Emotet

Category: loader · Aliases: Emotet, Geodo · Sample count (EMBER 2018): 12,943 · Enrichment: curated_sourced · Updated: 2026-06-09
First seen: 2014Status: active resurged

Overview

Emotet is a modular malware family that, per MITRE ATT&CK, is primarily used as a downloader for other malware such as TrickBot and IcedID. It first emerged in June 2014, initially targeting the financial sector, and later expanded to many other industries. Although it began as a banking trojan, it became best known as a 'loader' that establishes a foothold and then pulls in additional payloads. Its operators were known for hijacking real email threads to make malicious messages look trustworthy. An international law-enforcement action disrupted its infrastructure in early 2021, though activity has been observed at times since.

Known aliases

Threat reports may refer to this family under multiple names:

MITRE ATT&CK Techniques

Observed techniques used by this family, mapped to the MITRE ATT&CK framework:

TechniqueNameTactic
T1566.001Spearphishing Attachment
T1059.005Visual Basic
T1547.001Registry Run Keys / Startup Folder
T1071.001Web Protocols

Indicators of Compromise

Public indicators drawn from CISA advisories and vendor reporting. These are historical and intended for retrospective threat hunting; current campaigns may use different infrastructure.

Delivery vectors

Network indicators

Persistence mechanisms

Detection Guidance

Detection ideas drawn from public reporting. Tune to your environment before deploying.

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_EMOTET {
    meta:
        description = "Detects Emotet (loader)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "emotet" ascii wide nocase
        $s2 = "emotet" ascii wide nocase
        $s3 = "geodo" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Emotet Activity
id: 5333f9a7036ae7d10e81cb5fc558a20d
status: experimental
description: Detects generic indicators of the emotet malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*emotet*"
            - "*emotet*"
            - "*geodo*"
    condition: selection
level: medium

Containment & Response Steps

Ordered checklist for responders. Adapt to your environment and engage professional support for active incidents.

  1. Isolate affected host from network
  2. Block known C2 IPs at perimeter
  3. Reset credentials cached on the host
  4. Hunt for lateral movement via SMB and WMI
  5. Audit for follow-on payloads (TrickBot, Qbot, Cobalt Strike)

What to Avoid

Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.

  1. Do not simply delete the dropper without checking for secondary payloads
  2. Do not re-enable macros until policy hardening is verified
  3. Do not assume single-host containment; Emotet spreads laterally

References & External Analysis

Authoritative Advisory

CISA has published an advisory on this family: https://www.cisa.gov/news-events/alerts/2020/10/06/emotet-malware

Frequently Asked Questions

Is Emotet a virus, a banking trojan, or a loader?

It started in 2014 as a banking trojan but is best described today as a modular loader/downloader: once it infects a system it downloads and installs other malware. MITRE ATT&CK classifies it primarily as a downloader.

What other malware does Emotet install?

MITRE documents Emotet as a downloader for families such as TrickBot and IcedID, which in turn have been linked to ransomware operations.

When did Emotet first appear?

June 2014, initially focused on the financial sector before expanding to multiple industries.

How does Emotet usually reach a computer?

Mainly through phishing emails carrying malicious attachments or links, often by replying within genuine, previously-stolen email threads so the message looks legitimate.

Why is thread-hijacking dangerous?

Because the malicious email appears as a reply in a real conversation you recognize, it bypasses the usual 'unknown sender' suspicion.

Was Emotet ever taken down?

Yes. A coordinated international law-enforcement operation disrupted Emotet's infrastructure in January 2021. Activity has been reported at various points afterward, so treat it as a continuing risk and follow current advisories.

How can I reduce the risk from Emotet-style threats?

Be cautious with email attachments even from known contacts, disable Office macros from untrusted sources, keep systems patched, and use reputable endpoint protection. If a work device may be affected, contact your IT/security team rather than acting alone.

Where can I read the authoritative technical details?

MITRE ATT&CK's Emotet entry (S0367) documents its observed techniques and links to vendor reporting; it is linked from this page.

Related Families (Category: loader)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/emotet.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.