Emotet
What is Emotet?
A modular banking trojan turned malware-as-a-service loader that delivered ransomware affiliates and was taken down by international law enforcement in January 2021.
Emotet first appeared in 2014 as a banking trojan targeting European customers and evolved into one of the most prolific malware loaders in the criminal ecosystem. Operated by the threat cluster known as TA542 / Mealybug, it spread mainly through malicious Word and Excel attachments in thread-hijacked email replies, then deployed second-stage payloads including TrickBot, QakBot, IcedID and ransomware such as Ryuk, Conti and BlackCat. In January 2021, Europol coordinated Operation Ladybird, seizing Emotet's command-and-control infrastructure across multiple countries. The botnet was rebuilt later in 2021 and again in 2022, with new tactics like OneNote and LNK lures, before subsiding in 2023.
● Examples
1. An accountant opens a thread-hijacked Excel attachment and Emotet drops QakBot, leading to a Conti ransomware deployment two days later.
2. An ISP uses Have I Been Emotet to notify customers whose addresses were sent from Emotet-infected machines.
● Frequently asked questions
What is Emotet?
A modular banking trojan turned malware-as-a-service loader that delivered ransomware affiliates and was taken down by international law enforcement in January 2021. It belongs to the Malware category of cybersecurity.
What does Emotet mean?
A modular banking trojan turned malware-as-a-service loader that delivered ransomware affiliates and was taken down by international law enforcement in January 2021.
How does Emotet work?
Emotet first appeared in 2014 as a banking trojan targeting European customers and evolved into one of the most prolific malware loaders in the criminal ecosystem. Operated by the threat cluster known as TA542 / Mealybug, it spread mainly through malicious Word and Excel attachments in thread-hijacked email replies, then deployed second-stage payloads including TrickBot, QakBot, IcedID and ransomware such as Ryuk, Conti and BlackCat. In January 2021, Europol coordinated Operation Ladybird, seizing Emotet's command-and-control infrastructure across multiple countries. The botnet was rebuilt later in 2021 and again in 2022, with new tactics like OneNote and LNK lures, before subsiding in 2023.
How do you defend against Emotet?
Defences against Emotet typically combine technical controls with operational practices; see the full definition above.
What are other names for Emotet?
Common alternative names include: TA542, Mealybug, Geodo, Heodo.
● Related terms
- Banking Trojan (malware, № 084): Malware designed to steal online-banking credentials and authorize fraudulent transactions, typically through web injects, form grabbing, or overlays.
- Loader (malware, № 621): Malware that prepares the environment and loads further payloads, often directly into memory, for a subsequent stage of an attack.
- Botnet (malware, № 119): A network of internet-connected devices infected with malware and remotely controlled by an attacker to perform coordinated activities.
- Ransomware (malware, № 900): Malware that encrypts a victim's data or locks systems and demands payment in exchange for restoring access.
- Phishing (attacks, № 821): A social-engineering attack in which an attacker impersonates a trusted party to trick a victim into revealing credentials, transferring money, or running malware.
● See also
- TrickBot (№ 1171)
- Ryuk Ransomware (№ 954)