Emotet Surges Back to Life After Five-month Hiatus


Emotet, the most active spamming trojan of 2019, is back on the cybercriminal field following five months of inactivity. On Friday, July 17, online news site ZDNet reported the malware’s comeback, saying Emotet has spewed out spam emails worldwide.

First appeared in 2014, Emotet is originally a banking trojan designed to infect computers and steal sensitive and private information from victims. Later, it evolved to included spamming and malware delivery services. It is spread primarily spread through spam emails that contain macro-enabled documents and uses functionality to prevent detection and analysis by some anti-malware products.


ZDNet described it to be “the largest, most active, and sophisticated cybercrime operation.”

Emotet Surges Back to Life

“The Emotet gang operates an email spam infrastructure that it uses to infect end-users with the Emotet trojan. It then uses this initial foothold to deploy other malware, either for its own interest (such as deploying a banking trojan module) or for other cybercrime groups who rent access to infected hosts (such as ransomware gangs, other malware operators such as Trickbot, etc.),” the news site explained.


“Due to its close ties to ransomware gangs, in some countries such as Germany or the Netherlands, Emotet is treated with the same level of urgency as a ransomware attack. Companies and organizations that find an Emotet-infected host are told to isolate the infected system and take their entire network offline as they investigate, a measure necessary to prevent the delivery of a ransomware payload in the meantime,” it added.

Emotet was last spotted on February 7, 2020 and has never appeared since then. To date, with reports of the malware launching malicious spams worldwide, Emotet officially marks its return from a five-month hiatus.

Specifically, the botnet sent about 250,000 messages at its comeback, with targets mostly from the United States and the United Kingdom. Other victims are also identified to be from the Middle East, South America, and Africa, Arcs Technica reported.

“Today’s campaign so far has recipients primarily in the US and UK with the lure being sent in English,” Sherrod DeGrippo, Senior Director Threat Research at Proofpoint, told ZDNet via email.

The emails contain either a Word attachment or URLs linking to the download of a Word document that contains malicious macros which, if enabled by the users, will download and install Emotet.

“The campaign is ongoing and has reached around 80,000 messages so far today,” he added.

The five-month hiatus marks the second major break of Emotet, following another session of inactivity between May and September 2019.