The Emotet botnet, notorious for its insidious operations, resurged in November 2021 after a significant period of inactivity, accumulating over 100,000 compromised hosts. The botnet’s activities have demonstrated a steady increase, indicating a troubling return to form for this malware.

According to researchers at Lumen's Black Lotus Labs, Emotet has not yet regained the scale it once commanded, but it currently operates roughly 130,000 unique bots spread across 179 countries. This resurgence underscores the botnet's ability to rebuild after law enforcement action that had previously dealt significant blows to its operations.

Before the globally coordinated takedown in January 2021, known as "Ladybird", Emotet had already compromised at least 1.6 million devices worldwide. Its primary role is that of a loader for other cybercriminals: once a system is infected, it is used to install additional malware, including banking trojans and ransomware.

Emotet's comeback relied on TrickBot as its delivery mechanism, even though TrickBot's own infrastructure was being wound down amid significant changes in the gang behind it, whose members have reportedly folded into the Conti ransomware operation. The pivot back to Emotet by these actors appears to be a strategic response to increasing regulatory pressure on TrickBot's operations.

Black Lotus Labs further reported that the botnet's growth began in earnest in January 2022. Notably, the updated Emotet builds use elliptic curve cryptography (ECC) instead of RSA to encrypt their network communications, a change that signals evolving tradecraft intended to harden the botnet against detection and analysis of its traffic.

Additionally, the botnet now collects more detailed system information from infected machines, going beyond its earlier practice of simply listing running processes. This expanded reconnaissance supports a broader range of follow-on malicious activity and further complicates mitigation efforts.

Emotet's infrastructure now reportedly comprises nearly 200 command-and-control (C2) servers, concentrated in countries such as the U.S., Germany, and India. The majority of infected hosts, by contrast, are located in Asia, particularly Japan, India, and Indonesia, where outdated Windows systems remain common and are easier to compromise.

The resurgence of Emotet presents a significant risk to businesses, as each bot serves as a foothold in a potentially valuable network and an entry point for deploying post-exploitation tooling such as Cobalt Strike. As this threat continues to evolve, organizations should keep strengthening their security posture against these tactics.
