What We Do
How We Do
Get Started
Security advisories

Emotet Activity Identified 

November 18, 2021 | 2 MINS READ

Speak With A Security Expert Now



As of November 15th, 2021, multiple sources [1] [2] have observed activity associated with the Emotet malware. This activity includes malware delivery through email and existing infections.

Successful Emotet payload execution has not been observed across customers at this time. The Threat Intelligence team assesses with medium confidence current campaigns are focused on re-establishing botnet infrastructure following law enforcement's action to take down the botnet in January 2021[3]. Email delivery techniques and payload execution remain consistent or similar to past Emotet infections. The eSentire Threat Intelligence team assesses, with medium confidence, Emotet’s email campaigns will continue.

What we’re doing about it

What you should do about it

Employ email filtering and protection measures

Protect endpoints against malware

Additional information

Emotet is an information stealer malware that is also used for initial access by multiple threats such as Qakbot and Trickbot. Emotet has been previously observed leading to Ryuk, Conti, ProLock, and Egregor ransomware threats.

As of this writing, follow-on malware has not been observed in these latest campaigns. Emotet activity halted in early 2021, after law-enforcement acted against the Emotet threat and seized malicious infrastructure. Recent activity is believed to be focused on re-establishing botnet hosts.

Overview of November 15th to 17th 2021 Emotet Activity


Emotet Email Content

Malicious Office Documents

Figure 1: Malicious Word Document

Figure 2: Malicious Excel Document

A detailed breakdown of current infection scheme can be found here: https://isc.sans.edu/forums/diary/Emotet+Returns/28044/


[1] https://isc.sans.edu/forums/diary/Emotet+Returns/28044/
[2] https://twitter.com/Cryptolaemus1/status/1460302706954981385
[3] https://www.europol.europa.eu/newsroom/news/world%E2%80%99s-most-dangerous-malware-emotet-disrupted-through-global-action

View Most Recent Advisories