Light Dark
July 28, 2020 By David Bisson 3 min read

A malspam campaign involving Emotet saw a resurgence after five months of laying low, Malwarebytes detected on Friday, July 17. This operation used the well-known method of sending attack emails as a reply within an existing email thread. From there, the emails invited the recipient to open an attachment. Named “Form – Jul 17, 2020.doc,” the attachment opened a Microsoft Word document that informed the user of the need to enable content.

If they agreed to do so, the user inadvertently enabled a heavily-obfuscated macro embedded within the document. That macro then proceeded to call Windows Management Instrumentation (WMI), which in turn launched PowerShell. As its final phase, the campaign used PowerShell to iterate through a list of compromised remote websites. Once it identified one that was responding, the operation pulled down an Emotet payload and installed it on the victim’s machine. Then, the malware sent confirmation back to one of its command-and-control (C&C) servers.

Restoring the “Real Damage” of an Emotet Attack

Malwarebytes notes the real damage from an Emotet infection comes from the threat group’s alliances with other malware actors. In particular, it opens machines up to actors responsible for families that are capable of dropping ransomware onto an infected computer. The actors responsible for coordinating Emotet’s attacks are aware of this point.

Just three days after Malwarebytes spotted this malspam campaign, a security researcher told Bleeping Computer that they had spotted Emotet distributing TrickBot, a trojan which has a history of distributing ransomware such as Conti and Ryuk. Just a day later, Bleeping Computer learned the Emotet gang had begun distributing QakBot across all three branches of the botnet’s infrastructure. QakBot is another preferred partner of Emotet that has in some instances loaded ProLock ransomware onto infected machines.

Emotet: Threat Activity Before Its Five-Month Pause

The threat activity described above marks the return of Emotet after nearly a five-month pause. It did not enter into that break with a whimper, however. 

Threat actors used Emotet in multiple attack campaigns before its hiatus. At the beginning of February 2020, IBM X-Force discovered an operation in which attackers had employed coronavirus 2019 as a lure in malspam emails to deliver Emotet via weaponized Word documents. Two weeks later, IBM researchers disclosed a SMiShing campaign in which attackers impersonating well-known banks sent text messages from what appeared to be local U.S. numbers. They used that cover to trick recipients into clicking on a link that redirected them to domains hosting Emotet.

These two attack campaigns, not to mention the use of brute-forcing attacks on local WiFi networks, played a large part in Check Point Research’s decision to name Emotet as the second most-popular malware in February 2020. It came behind Mirai, a threat which at the time was targeting internet of things (IoT) devices with a new vulnerability. It did so as a means of building its botnet and conducting distributed denial-of-service (DDoS) attacks.

How to Defend Against Emotet

Security professionals can help their organizations defend against an Emotet infection first and foremost by investing in a security awareness training program. As part of this education initiative, infosec personnel should regularly test their employees with phishing simulations. Emotet has a history of using email attacks to enter organizations. Therefore, by educating their employees about such campaigns, security professionals will be able to reduce the likelihood of an attack email entering into the organization.

Next, they need to realize that some attack emails will get through employees’ defenses. Therefore, they need to set up some technical controls designed to monitor the network for signs of malicious macros, a common delivery vector for Emotet. They can do this by implementing proper logging, reviewing logs for suspicious activity and performing endpoint scans.

Last but not least, infosec personnel need to stay on top of the latest attack campaigns, partnerships and tactics employed by malware actors such as those responsible for Emotet. The best way they can do this is by using threat intelligence services to prepare themselves against these new developments.

 |  |  |  | 
David Bisson
Contributing Editor

More from

March 26, 2025

We are moving!

< 1 min read - SecurityIntelligence.com is being sunset, but have no fear!We have a new home for all of your favorite security and X-Force content.Follow us to www.ibm.com/think to maintain access to the stories and news you love, both new and old.Security Intelligence will officially sunset on Friday, March 28, 2025. To access the latest security thought leadership, go here. To access the latest X-Force research, go here.If you are experiencing cybersecurity issues or an incident, contact X-Force® to help:US hotline: 1-888-241-9812 | Global hotline:…

March 18, 2025

Bypassing Windows Defender Application Control with Loki C2

10 min read - Windows Defender Application Control (WDAC) is a security solution that restricts execution to trusted software. Since it is classified as a security boundary, Microsoft offers bug bounty payouts for qualifying bypasses, making it an active and competitive field of research.Typical outcomes of a WDAC bypass bug bounty submission:Bypass is fixed; possible bounty awardedBypass is not fixed but instead "mitigated" by being added to the WDAC recommended block list. Likely no bounty awarded but honorable mention is typically givenBypass is not…

March 4, 2025

FYSA — VMware Critical Vulnerabilities Patched

< 1 min read - SummaryBroadcom has released a security bulletin, VMSA-2025-0004, addressing and remediating three vulnerabilities that, if exploited, could lead to system compromise. Products affected include vCenter Server, vRealize Operations Manager, and vCloud Director.Threat TopographyThreat Type: Critical VulnerabilitiesIndustry: VirtualizationGeolocation: GlobalOverviewX-Force Incident Command is monitoring activity surrounding Broadcom’s Security Bulletin (VMSA-2025-0004) for three potentially critical vulnerabilities in VMware products. These vulnerabilities, identified as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, have reportedly been exploited in attacks. X-Force has not been able to validate those claims. The vulnerabilities…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2025 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature