Emotet first appeared in 2014 as a banking trojan targeting financial credentials. Over the following years, TA542 — also tracked as Mealybug and Mummy Spider — evolved it into something far more dangerous: a modular malware-as-a-service platform that could load virtually any payload onto an infected system. By the time of its takedown, Europol had described it as the world's most dangerous botnet. Its infrastructure spanned hundreds of servers across multiple countries and supported three separate botnets, designated by researchers as Epoch 1, Epoch 2, and Epoch 3.
On January 27, 2021, an international coalition including law enforcement agencies from the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada, and Ukraine seized Emotet's server infrastructure from the inside. Infected machines worldwide were redirected to law enforcement-controlled sinkholes, effectively cutting the botnet's operators off from their own network. Ukrainian authorities made arrests. It looked, for a moment, like a decisive end.
It wasn't. On November 14, 2021, new Emotet samples began surfacing — dropped onto systems already infected with TrickBot. The operators had rebuilt their infrastructure, retained their code repository, and returned to business with significant upgrades. The new infrastructure ran on two botnets: Epoch 4 and Epoch 5.
Who Brought It Back and Why
The mechanism of Emotet's return revealed something important about the relationships within the ransomware ecosystem. Intelligence firm AdvIntel assessed that the November 2021 resurrection was essentially requested by the Conti ransomware operation — the successor group to Ryuk, itself a former beneficiary of Emotet's initial access capabilities. According to AdvIntel analysts Yelisey Boguslavskiy and Vitali Kremez, former Ryuk members convinced Emotet operators to rebuild from their existing code repository specifically to restore the TrickBot–Emotet–Ryuk delivery chain, which had atrophied after Emotet's absence.
The mechanism confirmed what the previous relationship had implied: Emotet was not just a tool but a service provider within a structured criminal supply chain. Conti needed reliable initial access at scale, and Emotet — with its established infrastructure, proven email delivery, and modular loader architecture — was the most capable vehicle for providing it. Rebuilding Emotet was, from Conti's perspective, a business decision.
Cryptolaemus — the independent group of security researchers who have tracked Emotet since its early iterations — confirmed Cobalt Strike beacon deployment from Epoch 5 infrastructure as early as December 7, 2021, less than a month after Emotet's return. This was not a capability the previous epochs had demonstrated. The addition of Cobalt Strike as a direct payload dramatically shortened the path from initial email infection to full domain compromise and ransomware deployment.
Epoch 4 vs. Epoch 5: How They Differed
The two new botnets were not redundant copies of each other. Each operated with its own command-and-control infrastructure, delivery mechanisms, update schedules, and malspam templates. Epoch 4 and Epoch 5 were tracked as separate campaigns with distinct characteristics, though both shared the core Emotet codebase.
In broad terms, Epoch 4 accounted for the larger share of observed compromises across most deployment environments studied by researchers. Darktrace's analysis of global deployments found Epoch 4 activity spread across manufacturing and supply chain, hospitality and travel, public administration, technology and telecoms, and healthcare verticals. Company size was not a targeting criterion — affected organizations ranged from under 250 employees to over 5,000. Emotet's approach has always been indiscriminate at the initial infection stage, with the loader's value lying in selling access to the most valuable targets downstream rather than selecting them upfront.
Epoch 5 was the more notable of the two for what it delivered. Cryptolaemus researchers tracked Epoch 5 as the botnet actively deploying Cobalt Strike beacons onto infected systems, with connections routed to external team servers for post-exploitation. The E5 infrastructure also employed the SilentBuilder dropper and, per Intrinsec analysis of the November 2022 campaign, the EtterSilent malicious document builder, a tool sold on underground forums that generates Office documents with embedded evasion techniques. C2 communications in both botnets used elliptic curve Diffie-Hellman (ECDH) for key exchange and the elliptic curve digital signature algorithm (ECDSA) for data validation, replacing the earlier RSA-based scheme in which a bot-generated symmetric key was wrapped under a single embedded public key; with session keys negotiated per connection, captured traffic cannot be decrypted without key material recovered from the bot or the server, which complicates analysis of intercepted C2 sessions.
Technical Upgrades in the New Architecture
The version of Emotet that returned in November 2021 was not a simple reload of the pre-takedown codebase. Intel 471 documented several significant changes in its initial analysis: a new communication protocol, a new process-checking module, modified obfuscation mechanisms, and the payload now delivered as a DLL executed via rundll32.exe rather than a standalone executable. The DLL format, combined with algorithmically generated filenames, made signature-based detection harder to sustain.
The C2 infrastructure itself reflected a lesson learned from the 2021 disruption. Rather than maintaining stable long-term server infrastructure — the kind that can be seized in coordinated action — the new architecture favored short-burst availability. SentinelOne researchers tracking C2 servers for the new variant found individual servers remaining active for only one to four days at a time, with extended gaps between sessions. This pattern limits the window for blocklisting and disrupts investigations that depend on persistent infrastructure. Multiple hardcoded C2 URLs in each dropper provided failover logic, and rapid DNS record changes allowed IP rotation without modifying the malware samples.
Emotet's polymorphic design generates different file hashes for samples distributed through its botnets — a technique sometimes called hashbusting. Combined with short-lived C2 infrastructure and algorithmically generated filenames, hash-based and IP blocklist-based detections have limited shelf life. Organizations relying primarily on these controls will see rapid degradation in coverage as campaign artifacts rotate.
Persistence varied based on user privilege. On unprivileged systems, the payload creates a Registry Run key for persistence on logon (HKCU\Software\Microsoft\Windows\CurrentVersion\Run). On administrator-privileged systems, it installs as a Windows service. In both cases the payload copies itself to a new path — either %WINDIR%\SysWoW64 or %LOCALAPPDATA% — under an algorithmically generated name before establishing persistence, making the original execution path a dead end for incident responders who don't follow the copy chain.
The malware's module roster in the resurgence included a spam module for propagating further infections, an Outlook scraper using the Messaging API to harvest contacts and email addresses, browser credential stealers, a MailPass View module extracting stored credentials from email clients, and web injection capabilities for intercepting banking sessions. The combination of credential harvesting, address book scraping, and high-volume spam generation made each infected host a self-sustaining infection vector.
Delivery Mechanism Evolution
Emotet's original delivery relied on macro-enabled Word and Excel documents attached to malspam. The resurgence maintained this core approach but introduced several adaptations in response to evolving platform defenses — particularly Microsoft's February 2022 announcement that it would begin blocking VBA macros by default in Office documents downloaded from the internet, a change that went into effect in mid-2022.
The thread hijacking technique, which Emotet had used prior to the 2021 takedown, returned immediately in November 2021 and remained the primary delivery method throughout the Epoch 4/5 period. Thread hijacking involves using email messages stolen from the Outlook accounts of previously infected machines to craft replies that appear to continue legitimate conversations. Recipients receive what looks like a reply from a known contact in an existing thread — a context that significantly reduces suspicion and increases the likelihood of opening an attachment or clicking a link.
As Microsoft's macro restrictions began rolling out in 2022, researchers tracked Emotet experimenting with alternative delivery formats: OneDrive URLs hosting ZIP files containing Microsoft Excel Add-in (.XLL) files, which are native DLLs loaded by Excel and run code without any VBA, so the VBA macro block does not apply to them; password-protected ZIP archives containing malicious documents, which mail gateways cannot open for inspection; and ISO image files, because at the time files copied out of a mounted ISO did not inherit the Mark-of-the-Web that triggers macro blocking (Microsoft changed this behaviour in a November 2022 update). Cisco Talos observed a November 2022 campaign where Emotet was still using XLS documents but instructing victims to copy the file to a trusted local folder such as the Office Templates directory — a social engineering workaround designed to move the file out of the scope of macro protection policies.
One particularly notable evasion technique observed in 2023 campaigns was binary padding. Malicious ZIP attachments contained Word documents inflated to over 500 MB via binary padding — deliberately oversized to exceed the file size limits of many scanning and endpoint protection tools, which skip analysis of files above a configured threshold. The ZIP file itself compressed to around 600 KB for email delivery, then decompressed to a size that many security products would decline to scan.
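The check a scanner needs to make before any size-based skip can be written directly. The following is an added example, not code from the original article or from any vendor product: it builds a scaled-down constructed ZIP (a few megabytes of padding rather than 500 MB, so it runs in seconds) and then flags members whose stored size is far larger than their compressed size and whose tail is one long run of a single byte value. The thresholds, the helper names, and the assumption that the filler is a single repeated byte are this example's own.

```python
import hashlib
import io
import zipfile


def build_padded_zip(doc_body: bytes, pad_len: int, name: str = "invoice.doc") -> bytes:
    """Constructed sample: a small document body followed by pad_len null bytes,
    stored DEFLATE-compressed in a ZIP, mimicking the oversized attachments above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, doc_body + b"\x00" * pad_len)
    return buf.getvalue()


def pseudo_random_bytes(n: int) -> bytes:
    """Deterministic, incompressible filler for the benign sample (SHA-256 counter stream)."""
    out = bytearray()
    for i in range(n // 32 + 1):
        out += hashlib.sha256(i.to_bytes(4, "big")).digest()
    return bytes(out[:n])


def trailing_pad_fraction(data: bytes) -> float:
    """Fraction of the file occupied by a trailing run of whatever byte value ends it.
    Keying on the last byte rather than assuming 0x00 also catches 0xFF or any other
    constant filler (assumption: the padding is one repeated byte value)."""
    if not data:
        return 0.0
    run = len(data) - len(data.rstrip(data[-1:]))
    return run / len(data)


def inspect_zip(zip_bytes: bytes, min_ratio: float = 20.0, min_pad: float = 0.5) -> list:
    """Return one finding per member. A member is 'padded' when it both compresses
    unusually well (stored/compressed >= min_ratio) and ends in a long constant run."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ratio = info.file_size / info.compress_size if info.compress_size else float("inf")
            # The member is decompressed here; run this BEFORE any "skip files over N MB"
            # rule, because triggering that rule is exactly what the padding is for.
            pad = trailing_pad_fraction(zf.read(info))
            findings.append({
                "name": info.filename,
                "stored": info.file_size,
                "compressed": info.compress_size,
                "ratio": round(ratio, 1),
                "pad_fraction": round(pad, 4),
                "verdict": "padded" if ratio >= min_ratio and pad >= min_pad else "ok",
            })
    return findings


if __name__ == "__main__":
    padded = build_padded_zip(b"fake document body", 3_000_000)
    benign = build_padded_zip(pseudo_random_bytes(200_000), 0)  # no trailing run, ratio ~1
    for finding in inspect_zip(padded) + inspect_zip(benign):
        print(finding)
```

Requiring both signals keeps the rule quiet on legitimately compressible files (a text-heavy document compresses well but does not end in a megabyte of one byte), and the ratio test alone is cheap enough to run on the central directory before deciding whether to decompress at all.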
In March 2023, updated Emotet campaigns shifted to Microsoft OneNote attachments — exploiting the fact that OneNote files can embed executable content and were not, at the time, subject to the same macro protection policies as Word and Excel. The technique was short-lived as Microsoft moved to restrict embedded content execution in OneNote, but it illustrated the consistent pattern: each time a delivery vector is blocked, the operators test and deploy an alternative rather than abandoning campaigns.
The Ransomware Pipeline Connection
Understanding why Emotet warranted sustained attention from law enforcement agencies and defenders requires understanding how it fits into the ransomware attack chain. Emotet itself does not deploy ransomware. Its role is initial access and loader — it establishes a foothold, gathers intelligence about the host and network, and delivers secondary payloads. The secondary payloads are where the damage compounds.
The pre-2021 Emotet operation ran a well-documented pipeline: Emotet infection led to TrickBot deployment, which provided reconnaissance and lateral movement capabilities and fed victim information to the Ryuk ransomware operation. SecurityHQ analysts tracking 2022 activity documented a consistent pattern where spikes in Emotet incident data closely correlated with subsequent spikes in ransomware incidents across their SOC environments. The relationship between Emotet activity and downstream ransomware deployment was not coincidental — it was structural.
After the 2021 return, Conti replaced Ryuk as the primary ransomware operator in this chain. Epoch 5's Cobalt Strike deployment represented an even faster path: Cobalt Strike beacons on E5-infected hosts allowed operators to conduct domain reconnaissance, identify high-value targets, move laterally to domain controllers and backup systems, and deploy ransomware — all within a compressed timeline compared to the earlier TrickBot-mediated approach. The interval between initial Emotet infection and ransomware detonation shrank.
Between 2018 and 2020, Emotet facilitated the success of ransomware, and its return in late 2021 is a warning sign for 2022. — Lotem Finkelstein, Head of Threat Intelligence, Check Point
In addition to Cobalt Strike, the Epoch 4/5 era saw Emotet deploying IcedID as a secondary payload — IcedID being a banking trojan-turned-loader that itself feeds into multiple ransomware affiliate programs. The modular, service-based nature of Emotet meant its operators could serve multiple customers simultaneously, with different victims receiving different second-stage payloads depending on which operators had purchased access to their infected systems.
Detection Context for Defenders
Darktrace's analysis of Epoch 4 and Epoch 5 activity documented several network-level behavioral patterns that appeared consistently across affected environments regardless of industry or company size. C2 communications were characterized by SSL connections to infrastructure using self-signed certificates, often with example.com in the certificate issuer field — a pattern that appears in known Emotet samples. Devices initiating these connections also exhibited spam module activity, with high volumes of outbound SMTP connections to external mail servers that were not part of the organization's normal email infrastructure.
The payload download phase typically involved HTTP GET requests to suspicious hostnames — researchers documented connections to infrastructure like www.arkpp.com — retrieving DLL payloads disguised as image files or other non-executable formats. PowerShell was used to both download and execute these payloads, making command-line argument logging a necessary condition for detecting this phase.
- Unusual outbound SMTP connections from workstations that should not be initiating email directly — the spam module generates high volumes of outbound mail from infected hosts
- SSL connections to certificates with anomalous issuer fields, particularly self-signed certs with generic or suspicious common names
- PowerShell spawned from Office processes (winword.exe, excel.exe) — the canonical indicator of a macro-triggered infection chain
- New DLL files with algorithmically generated names appearing in %LOCALAPPDATA% or %WINDIR%\SysWoW64, executed via rundll32.exe
- Registry Run key modifications or new service installations with random-looking names coinciding with any of the above
- Subsequent TrickBot or Cobalt Strike C2 traffic — if Emotet is present, the second-stage payload is the higher-priority detection target
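The indicators above, together with the Run-key persistence described under the technical upgrades section, can be expressed as one correlation pass over endpoint and network telemetry. The following is an added example, not code from the original article or from Darktrace, run over a constructed set of Sysmon-style process, registry and network events plus TLS certificate fields. The host names, paths, addresses, the mail-relay allow-list and the random-name heuristic are all this example's own assumptions; the point is that each rule alone is noisy and the escalation decision comes from several stages of the chain landing on the same host.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs). Fields are a simplified subset of
# Sysmon event ID 1 (process), 13 (registry value set), 3 (network) and a TLS log.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS01",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden -enc SQBFAFgA"},  # UTF-16LE base64 of "IEX"
    {"type": "process", "host": "WS01",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\jdoe\AppData\Local\Xkqzvbwtpr\mcvnhlzfqd.dll",Control_RunDLL'},
    {"type": "registry", "host": "WS01",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Xkqzvbwtpr",
     "details": r'rundll32.exe "C:\Users\jdoe\AppData\Local\Xkqzvbwtpr\mcvnhlzfqd.dll",Control_RunDLL'},
    {"type": "network", "host": "WS01", "dst_ip": "203.0.113.45", "dst_port": 25},
    {"type": "tls", "host": "WS01", "dst_ip": "198.51.100.7", "dst_port": 443,
     "issuer": "CN=example.com", "subject": "CN=example.com"},
    # Benign activity on a second workstation.
    {"type": "process", "host": "WS02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -File backup.ps1"},
    {"type": "process", "host": "WS02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"type": "network", "host": "WS02", "dst_ip": "10.0.0.25", "dst_port": 25},
    {"type": "tls", "host": "WS02", "dst_ip": "13.107.42.14", "dst_port": 443,
     "issuer": "CN=DigiCert TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US",
     "subject": "CN=outlook.office.com,O=Microsoft Corporation"},
]

MAIL_RELAYS = {"10.0.0.25"}  # assumption: the organisation's sanctioned outbound relays
OFFICE_APPS = {"winword.exe", "excel.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
STAGING_DIRS = re.compile(r"\\AppData\\Local\\|\\SysWOW64\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
DLL_ARG = re.compile(r'"?([^"\s,]+\.dll)"?', re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def looks_generated(filename: str) -> bool:
    """Heuristic (assumption): an alphanumeric stem of 8+ characters containing a run of
    four or more consonants is treated as algorithmically generated. Baseline it locally."""
    stem = filename.rsplit(".", 1)[0].lower()
    if len(stem) < 8 or not stem.isalnum():
        return False
    longest = run = 0
    for c in stem:
        run = run + 1 if c.isalpha() and c not in "aeiou" else 0
        longest = max(longest, run)
    return longest >= 4


def office_spawns_shell(e):
    return e["type"] == "process" and basename(e["parent"]) in OFFICE_APPS and basename(e["image"]) in SHELLS


def rundll32_generated_dll(e):
    if e["type"] != "process" or basename(e["image"]) != "rundll32.exe":
        return False
    m = DLL_ARG.search(e["cmdline"])
    return bool(m) and bool(STAGING_DIRS.search(m.group(1))) and looks_generated(basename(m.group(1)))


def run_key_persistence(e):
    return e["type"] == "registry" and bool(RUN_KEY.search(e["target"])) and bool(STAGING_DIRS.search(e["details"]))


def workstation_smtp(e):
    return e["type"] == "network" and e["dst_port"] in (25, 465, 587) and e["dst_ip"] not in MAIL_RELAYS


def suspicious_tls_issuer(e):
    return e["type"] == "tls" and (e["issuer"] == e["subject"] or "example.com" in e["issuer"].lower())


RULES = {
    "office_spawns_powershell": office_spawns_shell,
    "rundll32_generated_dll_in_staging_dir": rundll32_generated_dll,
    "run_key_points_at_staging_dir": run_key_persistence,
    "workstation_direct_smtp": workstation_smtp,
    "self_signed_or_example_com_issuer": suspicious_tls_issuer,
}


def run_detections(events):
    """Map host -> sorted list of rule names that fired on at least one of its events."""
    hits = defaultdict(set)
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                hits[e["host"]].add(name)
    return {h: sorted(r) for h, r in hits.items()}


def triage(hits, threshold: int = 3):
    """Escalate only when several independent stages of the chain are present on one host;
    a single hit (one odd certificate, one SMTP session) is worth a look, not a page-out."""
    return {h: ("escalate" if len(r) >= threshold else "review") for h, r in hits.items()}


if __name__ == "__main__":
    hits = run_detections(SAMPLE_EVENTS)
    for host, verdict in triage(hits).items():
        print(host, verdict, hits[host])
```

Note that the rundll32 and Run-key rules key on the staging directory and the generated name rather than on a hash or a hostname, which is the only part of the chain that survives the hashbusting and C2 rotation described earlier; the hostname www.arkpp.com from the Darktrace write-up would already be stale as a blocklist entry.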
Current Status: Operation Endgame and What Comes Next
Emotet activity declined sharply after March 2023. No new Emotet-related activity was observed in the wild after April 2023, according to The Hacker News reporting on subsequent law enforcement findings. This silence coincided with broader disruption of the malware-dropper ecosystem, including the dismantling of QakBot infrastructure in August 2023.
In May 2024, Operation Endgame — a coordinated action by Europol, Eurojust, and law enforcement agencies from multiple countries — targeted the infrastructure supporting several major malware dropper operations including IcedID, SystemBC, PikaBot, SmokeLoader, Bumblebee, and TrickBot. Four arrests were made and over 100 servers were seized. Emotet's associated infrastructure was included in the action. As of the Operation Endgame announcement, all of Emotet's known C2 servers were offline, and the Feodo Tracker maintained by abuse.ch — which has tracked Emotet C2 infrastructure since its early iterations — reported its datasets empty as a direct result.
Following Operation Endgame, authorities publicly named and sought information about an individual using the handle "Odd" — believed to be the primary operator behind the Emotet infrastructure. Odd is also known by the aliases Aron, C700, Cbd748, Ivanov Odd, Mors, Morse, and Veron. Law enforcement's public disclosure indicated they believe Odd is not working alone and may be active on other projects. No C2 infrastructure has been confirmed active as of this writing, but the operators remain unapprehended and the codebase exists.
The pattern of Emotet's history warrants caution about treating the current silence as permanent. The 2021 takedown was larger in scope than the 2024 action, included arrests in Ukraine, deployed a law enforcement-authored remediation payload to infected machines worldwide — and Emotet was back within ten months. Operation Endgame is a more sustained, multi-phase campaign with psychological pressure elements and ongoing asset seizure, which may prove more durable. But the code exists, the operators are known to be active, and the demand for reliable initial access delivery in the ransomware ecosystem has not diminished.
Key Takeaways
- The Epoch 4/5 infrastructure was technically more sophisticated than its predecessors. Elliptic curve cryptography for C2 communications, DLL delivery via rundll32, polymorphic hashbusting, short-lived C2 server availability, and algorithmically generated filenames all reflected specific lessons learned from the 2021 takedown and from the evolution of defensive tooling.
- Emotet's return was orchestrated by ransomware operators, not just the malware's own developers. The Conti operation played an active role in requesting and facilitating the resurrection. This reflects the degree to which major ransomware groups depend on specialized initial access infrastructure — and will invest in rebuilding it when disrupted.
- Cobalt Strike deployment from Epoch 5 shortened the path from email to ransomware significantly. The previous TrickBot-mediated pipeline had multiple stages and took days to progress. Direct Cobalt Strike deployment on E5 bots allowed operators or their customers to begin domain reconnaissance and lateral movement within hours of initial infection.
- Delivery mechanisms evolved continuously in response to platform defenses. Each time Microsoft or endpoint vendors closed a delivery vector — VBA macro blocking, XLL restrictions, OneNote executable content changes — the operators tested and deployed alternatives. The underlying social engineering remained consistent: thread-hijacked emails from compromised accounts, leveraging existing trust relationships to increase open rates.
- All Emotet C2 infrastructure is currently offline, but the situation is not resolved. Operation Endgame disrupted the network and the operators are under active law enforcement pressure. The primary operator "Odd" remains unapprehended. Given Emotet's history of returning from coordinated disruptions, defenders should maintain detection coverage and not deprioritize Emotet-specific hunting rules based on current inactivity.
Emotet earned its reputation as the world's most dangerous botnet by combining industrial-scale spam delivery, a modular architecture that adapted to any customer's needs, and deeply integrated relationships with the ransomware groups that ultimately monetized its access. The Epoch 4 and Epoch 5 campaigns demonstrated that a determined operator with existing code and criminal infrastructure relationships can rebuild from a major law enforcement action faster than the security community would prefer. Current C2 infrastructure is dark. The operators are not.