Emotet botnet surges back after months of absence

Pierluigi Paganini July 18, 2020

After months of inactivity, the infamous Emotet trojan has surged back with a new massive spam campaign targeting users worldwide.

The notorious Emotet had been dark since February 2020, but it has now surged back with a new massive spam campaign targeting users worldwide.

The Emotet banking trojan has been active since at least 2014; the botnet is operated by a threat actor tracked as TA542.

In 2019, security experts had not detected any activity associated with Emotet since early April, when researchers at Trend Micro uncovered a malware campaign distributing a new Emotet Trojan variant that compromises devices and uses them as proxy C2 servers.

Emotet re-appeared on the threat landscape in August 2019 with an active spam distribution campaign. At the time, Malwarebytes observed the Trojan starting to pump out spam; the messages initially targeted users in Germany, Poland and Italy, and also the US. The campaign continued, targeting users in Austria, Switzerland, Spain, the United Kingdom, and the United States.

Security experts consider Emotet one of the most active botnets of 2019.

“Today, Emotet suddenly surged back to life with reply-chain, shipping, payment, and invoice spam that deliver malicious Word documents spreadsheets.” states BleepingComputer.

#Emotet AAR for 2020/07/17- Well played Ivan, I don't usually do a Friday report but I did one just for you <3. Actually surprised there were not more changes today in this campaign but it was a lot of the same. I did get some malspam here but it was all filtered. TNW and Be safe! https://t.co/bQvxIwNBpP

— Joe Roosen (@JRoosen) July 18, 2020

Malware researcher Joseph Roosen confirmed that limited activity associated with the botnet was observed earlier this week, when the botnet operators were using weaponized documents employing old URLs.

Roosen added that the Emotet botnet is now spewing forth massive amounts of spam employing new URLs pointing to compromised WordPress sites.

According to researchers from Cofense Labs, most of the recent spam messages use the subject “Jobs GO,” while a few use “Expedia Payment Remittance Advice” or requests for W-9 templates.

Other samples analyzed by the researchers use bait documents that pose as a shipping document from Loomis-express.com.

Researchers from Cryptolaemus, a group of experts focused on analyzing Emotet, also confirmed Emotet’s resurrection. Other research groups also observed the botnet's resurgence:

Looks like Emotet is back in town 🔥

👉 https://t.co/fkDITyH9GT https://t.co/7DgiwZQlJN

— abuse.ch (@abuse_ch) July 17, 2020

Emotet resurfaced in a massive campaign today after being quiet for several months. The new campaign sports longtime Emotet tactics: emails carrying links or documents w/ highly obfuscated malicious macros that run a PowerShell script to download the payload from 5 download links pic.twitter.com/FZJqDCJQGV

— Microsoft Threat Intelligence (@MsftSecIntel) July 17, 2020

#Emotet spinning up their business. New spam modules being pushed and new spamwaves coming in from both Epoch 2 and 3. Either attached a doc or a mallink. Current Emotet tier-1 C&C geolocation attached. pic.twitter.com/vUTuf9v0GM

— Peter Kruse | Cybercrime Research (@peterkruse) July 17, 2020

Researchers from Malwarebytes also published a post containing details of the recently observed Emotet activity.

“It was never a question of ‘if’ but ‘when’. After five months of absence, the dreaded Emotet has returned. Following several false alarms over the last few weeks, a spam campaign was first spotted on July 13 showing signs of a likely comeback,” reads the post published by Malwarebytes.

“The Emotet botnets started pushing malspam actively on Friday, July 17, using the same techniques as it employed previously. Malicious emails contain either a URL or an attachment.”

Once the victim enables the macro, WMI launches PowerShell to retrieve the bot binary from one of the remote compromised websites.
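The chain described above leaves a detectable trace: a process created through WMI runs as a child of WmiPrvSE.exe rather than of Word. The following triage sketch is an added example, not code from the article or the cited researchers; the event field names, hosts and URLs are constructed for illustration.

```python
import base64
import re

def _enc(script):
    # PowerShell's -EncodedCommand takes base64 of the UTF-16LE script text.
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed process-creation records; hosts, URLs and field names are illustrative.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"host": "ws-01", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "image": PS,
     "cmdline": "powershell -w hidden -enc " + _enc(
         "$u=@('http://site-a.example/wp-admin/x/','http://site-b.example/wp-content/y/')")},
    {"host": "ws-02", "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1"},
    {"host": "ws-03", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]

# -EncodedCommand may be abbreviated (-e, -enc, ...); require a long base64 run after it.
ENC_FLAG = re.compile(r"\s[-/]e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)
URL = re.compile(r"""https?://[^\s'",)]+""", re.I)

def decode_command(cmdline):
    """Return the decoded script if the command line carries an encoded command."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # covers bad base64 and bad UTF-16
        return cmdline

def triage(events):
    """Alert on PowerShell whose parent is the WMI provider host; list any URLs."""
    alerts = []
    for ev in events:
        parent = ev["parent"].rsplit("\\", 1)[-1].lower()
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if parent != "wmiprvse.exe" or image not in ("powershell.exe", "pwsh.exe"):
            continue
        script = decode_command(ev["cmdline"])
        urls = URL.findall(script)
        alerts.append({"host": ev["host"], "encoded": script != ev["cmdline"],
                       "urls": urls, "severity": "high" if urls else "medium"})
    return alerts
```

Legitimate management tooling also starts PowerShell through WMI, so the decoded URLs and the encoded flag are what separate a download cradle from routine administration.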

The news that Emotet is back is alarming for security experts because the operators behind the threat have also used their botnet to deliver other threats. For this reason, it is very important to share any information related to recent attacks to prevent them from targeting organizations worldwide.


Pierluigi Paganini

(SecurityAffairs – hacking, botnet)
