GitHub: Jpinkerton-Sec/Threat-Intelligence-Report-Emotet

# Threat Intelligence Report — Emotet

## **Author:** Jacob Pinkerton | **Date:** May 2026 | **Framework:** MITRE ATT&CK

## 1. Executive Summary

Emotet is a modular malware threat that has been active since 2014, originally targeting financial institutions before evolving into one of the most widely distributed malware platforms in the world. It operates primarily as a dropper and access broker: its role is to compromise a system, harvest credentials, and sell or rent that access to other threat groups who deliver the final payload. The downstream consequences of an Emotet infection have included large-scale ransomware deployments, financial theft, and significant operational disruption across healthcare, government, and critical infrastructure sectors globally.

Despite a coordinated law enforcement takedown in January 2021, Emotet resurfaced within ten months and remains actively circulating as of May 2026. Organisations running Windows environments with email-based workflows, particularly those without macro controls or behavioural endpoint detection, should treat Emotet as a credible and ongoing threat.

## 2. Malware Overview

- **Type:** Modular malware, originally a banking trojan, now primarily a dropper and access broker
- **First observed:** June 2014, as a banking trojan, often referred to as Geodo or Feodo
- **Current status:** Active. A coordinated international law enforcement operation took Emotet down in January 2021, but it resurfaced in November 2021 and remains an active threat. As recently as May 2026, new Emotet samples continue to appear in malware analysis platforms, predominantly delivered via malicious Word documents with macros, consistent with its established delivery methods.
- **Primary targets:** Businesses, government organisations, and critical infrastructure sectors globally. Emotet originally targeted banking and financial institutions but has since evolved into an indiscriminate threat; healthcare, finance, and technology organisations are frequently targeted because of the value of the data they hold. Windows-based systems are the primary platform.
- **Notable campaigns:** Many campaigns trace back to Emotet. One example is the **Healthcare Sector, USA (2023)** campaign, in which [Emotet delivered payloads to healthcare providers, compromising sensitive systems and prompting alerts from U.S. authorities](https://www.radware.com/cyberpedia/bot-management/emotet-anatomy-examples-and-defense/#EmotetHistory).

## 3. Tactics, Techniques & Procedures (TTPs)

| Tactic | Technique | ATT&CK ID | Notes |
|---|---|---|---|
| Initial Access | Phishing: Spearphishing Attachment | T1566.001 | Malicious Word docs with macros |
| Execution | User Execution | T1204 | User must open attachment |
| Persistence | Registry Run Keys / Startup Folder | T1547.001 | |
| Defense Evasion | Obfuscated Files or Information: Binary Padding | T1027.001 | Pads binary files to inflate their size and evade signature-based detection |
| Credential Access | Credentials from Password Stores: Credentials from Web Browsers | T1555.003 | Browser password grabber modules |
| Discovery | Account Discovery: Email Account | T1087.003 | Leverages a module that scrapes email addresses from Outlook |
| Lateral Movement | Exploitation of Remote Services | T1210 | Exploits SMB vulnerabilities such as EternalBlue |
| Command & Control | Encrypted Channel | T1573 | Encrypts data before sending it to the C2 server |
| Impact | Resource Hijacking | T1496 | Emotet-compromised machines are rented to other threat groups as a botnet, consuming system resources and enabling further criminal operations |
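Of the TTPs in the table, persistence through registry Run keys (T1547.001) is one a defender can audit directly on every endpoint. The following Python is an added illustration written for this page, not code from the report's author or from any cited source. It parses text in the shape of `reg query <key> /s` output and flags Run values whose target sits in a user-writable directory, escalating when that target is a DLL/OCX loaded indirectly through `regsvr32.exe` or `rundll32.exe`. The sample output, the value name `qmxtrvwa`, the pairing of `dwa.ocx` with `regsvr32.exe`, and the scoring heuristic are all constructed assumptions for the example.

```python
"""Triage Windows Run-key entries for loader-style persistence.

Added example for this report (not the author's or any vendor's tooling).
Input is assumed to be the text produced by `reg query <key> /s`; a constructed
sample is embedded so the script runs offline on any platform.
"""
import re

# Constructed sample of `reg query ... /s` output; not a dump from a real host.
# The second HKCU value imitates the report's description of a loader dropped
# under a user directory with a randomised name and registered in a Run key.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    qmxtrvwa    REG_SZ    C:\Windows\System32\regsvr32.exe /s C:\Users\alice\AppData\Local\qmxtrvwa\dwa.ocx

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
"""

KEY_RE = re.compile(r"^(HKEY_[A-Z_]+\\.*)$")
VALUE_RE = re.compile(
    r"^\s+(.+?)\s+(REG_(?:SZ|EXPAND_SZ|MULTI_SZ|BINARY|DWORD|QWORD|NONE))\s+(.*)$")
# Quoted paths first, then bare drive- or %VAR%-rooted paths.
PATH_RE = re.compile(r'"([^"]+)"|((?:[A-Za-z]:|%[A-Za-z_]+%)\\[^\s"]+)')
# Locations an unprivileged user can write to; a loader dropped by a macro
# running as the user has to land somewhere like this.
USER_WRITABLE_RE = re.compile(
    r"(\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\|"
    r"%(?:TEMP|TMP|APPDATA|LOCALAPPDATA)%)", re.I)
# Signed Windows binaries that load a DLL/OCX on behalf of the caller.
HOST_BINARIES = ("regsvr32.exe", "rundll32.exe")
LIBRARY_EXTS = (".ocx", ".dll")


def parse_run_entries(reg_query_text):
    """Yield (key, value_name, data) from `reg query /s` style text."""
    current_key = None
    for line in reg_query_text.splitlines():
        if not line.strip():
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1).strip()
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current_key:
            yield current_key, value_match.group(1), value_match.group(3).strip()


def extract_paths(command):
    """Pull every quoted or drive/%VAR%-rooted path out of a command line."""
    return [quoted or bare for quoted, bare in PATH_RE.findall(command)]


def triage_run_keys(reg_query_text):
    """Return flagged autorun entries, each with a severity and its reasons.

    Heuristic (an assumption of this example): entries whose targets all live
    in system locations are ignored. A user-writable target alone earns
    'review', since per-user software (sync clients, updaters) legitimately
    lives there; a user-writable DLL/OCX loaded via a host binary earns 'high'.
    """
    findings = []
    for key, name, command in parse_run_entries(reg_query_text):
        paths = extract_paths(command)
        if not any(USER_WRITABLE_RE.search(p) for p in paths):
            continue
        reasons = ["target in user-writable directory"]
        if any(host in command.lower() for host in HOST_BINARIES):
            reasons.append("launched through a library-loading host binary")
        if any(p.lower().endswith(LIBRARY_EXTS) for p in paths):
            reasons.append("target is a DLL/OCX rather than an executable")
        severity = "high" if len(reasons) > 1 else "review"
        findings.append({"key": key, "name": name, "command": command,
                         "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage_run_keys(SAMPLE_REG_QUERY):
        print(f"[{finding['severity']}] {finding['key']}\\{finding['name']}: {finding['command']}")
        for reason in finding["reasons"]:
            print("    -", reason)
```

On a real host the same functions can be fed the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /s` (and the HKLM equivalent); the startup folder listed in T1547.001 is a separate check, since it is a directory rather than a registry key.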
## 4. Indicators of Compromise (IOCs)

### File Hashes (SHA256)

| Type | Value | Notes |
|---|---|---|
| File hash (SHA256) | `4978285fc20fb2ac2990a735071277302c9175d16820ac64f326679f162354ff` | Emotet loader sample |
| File hash (SHA256) | `9f22626232934970e4851467b7b746578f0f149984cd0e4e1a156b391727fac9` | Password-protected zip dropper (form.zip) |
| File hash (SHA256) | `6d55f25222831cce73fd9a64a8e5a63b002522dc2637bd2704f77168c7c02d88` | Excel file with malicious macros (form.xlsm) |

### C2 IP Addresses

| Type | Value | Notes |
|---|---|---|
| Known C2 IP | `41.226.30[.]6:8080` | Emotet C2 server |
| Known C2 IP | `45.138.98[.]34:80` | Emotet C2 server |
| Known C2 IP | `62.141.45[.]103:443` | Emotet C2 server |

### File Names

| Type | Value | Notes |
|---|---|---|
| File name | `form.zip` | Delivery archive, password protected |
| File name | `form.xlsm` | Malicious Excel macro file |
| File name | `dwa.ocx` | Dropped Emotet loader |

*Note: Emotet infrastructure is frequently rotated. C2 IP addresses and domains change regularly. The IOCs above are sourced from Unit42 research and are provided for historical reference. For current live IOCs, refer to [Feodo Tracker](https://feodotracker.abuse.ch), which updates every five minutes.*

*Source: [Palo Alto Unit42 — Emotet Malware Summary](https://unit42.paloaltonetworks.com/emotet-malware-summary-epoch-4-5/)*

## 5. Attack Lifecycle

1. **Initial Delivery** — A phishing email lands in the target's inbox, usually dressed up as an invoice, unpaid bill, or a reply to a legitimate conversation thread. It either has a malicious Word or Excel file attached, or links to one hosted on a compromised site.
2. **User Execution** — The victim opens the file and is prompted to enable macros. That is the trigger. Once macros are enabled, the infection chain starts without any further interaction from the user.
3. **Loader Dropped** — The macro pulls down the Emotet loader and drops it onto the system, usually into a user directory under a randomised filename to stay under the radar of signature-based detection.
4. **Persistence** — Emotet digs in by writing registry run keys or dropping itself into the startup folder, making sure it survives a reboot.
5. **C2 Communication** — The infected machine starts beaconing out to a C2 server over encrypted channels. Emotet rotates its C2 infrastructure regularly, which makes static IP blocking largely ineffective on its own.
6. **Reconnaissance and Credential Theft** — Emotet deploys modular components to scrape Outlook for email addresses, pull stored credentials from browsers, and collect basic system information to send back to the operator.
7. **Lateral Movement** — From there it tries to move across the local network, using harvested credentials and SMB vulnerabilities like EternalBlue to hop between machines.
8. **Secondary Payload** — Once enough access is established, Emotet calls in a secondary payload on behalf of whichever threat group has rented access to the botnet at the time. This has historically included TrickBot, Ryuk, Conti, and Cobalt Strike.
9. **Impact** — The end result depends on what gets dropped. Outcomes range from credential theft and financial fraud through to full ransomware deployment across the network.
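Indicators in section 4 are published defanged (`41.226.30[.]6:8080`), so they cannot be pasted straight into a log search. The following Python is an added illustration written for this page, not tooling from the report's author or from Unit42 or abuse.ch. It refangs the section 4 C2 indicators and hashes and matches them against a constructed firewall log and a constructed file-hash inventory, the kind of sweep a responder runs at lifecycle step 5 to find which internal hosts are beaconing. The log schema (`src=`, `dst=`, `dport=`), the internal addresses, the inventory, and the `ip+port` vs `ip-only` confidence split are assumptions of the example.

```python
"""Sweep constructed logs and a file inventory for this report's IOCs.

Added example for this page; it is not code from the report's author or any
cited source. The firewall log format, host addresses and file inventory are
invented for the demonstration. The indicators themselves are copied from the
IOC tables in section 4.
"""
import ipaddress
import re

# C2 indicators copied from the IOC table, still in defanged form.
C2_IOCS = ["41.226.30[.]6:8080", "45.138.98[.]34:80", "62.141.45[.]103:443"]

# SHA256 indicators copied from the same table.
HASH_IOCS = {
    "4978285fc20fb2ac2990a735071277302c9175d16820ac64f326679f162354ff": "Emotet loader sample",
    "9f22626232934970e4851467b7b746578f0f149984cd0e4e1a156b391727fac9": "Password-protected zip dropper (form.zip)",
    "6d55f25222831cce73fd9a64a8e5a63b002522dc2637bd2704f77168c7c02d88": "Excel file with malicious macros (form.xlsm)",
}

# Constructed firewall log (key=value style). The schema is an assumption, not
# any vendor's format; internal hosts are in 10.20.4.0/24 and the benign
# destination is in the 203.0.113.0/24 documentation range.
SAMPLE_FIREWALL_LOG = """\
2026-05-04T09:12:01Z fw01 action=allow src=10.20.4.17 dst=203.0.113.10 dport=443 proto=tcp
2026-05-04T09:12:07Z fw01 action=allow src=10.20.4.17 dst=45.138.98.34 dport=80 proto=tcp
2026-05-04T09:12:09Z fw01 action=deny src=10.20.4.33 dst=41.226.30.6 dport=8080 proto=tcp
2026-05-04T09:13:15Z fw01 action=allow src=10.20.4.17 dst=62.141.45.103 dport=8443 proto=tcp
2026-05-04T09:14:00Z fw01 action=allow src=10.20.4.17 dst=45.138.98.34 dport=80 proto=tcp
"""

# Constructed (path, sha256) inventory, as an EDR file census might export it.
SAMPLE_FILE_INVENTORY = [
    ("C:\\Users\\alice\\Downloads\\form.zip",
     "9f22626232934970e4851467b7b746578f0f149984cd0e4e1a156b391727fac9"),
    ("C:\\Users\\alice\\Downloads\\report.pdf", "0" * 64),  # placeholder hash, not a real file
]

LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def refang(indicator):
    """Reverse the defanging conventions used in published IOC lists."""
    return indicator.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def parse_c2(indicators):
    """Return {ip: port} for each IP:port indicator, rejecting malformed entries."""
    c2 = {}
    for indicator in indicators:
        host, _, port = refang(indicator).rpartition(":")
        ipaddress.ip_address(host)  # raises ValueError if refanging left garbage
        c2[host] = int(port)
    return c2


def match_c2(log_text, c2=None):
    """Return one hit per log line whose destination is a known C2 address.

    A denied connection is still a hit: the firewall stopped the beacon, but
    the source host tried to reach Emotet infrastructure and needs triage. A
    known IP on an unexpected port is kept as a lower-confidence 'ip-only' hit
    because, as the report notes, this infrastructure rotates frequently.
    """
    c2 = parse_c2(C2_IOCS) if c2 is None else c2
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("dst") not in c2:
            continue
        dport = int(m.group("dport"))
        hits.append({
            "src": m.group("src"), "dst": m.group("dst"), "dport": dport,
            "match": "ip+port" if c2[m.group("dst")] == dport else "ip-only",
            "line": line,
        })
    return hits


def infected_hosts(hits):
    """Group hits by internal source address so each host is triaged once."""
    by_src = {}
    for hit in hits:
        by_src.setdefault(hit["src"], []).append(hit)
    return by_src


def match_hashes(inventory, hashes=HASH_IOCS):
    """Return (path, description) for every inventory entry whose hash is an IOC."""
    return [(path, hashes[digest.lower()]) for path, digest in inventory
            if digest.lower() in hashes]


if __name__ == "__main__":
    for src, src_hits in infected_hosts(match_c2(SAMPLE_FIREWALL_LOG)).items():
        print(f"{src}: {len(src_hits)} contact(s) with known C2")
        for hit in src_hits:
            print(f"  [{hit['match']}] {hit['dst']}:{hit['dport']}")
    for path, description in match_hashes(SAMPLE_FILE_INVENTORY):
        print(f"hash match: {path} -> {description}")
```

Because the report stresses that Emotet's C2 addresses rotate, a sweep like this is only as current as its indicator list; feeding `parse_c2` a freshly pulled Feodo Tracker export rather than the static table above is the realistic use.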
## 6. Defensive Recommendations

| Mitigation | ATT&CK Mitigation ID | Notes |
|---|---|---|
| Disable Office macros by default via Group Policy | M1042 | Directly cuts off Emotet's primary delivery mechanism |
| Deploy email filtering and attachment sandboxing | M1021 | Intercepts malicious documents before they reach the end user |
| User awareness training focused on phishing recognition | M1017 | Reduces the likelihood of a user enabling macros on a malicious document |
| Enforce multi-factor authentication across all accounts | M1032 | Limits the usefulness of harvested credentials during lateral movement |
| Patch management, prioritising SMB vulnerabilities | M1051 | Closes the door on EternalBlue-style exploitation used for lateral movement |
| Network segmentation to limit lateral movement | M1030 | Contains an infection to a single segment if initial access is achieved |
| Deploy endpoint detection with behavioural monitoring | M1049 | Catches Emotet loader activity that signature-based tools may miss |
| Block known malicious C2 IPs and domains at the firewall | M1031 | Disrupts beaconing behaviour; refer to Feodo Tracker for current blocklists |
| Monitor registry run keys and startup folder for unauthorised changes | M1054 | Early detection of Emotet's persistence mechanism |

## 7. Conclusion

Emotet remains one of the more persistent and adaptable threats in the current landscape. What makes it particularly difficult to manage is that the malware itself is rarely the final impact; it is the access it provides to other threat groups that causes the real damage. An organisation that detects and removes Emotet may already have had credentials harvested, email contacts scraped, and secondary payload operators waiting in the wings.

The most effective defensive posture against Emotet is layered; no single control is sufficient on its own. Disabling macros by default removes the primary delivery mechanism, but user awareness, network segmentation, and behavioural endpoint detection are all needed to catch infections that get through. Given that Emotet's C2 infrastructure rotates frequently, static blocklists alone are not a reliable defence and should be supplemented with behavioural detection at the endpoint and network level. For organisations in healthcare, finance, and government, where Emotet campaigns have historically concentrated, treating any unexpected macro-enabled document as a high-priority incident is a reasonable baseline posture.

## 8. References

- [MITRE ATT&CK — Emotet (S0367)](https://attack.mitre.org/software/S0367)
- [MalwareBazaar — Emotet](https://bazaar.abuse.ch/browse/tag/Emotet/)
- [Palo Alto Unit42 — Emotet Malware Summary](https://unit42.paloaltonetworks.com/emotet-malware-summary-epoch-4-5/)
- [Feodo Tracker — Botnet C2 Blocklist](https://feodotracker.abuse.ch/blocklist/)
- [Radware — Emotet History and Campaigns](https://www.radware.com/cyberpedia/bot-management/emotet-anatomy-examples-and-defense/#EmotetHistory)