Emotet Botnet dismantled in a joint international operation

Pierluigi Paganini January 27, 2021

A global operation of law enforcement has dismantled the infrastructure of the infamous Emotet botnet.

A global operation of law enforcement, lead by Europol, has dismantled the infrastructure of the infamous Emotet botnet.

The Emotet banking trojan has been active at least since 2014, the botnet is operated by a threat actor tracked as TA542. In the middle-August, the malware was employed in fresh COVID19-themed spam campaign

Recent spam campaigns used messages with malicious Word documents, or links to them, pretending to be an invoice, shipping information, COVID-19 information, resumes, financial documents, or scanned documents.

The infamous banking trojan is also used to deliver other malicious code, such as Trickbot and QBot trojan or ransomware such as Conti (TrickBot) or ProLock (QBot).

Emotet is a modular malware, its operators could develop new Dynamic Link Libraries to update its capabilities.

At the end of 2020, a large-scale Emotet campaign hit Lithuania, the malware infected the networks of Lithuania’s National Center for Public Health (NVSC) and several municipalities.

“Law enforcement and judicial authorities worldwide have this week disrupted one of most significant botnets of the past decade: EMOTET. Investigators have now taken control of its infrastructure in an international coordinated action.” reads the announcement published by Europol. “This operation is the result of a collaborative effort between authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine, with international activity coordinated by Europol and Eurojust. This operation was carried out in the framework of the European Multidisciplinary Platform Against Criminal Threats (EMPACT).”

According to Europol, Emotet’s infrastructure was composed of several hundreds of servers worldwide having different functionalities. The C2 infrastructure allowed operators to manage infected systems that were involved in malware distributions and in the provisioning of malicious services to criminal groups.

Law enforcement agencies and judicial authorities took control of the infrastructure from the inside, and bots are now redirected to the C2 infrastructure under the control of law enforcement.

The Dutch National Police’s as part of the criminal investigation discovered a database containing email addresses, usernames, and passwords stolen by the bots. You can check if your email address is included in the database here.

“As part of the global remediation strategy, in order to initiate the notification of those affected and the cleaning up of the systems, information was distributed worldwide via the network of so-called Computer Emergency Response Teams (CERTs),” continues the press release.


The National Police of Ukraine published a video showing a house search performed by its agents that seized computers, hard drives, and large amounts of money along with gold bars.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Emotet)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment