A Comprehensive Look at Emotet’s Summer 2020 Return

Share with your network!

TA542, an actor that distributes Emotet malware, took an extensive break from delivering malicious emails in 2020. They were absent from the landscape for over five months, last seen on February 7 before returning on July 17, 2020. While Emotet usually takes breaks throughout the year, this was the longest known vacation for the group. Despite this break, Emotet continues to be a dangerous threat and below we’ve detailed their delivery methods, regional targeting, and an analysis into their use of Qbot.

Now that they are back, TA542 email campaigns are once again the most prevalent by message volume by a large margin, with only a few other actors coming close. Proofpoint has blocked hundreds of thousands of messages (sometimes coming close to one million) each day. There is no clear industry targeting among TA542 campaigns.

While there are some innovations and incremental changes, Proofpoint researchers have noted surprisingly minimal change in TA542’s tactics or tooling, considering the long break. Many trends observed previously still remain relevant.

Significant new changes and innovations include:

  • Distribution of Qbot affiliate “partner01” as the primary payload delivered by Emotet instead of The Trick. However, Emotet has previously delivered Qbot affiliate “hhhXX” on a few occasions such as in March 2019.
  • A change in the Emotet mail sending module that can now attach benign attachments along with malicious ones.

Only small incremental changes were observed in:

  • Emails: We continue to see a significant volume of thread hijacking and language localization in emails. The actor continues to use generic as well as currently newsworthy lures such as COVID-19.
  • Attachments / URLs: Similar to activity observed before their break, TA542 continues to use Word attachments with macros, PDF attachments, and URLs linking to Word files. 
  • Country targeting: The actor continues to target a core set of countries including (listed by message volume) Germany, Austria, Switzerland, United States, United Kingdom, and Canada, while at the same time experimenting with targeting new geographies such as Indonesia, the Philippines, Sweden, and India.


Figure 1: Indexed volume of email messages containing Emotet (from April 19, 2017 to August 18, 2020)

Precursor Campaign

Before diving into the analysis, it’s important to mention that Proofpoint and other researchers were able to see warnings that Emotet was about to return. Those watching active Emotet infections took notice that new email sending modules were received. It's also possible to watch for unusual (old) Emotet email in inboxes.

On July 14, 2020 Proofpoint researchers spotted emails with old Emotet URLs, specifically those that were previously seen in the last known Emotet campaign on February 7, 2020. These emails came from many sender IPs, as if multiple emotet bots reactivated.


Emotet malspam is very different from other malware email campaigns in that it starts early and lasts throughout the whole day, making it hard to determine the end of one campaign and beginning of the next. However, in general, campaigns start at night between 1:00am EST and 5:00am EST. There are exceptions to this as some campaigns start much later in the day, for example at 3:00pm EST on August 5, 2020.

Emotet campaigns can typically be seen Monday through Friday, and there is no significant sending on weekends. There are some exceptions to this as the actor did not send malicious email on Friday, July 24, Monday, August 3, Tuesday, August 4, or during the period of July 17, 2020 to August 18, 2020.

TA542 continues to leverage social engineering mechanisms to increase infection rates. They compose emails in the appropriate language for the targeted country. They use simple “call to action” emails.


A large percentage of Emotet emails use thread hijacking (replies to previous conversations), and the subjects begin with “Re: ” or “RE: “, such as:

  • Re: [subject from stolen email]
  • RE: [subject from stolen email]

Another noticeable trend is using the recipient’s name, job function, company name, or company domain in the subject. The Friendly-From name of the sender address often contains the company name or domain. The email body also often contains the company name, domain or recipient name in the greeting and signature.



