotet botnet since its return this winter.

Updated on December 2021: Microsoft December Patch Tuesday

Microsoft’s monthly security updates for December 2021 comprises fixes for more than 65 vulnerabilities, including one for a zero-day flaw in AppX installer that has been used to spread Emotet malware. The batch of fixes also fixes an issue that prevented Defender for Endpoint from launching on certain systems.


  • Remember patch Tuesday or were you distracted by another security concern? So far, pushing this update has been smooth and the fix to Defender not launching will relieve some of the stress caused by that issue. Make sure your team is on this update as well as the Apple updates also released. Note that the zero-day (CVE-2021-43890) in the AppX installer is being actively exploited.
  • The actively exploited vulnerability is being used by multiple initial access groups and then sold via initial access brokers to other groups including ransomware. It is a busy month for patching but try to get these done before the holidays. Many organizations try to implement year-end freezes. These should not be in scope of that.


Updated on April 2021: Update Delivered by Law Enforcement in January is Now Deleting Emotet

Over the weekend, law enforcement officials activated code that erases Emotet malware from infected computers. In late January 2021, law enforcement agencies from several countries took control of Emotet’s command and control infrastructure. Shortly thereafter, Germany’s federal police agency, Bundeskriminalamt, began pushing out the update designed to remove Emotet.


  • The uninstaller was delivered by the captured Emotet C2 servers in late January with a self-destruct date of April 25th. The package addresses the two ways Emotet achieves persistence: either as a system service or a Run key. The Malwarebytes blog explains the behavior of the package and actions it takes. Per the US DOJ, the update was provided by foreign law enforcement using overseas C2 servers, not FBI agents. The delay between distribution and removal was to give time for responders to complete forensic analysis and cleanup of any other related malware.
  • The Emotet takedown appears to be one of the more successful takedowns in recent memory. A lot has been written about law enforcement pushing an update to remove the malware (similar also to recent law enforcement action against unpatched Exchange servers). I believe we should and hopefully will see more of the same in the future. Waiting for users to patch and fix their systems hasn’t been working and these systems become ticking timebombs waiting for additional infections, or being used to revive taken down botnets.

Read more in:

Updated on March 2021: TrickBot Warning

The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have issued a joint alert warning of “continued targeting through spearphishing campaigns using TrickBot malware.” A group of cybersecurity companies took steps to dismantle the TrickBot infrastructure last fall. The effort disrupted TrickBot operations for several weeks. The CISA/FBI alert provides a list of suggested mitigations, including blocking suspicious IP addresses, using antivirus software, and providing phishing and social engineering training to employees.


  • TrickBot is getting more exposure after legal actions shut down some competing botnets. Please do not focus too much on blocking specific IP addresses as they tend to change quickly. One interesting method to detect TrickBot is by inspecting TLS certificates. Tools like Zeek are excellent to collect this information and it tends to be quite useful not just for TrickBot.
  • Attackers use TrickBot to drop other malware such as Ryuk and Conti ransomware, or serve an Emotet downloader. The Alert warning below includes a layout of TrickBot’s techniques, mapped to MITRE ATT&CK techniques. That mapping can be used to help others understand the relevance of ATT&CK. Mitigations include user training, policy and procedures for reporting suspect email, firewall rules as well as segmenting systems to limit lateral movement. I have seen great success in reporting by adding a reporting button to email clients. Note: You will have to respond to reported messages for use to continue past the initial rollout.

Read more in:

Updated on January 2021: International Effort Disrupts Emotet Operations

Law enforcement agencies and judicial systems authorities from Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine have worked together to disrupt functionality of the Emotet malware. The operation took control of Emotet’s command-and-control infrastructure, which comprised hundreds of servers around the world. At least two people have been arrested in Ukraine in connection with the operation. Law enforcement officials in the Netherlands are delivering an Emotet update that will remove it from infected devices on April 25, 2021. Read more in:

Updated on September 2020: New Qbot Trojan (Pinkslipbot) evolved called Emotet

Exhibited new features and a new command-and-control infrastructure to insert itself into the legitimate email threads and distributing ransomware, according to CheckPoint research report: An Old Bot’s Nasty New Tricks: Exploring Qbot’s Latest Attack Methods.

Updated on July 2020: Emotet Botnet is Back

The Emotet botnet, which has been dormant since early February 2020, has re-emerged. On Friday, the botnet became active again, sending spam in an attempt to infect new users with the malware using malicious Word and Excel documents.

Read more in:

Updated on April 2020: Microsoft DART Case Report: Emotet Caused Full Operational Shutdown

Microsoft’s Detection and Response Team (DART) has published a case report that describes an incident in which the Emotet malware shut down an entire operational network. The attack began with a malicious attachment to a phishing email. Once the attackers gained purchase within the system, they proceeded to spread Emotet throughout the system. Emotet updated with new definitions every few days, enabling it to evade detection by antivirus programs. The malware maxed out computers’ CPUs and consumed the network’s bandwidth, shutting down the company’s core services.

Note: “Phishing” and other attacks designed to dupe and exploit users will continue to be the Achilles heel of the enterprise unless and until we isolate e-mail and browsing from other enterprise applications.

Read more in:

Oveview: New Emotet Variant Can Spread Through Wi-Fi Networks

A recently-detected variant of Emotet malware has the ability to spread from infected devices to nearby unsecured Wi-Fi networks. From there, it can attempt to infect connected devices. When Emotet first appeared more than five years ago, it was a banking Trojan. Over the years, it has gained the ability to install a variety of malware on infected devices.

Note: The Japanese CERT, JP-CERT, has a great write up on this malware at [Updated] Alert Regarding Emotet Malware Infection, and they have also released a tool to check for Emotet called EmoCheck; it can be downloaded from the JP-CERT GIT Repository: JPCERTCC / EmoCheck

Read more in:

    Ads Blocker Image Powered by Code Help Pro

    It looks like you are using an adblocker.

    Ads keep our content free. Please consider supporting us by allowing ads on