A recent report has revealed that the developers of Emotet malware, known as Mummy Spider (aka TA542), have been enhancing the malware continuously since its resurgence in November 2021.

Post-resurgence enhancements

The VMware Threat Analysis Unit has released a report, providing details of the new tactics and infrastructure updates adopted by Emotet operators to avoid detection.
  • Emotet is using different attack vectors while trying to stay hidden from security radars. This includes the use of spam messages, malicious documents, or embedded URLs that lead to the download of malware.
  • In January, it was using three different infection mechanisms to deliver the payload - directly via an Excel 4.0 macro, an Excel 4.0 macro with PowerShell script, or a VBA macro with PowerShell.
  • In some instances, it was seen using the legitimate tool mshta.exe to drop the Emotet malware via a malicious HTA file.

Infrastructure changes

Since its resurgence, Emotet has come up with several changes in its C2 infrastructure.
  • The malware has launched two new botnet clusters dubbed Epochs 4 and 5, which are leveraged heavily during cyberattacks. 
  • Between March 15 and June 18, 10,235 Emotet payloads were found using C2 servers belonging to the Epoch 5 cluster.
  • During analysis, out of 328 unique IP addresses obtained from DLL payloads, around 38.6% belonged to Epoch 5 botnet, while 60.8% were from Epoch 4. There was just one IP address that bgedelon to both the botnet clusters.

Additional enhancements

  • Emotet started two new modules, one designed to target Google Chrome browsers to steal credit card information, and the other is designed for lateral movement by leveraging SMB protocol.
  • All the sample payloads used in a recent campaign comprised 10 modules: one WebBrowserPassView, one MailPassView, four ThunderbirdStealer, and four spam.


To stay protected against Emotet, experts recommend enforcing a zero-trust model for security, using strong authentication mechanisms, and implementing network segmentation. It is further suggested to apply security patches for all software, firmware, plugins, and OS on a regular basis.
Cyware Publisher