[Firstname Lastname]

John Doe

[Firstname, Lastname]

John, Doe



[Companyname Recipientfunction]

Widgetsmaker Payroll

Agreement for [Companyname]

Agreement for Widgetsmaker

Files for [Companyname]

Files for John Doe

INVOICE 1067935 from [Personname]

INVOICE 1067935 from John Doe

Table 1: Example subjects that use specific information related to recipient or their company

Besides those notable trends, there is a large and varying number of subjects. Below are a few examples of other subjects, though this list is not exhaustive:

  • Estimate [Digits]
  • Fatura [Date]
  • Financement pour
  • Find attached invoice INV-Y-35852
  • INVOICE [Digits]
  • Nota fiscal
  • Novos dados 20/07/2020
  • Open Past Due Orders
  • Open invoices
  • Order Processing
  • Our stay at the Weekend
  • Outstanding Invoices
  • PO 54203
  • Paid Invoice & Credit Card Receipt
  • Past Due Invoice
  • Payroll 80606
  • Question
  • Quote 862639
  • Quote RFQ-00012679
  • Quote Request
  • Renewals
  • Reno Update
  • Sales Invoice
  • Your statement is available online
  • demande

Geographical Targeting

TA542 continues the trend of consistently targeting certain regions, while also adding new countries periodically. The core regions that Emotet still targets include (listed by message volume): Germany, Austria, Switzerland, United States, United Kingdom, Japan, and Latin American countries. Other regions targeted recently but less consistently include Indonesia, the Philippines, Sweden, and India. Each country is typically targeted with appropriate language in email bodies, subjects, filenames, and branding. Known targeted countries are listed below (Table 2).






Consistent targeting



Consistent targeting



Consistent targeting

United Kingdom


Consistent targeting

United States


Consistent targeting


English, French

Consistent targeting

United Arab Emirates


Consistent targeting



Consistent targeting

Latin America

Spanish and Portuguese

Consistent targeting of countries such as Brazil, Chile, Mexico, Colombia, Ecuador




























Table 2: Description of the countries with observed Emotet email campaigns since July 17, 2020. Note that this list is not considered exhaustive.


There are often mistakes in the way that Emotet malicious emails are created, where placeholders or macros are not filled in. These may be due to bugs in the code of the Emotet mail sending capability that generates these emails. For example, we have seen attachments with names such as those listed below. Placeholders like “{rcpt.domain}” are meant to be completed in the domain.

  • estimate ui00071 from {rcpt.domain-1-up}.doc
  • invoice-e00889 from {rcpt.domain}.rtf.doc
  • g1:regex:(invoice|profile|document|doc|doc|document|payment advice note|invoice|attn|invoice|verification letter|status update|invoice status update|invoice id|invoice for service|08_2020 invoice for service|your invoice|past due invoice|order confir.doc

There are also placeholders in the email body such as those shown below. A Spanish language email screenshot in Figure 3 illustrates this.


Example Emails

This section highlights email lures from some of the more notable TA542 campaigns.

The figure below shows the following emails:

  • Indonesian language email targeting Indonesia. The subject “faktur dari” translates to “invoice from”. (top left)
  • Hindi language email targeting India and utilizing thread hijacking. The “कृपया संलग्न फॉर्म देखें।” text in the body of the email translates to “Please see the attached form.” (top right)
  • Filipino language email targeting Philippines. The attachment name “impormasyon ng contact.doc” translates to “contact information.doc”. Note that this email contains both a Word attachment and a URL linking to a malicious Word file (bottom right)
  • Swedish language email targeting Sweden. The subject “Dagordning för det kommande mötet på fredagen” translates to “Agenda for the upcoming meeting on Friday” (bottom left)


Figure 2: Clockwise, starting from top left corner, Indonesian, Hindi, Filipino, Swedish language emails.

The figure below shows the following emails:

  • German language email targeting Germany. (top left)
  • Spanish language email targeting Spain. Note that this email still contains the {FROM.NAME} placeholder that should have been filled in with a name before the actor sent it. (top right)
  • Italian language email targeting Italy. (bottom right)
  • French language email targeting Canada. (bottom left)


Figure 3: Clockwise, starting from top left corner, German, Spanish, Italian, French language emails.

The figure below shows the following emails:

  • COVID-19 lure: On August 7, 2020 we began to see emails with attachment filenames that included “COVID-19” strings, such as “cd-8423 medical report covid-19.doc” and “covid-19 report 08 11 2020.doc”.
  • Japanese Bitcoin extortion: Extortion emails in Japan are back. We saw them before Emotet took a break with an almost identical message.


