
Redazione RHC : 13 November 2025 13:59
Emotet is a Trojan horse that began spreading in 2014 and earned a place among the main cyber threats of the decade, affecting over 1.6 million devices.
Emotet, a product of the MealyBug criminal organization, was initially used to steal banking credentials. Once installed, the malware could download various modules for data exfiltration.
Some of these modules used brute-force algorithms to recover passwords on the infected device, searching among those saved by the browser and elsewhere on the machine.
During its evolution, given how efficiently the Trojan spread, it was reconfigured to allow different payloads to be downloaded onto infected machines, drastically increasing its dangerousness and moving it from the role of a simple Trojan horse to the far more threatening one of a modular Trojan-dropper.

Furthermore, to increase the organization’s profits, the botnets built with the infamous Trojan were subsequently rented out on the dark web, placing it in the Malware-as-a-Service category. These infrastructures were rented to many other criminal organizations, including the Ryuk cybergang.
In later versions, where it acted as a dropper, the malware downloaded and installed other malware on the victim device, including the infamous TrickBot, Qbot and Conti.
The danger of this malware stems mainly from its key characteristic: its polymorphism. This means that the malware’s fingerprint, the sequence of bytes that uniquely identifies it, changes with each infection because the malware re-encrypts its code, making it difficult even for traditional antivirus programs to detect the compromise.

Initially, it was spread via spam email. Once installed, it would search Outlook for contacts classified as family, friends and work, and then send emails to those contacts, often using the subject line “RE:” followed by the title of a previously received email.
Note that the emails were written to appear genuine and contained a Word file that, once downloaded and opened, prompted the user to enable macros (Figure 2), so that the code hidden within the file was executed and installed on the new machine.
However, as often happens with other malware, Emotet does not always spread in the same way: cases have been reported of diffusion through Excel files, LAN networks and e-mails, always relying on the execution of external programs and, more generally, of files with the extensions .doc, .docx, .xls and .xlsx, or password-protected .zip archives sent as attachments.
In the specific case of Italy, malicious emails referencing the Ministry of Economic Development, coronavirus-themed spam and the recent crisis in Ukraine have been reported (Figure 3).
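As an added example (not part of the original article), the following mail-triage check flags messages matching the lure pattern described above: a reply-hijacked “RE:” subject reusing a subject the mailbox had genuinely received, combined with an Office document or a password-protected .zip attachment. The `Mail` record, its fields and the sample messages are constructed for illustration; the `zip_encrypted` flag is assumed to come from an attachment scanner.

```python
"""Flag mail metadata that matches the Emotet lure pattern: a thread-hijacked
"RE:" subject carrying an Office document or an encrypted .zip attachment."""
import re
from dataclasses import dataclass

# Attachment extensions the article lists for Emotet campaigns.
OFFICE_EXT = {".doc", ".docx", ".xls", ".xlsx"}

@dataclass
class Mail:                 # constructed record, not a real mail format
    sender: str
    subject: str
    attachment: str         # attachment file name, "" if none
    zip_encrypted: bool     # assumed flag from an attachment scanner

def is_thread_hijack(subject: str, seen_subjects: set[str]) -> bool:
    """'RE:' prefix over a subject that was genuinely in the mailbox earlier."""
    m = re.match(r"^\s*(?:RE|R):\s*(.*)$", subject, re.IGNORECASE)
    return bool(m) and m.group(1).strip().lower() in seen_subjects

def risky_attachment(mail: Mail) -> bool:
    """Office document, or a .zip the scanner reports as password-protected."""
    name = mail.attachment.lower()
    ext = name[name.rfind("."):] if "." in name else ""
    if ext in OFFICE_EXT:
        return True
    return ext == ".zip" and mail.zip_encrypted

def score(mail: Mail, seen_subjects: set[str]) -> list[str]:
    """Return the reasons a mail looks like an Emotet lure (empty = clean)."""
    reasons = []
    if is_thread_hijack(mail.subject, seen_subjects):
        reasons.append("reply-hijacked subject")
    if risky_attachment(mail):
        reasons.append("office-or-encrypted-zip attachment")
    return reasons

# Constructed sample: subjects previously received by this mailbox.
SEEN = {"invoice q3", "team lunch"}
SAMPLE = [
    Mail("partner@example.com", "RE: Invoice Q3", "Invoice_Q3.doc", False),
    Mail("hr@example.com", "Team lunch", "menu.pdf", False),
    Mail("unknown@example.net", "RE: Team lunch", "docs.zip", True),
]

def triage(mails=SAMPLE, seen=SEEN):
    """Map each subject to the list of reasons it was flagged."""
    return {m.subject: score(m, seen) for m in mails}

if __name__ == "__main__":
    for subj, why in triage().items():
        print(subj, "->", why or "clean")
```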

As you might imagine, the criminal organization behind this malware does not send the Trojan out from its own computers; in most cases it uses botnets, large groups of compromised devices connected via the Internet to network infrastructures under the criminals’ control.
In Emotet’s case these are referred to as Epochs: the term designates a distribution botnet together with the physical network infrastructure that manages it, and each Epoch is identified by a number.
Epochs 1, 2 and 3 were the distribution botnets that remained very active until 2021, the year in which a joint operation by the authorities of Germany, the Netherlands, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine, coordinated through Europol and Eurojust, blocked and dismantled the infrastructures supporting the identified criminal networks.

This operation rendered the Trojan harmless inside the infected computers, making the malware no longer usable for its “tasks”, and a large number of cybercriminals linked to these networks were arrested.
Later, Operation LadyBird exploited Emotet’s own dropper functionality to push a module, implemented by law enforcement, containing an automated uninstallation procedure to all infected computers.
In November 2021 there was an “Emotet resurrection”, as cybercriminal groups began rebuilding the Trojan’s networks through new spam email campaigns, giving rise to Epochs 4 and 5.
The main feature that differentiates these new botnets from the previous ones is that the Emotet infection now brought with it the activation of a Cobalt Strike beacon.
Cobalt Strike is a tool used in cybersecurity to simulate adversary activity on a network. Through the installation of a beacon, it allows command execution, data exfiltration, privilege escalation and lateral movement.
In this new version, once the beacon is installed, the Emotet payload attempts to locate a domain controller and Active Directory credentials in order to spread to all computers on the network, thus speeding up its diffusion and the rebuilding of the botnets.
In this specific case, network administrators may instead resort to methods such as: