{
  "family": "emotet",
  "sample_count": 12943,
  "category": "loader",
  "description": "Emotet is a sophisticated modular banking trojan that first appeared in 2014 and evolved into one of the most prolific malware-as-a-service platforms in cybercrime, distributing other payloads including Trickbot, Qakbot, and Ryuk ransomware. It spreads primarily through phishing emails carrying malicious Office documents with macros, and once installed it harvests credentials, propagates across local networks, and downloads secondary payloads. CISA has called Emotet one of the most costly and destructive malware families affecting state, local, tribal, and territorial governments. International law enforcement disrupted its infrastructure in January 2021, though operations have since resumed. Defense requires email filtering, macro disablement, and network segmentation.",
  "cta": "If you suspect this malware on your system, do not attempt manual removal. Contact SystemHelpdesk expert MSP support at 855-783-7555 for professional incident response guidance.",
  "aliases": [
    "geodo",
    "heodo",
    "mealybug"
  ],
  "enrichment_level": "hand-curated",
  "faq": [
    {
      "@type": "Question",
      "name": "What is Emotet?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Emotet is a sophisticated modular banking trojan that first appeared in 2014 and evolved into one of the most prolific malware-as-a-service platforms in cybercrime, distributing other payloads including Trickbot, Qakbot, and Ryuk ransomware. It spreads primarily through phishing emails carrying malicious Office documents with macros, and once installed it harvests credentials, propagates across local networks, and downloads secondary payloads. CISA has called Emotet one of the most costly and destructive malware families affecting state, local, tribal, and territorial governments. International law enforcement disrupted its infrastructure in January 2021, though operations have since resumed. Defense requires email filtering, macro disablement, and network segmentation."
      }
    },
    {
      "@type": "Question",
      "name": "How does Emotet spread?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Emotet spreads primarily through phishing emails with malicious Word, Excel, or OneNote attachments, hijacked email threads, and password-protected ZIP archives."
      }
    },
    {
      "@type": "Question",
      "name": "What are the signs of an Emotet infection?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Outbound SMTP from unexpected processes, scheduled tasks with random alphanumeric names, secondary infections (Trickbot, Qakbot, Ryuk) appearing within hours, and antivirus detections for Emotet, Geodo, or Heodo indicate compromise."
      }
    },
    {
      "@type": "Question",
      "name": "What should I do if I think I have Emotet on my system?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "If you suspect this malware on your system, do not attempt manual removal. Contact SystemHelpdesk expert MSP support at 855-783-7555 for professional incident response guidance."
      }
    }
  ],
  "faq_count": 4,
  "mitre_attack": [
    "T1566.001",
    "T1059.001",
    "T1071.001",
    "T1547.001",
    "T1055"
  ],
  "cisa_advisory": "https://www.cisa.gov/news-events/alerts/2020/10/06/emotet-malware",
  "last_updated": "2026-05-27"
}