Emotet is a modular malware family that, per MITRE ATT&CK, is primarily used as a downloader for other malware such as TrickBot and IcedID. It first emerged in June 2014, initially targeting the financial sector, and later expanded to many other industries. Although it began as a banking trojan, it became best known as a 'loader' that establishes a foothold and then pulls in additional payloads. Its operators were known for hijacking real email threads to make malicious messages look trustworthy. An international law-enforcement action disrupted its infrastructure in early 2021, though activity has been observed at times since.
Threat reports may refer to this family under multiple names:
Observed techniques used by this family, mapped to the MITRE ATT&CK framework:
Public indicators drawn from CISA advisories and vendor reporting. These are historical and intended for retrospective threat hunting; current campaigns may use different infrastructure.
Macro-enabled Office documentsOneNote attachmentsPassword-protected ZIPs in phishing reply-chain emailsHTTP POST to C2 with cookie-style payloadTier-1 C2 over ports 80/443/8080Registry Run keysScheduled tasksService installation under randomized nameDetection ideas drawn from public reporting. Tune to your environment before deploying.
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_EMOTET {
meta:
description = "Detects Emotet (loader)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "emotet" ascii wide nocase
$s2 = "emotet" ascii wide nocase
$s3 = "geodo" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Emotet Activity
id: 5333f9a7036ae7d10e81cb5fc558a20d
status: experimental
description: Detects generic indicators of the emotet malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*emotet*"
- "*emotet*"
- "*geodo*"
condition: selection
level: mediumOrdered checklist for responders. Adapt to your environment and engage professional support for active incidents.
Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.
CISA has published an advisory on this family: https://www.cisa.gov/news-events/alerts/2020/10/06/emotet-malware
It started in 2014 as a banking trojan but is best described today as a modular loader/downloader: once it infects a system it downloads and installs other malware. MITRE ATT&CK classifies it primarily as a downloader.
MITRE documents Emotet as a downloader for families such as TrickBot and IcedID, which in turn have been linked to ransomware operations.
June 2014, initially focused on the financial sector before expanding to multiple industries.
Mainly through phishing emails carrying malicious attachments or links, often by replying within genuine, previously-stolen email threads so the message looks legitimate.
Because the malicious email appears as a reply in a real conversation you recognize, it bypasses the usual 'unknown sender' suspicion.
Yes. A coordinated international law-enforcement operation disrupted Emotet's infrastructure in January 2021. Activity has been reported at various points afterward, so treat it as a continuing risk and follow current advisories.
Be cautious with email attachments even from known contacts, disable Office macros from untrusted sources, keep systems patched, and use reputable endpoint protection. If a work device may be affected, contact your IT/security team rather than acting alone.
MITRE ATT&CK's Emotet entry (S0367) documents its observed techniques and links to vendor reporting; it is linked from this page.
Explore other malware families in the same category:
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/emotet.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.