Figure 4: COVID-19 email example, Japanese Bitcoin extortion email.

We confirmed open source reports that there are examples of Emotet emails that include benign attachments along with malicious ones. These make up a minor portion of Emotet email. Examples below show benign PDF attachments along with malicious Word attachments.


Figure 5: benign PDF attachments in the same email with malicious Word attachments.


The malicious content included in the emails sent by this threat actor is either a URL or an attachment, and sometimes but rarely both a URL and an attachment in the same email. Word attachments are seen every day, URLs linking to Word files are also seen every day, and PDFs attachments are seen occasionally. Demonstrated for the period of July 17, 2020 to August 18, 2020:

2020-07-17: Word attachments, URLs

2020-07-20: Word attachments, PDF attachments, URLs

2020-07-21: Word attachments, PDF attachments, URLs

2020-07-22: Word attachments, URLs

2020-07-23: Word attachments, PDF attachments, URLs

2020-07-27: Word attachments, PDF attachments, URLs

2020-07-28: Word attachments, PDF attachments, URLs

2020-07-29: Word attachments, URLs

2020-07-30: Word attachments, URLs

2020-07-31: Word attachments, URLs

2020-08-05: Word attachments, URLs

2020-08-06: Word attachments, URLs

2020-08-07: Word attachments, URLs

2020-08-10: Word attachments, URLs

2020-08-11: Word attachments, URLs

2020-08-12: Word attachments, URLs

2020-08-13: Word attachments, URLs

2020-08-14: Word attachments, URLs

2020-08-17: Word attachments, URLs

2020-08-18: Word attachments, URLs


Most often an attachment is a Word document with macros, and less commonly a PDF. Other attachment types that the actor is known to use, specifically JScript or Zips, have not been observed since Emotet returned.

The Word attachments are first-stage downloaders that attempt to download the Emotet payload using macros from one of several (typically 5) hardcoded payload URLs. A new set of five payload URLs is seen periodically, as frequently as every 1 to 2 hours. Different documents may use the same set of 5 URLs. On any given day we observe up to 100 total payload URLs.

Note: On August 18, 2020 we started observing Word files with 6 or 7 payload URLs.

The PDF attachments contain an embedded URL linking to a site hosting a similar macro Word document.


Figure 6: TA542 most commonly uses Microsoft Word documents with macros. The actor periodically updates the visual lure used in the document. This collage shows two of the observed lures.


Figure 7: Examples of PDF attachments observed.

Emotet has a small library of templates for their PDF file names:





[2 letters]-[4 digits] report p[1 number].pdf

qx-6971 report p2.pdf

soc report [date].pdf

soc report 07 21 2020.pdf

[date]- balance & payment report.pdf

2020_07- balance & payment report.pdf

Table 3: PDF file names and format

Conversely, they have a large and varying library of file name templates that they use for the Word documents, below examples represent a small fraction of possibilities. Word attachment names are not always English–they may be in a language appropriate to the targeted geography.



#[5 digits].doc


[5 digits] logistics rate con.doc

00089 logistics rate con.doc

[11 digits]_jul2020.doc


[4 digits]-[5 digits]_county_report.doc


[4 digits]-[5 digits]_city_report.doc


[date]- balance & payment report.doc

2020_07- balance & payment report.doc

[date]- balance.doc

2020_07- balance.doc

[date]- report.doc

2020_07- report.doc

[date]- statement.doc

2020_07- statement.doc

[16 digits]_[date].doc


[4 digits]-[5 digits]_data sheet.doc

4087-60384_data sheet.doc






bank details and invoice.doc

biz_[11 digits].doc



august invoice.doc

form - [date].doc

form - aug 11, 2020.doc

zahlungsschreiben_[date]_[10 digits].doc


swift_[date]_[10 digits].doc




report [7 digits].doc

report 5557308.doc

po#[6 digits] [date].doc

po#046325 110820.doc

payment summary - ref id- d[5 digits].doc

payment summary - ref id- d28114.doc


संपर्क जानकारी.doc

Table 4: Examples of Word document file names

File names that stood out: On August 7, Proofpoint saw attachment filenames that included “COVID-19” strings, such as “cd-8423 medical report covid-19.doc” and “covid-19 report 08 11 2020.doc”. These names are still in use at the time of writing.

