{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,11]],"date-time":"2025-11-11T15:53:54Z","timestamp":1762876434773,"version":"3.41.0"},"reference-count":50,"publisher":"Association for Computing Machinery (ACM)","issue":"3","license":[{"start":{"date-parts":[[2023,9,30]],"date-time":"2023-09-30T00:00:00Z","timestamp":1696032000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Digital Threats"],"published-print":{"date-parts":[[2023,9,30]]},"abstract":"<jats:p>Throughout its eight-year history, Emotet has caused substantial damage. This threat reappeared at the beginning of 2022 following a take-down by law enforcement in November 2021. Emotet is arguably one of the most notorious advanced persistent threats, causing substantial damage during its earlier phases and continuing to pose a danger to organizations everywhere. In this article, we present a longitudinal study of several waves of Emotet-based attacks that we observed in VMware\u2019s customer telemetry. By analyzing Emotet\u2019s software development life cycle, we were able to dissect how it quickly changes its command and control (C2) infrastructure, obfuscates its configuration, adapts and tests its evasive execution chains, deploys different attack vectors at different stages, laterally propagates, and continues to evolve using numerous tactics and techniques.<\/jats:p>","DOI":"10.1145\/3594554","type":"journal-article","created":{"date-parts":[[2023,5,2]],"date-time":"2023-05-02T12:36:48Z","timestamp":1683031008000},"page":"1-29","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":4,"title":["Keeping Up with the Emotets: Tracking a Multi-infrastructure Botnet"],"prefix":"10.1145","volume":"4","author":[{"ORCID":"https:\/\/orcid.org\/0009-0008-6435-0196","authenticated-orcid":false,"given":"Oleg","family":"Boyarchuk","sequence":"first","affiliation":[{"name":"VMware, Inc."}]},{"ORCID":"https:\/\/orcid.org\/0009-0002-1929-9914","authenticated-orcid":false,"given":"Sebastiano","family":"Mariani","sequence":"additional","affiliation":[{"name":"VMware, Inc."}]},{"ORCID":"https:\/\/orcid.org\/0009-0003-5857-5755","authenticated-orcid":false,"given":"Stefano","family":"Ortolani","sequence":"additional","affiliation":[{"name":"VMware, Inc."}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3422-5369","authenticated-orcid":false,"given":"Giovanni","family":"Vigna","sequence":"additional","affiliation":[{"name":"VMware, Inc. and UC Santa Barbara"}]}],"member":"320","published-online":{"date-parts":[[2023,10,6]]},"reference":[{"key":"e_1_3_2_2_2","unstructured":"Lawrence Abrams. 2019. Emotet Trojan Evolves Since Being Reawakend Here is What We Know. Retrieved September 2019 from https:\/\/www.bleepingcomputer.com\/news\/security\/emotet-trojan-evolves-since-being-reawakend-here-is-what-we-know\/."},{"key":"e_1_3_2_3_2","unstructured":"Lawrence Abrams. 2021. Emotet starts dropping Cobalt Strike again for faster attacks. Retrieved December 2021 from https:\/\/www.bleepingcomputer.com\/news\/security\/emotet-starts-dropping-cobalt-strike-again-for-faster-attacks\/."},{"key":"e_1_3_2_4_2","unstructured":"Lawrence Abrams. 2022. Emotet malware campaign impersonates the IRS for 2022 tax season. Retrieved March 2022 from https:\/\/cyware.com\/news\/emotet-malware-campaign-impersonates-the-irs-for-2022-tax-season-54d73dc3."},{"key":"e_1_3_2_5_2","unstructured":"John Althouse. 2020. Easily Identify Malicious Servers on the Internet with JARM. Retrieved November 2020 from https:\/\/engineering.salesforce.com\/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a\/."