Emotet

Also known as: Geodo, Heodo

Emotet historically was banking malware organized as a botnet; nowadays it is mostly seen as infrastructure-as-a-service for content delivery. For example, since mid-2018 it has been used by Trickbot for installs, which may also lead to ransomware attacks using Ryuk, a combination observed several times against high-profile targets.

It still steals information from victims, but the criminal gang behind it opened up another business channel by selling its infrastructure to deliver additional malicious software. Malware analysts have classified it into epochs based on its command-and-control, payloads, and delivery solutions, which change over time.

Emotet was taken down by authorities in January 2021, though it appears to have sprung back to life in November 2021.

Linked Threat Actors

GOLD CABIN
MUMMY SPIDER
Mealybug

C2 Infrastructure

ISP/Residential: 85%
Hosting/VPS: 15%

Last 7 days (Jun 10, 2026)
C2 Hosts: 26

Further Reading

Kaspersky crimeware report: Emotet, DarkGate and LokiBot
In this report, we share our recent crimeware findings: the new DarkGate loader, new LokiBot campaign and new Emotet version delivered via OneNote.
securelist.com

Financial Cyberthreats in 2020
This research is a continuation of our annual financial threat reports providing an overview of the latest trends and key events across the financial threat landscape. The study covers the common p...
securelist.com

Using AI to Detect Malicious C2 Traffic
Based on command and control (C2) traffic from malware, such as Sality and Emotet, this blog analyzes how deep learning models are further able to identify modified and incomplete C2 traffic packets.
unit42.paloaltonetworks.com

Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure | CISA
cisa.gov

A Deep Dive into Packing Software CryptOne
A packing software called CryptOne became popular recently among some major threat actors. It was first reported by Fox-IT.
deepinstinct.com

Malware vaccines can prevent pandemics, yet are rarely used
The fact that despite their effectiveness, digital vaccines are not commonly used to fight malware might seem surprising. This article explains why that is.
gdatasoftware.com

Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself | Microsoft Security Blog
Microsoft coined the term “human-operated ransomware” to clearly define a class of attack driven by expert human intelligence at every step of the attack chain and culminate in intentional business...
microsoft.com

[CB19] Cyber Threat Landscape in Japan – Revealing Threat in the Shadow by Chi En Shen (Ashley) and Oleg Bondarenko
The document discusses the cyber threat landscape in Japan, highlighting significant malware such as Emotet and Lokibot, which target financial institutions and gather sensitive data. It outlines r...
slideshare.net

The malware that usually installs ransomware and you need to remove right away
If you see any of these malware strains on your enterprise networks, stop everything you're doing and audit all systems.
zdnet.com