Threat Actor

Emotet Operators

emotet_operators · russia_speaking_organized_cybercrime · active since 2014-06

Emotet Operators (Mealybug per ESET, Eurojust and Europol canonical naming; TA542 per Proofpoint; MUMMY SPIDER per CrowdStrike; GOLD CABIN per SecureWorks; signature malware family also called Geodo or Heodo, of the historical Feodo lineage) is a financially motivated, Russia-speaking organized cyber-criminal cluster, publicly active since June 2014 and one of the longest-running organized cyber-criminal clusters in modern cyber-threat-intelligence history.

The cluster originated as a banking trojan focused on German banking customers (2014-2017) and transitioned to loader-as-a-service operations (2017-present), becoming the modern era's defining loader-as-a-service operator. Its signature affiliate relationship with TrickBot formed the Emotet - TrickBot - Ryuk-then-Conti ransomware affiliate chain, one of the most operationally consequential organized-cybercrime malware-deployment chains in modern history.

Check Point estimated that Emotet potentially affected one out of every five organizations worldwide at peak, and Europol publicly characterized Emotet as "the world's most dangerous malware". Europol and Eurojust coordinated an international multi-agency takedown on January 27, 2021 involving authorities and law enforcement from the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada, and Ukraine. The operation achieved takeover of several hundred C2 servers worldwide, Ukrainian SBU and National Police arrests at Emotet-operator-affiliated locations, and deployment of a custom uninstaller via the Emotet botnet's own command channel, scheduled for delivery on April 25, 2021.

The cluster resurfaced on November 14, 2021 via TrickBot-distributed Emotet samples with ECC-based C2 cryptography and continued operating through April 2023, followed by an extended operational quiet period. Signature tradecraft includes high-volume email-spam distribution via compromised-host spambot relays (roughly thousands of emails per host per day), email-thread-hijacking lures (Emotet emails sent as legitimate-appearing replies to harvested real email threads), multi-format weaponized attachments across operational eras, sophisticated multi-epoch C2 infrastructure, a modular plugin-based architecture, and post-2022 obfuscation refinements including control-flow flattening and timer-queue-based callback execution.

Reported operational basing in Ukraine was confirmed via the January 2021 Ukrainian SBU operations.

Classification: russia_speaking_organized_cybercrime (confidence: high) · 17 aliases · MITRE ATT&CK G0127

Profile

Emotet Operators (also tracked as Mealybug per ESET, Eurojust and Europol canonical naming; TA542 per Proofpoint; MUMMY SPIDER per CrowdStrike; GOLD CABIN per SecureWorks; signature malware family also referred to as Geodo, Heodo, or the historical Feodo lineage) is a financially motivated, Russia-speaking organized cyber-criminal cluster, publicly active since June 2014, and one of the most operationally consequential and longest-running organized cyber-criminal clusters tracked across modern cyber-threat-intelligence history. The cluster's signature malware family (Emotet) is cluster-defining: the cluster is consistently identified across industry vendor reporting by that malware family, and its operational identity is fundamentally tied to the Emotet malware-loader capability.

Operational phases of the cluster's longitudinal history:

(1) BANKING TROJAN ERA (2014-2017). Foundational operational era as a banking trojan targeting German banking customers (the signature 2014 initial geography) via Microsoft Word documents with embedded malicious VBA macros distributed through spam email campaigns. The earliest Emotet variants focused on JSON-formatted browser-injection capability for capturing online-banking credentials, cookies, and credit-card data. The cluster expanded its targeting geography across Western and Northern European banking customers (Austria, Switzerland, Netherlands, France, Italy) through 2014-2016 before evolving into the loader-as-a-service operational model that subsequently dominated operations.

(2) LOADER-AS-A-SERVICE OPERATIONAL TRANSITION (2017-2018). Operational transition from banking-trojan-only operations toward the loader-as-a-service model. Mealybug operators re-architected Emotet as a modular malware loader with dynamic plugin capability supporting follow-on payload delivery. The cluster began monetizing the capability by selling access to compromised hosts to other organized-cybercrime operators via the malware-as-a-service business model, pioneering the modern loader-as-a-service model that subsequently became dominant across the Russia-speaking organized-cybercrime ecosystem.

(3) TRICKBOT - RYUK / CONTI FLAGSHIP RANSOMWARE AFFILIATE CHAIN ERA (2018-2020). The cluster established the Emotet - TrickBot - Ryuk-then-Conti ransomware affiliate chain as the modern era's most operationally consequential organized-cybercrime malware-deployment chain. The chain drove hundreds of high-value enterprise ransomware compromises across the United States, Europe, Canada, Australia, and broader Western economies, generating cumulative ransom payments estimated in the hundreds of millions of dollars. The partnership with the Wizard Spider / TrickBot / Conti ecosystem (curated separately in this corpus as wizard_spider_conti.yaml) was operationally defining for both clusters during this era. Check Point data from this era indicated that Emotet potentially affected one out of every five organizations worldwide. Europol publicly characterized Emotet as "the world's most dangerous malware."

(4) EUROPOL/EUROJUST INTERNATIONAL TAKEDOWN AND OPERATIONAL QUIET PERIOD (January-November 2021). On January 27, 2021, Europol and Eurojust coordinated an international multi-agency takedown of Emotet infrastructure involving cybersecurity authorities and law enforcement from the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada, and Ukraine. The operation achieved takeover of several hundred Emotet C2 servers worldwide, Ukrainian SBU and Ukrainian National Police arrests at Emotet-operator-affiliated locations in Ukraine, and deployment of a custom uninstaller via the Emotet botnet's own command channel, scheduled for delivery on April 25, 2021, to systematically remove Emotet from victim machines. The January 2021 Emotet takedown was the largest international law-enforcement takedown of a malware operation in history at the time and established the precedent that subsequently informed the August 2023 FBI Operation Duck Hunt Qakbot takedown (curated separately as qakbot_operators.yaml).

(5) OPERATIONAL RESURGENCE AND POST-TAKEDOWN ADAPTATION (November 2021 - April 2023). On November 14, 2021, new Emotet samples emerged that were very similar to the pre-takedown bot code but with operational improvements, including a different encryption scheme using elliptic curve cryptography (ECC) for command-and-control communications. The resurgence was distributed via TrickBot to computers previously infected with TrickBot, confirming that the cluster's coordination with the broader Wizard Spider / TrickBot ecosystem had survived the takedown. Within days the resurfaced operation rapidly rebuilt its spam-botnet capability and resumed malicious spam distribution. The November 2021 resurgence demonstrated that infrastructure-disruption law-enforcement operations alone are insufficient for permanent operational defeat absent operator-membership prosecution. Following Microsoft's February 2022 announcement that VBA macros would be disabled by default in Office applications, the cluster experimented with alternative initial-access tradecraft including LNK files (April-July 2022), XLL Excel add-ins (October 2022 onward), Microsoft OneNote files (early 2023), and 64-bit Emotet samples (November 2022 onward). ESET tracking documented three distinctive 2023 malspam campaigns, each testing a different intrusion avenue.

(6) EXTENDED QUIET PERIOD AND POST-EMOTET LOADER ECOSYSTEM (April 2023 - Present). The cluster's last publicly documented Emotet spam campaign concluded approximately April 2023, and the cluster has remained in an extended operational quiet period since. The post-April-2023 quiet period has been longer than the cluster's typical historical rhythm (2-3 months of active campaigns followed by 3-12 months offline) and may reflect difficulty finding new initial-access tradecraft as effective as the pre-2022 VBA-macro tradecraft. The broader loader-as-a-service ecosystem has continued operating during this period through other loader families including IcedID, Pikabot (operationally related to Qakbot), DarkGate, Bumblebee, Hijack Loader, and others.
Signature operational tradecraft includes:
  • High-volume email-spam-distribution capability via compromised-host spambot relay (signature: Emotet-infected machines acted as spambot relays sending a dozen or more Emotet-distribution emails per minute, enabling thousands of Emotet emails per host per day and hundreds of thousands of emails per day across the active botnet).
  • Signature email-thread-hijacking tradecraft: Emotet harvested email from infected machines and then sent Emotet-distribution emails as legitimate-appearing replies to actual past email threads from the infected machine. This was devastatingly effective as social engineering because targeted victims received Emotet emails that appeared to be legitimate replies from known correspondents within real email threads.
  • Multi-format weaponized attachments across operational eras: Microsoft Word with VBA macros (2014-2022 signature), Excel with VBA macros, LNK shortcut files (post-2022 era), XLL Excel add-ins (October 2022 onward), Microsoft OneNote files (early 2023), and broader file-format diversification following Microsoft's 2022 macro-disable change.
  • Sophisticated multi-epoch C2 infrastructure: Emotet maintained separate C2 epochs (Epoch 1 through Epoch 5 across the cluster's operational history), providing operational resilience and concealment of the main C2 backend.
  • Registry Run-key persistence (T1547.001) and Windows Service persistence (T1543.003) as signature persistence patterns.
  • Modular plugin-based architecture enabling dynamic capability loading without requiring full malware updates, which operationally distinguishes Emotet from competing organized-cybercrime malware families.
  • Sophisticated anti-analysis and anti-VM/sandbox tradecraft across the cluster's operational history, with continuous updates following endpoint-detection-and-response platform capability changes.
  • Post-2022 obfuscation refinements including control-flow flattening (an operationally significant analysis-resistance technique), randomization of structure-member ordering, randomization of constant-calculation instructions (masked constants), and timer-queue-based callback function execution combined with control-flow flattening.

The cluster is operationally significant as the modern era's canonical loader-as-a-service operator across approximately a decade of operational continuity, with a documented direct role in hundreds of ransomware deployments via the Emotet - TrickBot - Ryuk-Conti chain, peak operational scale as one of the largest spam botnets ever observed (with Check Point estimating that Emotet potentially affected one out of every five organizations worldwide at peak), and operational continuity through one major international law-enforcement takedown (January 2021) followed by a successful operational resurgence (November 2021). The January 2021 Europol/Eurojust takedown is one of the most operationally significant law-enforcement takedowns against organized-cybercrime malware operations in modern cyber-threat-intelligence history, alongside the August 2023 FBI Operation Duck Hunt Qakbot takedown (curated separately as qakbot_operators.yaml). The two takedowns together demonstrated that international multi-agency law-enforcement coordination can disrupt operationally productive Russia-speaking organized-cybercrime malware operations even without complete operator-membership prosecution, though the post-takedown continuing operations observed for both Emotet (November 2021 through April 2023) and Qakbot (September 2023 onward) show that infrastructure disruption alone is insufficient for permanent operational defeat absent comprehensive operator-membership prosecution.
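As an added illustration of how the persistence and lure-execution tradecraft listed above shows up in endpoint telemetry, the Python below runs three simple checks over a handful of constructed Sysmon-style events: an Office application spawning a script host, a Registry Run-key write (T1547.001) performed by a binary in a user-writable directory, and a service installed (T1543.003) whose image sits in a user-writable directory. This is example code written for this page, not the platform's own detection content and not derived from any Emotet sample; field names follow Sysmon Event ID 1 and 13 and the Windows System log 7045 record, while the paths, SID, user names and service names are invented for the example.

```python
"""Toy detection pass for Run-key persistence, service persistence and
Office-spawned script hosts over constructed Sysmon-style JSON events.

Added example for this profile page; not the platform's code and not
derived from any Emotet sample. All events below are constructed."""
import json
import ntpath
from collections import Counter

# Office applications whose child processes deserve scrutiny when they
# are script or LOLBin hosts (weaponised-document execution).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "onenote.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "regsvr32.exe", "rundll32.exe"}
# Directory markers an unprivileged user can write to; a persistence
# entry pointing here is far more suspicious than one under Program Files.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\",
                         "\\users\\public\\")

# Constructed sample telemetry (JSON lines). EventID 1 = process create,
# EventID 13 = registry value set (Sysmon); 7045 = service installed
# (Windows System log). Paths, SID, users and service names are invented.
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "User": "CORP\\alice"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\alice"}
{"EventID": 13, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "TargetObject": "HKU\\S-1-5-21-0-0-0-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "User": "CORP\\alice"}
{"EventID": 13, "Image": "C:\\Program Files\\Vendor\\setup.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent", "User": "NT AUTHORITY\\SYSTEM"}
{"EventID": 7045, "ServiceName": "SvcHelper", "ImagePath": "C:\\ProgramData\\svchelper.exe", "User": "NT AUTHORITY\\SYSTEM"}
{"EventID": 7045, "ServiceName": "VendorAgent", "ImagePath": "C:\\Program Files\\Vendor\\agent.exe", "User": "NT AUTHORITY\\SYSTEM"}
""".strip().splitlines()


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return ntpath.basename(path).lower()


def in_user_writable_dir(path: str) -> bool:
    """True when the path contains a directory an ordinary user can write to."""
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def parse_events(lines):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in lines if line.strip()]


def detect(events):
    """Return (label, description) alerts, one per matching event."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        image = ev.get("Image", "")
        if (eid == 1 and basename(ev.get("ParentImage", "")) in OFFICE_PARENTS
                and basename(image) in SCRIPT_HOSTS):
            alerts.append(("office_spawned_script_host",
                           f"{basename(ev['ParentImage'])} spawned {basename(image)} "
                           f"as {ev.get('User')}"))
        elif (eid == 13
              and "\\currentversion\\run" in ev.get("TargetObject", "").lower()
              and in_user_writable_dir(image)):
            # Matches Run and RunOnce keys; the writing process lives in a
            # user-writable directory, the footprint a commodity loader leaves.
            alerts.append(("T1547.001", f"{image} wrote {ev['TargetObject']}"))
        elif eid == 7045 and in_user_writable_dir(ev.get("ImagePath", "")):
            alerts.append(("T1543.003",
                           f"service {ev.get('ServiceName')} installed from "
                           f"{ev['ImagePath']}"))
    return alerts


def summarize(alerts):
    """Count alerts per label, e.g. to compare against a coverage table."""
    return dict(Counter(label for label, _ in alerts))


if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_LOG))
    for label, description in found:
        print(f"[{label}] {description}")
    print(summarize(found))
```

On the constructed input the pass raises exactly three alerts (the Office-spawned cmd.exe, the Temp-resident Run-key writer, and the ProgramData service) and stays silent on the two vendor entries under Program Files, which is the distinction a real Sigma rule for these techniques also has to draw to stay usable.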

Aliases

17 aliases:
emotet, geodo, heodo, feodo, mealybug, mealy bug, ta542, ta-542, mummy spider, mummy-spider, mummyspider, gold cabin, mitre-s0367-emotet, emotet_operators, emotet operators, emotet gang, mealybug_ta542

MITRE ATT&CK aliases

2 additional names MITRE lists for G0127:
TA551, Shathak

Notable Campaigns

8 campaigns:
  • 2023-present: Emotet Operational Quiet Period and Loader-Ecosystem Successor Era (April 2023 - Present)
  • 2023: US HHS HC3 Health Sector Alert: Emotet Enduring Threat (2023)
  • 2022-2023: Microsoft Macro-Disable Adaptation: LNK + XLL + OneNote Lures (2022-2023)
  • 2021: Europol + Eurojust Coordinated International Takedown (January 27, 2021)
  • 2021: Emotet Operational Resurgence (November 14, 2021)
  • 2018-2020: TrickBot - Ryuk / Conti Ransomware Affiliate Chain (2018-2020)
  • 2017-2018: Loader-as-a-Service Operational Transition (2017-2018)
  • 2014: Emotet Banking Trojan Operational Emergence (June 2014)

Attribution & Reporting

Attributed by
Europol, Eurojust, Ukrainian National Police, Ukrainian Security Service (SBU), FBI, Netherlands National Police, German Federal Criminal Police Office (BKA), French National Cybercrime Center, Lithuanian Criminal Police Bureau, Royal Canadian Mounted Police (RCMP), UK National Crime Agency (NCA), ESET, CrowdStrike, Proofpoint, Microsoft Threat Intelligence Center, Cisco Talos, SecureWorks Counter Threat Unit, Mandiant, Trend Micro, Check Point Research, Sophos, Symantec / Broadcom Threat Hunter Team, Kaspersky GReAT, Cryptolaemus, Cofense, Spamhaus, Abuse.ch, Cybereason, Palo Alto Networks Unit 42, US Department of Health and Human Services HC3
Key reporting
  • Europol + Eurojust: World's Most Dangerous Malware EMOTET Disrupted Through Global Action (January 27, 2021), canonical international takedown announcement
  • ESET Research (Jakub Kaloč): What's Up With Emotet? (July 6, 2023), canonical post-takedown technical-operational tracking
  • Palo Alto Networks Unit 42: Emotet Malware Summary Epoch 4 + 5 (June 2024)
  • CrowdStrike: Mummy Spider Threat Actor Profile (multiple years)
  • Proofpoint: TA542 Banker Bot Comprehensive Profile (multiple years)
  • CISA AA20-280A: Emotet Malware Alert (October 2020), pre-takedown US-government formal-attribution publication
  • Cisco Talos: Emotet Resurfaces Following VBA Macro Disable (April 2022)
  • US HHS HC3: Emotet, The Enduring and Persistent Threat to the Health Sector (2023)
  • Cryptolaemus Community Research Collective: Emotet Operational Tracking (multiple years), community-volunteer cluster-tracking project
  • Cofense: Emotet Malware Analysis (multiple years)
  • SecureWorks Counter Threat Unit: GOLD CABIN Operational Profile (Emotet operator naming)
  • Spamhaus + Abuse.ch: Emotet Infrastructure Tracking (multiple years)
  • Microsoft Threat Intelligence: Emotet Tracking (multiple years)
  • Mandiant: Emotet Operational Tracking
  • Trend Micro: Emotet Continued Operational Tracking
  • Check Point Research: Emotet Affected One in Five Organizations Globally Estimate
  • Symantec / Broadcom: Emotet Operational Analysis
  • Kaspersky GReAT: Emotet Continued Tracking
  • Cybereason: Emotet Operational Profile
  • Sophos: Emotet Threat Analysis
  • Malpedia Malware Profile: Win.Emotet
  • MITRE ATT&CK Software S0367, Emotet

Operational

State sponsor

Russia-speaking organized cyber-criminal cluster, financially motivated, with reported operational basing in Ukraine and broader Russia-speaking CIS jurisdictions. The January 27, 2021 Europol/Eurojust-coordinated international takedown included Ukrainian SBU and Ukrainian National Police operations that resulted in publicly disclosed arrests at Emotet-operator-affiliated locations in Ukraine. The Ukrainian operational basing is distinctive among Russia-speaking organized-cybercrime malware-loader operators and reflects the historical pattern of Ukrainian-jurisdiction tolerance of Russia-speaking organized-cybercrime operations targeting Western victims that persisted through the pre-February-2022 era. No formal state-actor attribution has been asserted by any government cybersecurity authority.

The cluster has not been linked to state intelligence services and is consistently tracked across industry vendor reporting (ESET, CrowdStrike, Proofpoint, Microsoft, Cisco Talos, SecureWorks, Mandiant, Trend Micro, Check Point, Sophos, Symantec, Kaspersky) as financially motivated organized cybercrime. The cluster's operational sophistication (one of the largest spam botnets ever observed, a distinctive operational rhythm of 2-3 months of active campaigns followed by 3-12 month quiet periods, and sustained continuity across approximately a decade with one major law-enforcement takedown survived) is distinctive among organized-cybercrime malware-loader operators. The operator-membership relationships with the broader Russia-speaking organized-cybercrime ransomware ecosystem are operationally significant: Emotet operations were a primary initial-access vector and a TrickBot/Qakbot/IcedID delivery vector for multiple ransomware affiliates under the broader Russia-speaking organized-cybercrime umbrella, with documented coordination relationships with Conti, Ryuk, Maze, and broader Wizard Spider operations (curated separately in this corpus as wizard_spider_conti.yaml and maze_ransomware.yaml).

Motivations
banking_credential_theft_historical_2014_2017, loader_as_a_service_revenue_2017_present, access_resale_to_ransomware_affiliates, malware_as_a_service_infrastructure_provider, financial_fraud, information_stealing_and_exfiltration

Detection Blind Spots

60 techniques
Across this actor’s 60 mapped techniques, the share covered by each detection layer. Low bars are where you’d be blind if this actor targeted you.

Detection layer                  Covered   Share
Behavioral / log (Sigma)         56/60     93%
Analytics (MITRE CAR)            28/60     46%
Runtime / container (Falco)       5/60      8%
File / malware (YARA)             0/60      0%
Network (Suricata/Snort)         13/60     21%
Vuln scan (Nuclei)                0/60      0%

Atomic Test Plan

30 techniques
Runnable Atomic Red Team tests covering this actor’s mapped techniques - validate your detections against this specific adversary. Cross-reference the blind spots above. For authorized lab / purple-team use.

Tools Used

1 mapped
Other tooling / TTPs (curation, not ATT&CK-mapped):
MAZE RANSOMWARE, MEGACORTEX RANSOMWARE
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin