30.11.2021 Renewed Emotet Activity

by Elena Lapina

There have been indications of renewed Emotet activity since 14 November 2021. Emotet is a prolific botnet operation, where computers infected with malware are leveraged to perform cyber-attacks. We recommend reminding everyone in your organization to follow industry guidance on best cyber security practices and exercise caution when using email.


In January 2021, Europol reported on a multi-agency effort to “severely disrupt the Emotet infrastructure”. However, similar to their breaks in activity observed in 2019 and 2020, it appears that it only led to a temporary interruption of Emotet operations.

Various cybercriminal groups have been using Emotet since 2014 as a loader available through a Malware-as-a-Service (MaaS) offering. It is typically used as first-stage malware that provides initial access to victims’ systems, thereby enabling threat actors to deploy ransomware, keyloggers, banking trojans, and other types of malicious software on the infected systems.

Emotet has a distributed botnet structure. The malware infects end-user systems and forms bots out of individual hosts. These bots would then form groups with each cluster controlled by a botmaster that instructs the infected hosts on further actions. Depending on the available modules, it could instruct the bots to infect other computers on the same network or deploy other types of malware on an infected host.

Researchers track Emotet botnet’s activity by several subgroups, called “Epochs”, where each subgroup has its own command-and-control (C2) servers, payloads, target locations, spam templates, and delivery methods. There are five known Epochs, labelled Epoch 1 through to Epoch 5, with Epoch 4 and 5 currently reported being active in Japan, Germany, Latin America, Italy, Spain, and other parts of the world.

In the past, Emotet has had an ability to infect a system and perform additional functions through its modules allowing self-propagation, elevation of privileges, brute-forcing, data exfiltration and more.

Previous and current Emotet infections by Emotet typically start with a victim opening a malicious email containing a URL in the body or a malicious attachment that could be an Excel spreadsheet, a Word document, a PDF, or a password-protected ZIP archive. It can also be delivered from other infected computers on the same network or be a secondary infection from another malware.

Emotet has also been using thread hijacking. Emotet operators would take over email chains using already infected users to send authentic-looking emails to other recipients in the email chain. As these emails would appear legitimate to the recipient, they are often opened without hesitation, which enables the threat actors to conduct further attacks.

One change in the new Emotet activity appears to be the use of encrypted HTTPS C2 communications instead of HTTP. The hard-coded C2 communication destination is now obfuscated. Emotet is now also abusing the Windows 10 App Installer to imitate an Adobe update; a tactic recently observed used by other malware.


Emotet has been a persistent threat with threat actors regularly changing their infrastructure, spam templates, and malware code. Since the latest Emotet activity has started, our analysts have been tracking this threat activity and employing the latest indicators of compromise in our detections.

However, most of Emotet’s methods are well-researched and are used by multiple other threats. Detecting this threat through a signature and indicator-based approach would only provide partial protection.

Covalence stops Emotet before it is able to infect your system by reducing your threat surface, and enables timely blocking of similar threats. By focusing on abnormal behavior on endpoints, emails, network, and cloud, Covalence alerts on activity patterns that are indicative of malicious activity early on.

This is a good opportunity to remind everyone in your organization to follow the recommended cyber security practices and and exercise caution when using email. Some of the guidance can be found in the References section below.


CISA Guidance on Emotet
MS-ISAC Guidance on Emotet
SANS: Emotet Returns


Request Demo

Fill out the form and we will send you details about our demo.