For never was a story of more woe than this of Emotet returning once again. This time there were no full-scale campaigns for about seven months, although isolated infections were recorded and researchers kept finding documents that distributed the malware. The attacks resumed last Friday, with the botnet sending about 250,000 emails in a matter of hours, targeting recipients primarily in the United States and the United Kingdom. Since then, the botnet has continued to supply researchers with new samples, occupying a leading position on

In recent campaigns the botnet has been distributing the IcedID trojan, but its operators can quickly reconfigure it to deliver any payload. Recall that last year Emotet took the whole summer off before it finally 'came to its senses'. This time everything happened faster, and we are already looking forward to its next long vacation. In the meantime, Threat Bounty Program members present fresh community content to detect this threat:

Emotet Through Word Document (Sysmon Behavior) by Lee Archinal

Public cyber enemy Emotet has returned by Osman Demir


The rules have translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio

EDR: Carbon Black, Elastic Endpoint



Tactics: Initial Access, Execution, Defense Evasion, Command And Control

Techniques: Spearphishing Attachment (T1193), Command-Line Interface (T1059), Indicator Removal on Host (T1070), Standard Application Layer Protocol (T1071)
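The "Sysmon Behavior" rule above keys on the process chain an Emotet maldoc produces: an Office application spawning a command interpreter, which in turn usually launches PowerShell with an encoded command (T1059). The snippet below is an added illustration of that detection logic, written here for this article; it is not the Threat Bounty rule, Sigma source, or any SOC Prime content. It consumes Sysmon Event ID 1 (process creation) records as flat dictionaries and walks ProcessGuid/ParentProcessGuid links so the second hop (cmd.exe -> powershell.exe) is still attributed to WINWORD.EXE even though its direct parent is cmd.exe. The sample events, GUIDs, and the encoded PowerShell argument are constructed placeholders, not captured Emotet telemetry.

```python
"""Office-spawned interpreter detection over Sysmon Event ID 1 records.

Added example for this article (not the Threat Bounty rule). Field names
follow Sysmon's process-creation event: Image, ParentImage, CommandLine,
ProcessGuid, ParentProcessGuid. Sample data below is constructed.
"""
from __future__ import annotations

import ntpath
import re
from typing import Iterable, Optional

# Office hosts that Emotet maldocs run under.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Interpreters and LOLBins a macro typically spawns.
SCRIPT_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# "-e", "-ec", "-enc", "-EncodedCommand" followed by a long base64 blob.
ENCODED_PS = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{40,}"
)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


class OfficeSpawnDetector:
    """Stateful detector: remembers each process so ancestry can be walked."""

    def __init__(self, max_depth: int = 4) -> None:
        # ProcessGuid -> (image basename, ParentProcessGuid)
        self.tree: dict[str, tuple[str, Optional[str]]] = {}
        self.max_depth = max_depth

    def office_ancestor(self, guid: Optional[str]) -> Optional[str]:
        """Walk up to max_depth parents looking for an Office process."""
        depth = 0
        while guid in self.tree and depth < self.max_depth:
            image, parent_guid = self.tree[guid]
            if image in OFFICE_PARENTS:
                return image
            guid, depth = parent_guid, depth + 1
        return None

    def process(self, event: dict) -> Optional[dict]:
        """Feed one Sysmon event; return an alert dict or None."""
        if event.get("EventID") != 1:
            return None
        image = basename(event["Image"])
        # Record every process, including benign ones, to build the tree.
        self.tree[event["ProcessGuid"]] = (image, event.get("ParentProcessGuid"))
        if image not in SCRIPT_CHILDREN:
            return None
        # Check the direct parent from the event itself first: the Office
        # process may have started before Sysmon logging began.
        parent = basename(event.get("ParentImage", ""))
        ancestor = parent if parent in OFFICE_PARENTS else \
            self.office_ancestor(event.get("ParentProcessGuid"))
        if ancestor is None:
            return None
        cmd = event.get("CommandLine", "")
        severity = "high" if image in POWERSHELL and ENCODED_PS.search(cmd) \
            else "medium"
        return {"image": image, "ancestor": ancestor,
                "severity": severity, "command": cmd}


def detect(events: Iterable[dict]) -> list[dict]:
    """Run the detector over an ordered event stream; return all alerts."""
    det = OfficeSpawnDetector()
    return [a for a in (det.process(e) for e in events) if a]


# Constructed sample stream (GUIDs and commands are placeholders).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{g-word}", "ParentProcessGuid": "{g-expl}",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"WINWORD.EXE" /n "C:\\Users\\u\\Downloads\\invoice.doc"'},
    {"EventID": 1, "ProcessGuid": "{g-cmd}", "ParentProcessGuid": "{g-word}",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "cmd /c powershell -w hidden -enc " + "A" * 60},
    {"EventID": 1, "ProcessGuid": "{g-ps}", "ParentProcessGuid": "{g-cmd}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell -w hidden -enc " + "A" * 60},
    {"EventID": 1, "ProcessGuid": "{g-spl}", "ParentProcessGuid": "{g-word}",
     "Image": r"C:\Windows\splwow64.exe",  # printing helper, benign
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "splwow64.exe 12288"},
    {"EventID": 1, "ProcessGuid": "{g-cmd2}", "ParentProcessGuid": "{g-expl}",
     "Image": r"C:\Windows\System32\cmd.exe",  # user-opened shell, benign
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["severity"], alert["ancestor"], "->", alert["image"])
```

Two alerts fire on the sample: a medium one for WINWORD.EXE -> cmd.exe and a high one for the grandchild powershell.exe carrying an encoded command; the printing helper and the user-opened shell stay silent. In production the ancestry walk needs a bound on tree size (evict on Sysmon Event ID 5, process termination) and the Office parent set should be extended to whatever hosts your tenant actually runs macros in.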

Ready to try out SOC Prime TDM? Sign up for free. Or join Threat Bounty Program to craft your own content and share it with the TDM community.
