Emotet

Also known as: emotet

Emotet is a malware strain and cybercrime operation, also known as Heodo and sometimes referred to as Mealybug. It is believed to be based in Ukraine. First detected in 2014 as a banking trojan, it later evolved into a modular loader and a malware-as-a-service/crimeware operation that sold or rented access to infected systems to other criminal groups. Emotet has delivered additional payloads including TrickBot and Ryuk-associated malware, and as of September 2019 it operated three botnets: Epoch 1, Epoch 2, and Epoch 3.

The operation spread primarily through malicious email campaigns: infected attachments, links, malicious Word documents, and macro-enabled Office files. Reported tradecraft includes malspam, thread hijacking using stolen emails, and lures such as invoices, shipping notices, and COVID-19-related messages. Emotet adopted HTML smuggling after traditional macro-based delivery became easier to detect at the perimeter. Later campaigns changed the delivery mechanism again: XLS attachments in 2022, oversized Word documents in March 2023 that used binary padding and hidden text to evade detection, and, in late 2023, abuse of a Windows App Installer-related technique via phishing attachments.

Other techniques and behaviors reported for Emotet include polymorphic code, fileless persistence via PowerShell, lateral movement within networks, and lateral movement via nearby Wi-Fi networks. Emotet is described as an initial access platform whose operators rented compromised machines to other cybercriminals, including ransomware operators. Targeting was global, with significant activity against organizations and government entities; over 16,000 Emotet-related alerts were recorded across U.S. federal networks between July and October 2020.

In January 2021, an international law-enforcement operation coordinated by Europol and Eurojust disrupted Emotet by taking control of its infrastructure and redirecting infected machines to law-enforcement-controlled systems. Participating countries included the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada, and Ukraine, and the action was reported as accompanied by arrests in Ukraine. Emotet later resurfaced; late-2021 samples used elliptic-curve cryptography for C2 communications.
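The March 2023 oversized-document delivery described above relied on binary padding to inflate Word files past the size limits of many scanners. The following triage heuristic is an added example written for this profile, not code from Mallory or from any Emotet report: it measures how much of a file is a single repeated byte and, for ZIP-based Office files, how many bytes were appended after the archive's End of Central Directory record. The thresholds and the sample document builder are constructed for illustration.

```python
import collections
import io
import zipfile

# Constructed thresholds for this example; tune to your environment.
SIZE_THRESHOLD = 50 * 1024 * 1024   # flag documents larger than 50 MiB
PADDING_RATIO_THRESHOLD = 0.90      # flag when one byte value dominates the file

def padding_ratio(data: bytes) -> float:
    """Fraction of the file occupied by its single most common byte value.
    A genuine Office file is compressed (OOXML) or structured (OLE), so a
    value near 1.0 means the file is mostly filler."""
    if not data:
        return 0.0
    top_count = collections.Counter(data).most_common(1)[0][1]
    return top_count / len(data)

def bytes_after_zip_end(data: bytes) -> int:
    """For ZIP-based Office files (docx/xlsx), count bytes appended after the
    End of Central Directory record. Returns -1 if no EOCD record is found."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        return -1
    comment_len = int.from_bytes(data[eocd + 20:eocd + 22], "little")
    return len(data) - (eocd + 22 + comment_len)

def assess_document(data: bytes) -> dict:
    """Apply both heuristics and return the findings for triage."""
    ratio = padding_ratio(data)
    trailing = bytes_after_zip_end(data)
    findings = {
        "size": len(data),
        "padding_ratio": round(ratio, 3),
        "bytes_after_zip_end": trailing,
        "oversized": len(data) > SIZE_THRESHOLD,
        "mostly_padding": ratio > PADDING_RATIO_THRESHOLD,
        "appended_data": trailing > 0,
    }
    findings["suspicious"] = findings["mostly_padding"] or findings["appended_data"]
    return findings

def build_sample(padding_len: int) -> bytes:
    """Constructed minimal OOXML-like ZIP with padding_len null bytes appended,
    mimicking the binary-padding technique (sample input, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document>sample</w:document>")
    return buf.getvalue() + b"\x00" * padding_len
```

Legacy .doc (OLE) files have no EOCD record, so for those only the padding ratio and size checks apply; a stored-size mismatch against the OLE sector map would be the equivalent structural check.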

MITRE ATT&CK tradecraft

26 distinct techniques observed across reporting, grouped by tactic. Coverage: 11 of 15 tactics, 41 technique entries (sub-techniques and techniques listed under more than one tactic are counted separately). ×N = number of intelligence reports citing this technique.

TA0043 Reconnaissance (1 technique)
  T1595 Active Scanning

TA0001 Initial Access (2 techniques)
  T1190 Exploit Public-Facing Application
  T1566 Phishing ×2
    T1566.001 Spearphishing Attachment ×2
    T1566.002 Spearphishing Link

TA0002 Execution (2 techniques)
  T1059 Command and Scripting Interpreter
    T1059.005 Visual Basic
  T1204 User Execution
    T1204.001 Malicious Link
    T1204.002 Malicious File

TA0003 Persistence (3 techniques)
  T1112 Modify Registry
  T1543 Create or Modify System Process
    T1543.003 Windows Service
  T1547 Boot or Logon Autostart Execution
    T1547.001 Registry Run Keys / Startup Folder

TA0004 Privilege Escalation (3 techniques)
  T1134 Access Token Manipulation
  T1543 Create or Modify System Process
    T1543.003 Windows Service
  T1547 Boot or Logon Autostart Execution
    T1547.001 Registry Run Keys / Startup Folder

TA0005 Stealth (6 techniques)
  T1027 Obfuscated Files or Information
    T1027.006 HTML Smuggling
  T1036 Masquerading
  T1134 Access Token Manipulation
  T1218 System Binary Proxy Execution
  T1480 Execution Guardrails
    T1480.002 Mutual Exclusion
  T1497 Virtualization/Sandbox Evasion
    T1497.001 System Checks

TA0112 Defense Impairment (1 technique)
  T1112 Modify Registry

TA0006 Credential Access (1 technique)
  T1649 Steal or Forge Authentication Certificates

TA0007 Discovery (3 techniques)
  T1057 Process Discovery
  T1082 System Information Discovery
  T1497 Virtualization/Sandbox Evasion
    T1497.001 System Checks

TA0008 Lateral Movement (1 technique)
  T1021 Remote Services
    T1021.001 Remote Desktop Protocol

TA0011 Command and Control (3 techniques)
  T1071 Application Layer Protocol
    T1071.001 Web Protocols
  T1105 Ingress Tool Transfer ×2
  T1573 Encrypted Channel