• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Qantas data breach impacted 5.7 million individuals

 | 

DoNot APT is expanding scope targeting European foreign ministries

 | 

Nippon Steel Solutions suffered a data breach following a zero-day attack

 | 

Iranian group Pay2Key.I2P ramps Up ransomware attacks against Israel and US with incentives for affiliates

 | 

Hackers weaponize Shellter red teaming tool to spread infostealers

 | 

Microsoft Patch Tuesday security updates for July 2025 fixed a zero-day

 | 

Italian police arrested a Chinese national suspected of cyberespionage on a U.S. warrant

 | 

U.S. CISA adds MRLG, PHPMailer, Rails Ruby on Rails, and Synacor Zimbra Collaboration Suite flaws to its Known Exploited Vulnerabilities catalog

 | 

IT Worker arrested for selling access in $100M PIX cyber heist

 | 

New Batavia spyware targets Russian industrial enterprises

 | 

Taiwan flags security risks in popular Chinese apps after official probe

 | 

U.S. CISA adds Google Chromium V8 flaw to its Known Exploited Vulnerabilities catalog

 | 

Hunters International ransomware gang shuts down and offers free decryption keys to all victims

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 52

 | 

Security Affairs newsletter Round 531 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

North Korea-linked threat actors spread macOS NimDoor malware via fake Zoom updates

 | 

Critical Sudo bugs expose major Linux distros to local Root exploits

 | 

Google fined $314M for misusing idle Android users' data

 | 

A flaw in Catwatchful spyware exposed logins of +62,000 users

 | 

China-linked group Houken hit French organizations using zero-days

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Cyber Crime
  • Hacking
  • Malware
  • New Emotet botnet is rapidly growing, with +130K unique bots spread across 179 countries

New Emotet botnet is rapidly growing, with +130K unique bots spread across 179 countries

Pierluigi Paganini March 10, 2022

A few months after its return the Emotet botnet has already infected over 130,000 unique bots spread across 179 countries.

The Emotet botnet continues to grow and has infected approximately 130,000 hosts since its resurrection in November 2021.

Early 2021, law enforcement and judicial authorities worldwide conducted a joint operation, named Operation Ladybird, which disrupted the EMOTET botnet. At the time the investigators have taken control of its infrastructure in an international coordinated action. 

This operation was the result of a joint effort between authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine, with international activity coordinated by Europol and Eurojust.

The law enforcement agencies were able to take over at least 700 servers used as part of the Emotet botnet’s infrastructure. The FBI collected millions of email addresses used by Emotet operators in their malware campaigns as part of the cleanup operation.

The Emotet banking trojan has been active at least since 2014, the botnet is operated by a threat actor tracked as TA542. The infamous banking trojan was also used to deliver other malicious code, such as Trickbot and QBot trojans, or ransomware such as Conti, ProLock, Ryuk, and Egregor.

In November 2021 researchers from multiple cybersecurity firms ([Cryptolaemus], [GData], and [Advanced Intel]) reported that threat actors were using the TrickBot malware to drop an Emoted loader on infected devices. The experts tracked the campaign aimed at rebuilding the Emotet botnet using TrickBot’s infrastructure as Operation Reacharound.

Since its report Emotet operators have amassed an impressive number of infected systems, researchers from Lumen’s Black Lotus Labs reported.

Researchers pointed out that the new Emotet botnet supports new features to avoid detection and analysis, such as the use encryption for network traffic and the separation of the process list into its own module.

The new version uses elliptic curve cryptography (ECC), with a public key to perform the encryption and a separate algorithm that is used to perform data validation.

The new version is also able to gather additional information about the infected host. Experts also reported significant growth of the C2 pool late February through March 4.

“While Black Lotus Labs tracked more than 300 unique Emotet C2s in May of 2019, the number of unique C2s in the roughly four months since the resurgence is roughly 200. As Figure 2 reflects, when Emotet came back online in November 2021, it did so with a smaller, but relatively consistent pool of Tier 1 C2s.” reads the report published by the experts. “Over the last few months, the C2 pool has continued to grow to an average of 77 unique Tier 1 C2s per day from late February through March 4.”

Emotet botnet C2 growth

One of the most important features in the new Emotet infrastructure is the apparent absence of Bot C2s, which are bots that would receive a UPnP module that enabled an infected device to act as a C2 by opening a port on the user’s router that would then allow it to proxy traffic from Emotet bots to a higher-tier C2.

Most of the Emotet C2s are located in the United States and Germany, the rest of the list of top 10 countries by volume of C2s includes France, Brazil, Thailand, Singapore, Indonesia, Canda, United Kingdom and India.

“The growth and distribution of bots is an important indicator of Emotet’s progress in restoring its once sprawling infrastructure. Each bot is a potential foothold to a coveted network and presents an opportunity to deploy Cobalt Strike or eventually be promoted to a Bot C2.” Black Lotus Labs concludes.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Emotet)

[adrotate banner=”5″]

[adrotate banner=”13″]


facebook linkedin twitter

botnet EMOTET Hacking hacking news information security news IT Information Security Pierluigi Paganini

you might also like

Pierluigi Paganini July 10, 2025
Qantas data breach impacted 5.7 million individuals
Read more
Pierluigi Paganini July 10, 2025
DoNot APT is expanding scope targeting European foreign ministries
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Qantas data breach impacted 5.7 million individuals

    Data Breach / July 10, 2025

    DoNot APT is expanding scope targeting European foreign ministries

    APT / July 10, 2025

    Nippon Steel Solutions suffered a data breach following a zero-day attack

    Data Breach / July 09, 2025

    Iranian group Pay2Key.I2P ramps Up ransomware attacks against Israel and US with incentives for affiliates

    Malware / July 09, 2025

    Hackers weaponize Shellter red teaming tool to spread infostealers

    Malware / July 09, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT