Threat actors are hijacking the infamous Emotet botnet

Pierluigi Paganini July 25, 2020

A sort of vigilante is attempting to disrupt the operations of the Emotet botnet by hacking the supply chain of the malware.

Someone is attempting to sabotage the operations of the Emotet botnet by replacing the Emotet payloads with animated GIFs, in this way the victims will not be infected with the bot.

The mysterious activity was observed in the past few days, the hackers targeted the Emotet’s distribution channel composed of compromised websites used to host the malicious payloads distributed by Emotet operators.

Once the victims of these campaigns will open a weaponized attachment and the embedded macros are executed, instead of retrieving the Emotet malware payload from compromised sites, it will retrieve the GIFs images and memes.

Experts noticed that the alleged vigilante used images of James Franco and Hackerman meme replacing the original Emotet payload.

“There is an ongoing battle for the control of the Emotet shells that drop maldocs/malware on T1 Distro sites. Someone is altering them to serve up Imgur gifs instead of malware,“ tweeted Joseph Roosen, a member of the Cryptolaemus group of researchers fighting Emotet.

There is an ongoing battle for the control of the Emotet shells that drop maldocs/malware on T1 Distro sites. Someone is altering them to serve up Imgur gifs instead of malware. It will likely result in long term changes to lock down the shells more but short term it is funny.
— Joe Roosen (@JRoosen) July 22, 2020

The Emotet operators leverage web shells to manage compromised servers, experts noticed that the ones used by the crooks are open-source scripts using all the same password.

This circumstance could allow threat actors that guess the password to take over the infrastructure used by the Emotet operators.

https://twitter.com/GossiTheDog/status/1210520720222097408

The popular cybersecurity researcher Kevin Beaumont observed that about a quarter of the payloads he checked had been replaced with GIF images.

The replacement of the Emotet malware payload was quick, is some cases the GIFs have been uploaded in less than an hour since Emotet planted them.

https://twitter.com/GossiTheDog/status/1286271503005290497

“From tracking, the replacements generally happen within a few minutes of Emotet updating their botnet. Around a quarter of all malware is getting replaced.” wrote Beaumont in a post. “This suggests a few possibilities:

Emotet themselves are doing this.
Other threat actors are doing this to sabotage Emotet.
Security researchers are doing it.“

According to Roosen, the Emotet gang is aware of the attack against its infrastructure and on Thursday it has shut down the botnet likely to look out the attacker from its web shells.

“Since Ivan [the admin of Emotet] was having technical difficulties today, the hashes are way down and we barely saw much of anything,” Roosen wrote.

Roosen pointed out that Emotet likely implements alternative methods to drop the web shells, this means that its operators could regain access to the compromised sites used for the malware distribution.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Emotet botnet)

[adrotate banner=”5″]

[adrotate banner=”13″]

EMOTET Hacking malware

Pierluigi Paganini July 04, 2025

Google fined $314M for misusing idle Android users' data

Pierluigi Paganini July 04, 2025