
Understanding Emotet Malware

LastPass, published July 30, 2024

The best crime novels often feature thieves who are not only clever and bold, but masters of disguise. By changing their appearance every time they steal someone else’s valuables, it becomes ever more difficult for the police to catch them.  

This approach isn’t limited to human beings making physical, in-person thefts. It can also be incorporated into cyber threats such as the Emotet malware, which has proven just as elusive to law enforcement authorities. 

What Is Emotet?

Emotet falls under the category of a trojan – a form of malware that appears at first as a legitimate piece of software.  

Once it’s been activated, it tends to download or act as a dropper of other malware such as a remote access trojan (RAT). This can create backdoors for cybercriminals to gain increased access to an organization’s systems and data.  

It is also modular in nature, meaning its functionality is delivered in separate components, so it attacks a system in different stages.

Common characteristics and behaviors of Emotet

Just like a worm might make its way through an apple, Emotet tends to spread widely by dropping additional trojans, which carry the attack through by stealing an organization’s data or damaging its IT infrastructure. In some cases, stolen data has been used as leverage to extort payment from the malware’s victims.

Emotet also employs a complex set of command and control servers that are constantly updated and difficult to disrupt. Meanwhile, the malware uses dynamic link libraries (DLLs) that allow it to alter key features and become more difficult to identify. As a result, it has been described as “polymorphic” malware.

Importance of understanding the threat

Unlike some cyber threats that cause a wave of attacks and are then thwarted or neutralized, Emotet has been highly resilient, continuing to pop up over the course of the past 10 years. This makes it particularly important for IT security teams, and even everyday business professionals, to recognize the danger it presents.

How Does Emotet Spread?

Unlike more targeted cyberattacks, Emotet tends to cast its net widely and see where it can gain initial access to an organization’s systems. It's an example of self-propagating malware, where the first order of business is reproducing itself across multiple platforms while remaining undetected. Later, those responsible can trigger the payload to achieve a more specific goal.  

Different propagation methods used by Emotet

In order to gain a persistent presence, Emotet uses spam botnets that spread via e-mail. It can also drop exploits that take advantage of software vulnerabilities without human intervention, accelerating its ability to spread.

Other Emotet propagation methods include using password lists to conduct brute force attacks on a system's credentials.   

Common infection vectors and techniques

Phishing schemes may be one of the oldest tricks in the book, but Emotet is further proof that they work.   

People will receive an e-mail that appears to come from a legitimate source and will contain a link or an attachment, such as a Microsoft Word doc. Downloading the document or clicking on a link, however, allows the trojan to immediately begin infecting the victim’s computer.  

These e-mail messages may appear to be an invoice, a payment notification or anything that compels the recipient to take the next step.  

Besides phishing schemes, cybercriminals have infected an organization with Emotet via credential harvesting, whereby they scrape names and e-mail addresses from directories like Microsoft Outlook. The malware can even be injected into browsers such as Internet Explorer.  

History and Evolution of Emotet

Law enforcement officials haven’t taken the Emotet threat lightly. There was a coordinated international takedown in January 2021 where arrests were made, but the malware reemerged later that year and continued to wreak havoc throughout 2022.  

Origins and development of Emotet

According to Operation Endgame, an international partnership between the FBI, Europol and others, Emotet was created by a cybercriminal known as Odd, who has used a variety of other aliases. Others have suggested the malware was created by a group of threat actors with names ranging from Mealybug and Mummy Spider to simply TA542.   

When it first emerged in 2014, Emotet acted primarily as a banking trojan, infecting financial institutions to steal credit card and account numbers. As a 2023 presentation from the U.S. Office of Information Security notes, however, the malware developed a pattern by 2017 in which attack campaigns were followed by pauses to update and improve itself. 

Notable milestones and versions of the malware

By 2016, Emotet was already on Version 4 and being spread by the RIG 4.0 exploit kit. It began dropping third-party malware in 2017, around the same time it started using PDF attachments in its campaigns. This was followed by versions using password-protected zip files in 2019.   

The Emotet version that emerged in late 2021 had additional capabilities, including changes to the loader, the dropper and the number of command and control servers supporting it. In October 2022, Dark Reading reported that Emotet variations had grown exponentially. A study of execution flows revealed more than 21,000 invocation chains and 139 unique program chains. This made the malware even harder to recognize and allowed for increasingly stealthy attacks.

Insights into Emotet's evolution as a threat

With Emotet, no news is not necessarily good news. As ongoing research and analysis has proven, the malware’s periods of inactivity may just be a precursor to even more advanced attacks to come.  

A 2023 report from The Hacker News, for instance, profiled how Emotet was hiding in Microsoft OneNote attachments to bypass macro-based security measures.   

Emotet's Impact on Individuals and Organizations  

Noteworthy Emotet attacks and their consequences

Germany’s Fürstenfeldbruck district hospital was a high-profile victim of the malware in 2018, when Emotet knocked its computers offline for a week. More recently, the Max Planck Institute for Plasma Physics said in 2022 it had taken one of its systems offline as a protective measure following an Emotet attack.   

Financial and data security risks posed by Emotet

Besides the potential data lost or compromised through Emotet attacks, organizations have suffered significant costs in terms of revenue and expenses associated with getting their systems back online.

While it’s impossible to know the precise number given that many incidents could go unreported, the U.S. Department of Justice has suggested Emotet has led to hundreds of millions of dollars in damages.  

Protecting personal and business information from Emotet

Authorities across North America, Europe and beyond are all working to combat Emotet and apprehend those behind it. However, even with repeated takedowns and arrests, new campaigns are possible and even likely.  

Protecting Yourself Against Emotet

All this should make it clear that safeguarding your systems and data against Emotet is a critical priority. Fortunately, there are several ways to avoid or mitigate the risks.  

Best practices for safeguarding against Emotet infections

Many of these attacks would never have a chance to spread if employees and consumers simply didn’t open attachments or click on the links in unsolicited e-mail messages.  

More people need to understand how phishing schemes work and act accordingly.  

Organizations should also install strong e-mail filters, block suspicious domains and patch vulnerabilities regularly.
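As an added defensive example that is not part of the LastPass post, the following Python script shows the kind of attachment-level check an e-mail filter can apply against the lure types described above: macro-capable Office documents, OneNote notebooks, and zip archives that are password-protected or carry such documents, plus a declared-type/content mismatch (a "PDF" that is really a zip). The sample message, its addresses and the policy lists are constructed assumptions for the example; a production filter would extend the lists and combine this with the domain blocking and patching the post recommends.

```python
"""Attachment policy check for inbound mail (added example, not LastPass code).

Flags the lure types this post associates with Emotet campaigns: macro-capable
Office documents, OneNote notebooks, and zip archives that are password-
protected or contain such documents. Everything below (policy lists, sample
message, addresses) is a constructed assumption for the example.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Constructed policy lists: extensions most organisations should not accept unsolicited.
MACRO_CAPABLE = {".doc", ".docm", ".xls", ".xlsm", ".ppt", ".pptm"}
OTHER_RISKY = {".one", ".lnk", ".js", ".vbs", ".hta", ".exe"}
ARCHIVES = {".zip"}

ZIP_MAGIC = b"PK\x03\x04"
PDF_MAGIC = b"%PDF"


def _ext(name):
    """Lower-cased extension including the dot, or '' when there is none."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def inspect_archive(data):
    """Findings for a zip payload: encrypted entries and risky member files."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                # Bit 0 of the general-purpose flag marks an encrypted entry,
                # i.e. the password-protected archives mentioned above.
                if info.flag_bits & 0x1:
                    findings.append(f"password-protected entry: {info.filename}")
                if _ext(info.filename) in MACRO_CAPABLE | OTHER_RISKY:
                    findings.append(f"risky member: {info.filename}")
    except zipfile.BadZipFile:
        # Declared or magic-detected zip that does not parse: treat as suspicious.
        findings.append("unreadable archive")
    return findings


def inspect_attachment(filename, data):
    """Apply the policy to one attachment and return a list of findings."""
    findings = []
    ext = _ext(filename)
    if ext in MACRO_CAPABLE:
        findings.append(f"macro-capable document: {filename}")
    elif ext in OTHER_RISKY:
        findings.append(f"risky file type: {filename}")
    elif ext in ARCHIVES or data.startswith(ZIP_MAGIC):
        # Also catches archives renamed to an innocuous extension.
        findings.extend(inspect_archive(data))
    if ext == ".pdf" and not data.startswith(PDF_MAGIC):
        findings.append(f"extension/content mismatch: {filename}")
    return findings


def check_message(raw_bytes):
    """Parse an RFC 5322 message and check every attachment it carries."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        findings.extend(inspect_attachment(name, data))
    return findings


def build_sample_message():
    """Constructed sample: an 'invoice' lure carrying a zip with a .docm inside."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("invoice_4471.docm", b"placeholder, not a real document")
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "staff@example.invalid"
    msg["Subject"] = "Invoice 4471 - payment overdue"
    msg.set_content("Please see the attached invoice and settle it today.")
    msg.add_attachment(inner.getvalue(), maintype="application",
                       subtype="zip", filename="invoice_4471.zip")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="terms.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in check_message(build_sample_message()):
        print("QUARANTINE:", finding)
```

Run stand-alone, the script reports the macro-enabled document hidden inside the zip while leaving the genuine PDF alone. Checking the archive's contents rather than only its extension matters because, as the post notes, Emotet campaigns moved from bare documents to password-protected zip files; the encryption-flag check cannot open such an archive, but it can still quarantine it.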

Using strong passwords and secure authentication methods

Passwords should never be easy to guess, especially when they may be harvested by third parties. A password manager like LastPass makes this easier, even if employees are using a host of credentials to access essential applications.   

Utilizing reliable security software and keeping it up to date

Intrusion detection products, firewalls and security information and event management (SIEM) platforms can all keep trojans at bay. However, organizations should always have the latest versions installed.

Reporting Emotet Incidents

Informing law enforcement authorities about an attack isn’t just a way to get help in an emergency. It also contributes to a growing knowledge base about how these threat actors operate, which can reduce the risk for other organizations.

How to report Emotet-related incidents or suspicious activity

It may not always be clear whether an incident was caused by Emotet or not. Focus on providing information such as indicators of compromise (IOCs), the estimated degree of data loss and any unexpected changes in network traffic or other anomalies.   

Contacting law enforcement or cybersecurity authorities

Most countries have some kind of hub for reporting cybercriminal activity. In the U.S., for instance, incidents can be directed to the Internet Crime Complaint Center (IC3).

Contributing to the fight against Emotet

Complement the background you’ve gained through this post by making use of the best available technology to keep organizational systems well protected: start your LastPass trial today.

FAQ

Is Emotet still active?

Currently, there’s no credible evidence pointing to Emotet activity in 2025. However, given its history of adaptability and persistence, the trojan may reappear in another mode or in partnership with other malware operations.

Notably, Emotet returned to the threat landscape in September and November 2022 after the international takedown of its global botnet infrastructure in 2021.

In September 2022, it was observed dropping ransomware like Quantum and BlackCat, and in November 2022, it appeared again, dropping malicious payloads like IcedID and Bumblebee.

How does Emotet spread?

Emotet primarily spreads through spam or phishing emails that contain malicious links. When those links are clicked, they deploy the Emotet payload. Emotet can also spread by brute forcing systems and infecting multiple endpoints across a network.
