Hundreds of thousands of Emotet attacks spotted daily after four-month hiatus

Global map in black and red colour scheme denoting threat with plots in major cities to show cyber attacks being observed across the world

The cyber criminals running the Emotet botnet operation are already among the most high-volume threat actors in the current cyber security landscape after rebooting following a four-month break.

Detections of Emotet payloads dropped off in July 2022 but re-emerged in early November, according to cyber security firm Proofpoint, and the botnet is now acting as a primary facilitator for the delivery of major malware strains.

Emotet had previously returned to activity in November 2021, less than a year after a law enforcement operation shut down its original infrastructure that targeted businesses with malware for years.

The company said it has been blocking hundreds of thousands of Emotet-related emails every day, putting it among the most voluminous email threat campaigns currently in operation.

Following its historical patterns, Emotet demonstrated continued evolution in the way it operates, including a change in lures, the malware’s binary, and other malware dropped through successful campaigns.

See more

Palo Alto Networks’ Unit 42 team discovered at the start of the month that in one single Emotet infection, both IcedID and Bumblebee malware strains were dropped onto a victim’s machine.

Proofpoint said the IcedID strain currently spreading via Emotet is a more recent version equipped with different commands and a new loader which could signal a change in ownership, or a new relationship between the criminals running IcedID and those behind Emotet.

“Emotet dropping IcedID marks Emotet as being in full functionality again, by acting as a delivery network for other malware families,” said Proofpoint in a technical analysis.

“Emotet has not demonstrated full functionality and consistent follow-on payload delivery (that’s not Cobalt Strike) since 2021, when it was observed distributing The Trick and Qbot.

“TA542’s return coinciding with the delivery of IcedID is concerning. IcedID has previously been observed as a follow-on payload to Emotet infections. In many cases, these infections can lead to ransomware.”

Some of the capabilities of IcedID include retrieving desktop information, running processes, and system information. It can also read and exfiltrate files via command and control (C2) infrastructure.

Bumblebee malware, which often acts as a malware or ransomware loader, was discovered earlier this year and is believed to be related to the operations running TrickBot and BazarLoader.


MLOps and trustworthy AI for data leaders

A data fabric approach to MLOps and trustworthy AI


These two malware families are also thought to be affiliated with the now-shuttered Conti ransomware organisation.

Proofpoint also established links with IcedID and Conti - leaks from the ransomware organisation’s internal chats revealed it may have been referred to as ‘Anubis’ internally.

The company went on to say that it expects Emotet to continue growing further, demonstrating more attack attempts against targets in more locations around the world.

Emotet is known for being one of the most impactful cyber criminal operations of the past few years and it took months of a coordinated effort between various international law enforcement agencies to bring it down for the first time.

It is known for continually adapting its infection techniques to exploit the latest vulnerabilities and evade detection.

Emotet was one of the first operations to evolve after Microsoft blocked VBA macros in Office documents by pivoting to the use of OneDrive URLs instead.

Microsoft’s blocking of VBA macros was widely welcomed in the cyber security industry at the time. It was introduced as a way to reduce the number of successful malicious email campaigns distributing malware.

Regardless, various workarounds have already been established with the exploitation of LNK files proving most popular in recent months.

Connor Jones
News and Analysis Editor

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.