Dawn of the undead king of malware, Emotet

Post hero image

Table of contents

See Hoxhunt in action
Drastically improve your security awareness & phishing training metrics while automating the training lifecycle.
Get a Demo

Maybe you’re sick of hearing about Emotet after all the controversy and the headlines. It's dead and gone. Why beat a dead horse? Well, when it rises from the grave, as it appears this undead king of malware, Emotet, has done, its worth ringing a few alarm bells. Read on to see how to stay off the hook!

Ding-dong the botnet king of malware is dead!

January rang in 2021 with one piece of great news: Ding-dong, the botnet king is dead! Investigators and law enforcement teamed up and gained control of the infrastructure of the infamous Emotet, taking it down from the inside.

Emotet, “The king of malware,” is one of the decade’s most destructive botnets. The long-suffered banking trojan’s original mission was to infect as many devices as possible and spy on sensitive private data. Later it became used mainly to deliver other malware, like ransomware.After dismantling Emotet, law enforcement released an update to it that would remove the malware from all infected devices. This sparked some controversy, since the police were acting without consent to remove files from millions of devices. Sure, the targeted files were malicious, but what if something went wrong?The controversy eventually died down, and Emotet appeared dead and buried. And then it rolled in its grave. Several months later, threat analysts at Hoxhunt started reporting on a new phishing campaign very similar to the one we saw spreading Emotet.

How Emotet works

Here's a quick recap on how Emotet used email accounts to spread malware. Once inside a compromised account, Emotet digs out old message chains and replies to them with a short text and a malicious attachment. The email chains used were often very old, sometimes from years prior. The text is sometimes translated to the language that is already present in the email chain, but most often in English. Here’s a sample text from one real Emotet email.

Undead malware king Emotet text


This text replied to an email chain that was active two years prior. The email chain happened to discuss a document that was being worked on by multiple colleagues. Recipients of this attack would see the sender as someone they have previously worked with, replying to an email chain they might still recognize as safe. The result is deceptively real.The malicious attachment was most often a word document containing malicious macros or a malicious link leading to the download of the malware. Once a new machine was infected, the malware was like a toxic zombie bite, spreading further with each account’s contacts and email chains. Its enormous destructive power earned Emotet malware the title, “The King of Malware.”

The malware zombie

We’ve been monitoring the new campaign for a while now. Differing from the original campaign, the language seems to almost always be the same that is already present in the emails, defaulting to English. The texts also have much more variety, ranging from reports and documents to meeting information and invoices.There is no added attachment this time. Now all the texts aim to make the victim click a link leading to a compromised site, which automatically initiates download of a zip file containing malicious content. The issue of replying to very old emails is not fixed; we’ve seen cases where the malware has unearthed emails from as far back as 2017.Speaking of alarm bells, this should ring a few. The new campaign has lost an element of trust-building. The current iteration lacks signatures of compromised emails, as opposed to the old Emotet emails.

How to stay safe

Here are some tips on how to keep the zombie king of malware from shambling into your account. When receiving an email asking to download some files, check the URL of the link. If the link leads to some weird site like campingwithhorsesbythefireplace.com instead of the usual filesharing service used by your company, check with the sender via another channel whether they really have shared the files. This does not mean that all files shared via the usual file-sharing service you use are safe though!

Undead malware king Emotet text 2


While the malicious texts have a lot of variety, and sometimes might work spot on with the content found in the real email, most of the time it does not completely add up. It is good to be a bit suspicious!

Here are some examples of the undead king of malware at work:

Undead malware king Emotet text

Hoxhunt response

Our Threat Analysis Team examines tens of thousands of reported phishing emails, including ones like these, a week–and have captured tens of millions of threats to date. They cluster the threats, rate them, and incorporate the nasty ones into our training simulations in real time to ensure our training stays at the cutting edge of the constantly-evolving threat landscape. Hoxhunt users are thus drilled on spotting and reporting the latest actual threats making the rounds, removing potentially catastrophic threats from your system with every push of the Hoxhunt reporting button. Read more to learn how to equip your employees with the awareness training that will protect your company from phishing scams.

Want to learn more?
Be sure to check out these articles recommended by the author:
Get more cybersecurity insights like this