},{"key":"e_1_3_2_6_2","first-page":"1093","volume-title":"Proceedings of the 26thSecurity Symposium","year":"2017","unstructured":"M. Antonakakis, T. April, M. Bailey, M. Bernhard, E. Bursztein, J. Cochran, Z. Durumeric, J. A. Halderman, L. Invernizzi, M. Kallitsis, D. Kumar, C. Lever, Z. Ma, J. Mason, D. Menscher, C. Seaman, N. Sullivan, K. Thomas, and Y. Zhou. 2017. Understanding the mirai botnet. In Proceedings of the 26thSecurity Symposium. 1093\u20131110."},{"key":"e_1_3_2_7_2","unstructured":"Archyde. 2019. \u201cEmotet\u201d in Berlin: computer virus also affects Humboldt University - Berlin. Retrieved November 2019 from https:\/\/www.archyde.com\/emotet-in-berlin-computer-virus-also-affects-humboldt-university-berlin\/."},{"key":"e_1_3_2_8_2","doi-asserted-by":"publisher","DOI":"10.1109\/PST.2010.5593240"},{"key":"e_1_3_2_9_2","unstructured":"BlackBerry. 2018. Threat Spotlight: Panda Banker Trojan Targets the US Canada and Japan. Retrieved October 2018 from https:\/\/blogs.blackberry.com\/en\/2018\/10\/threat-spotlight-panda-banker-trojan-targets-the-us-canada-and-japan."},{"key":"e_1_3_2_10_2","unstructured":"O. Boyarchuk and S. Ortolani. 2022. EmoLoad: Loading emotet modules without emotet. https:\/\/blogs.vmware.com\/security\/2022\/12\/emoloadloading-emotet-modules-without-emotet.html."},{"key":"e_1_3_2_11_2","unstructured":"O. Boyarchuk and J. Zhang. 2022. Emotet C2 configuration extraction and analysis. https:\/\/blogs.vmware.com\/security\/2022\/03\/emotet-c2-configuration-extraction-and-analysis.html."},{"key":"e_1_3_2_12_2","unstructured":"Oleg Boyarchuk Jason Zhang and Stefano Ortolani. 2022. Emotet Moves to 64 bit and Updates its Loader. Retrieved May 2022 from https:\/\/blogs.vmware.com\/security\/2022\/05\/emotet-moves-to-64-bit-and-updates-its-loader.html."},{"key":"e_1_3_2_13_2","unstructured":"CheckPoint. 2020. January 2020\u2019s Most Wanted Malware: Coronavirus-themed spam spreads malicious Emotet malware. Access date: February 2020."},{"key":"e_1_3_2_14_2","unstructured":"Catalin Cimpanu. 2019. Frankfurt shuts down IT network following Emotet infection. Retrieved December 2019 from https:\/\/www.zdnet.com\/article\/frankfurt-shuts-down-it-network-following-emotet-infection\/."},{"key":"e_1_3_2_15_2","unstructured":"Gabrielle Ladouceur Despins. 2020. Emotet strikes Quebec\u2019s Department of Justice: An ESET Analysis. Retrieved September 2020 from https:\/\/www.welivesecurity.com\/2020\/09\/16\/emotet-quebec-department-justice-eset\/."},{"key":"e_1_3_2_16_2","unstructured":"Luca Ebach. 2021. Guess who\u2019s back. Retrieved November 2021 from https:\/\/cyber.wtf\/2021\/11\/15\/guess-whos-back\/."},{"key":"e_1_3_2_17_2","unstructured":"Europol. 2021. World\u2019s most dangerous malware EMOTET disrupted through global action. https:\/\/www.europol.europa.eu\/media-press\/newsroom\/news\/world.s-most-dangerous-malware-emotet-disrupted-through-global-action. Access date: January 2021."},{"key":"e_1_3_2_18_2","unstructured":"Sergiu Gatlan. 2022. Emotet malware now steals credit cards from Google Chrome users. Retrieved June 2022 from https:\/\/www.bleepingcomputer.com\/news\/security\/emotet-malware-now-steals-credit-cards-from-google-chrome-users\/."},{"key":"e_1_3_2_19_2","unstructured":"Colin Grady William Largent and Jaeson Schultz. 2019. Emotet is back after a summer break. Retrieved September 2019 from https:\/\/blogs.cisco.com\/security\/talos\/emotet-is-back-after-a-summer-break."},{"key":"e_1_3_2_20_2","unstructured":"James Haughom and Stefano Ortolani. 2020. Evolution of Excel 4.0 Macro Weaponization. Retrieved June 2020 from https:\/\/vb2020.vblocalhost.com\/uploads\/VB2020-61.pdf."