The Emotet Botnet is Back: TrickBot Infrastructure Being Used to Rebuild the Botnet

The infrastructure of the Emotet botnet was taken down in a Europol/Eurojust coordinated law enforcement operation in January 2021. Since the takedown it has been all quiet on the Emotet front, but the Emotet botnet has now returned.

That law enforcement operation saw the infrastructure seized and taken down and two individuals believed to have played key roles in maintaining the infrastructure of the botnet were arrested. The Emotet malware that infected devices and added them to the botnet was removed in a cleanup operation headed by law enforcement in Germany on April 25, 2021.

Emotet was originally a banking Trojan that was first detected in 2014. The Trojan was updated over the years and evolved into a botnet that acted as a malware downloader that delivered various secondary malware payloads. It was the loader operation that made the malware so dangerous, as it was rented out to other cybercriminal organizations and was used to deliver secondary payloads such as QakBot and TrickBot, which in turn were used to deliver ransomware variants such as Ryuk and Conti.

An estimated 1.6 million devices worldwide were infected with the Emotet Trojan at the time of the takedown, with those devices controlled by command and control infrastructure that comprised of hundreds of servers around the world. Emotet was one of the largest botnets ever created and was certainly the most dangerous at the time of the takedown, and its extensive C2 infrastructure was what made the botnet so resilient to previous takedown attempts.

Multiple security researchers have now confirmed that an effort is underway to reconstruct the botnet. The TrickBot Trojan, which Emotet used to deliver, is now being used to deliver a loader that downloads the Emotet Trojan. At present, the number of devices believed to have been infected with the new Emotet Trojan remains low, but the numbers are growing. There are at least 246 infected devices infected with the new Emotet Trojan that are currently serving as C2 servers.

It is likely that the botnet has been undergoing a total rebuild, with the infrastructure being created from scratch. That may be why it has taken so long for any Emote activity to be detected; however, spam campaigns are now being conducted using a range of lures to trick individuals into clicking links and opening email attachments including CyberMonday sales, canceled meetings, termination of dental insurance, and political donation drives, among others. These campaigns have used a combination of Word and Excel files with malicious scripts, and password-protected zip files to prevent the malicious files from being analyzed by email security solutions.

An analysis of the new Emotet loader by the research group Cryptolaemus and Advanced Intel has confirmed several changes have been made to the latest version, including a new command buffer with more options for executing download binaries.

Since Emotet was extensively used to infect devices with ransomware, it is likely that the return will trigger an increase in ransomware attacks over the coming weeks or months.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of