Close this search box.

“World’s most dangerous” malware Emotet back after year of hiding


Dubbed the “world’s most dangerous malware”, the Emotet botnet has apparently been reborn.

Emotet is one of the most prolific and disruptive botnet malware-delivery systems known.

It now appears to be making a comeback after nearly a year of inactivity.

A team of researchers from Cryptolaemus, G DATA and AdvIntel recently observed the trojan launching a new “loader” for the notorious malware.

It appears that Emotet is now being distributed via Trickbot.

Emotet was largely dismantled earlier this year by an international law-enforcement effort. This has been part of a wave of international activity that we have covered extensively. The international effort has seen arrests in the ransomware space and seemingly disrupted cyber threat actors’ collective actions.

But after a circumspect analysis, researchers are now confident that “the samples (analysed) indeed seem to be a re-incarnation of the infamous Emotet”.

The history of the Emotet trojan

Emotet started life as a banking trojan in 2014 and has continually evolved to become a full-service threat-delivery mechanism.

It can install a collection of malware on victims’ machines, including information stealers, email harvesters, self-propagation mechanisms and ransomware.

Ransomware is currently the cyber threat most worrying international law enforcement.

Emotet was last seen in volume hitting 100,000 target mailboxes a day to deliver TrickBot, Qakbot and Zloader in December 2020 ahead of the Christmas holidays.

Emotet appeared to be put out of commission by an international law-enforcement collaborative takedown of a network of hundreds of botnet servers supporting the system in January 2021.

The effort eliminated active infections on more than 1 million endpoints worldwide.

Now it appears to have resurfaced using familiar partner-in-crime TrickBot, with the two having a history of working together. 

In the past, Emotet used its vast network to deliver TrickBot as a payload in targeted email phishing campaigns, though TrickBot also in the past has delivered Emotet samples, which appears to be the case once more.

Why Emotet’s re-emergence may mean a phishing onslaught lies ahead

The recent news has security professionals concerned the world over.

While unsurprised by Emotet’s resurfacing, there seems to be a consensus that the disruption it can wreak is significant.

“Emotet was once the ‘world’s most dangerous malware,’” noted James Shank, senior security evangelist and chief architect of community service at security firm Team Cymru.

But as the botnet will need some time to gain “full strength”, organisations still have some breathing room to shore up defenses.

How organisations can prepare for “the world’s most dangerous” malware

Organisations can already get ahead of the threat by focusing on training their workforces about the dangers of email threats as well as shoring up network monitoring.

We’ve previously written useful guides that we’d recommend sharing with staff, colleagues and networks, including our guide Trojans, Malware and Phishing Scams – How To Protect Yourself.

What we wrote then (before Emotet disappeared) seems to have eery tones:

Emotet is persistent. It injects its code into running services and alters registry entries ensuring that it cannot be removed, even by antivirus software.

It can also spread throughout an entire corporate network by brute-forcing credentials, and Trickbot can spread further by taking advantage of the EternalBlue vulnerability that is present on Windows machines.

Once Emotet and Trickbot have taken over a corporate network, this serves as the initial attack vector for the Ryuk ransomware to take over every connected machine and hold data for ransom. These kinds of attacks are sophisticated campaigns that utilise several kinds of malware, potentially costing an organisation millions of dollars.

It seems these words are relevant again!

Ahmed Khanji

Ahmed Khanji

Ahmed Khanji is the CEO of Gridware, a leading cybersecurity consultancy based in Sydney, Australia. An emerging thought leader in cybersecurity, Ahmed is an Adjunct Professor at Western Sydney University and regularly contributes to cybersecurity conversations in Australia. As well as his extensive background as a security advisor to large Australian Enterprises, he is a regular keynote speaker and guest lecturer on offensive cybersecurity topics and blockchain.


Sydney Offices
Level 12, Suite 6
189 Kent Street
Sydney NSW 2000
1300 211 235

Melbourne Offices
Level 13, 114 William Street
Melbourne, VIC 3000
1300 211 235

Perth Offices
Level 32, 152 St Georges Terrace
Perth WA 6000
1300 211 235


Learn more about the team at the forefront of the Australian Cyber Security scene.

About Us →

Meet the Team →

Partnerships →

Learn more about the team at the forefront of the Australian Cyber Security scene.

Career Opportunities →

Internships →

Media appearances and contributions by Gridware and our staff.

See More →



Whether you need us to take care of security for you, respond to incidents, or provide consulting advice, we help you stay protected.

View all services →

Web App Pen. Test Calculator →

Network Pen. Test Calculator →

Governance & Audit

Legal and regulatory protection

Penetration Testing

Uncover system vulnerabilities

Remote Working & Phishing

Fortify your defenses

Cyber Security Strategy

Adaptation to evolving threats

Cloud & Infrastructure

Secure cloud computing solutions

Gridware 360

End-to-end security suite

Gridware Managed Services

Comprehensive & proactive security

Gridware CloudControl

Harness the benefits of cloud technology

Gridware Incident Response 24/7

Swift, expert-led incident resolution



A collection of our published insights, whitepapers, customer success stories and more.

Customer success stories from real Gridware customers. Find out how we have helped others stay on top of their Cyber Security.

Read More →