Close this search box.

It’s official: The dreaded Emotet malware is back


One of the world’s most feared malware operations is back in full force, less than a year after being shut down in a global law enforcement bust. 

Emotet was considered the “most dangerous piece of malware” before the January takedown saw its infrastructure seized, two of its operators arrested, and an uninstall update pushed out to infected devices, cleaning up more than one million computers. 

It earned this notorious title by offering a highly valuable service to other malware operators, most notably the Conti ransomware and Trickbot banking trojan: we’ll gain initial access into a sought-after victim network, and leave the door open for you to waltz in and launch your attack. 

“Emotet’s strategic, operational, and tactical agility was executed through a modular system enabling them to tailor payload functionality and specialisation for the needs of specific customers,” security firm AdvIntel says. 

But the law enforcement takedown left a significant void in the market, and Emotet’s partners without a high-quality method of gaining access to their desired victims. 

This prompted the group’s loyal customers – specifically the Conti ransomware gang – to push for an Emotet return to operations. 

“This partnership enables the Conti syndicate to answer the unfulfilled demand for initial accesses on an industrial scale, while competitor groups such as LockBit or Hive will need to rely on individual low-quality access brokers. As a result, Conti can further advance their goal of becoming a ransomware monopolist,” AdvIntel said. 

Researchers first spotted new Emotet activity on November 14, indicating the fearsome Emotet-Trickbot-Conti triad was making a triumphant return. 

Emotet appeared to be back up to its old tricks, sending out spam emails with malicious attachments that, when opened, downloaded malware that infected the victim’s device.  

The spam emails are currently presented as replies to previous legitimate emails, aiming to lure the recipient into opening the Word, Excel, or password-protected ZIP file. The pretense can be anything from a missing wallet, a sale event, or a cancelled meeting, among many other scenarios.



The malicious attachment restricts the recipient from previewing the file, urging them instead to ‘enable editing [or] content’. 

Once these buttons are clicked, the Emotet malware silently downloads to the device, biding its time until it starts looking for email to steal, other devices to spread to, or – most famously – prepares to drop other malware like Conti or Trickbot. 

A concerning new development has seen Emotet drop Cobalt Strike: a highly effective penetration testing tool that has been commandeered by hackers to essentially do their job for them.  

Among other things, Cobalt Strike makes gaining access to critical parts of the network much easier for criminals. It is commonly used in ransomware attacks. 

“Emotet itself gathers a limited amount of information about an infected machine, but Cobalt Strike can be used to evaluate a broader network or domain, potentially looking for suitable victims for further infection such as ransomware,” security firm Cofense said. 

“This is a big deal. Typically Emotet dropped TrickBot or QakBot, which in turn dropped Cobalt Strike. You’d usually have about a month between first infection and ransomware. With Emotet dropping CS directly, there’s likely to be a much much shorter delay,” security researcher Marcus Hutchins tweeted

Researchers believe Emotet’s unmatched capabilities and the market demand will see the group quickly return to a dominant position, causing “the largest threat ecosystem shift” this year. 

They expect it will in turn boost the Conti syndicate into becoming one of the most dangerous ransomware threats around. 

An Emotet infection is now “no longer just an irritation or commodity malware noise”, according to a group of security researchers dedicated solely to fighting Emotet

“This should be very high on your threat model now,” the Cryptolaemus group tweeted

“You need to pay attention to this and you need to prepare. 

Stay vigilant!”

Ahmed Khanji

Ahmed Khanji

Ahmed Khanji is the CEO of Gridware, a leading cybersecurity consultancy based in Sydney, Australia. An emerging thought leader in cybersecurity, Ahmed is an Adjunct Professor at Western Sydney University and regularly contributes to cybersecurity conversations in Australia. As well as his extensive background as a security advisor to large Australian Enterprises, he is a regular keynote speaker and guest lecturer on offensive cybersecurity topics and blockchain.


Sydney Offices
Level 12, Suite 6
189 Kent Street
Sydney NSW 2000
1300 211 235

Melbourne Offices
Level 13, 114 William Street
Melbourne, VIC 3000
1300 211 235

Perth Offices
Level 32, 152 St Georges Terrace
Perth WA 6000
1300 211 235


Learn more about the team at the forefront of the Australian Cyber Security scene.

About Us →

Meet the Team →

Partnerships →

Learn more about the team at the forefront of the Australian Cyber Security scene.

Career Opportunities →

Internships →

Media appearances and contributions by Gridware and our staff.

See More →



Whether you need us to take care of security for you, respond to incidents, or provide consulting advice, we help you stay protected.

View all services →

Web App Pen. Test Calculator →

Network Pen. Test Calculator →

Governance & Audit

Legal and regulatory protection

Penetration Testing

Uncover system vulnerabilities

Remote Working & Phishing

Fortify your defenses

Cyber Security Strategy

Adaptation to evolving threats

Cloud & Infrastructure

Secure cloud computing solutions

Gridware 360

End-to-end security suite

Gridware Managed Services

Comprehensive & proactive security

Gridware CloudControl

Harness the benefits of cloud technology

Gridware Incident Response 24/7

Swift, expert-led incident resolution



A collection of our published insights, whitepapers, customer success stories and more.

Customer success stories from real Gridware customers. Find out how we have helped others stay on top of their Cyber Security.

Read More →