},{"key":"e_1_3_2_21_2","unstructured":"Ionut Ilascu. 2021. Emotet botnet comeback orchestrated by Conti ransomware gang. Retrieved November 2021 from https:\/\/www.bleepingcomputer.com\/news\/security\/emotet-botnet-comeback-orchestrated-by-conti-ransomware-gang\/."},{"key":"e_1_3_2_22_2","unstructured":"Intel 471. 2021. How the new Emotet differs from previous versions. Retrieved December 2021 from https:\/\/intel471.com\/blog\/emotet-returns-december-2021."},{"key":"e_1_3_2_23_2","unstructured":"Eduard Kovacs. 2014. Emotet\u2019 Banking Malware Steals Data Via Network Sniffing. Retrieved June 2014 from https:\/\/www.securityweek.com\/emotet-banking-malware-steals-data-network-sniffing."},{"key":"e_1_3_2_24_2","unstructured":"Eduard Kovacs. 2015. New Emotet Variant Targets Banking Credentials of German Speakers. Retrieved January 2015 from https:\/\/www.securityweek.com\/new-emotet-variant-targets-banking-credentials-german-speakers."},{"key":"e_1_3_2_25_2","unstructured":"Kryptos Logic. 2018. Emotet Awakens With New Campaign of Mass Email Exfiltration. Retrieved October 2018 from https:\/\/www.kryptoslogic.com\/blog\/2018\/10\/emotet-awakens-with-new-campaign-of-mass-email-exfiltration\/."},{"key":"e_1_3_2_26_2","unstructured":"S. Lyngaas. 2020. Berlin\u2019s high court should rebuild computer system after emotet infection report finds. https:\/\/cyberscoop.com\/berlin-emotetkammergericht\/."},{"key":"e_1_3_2_27_2","unstructured":"Malpedia. 2022. Mummy Spider. Retrieved July 2022 from https:\/\/malpedia.caad.fkie.fraunhofer.de\/actor\/mummy_spider."},{"key":"e_1_3_2_28_2","unstructured":"Malwarebytes. 2021. Let\u2019s talk Emotet malware. https:\/\/www.malwarebytes.com\/emotet. November 2021."},{"key":"e_1_3_2_29_2","unstructured":"MalwareTech. 2017. Investigating Command and Control Infrastructure (Emotet). Retrieved November 2017 from https:\/\/www.malwaretech.com\/2017\/11\/investigating-command-and-control-infrastructure-emotet.html."},{"key":"e_1_3_2_30_2","unstructured":"MITRE. 2022. ATT&CK Framework. Retrieved June 2022 from https:\/\/attack.mitre.org\/."},{"key":"e_1_3_2_31_2","unstructured":"Raphael Mudge. 2020. A Red Teamer Plays with JARM. Retrieved December 2020 from https:\/\/www.cobaltstrike.com\/blog\/a-red-teamer-plays-with-jarm\/."},{"key":"e_1_3_2_32_2","unstructured":"Netskope. 2021. JARM Randomizer. Retrieved May 2021 from https:\/\/github.com\/netskopeoss\/jarm_randomizer."},{"key":"e_1_3_2_33_2","unstructured":"Stefano Ortolani and Giovanni Vigna. 2021. Death of Emotet: The Takedown of The Emotet Infrastructure. Retrieved February 2021 from https:\/\/blogs.vmware.com\/security\/2021\/02\/death-of-emotet.html."},{"key":"e_1_3_2_34_2","unstructured":"Proofpoint. 2019. Threat Actor Profile: TA542 From Banker to Malware Distribution Service. Retrieved May 2019 from https:\/\/www.proofpoint.com\/us\/threat-insight\/post\/threat-actor-profile-ta542-banker-malware-distribution-service."},{"key":"e_1_3_2_35_2","unstructured":"Reversing.fun. 2022. Emotet SMB spreader overview. Retrieved June 2022 from http:\/\/reversing.fun\/posts\/2022\/06\/20\/emotet-smb-spreader.html."},{"key":"e_1_3_2_36_2","unstructured":"RiskIQ. 2022. Report for 217.182.143.207. https:\/\/www.riskiq.com\/ June 2022."},{"key":"e_1_3_2_37_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833765"},{"key":"e_1_3_2_38_2","unstructured":"Salesforce. 2021. JARM. Retrieved October 2021 from https:\/\/github.com\/salesforce\/jarm."},{"key":"e_1_3_2_39_2","unstructured":"J\u00fcrgen Schmidt. 