Emotet, one of the most dangerous and infamous botnets in history, is back, despite the long and synchronized efforts of the international community and law enforcement agencies worldwide that resulted in its takedown in January 2021. Emotet, the banking Trojan turned modular botnet, is known for its massive reach of over 1.5 million infected computers worldwide, across thousands of compromised corporate networks. Emotet was used as a distribution platform to deliver other notorious malware families such as TrickBot, Qbot and Dridex, often resulting in network-wide ransomware attacks that crippled entire organizations. The damage it inflicted was estimated at around USD 2.5 billion before it was forcibly shut down.

On November 14th, Emotet officially rose from the dead, as live samples were observed for the first time since its takedown. Emotet’s resurrection came from a surprising source: TrickBot’s botnet was used to drop Emotet’s samples on machines infected with the TrickBot malware. The very next day, Emotet returned to its signature method of distribution, with massive spam campaigns delivering the Trojan via malicious document attachments. To rebuild their network, Emotet operators chose to drop their spam bot on successfully infected machines, a method that enabled them to distribute the malware to even more potential targets.


TrickBot’s service as a dropper was a natural choice for Emotet’s revival, thanks to their rich history of collaboration. In fact, this might suggest that at least some of its old malware partners are also involved in its resurrection. TrickBot itself was briefly taken down in 2020, and yet it persisted and was featured in the Top Malware families rankings of May, June and September 2021. During the last year, Check Point Research spotted over 140,000 TrickBot victims worldwide, involving over 200 campaigns and thousands of compromised networks. This huge installation base makes TrickBot the perfect platform to re-launch Emotet’s new botnet.


Emotet itself came back even stronger, with some new additions to its toolbox. The upgraded variant uses elliptic curve cryptography instead of RSA, has improved control-flow flattening techniques, and has added malicious Windows App installer packages that impersonate legitimate software to its initial delivery methods. In addition, researchers found that Emotet is now dropping Cobalt Strike beacons directly for the first time, instead of delivering intermediate malware families that would in turn drop Cobalt Strike beacons after some time. Cobalt Strike has been the cornerstone of targeted ransomware attacks in previous years, and this unfortunate development means that the time from initial Emotet infection to a full-blown ransomware attack just got even shorter, leaving defenders with far less time to respond to an ongoing attack.

Since Emotet’s return, Check Point Research has observed that the volume of its activity was at least 50% of the level we saw in January 2021, right before the takedown. This rising trend continued throughout December with several end-of-the-year campaigns, and is expected to continue well into 2022, at least until the next takedown attempt.

Towards the end of the year the world came to the realization that even an international task force could only slow Emotet down, and not eradicate it altogether.

At least some of its group members were able to elude justice and have taken their time to reorganize, regroup, and to use their old underground connections to launch a new and improved global malspam campaign.

TrickBot and Emotet are old partners in crime, so in many ways it was unsurprising that Emotet would leverage TrickBot’s service as a dropper for its own revival.

Alexandra Gofman
Team Leader, Check Point Research