If you thought it was safe, it’s back! As this botnet reappears after a short break to infect Windows systems with malware.

So, this rife botnet has re-emerged with some new sneaky ways to get in and infect Windows PCs with malware. Global law enforcement took it down back in January 2021. And what was once described as the most dangerous malware botnet in existence, and helped criminals to distribute malware and ransomware to victims around the world, is back.

And now Emotet has re-emerged 10 months later and resumed campaigns with new break in tactics. Firstly, in a mass spam campaign, it is sending out millions of phishing emails in the hopes of infecting devices malware. Once infected these devices are then controlled by cyber criminals through Emotet.

Secondly, the masters behind the botnet Emotet appear to be testing their new attack techniques on a smaller scale, according to cybersecurity researchers at Proofpoint. In other words, they are possibly going to use them on a larger scale if they work. Most importantly, the techniques they are working on are designed to make it more difficult to detect their tricks. And that spells trouble, with a capital T because it will increase the likelihood of getting away with their trickery.

In the meantime, the new tricks have come up in low volume and sent by a human user and while the widespread Emotet campaigns were on hold. Certainly, very different from their previous automated mass spam campaigns.

For example, one of their new tactics exploits compromised email accounts. Firstly they use the email account it sends out spam-phishing emails with a simple subject heading they know may bait a user. A word such as “salary” that someone is more likely to click on especially in an office.

Secondly, with a similar name to the subject line is a OneDrive URL, which hosts zip files containing Microsoft Excel Add-in (XLL) files.

And finally, if the file is opened and executed in comes Emotet infecting the machine with malware.


But the main concern is the way the new campaign uses OneDrive URLs, especially for businesses. As Emotet attempts to spread itself via the use of Microsoft Office attachments or phishing URLs that link to Office files rather than Microsoft Excel or Word documents containing Visual Basic for Applications (VBA) scripts or macros like they did before.

As a result of the announcement by Microsoft that they’d been blocking macros by default, obtained from the internet. So, gangs must come up with new techniques to work around the change.

Sherrod DeGrippo, vice president of threat research and detection at Proofpoint says that “Emotet is switching things up and testing small scale before delivering them to victims more broadly, or to distribute via new TTPs (Tactics, Techniques, and Procedures)

She continues to warn businesses to “be aware of the new techniques and ensure they are implementing defences accordingly.” While also ensuring they continue to train staff to spot and report any malicious emails. Even try some simulated attacks to delve deeper and recognise people who are especially susceptible.

DeGrippo explains “that the best simulations mimic real-world attack techniques. Look for solutions that tie into real-world attack trends and the latest threat intelligence.”

In short try to close the back door to any unwanted intruders and take on some good advice from the experts.

How can we make your business better with IT?