The Emotet malware is spreading widely and is believed to be switching to new payloads detected by fewer antivirus engines. The emails carrying malicious payloads have increased sharply during the last month.

Increase in attacks

According to Kaspersky, Emotet infection has seen a ten-fold increase from February to March, going from 3,000 to 30,000 emails. Further, another report ranked Emotet as one of the most prevalent malware in March.
  • Emotet operators are known for taking advantage of current interests and affairs. For example, it was observed taking advantage of the ongoing Easter celebration.
  • The messages use varied languages such as English, Hungarian, French, Italian, Polish, Russian, Norwegian, Spanish, Chinese, and Slovenian.
  • Further, ongoing Emotet email distribution campaigns were observed using discussion thread hijacking tricks, which were spotted in Qbot campaigns associated with the same attackers.
  • They are, moreover, intercepting already existing correspondence and sending the recipients an email laden with a file or link, which most of the time leads to a legitimate cloud-hosting service.

Use of 64-bit modules

The malware operators have started using 64-bit loaders and stealer modules on Epoch 4, one of the subgroups of the botnet that operates separate infrastructures. Previously, it used a 32-bit code.
  • The change is not observed on Epoch 5 server, but only on Epoch 4 which serves as a development test-bed for the Emotet operators.
  • Moreover, the detection rate for Epoch 4 decreased by 60%, which could be a direct result of this change.


Emotet operators are super active again and attempting to retain their position in the cybercrime world. Thus, people should always stay alert when receiving suspicious emails from unknown senders. Further, deploy email gateways to filter out such emails before they cause any damage.

Cyware Publisher