top of page

Emotet continues to adapt techniques to evade detection

According to new research by VMware, threat actors behind the notorious Emotet malware strain have continued to shift and evolve their tactics and command-and-control (C2) infrastructure to evade detection.

Emotet’s infrastructure was taken down as part of a coordinated law enforcement operation in January 2021, however, the malware’s resurrection in November 2021 gained significant traction across the cyber threat landscape, paving the way for Cobalt Strike infections and, more recently, ransomware attacks involving Quantum and BlackCat.

The research suggests that Emotet is continuously changing to make it more difficult for defenders to adapt and block the malware.

The Emotet threat actors typically distribute phishing emails and specially crafted messages to convince victims to click on malicious links or open malicious documents using a range of differing filetypes.

In January 2022 alone, VMware observed three different sets of attacks in which the Emotet payload was delivered via an Excel 4.0 (XL4) macro, an XL4 macro with PowerShell, and a Visual Basic Application (VBA) macro with PowerShell.

Since then, the NMC have reported on a range of techniques that avoid the use of macros since Microsoft blocked them by default.

Several of the attack chains identified were also observed abusing legitimate executables, also known as living-off-the-land binaries, a popular technique used to prevent detection.

The threat actors also use significant anti-analysis countermeasures to attempt to hide the details of their C2 infrastructure.

The ongoing adaptation of Emotet's attack chain is a major contribution to the reason the malware has been successful for so long.

As Emotet is primarily leveraged through phishing emails, user awareness of this prevalent threat is essential to help mitigate risk of exploitation and therefore prevent a ransomware intrusion.

Organisations are encouraged to provide guidance through internal channels; further guidance on phishing can be found here.



Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).



The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page