Botnet that knows your name and quotes your email is back with new tricks

IT’S BA-ACK! —

Quoting Herman Melville is only one of Emotet’s latest innovations.


Botnet that knows your name and quotes your email is back with new tricks

Getty Images

Widely regarded as one of the Internet’s top threats, the Emotet botnet has returned after a months-long hiatus—and it has some new tricks.

Last week, Emotet appeared for the first time this year after a four-month hiatus. It returned with its trademark activity—a wave of malicious spam messages that appear to come from a known contact, address the recipient by name, and seem to be replying to an existing email thread. When Emotet has returned from previous breaks, it has brought new techniques designed to evade endpoint security products and to trick users into clicking on links or enabling dangerous macros in attached Microsoft Office documents. Last week’s resumption of activity was no different.

A malicious email sent last Tuesday, for instance, attached a Word document that had a massive amount of extraneous data added to the end. As a result, the file was more than 500MB in size, big enough to prevent some security products from being able to scan the contents. This technique, known as binary padding or file pumping, works by adding zeros to the end of the document. In the event someone is tricked into enabling the macro, the malicious Windows DLL file that’s delivered is also pumped, causing it to mushroom from 616kB to 548.1MB, researchers from security firm Trend Micro said on Monday.

Another evasion trick spotted in the attached document: excerpts from the Herman Melville classic novel Moby Dick, which appear in a white font over a white page so the text isn’t readable. Some security products automatically flag Microsoft Office files containing just a macro and an image. The invisible text is designed to evade such software while not arousing the suspicion of the target.

Deep Instinct

When opened, the Word documents present a graphic that says the content can’t be accessed unless the user clicks the “enable content” button. Last year, Microsoft began disabling macros downloaded from the Internet by default.

The graphic that appears immediately after opening a malicious Word document. It says the content can't be accessed unless the

Enlarge / The graphic that appears immediately after opening a malicious Word document. It says the content can’t be accessed unless the “enable content” button is clicked.

Trend Micro

Clicking the “enable content” button undoes that default and allows the macro to run. The macro causes Office to download a .zip file from a legitimate website that has been hacked. Office will then unzip the archive file and execute the inflated Emotet DLL that infects the device.

Once it has infected a victim’s device, the malware pilfers passwords and other sensitive data and uses the device to send malicious spam to other users. The malware can also download additional malware such as the Ryuk ransomware or the TrickBot malware. The infection chain looks like this:

Trend Micro

The attention to detail seen in this latest revival is signature Emotet behavior. For years, the botnet has painstakingly copied received email conversations from infected machines and embedded them into malicious spam sent to other parties in the thread. By following up on an email from someone the target has communicated with in the past, the malicious spam message stands a better chance of going undetected. Emotet can also gain access to Wi-Fi networks and infect connected devices.

With the return of Emotet, people should be on the lookout for malicious emails, even if they appear to come from trusted sources, call the target by name, and include previously sent and received emails. There is rarely a good reason for enabling macros in documents sent by email. People should refuse to allow them to run without first communicating with the sender by phone, instant message, or another non-email medium.

Countries hit the hardest in the latest Emotet run are European, Asian Pacific, and Latin American.

Read More
Dan Goodin

Latest

3 Reasons to Apply for Inc.’s Power Partner Awards

Please enable JS and disable any ad blocker

World Cup betting markets shift after Jordan Henderson’s bizarre celebration injury

Jordan Henderson, the 36-year-old England midfielder, will miss the remainder of the 2026 FIFA World Cup after suffering a serious wrist and forearm injury during post-match celebrations on July 6. He wasn’t even playing when it happened. Henderson was an unused substitute in England’s dramatic 3-2 victory over Mexico in the round of 16. The

Kraken’s World Cup debut and Brazil’s collapse: what crypto gets from the beautiful game

Brazil came into the 2026 World Cup as one of the tournament favorites. They left in the Round of 16, beaten 2-1 by Norway, undone in part by a tactical decision that raised eyebrows across the footballing world: deploying 34-year-old Casemiro as a central striker, a position he hadn’t occupied in years. Haaland scored both

FIFA overturns Balogun’s red card, Trump intervenes for US World Cup match

https://www.nytimes.com/athletic/7424790/2026/07/06/folarin-balogun-red-belgium-explanation/ FIFA’s Disciplinary Committee has overturned the red card suspension of Folarin Balogun, a key player for the U.S. Men’s National Team, allowing him to participate in the upcoming Round of 16 match against Belgium. This decision, made under Article 27 of the FIFA Disciplinary Code, places Balogun on a one-year probationary period, enabling him

Newsletter

Don't miss

3 Reasons to Apply for Inc.’s Power Partner Awards

Please enable JS and disable any ad blocker

World Cup betting markets shift after Jordan Henderson’s bizarre celebration injury

Jordan Henderson, the 36-year-old England midfielder, will miss the remainder of the 2026 FIFA World Cup after suffering a serious wrist and forearm injury during post-match celebrations on July 6. He wasn’t even playing when it happened. Henderson was an unused substitute in England’s dramatic 3-2 victory over Mexico in the round of 16. The

Kraken’s World Cup debut and Brazil’s collapse: what crypto gets from the beautiful game

Brazil came into the 2026 World Cup as one of the tournament favorites. They left in the Round of 16, beaten 2-1 by Norway, undone in part by a tactical decision that raised eyebrows across the footballing world: deploying 34-year-old Casemiro as a central striker, a position he hadn’t occupied in years. Haaland scored both

FIFA overturns Balogun’s red card, Trump intervenes for US World Cup match

https://www.nytimes.com/athletic/7424790/2026/07/06/folarin-balogun-red-belgium-explanation/ FIFA’s Disciplinary Committee has overturned the red card suspension of Folarin Balogun, a key player for the U.S. Men’s National Team, allowing him to participate in the upcoming Round of 16 match against Belgium. This decision, made under Article 27 of the FIFA Disciplinary Code, places Balogun on a one-year probationary period, enabling him

UK Foreign Secretary Warns World Cannot Wait for ‘AI Hiroshima’ Before Acting

UK Foreign Secretary Yvette Cooper has warned that the world cannot wait for an AI equivalent of Hiroshima before acting, urging global powers to build consensus on artificial intelligence (AI) safety principles and standards. Cooper made the case in an essay, positioning Britain to lead international talks on the technology. ...

Business seminar in Munich highlights Hong Kong’s strategic roles amidst global shifts (with photos)

Business seminar in Munich highlights Hong Kong's strategic roles amidst global shifts (with photos) ******************************************************************************************      The Hong Kong Economic and Trade Office, Berlin (HKETO Berlin), promoted Hong Kong's unique advantages and strategic roles at the seminar "Hong Kong's strategic role amidst geopolitical tensions" on June 18 (Munich time) in Munich, Germany.             Senior executives, investors

AI for business services: From job fears to productivity

AI for business services: From job fears to productivity

Business Insurance-AZ Achieves Record Response Times for 2026 Arizona Construction Bids

Business Insurance-AZ achieves milestone response speeds for commercial construction bids across Arizona, accelerating documentation delivery to keep local projects moving forward without delay. Phoenix, AZ, June 06-2026, ZEX PR WIRE — Business Insurance-AZ has achieved record-breaking processing speeds and response times for commercial construction bids throughout Arizona, directly supporting the state’s massive infrastructure and advanced manufacturing boom