2019. Trojan infestation: Emotet at Heise. https:\/\/www.heise.de\/news\/Emotet-bei-Heise-4437807.html. Access date: June 2019."},{"key":"e_1_3_2_40_2","unstructured":"Tara Seals. 2018. Allentown Struggles with $1 Million Cyber-Attack. Retrieved February 2018 from https:\/\/www.infosecurity-magazine.com\/news\/allentown-struggles-with-1-million\/."},{"key":"e_1_3_2_41_2","unstructured":"Digital Shadows. 2021. The Emotet Shutdown Explained. Retrieved April 2021 from https:\/\/www.digitalshadows.com\/blog-and-research\/the-emotet-shutdown-explained\/."},{"key":"e_1_3_2_42_2","unstructured":"Alexey Shulmin. 2015. The Banking Trojan Emotet: Detailed Analysis. Retrieved April 2015 from https:\/\/securelist.com\/the-banking-trojan-emotet-detailed-analysis\/69560\/."},{"key":"e_1_3_2_43_2","unstructured":"Baibhav Singh. 2020. Evolution of Excel 4.0 Macro Weaponization - Part 2. Retrieved October 2020 from https:\/\/blogs.vmware.com\/security\/2020\/10\/evolution-of-excel-4-0-macro-weaponization-continued.html."},{"key":"e_1_3_2_44_2","unstructured":"Pawe\u0142 Srokosz. 2017. Analysis of Emotet v4. Retrieved May 2017 from https:\/\/cert.pl\/en\/posts\/2017\/05\/analysis-of-emotet-v4\/."},{"key":"e_1_3_2_45_2","doi-asserted-by":"publisher","DOI":"10.1145\/1653662.1653738"},{"key":"e_1_3_2_46_2","unstructured":"Symatec. 2018. The Evolution of Emotet: From Banking Trojan to Threat Distributor. Retrieved July 2018 from https:\/\/symantec-enterprise-blogs.security.com\/blogs\/threat-intelligence\/evolution-emotet-trojan-distributor."},{"key":"e_1_3_2_47_2","unstructured":"U.S. Department of Health and Human Services. 2022. The Return of Emotet and the Threat to the Health Sector. https:\/\/www.hhs.gov\/sites\/default\/files\/the-return-of-emotet.pdf."},{"key":"e_1_3_2_48_2","unstructured":"VMware. 2022. Network Sandbox. https:\/\/www.vmware.com\/content\/dam\/digitalmarketing\/vmware\/en\/pdf\/docs\/vmw-nsx-sandbox-solution.pdf."},{"key":"e_1_3_2_49_2","unstructured":"Jason Zhang. 2020. Defeat Emotet Attacks with Behavior-Based Malware Protection. Retrieved November 2020 from https:\/\/blogs.vmware.com\/security\/2020\/11\/defeat-emotet-attacks-with-behavior-based-malware-protection.html."},{"key":"e_1_3_2_50_2","unstructured":"Jason Zhang. 2022. Emotet Is Not Dead (Yet) - Part 2. Retrieved February 2022 from https:\/\/blogs.vmware.com\/security\/2022\/02\/emotet-is-not-dead-yet-part-2.html."},{"key":"e_1_3_2_51_2","unstructured":"Jason Zhang Subrat Sarkar and Stefano Ortolani. 2020. COVID-19 Cyberthreats and Malware Updates. Retrieved November 2020 from https:\/\/blogs.vmware.com\/security\/2020\/11\/covid-19-cyberthreat-and-malware-updates.html."}],"container-title":["Digital Threats: Research and Practice"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3594554","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3594554","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T18:09:07Z","timestamp":1750183747000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3594554"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,9,30]]},"references-count":50,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2023,9,30]]}},"alternative-id":["10.1145\/3594554"],"URL":"https:\/\/doi.org\/10.1145\/3594554","relation":{},"ISSN":["2692-1626","2576-5337"],"issn-type":[{"type":"print","value":"2692-1626"},{"type":"electronic","value":"2576-5337"}],"subject":[],"published":{"date-parts":[[2023,9,30]]},"assertion":[{"value":"2022-11-29","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2023-04-14","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2023-10-06","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}