Emotet

Overview

Emotet is one of the most dangerous and persistent malware families in history. Originally a banking trojan, it evolved into a malware distribution platform that delivers other threats including ransomware. Despite multiple takedowns, Emotet has repeatedly resurfaced.

Also Known As

Heodo, Geodo

How It Spreads

• • Phishing emails with malicious Office attachments
• • Email thread hijacking (replies to real conversations)
• • Malicious links in emails
• • Infected Office documents with macros
• • Compromised email accounts spreading to contacts

What It Does

• • Installs additional malware (ransomware, banking trojans)
• • Steals email credentials and address books
• • Sends spam from infected machines
• • Creates persistence for other threats
• • Moves laterally through networks
• • Harvests network and system information

Target Platforms

Windows 7, Windows 10, Windows 11

Detection Tips

• • Block Office macros from internet-downloaded documents
• • Monitor for suspicious PowerShell and WScript execution
• • Alert on SMTP traffic from non-email servers
• • Watch for processes creating scheduled tasks
• • Detect unusual DLL loading patterns

MITRE ATT&CK Techniques

T1566, T1059, T1204, T1105, T1021