Extension mismatches: Some emails have attachment file names with a .docm, .rtf, or .zip extension, where they should be .doc extensions. This may be accidental or a deliberate attempt to evade detection. We did not do thorough testing, but we know that Microsoft Word can open some of these attachments without errors despite the mismatch. For example, Word 2010 can open the files with .rtf extension.


Figure 8: Example emails showing the extension mismatch


We have not observed changes in the way that this actor embeds URLs in emails. The URLs are still frequently hosted on compromised sites, including vulnerable WordPress installations. The URLs hosted on compromised WordPress CMS sites are obvious to spot as they are often hosted with “wp-content”, “wp-admin”, “wp-includes” and other similar folder structure. For other URLs it is not immediately obvious how the actor compromised the sites since there are a range of servers (i.e. Apache, nginx, IIS), databases (i.e. MySQL), languages (i.e. PHP), libraries, plugins, eCommerce frameworks, etc.

The actor typically adds a nested structure of one or more folders on the compromised site and hosts a malicious PHP script that initiates the download of the payload. Currently we only observe URLs leading to Microsoft Word documents with macros.

Malware: Emotet

We have not done extensive comparative reverse engineering and review of Emotet and its modules, but components that we analyzed had very little change. Emotet still uses the same way to store configuration and the same network command and control protocol.

We confirmed open source reports of a change in Emotet mail sending module now attaching benign attachments along with malicious attachments.

Emotet Payload: Qbot

Qbot affiliate id “partner01” is the primary payload dropped by Emotet seen almost daily. However, Emotet has previously delivered Qbot affiliate “hhhXX” on a few occasions such as in March 2019, January 2019, May 2017, and April 2017. Before Emotet disappeared from the landscape, it primarily delivered The Trick affiliate “morXX” in January and February 2020.

Example Qbot “partner01” sha256 hashes observed between July 17 and August 18:












Example Qbot configuration for the “7ca48480ca645ee2b83bf707893e84115f87ea6e327f369e40c4ab0afc8abe7a” sample:

ID: partner01

Timestamp: 1597332272

C&C: 72[.]28[.]255[.]159:995

C&C: 197[.]210[.]96[.]222:995

C&C: 71[.]192[.]44[.]92:443

C&C: 189[.]183[.]72[.]138:995

C&C: 68[.]33[.]206[.]204:443

C&C: 49[.]191[.]3[.]234:443

C&C: 71[.]56[.]53[.]127:443

C&C: 80[.]14[.]209[.]42:2222

C&C: 24[.]139[.]132[.]70:443

C&C: 76[.]187[.]12[.]181:443

C&C: 89[.]137[.]211[.]239:443

C&C: 216[.]201[.]162[.]158:443

C&C: 151[.]73[.]112[.]220:443

C&C: 92[.]59[.]35[.]196:2222

C&C: 189[.]140[.]55[.]226:443

C&C: 201[.]216[.]216[.]245:443

C&C: 50[.]244[.]112[.]10:995

C&C: 108[.]28[.]179[.]42:995

C&C: 108[.]27[.]217[.]44:443

C&C: 72[.]185[.]47[.]86:995

C&C: 199[.]116[.]241[.]147:443

C&C: 109[.]154[.]214[.]242:2222

C&C: 81[.]133[.]234[.]36:2222

C&C: 24[.]201[.]79[.]208:2078

C&C: 2[.]89[.]74[.]34:21

C&C: 50[.]244[.]112[.]106:443

C&C: 78[.]100[.]229[.]44:61201

C&C: 98[.]26[.]50[.]62:995

C&C: 174[.]104[.]21[.]157:443

C&C: 72[.]214[.]55[.]195:995

C&C: 71[.]126[.]139[.]251:443

C&C: 73[.]136[.]242[.]114:443

C&C: 86[.]99[.]75[.]165:2222

C&C: 199[.]247[.]22[.]145:443

C&C: 69[.]123[.]179[.]70:443

C&C: 41[.]97[.]231[.]7:443

C&C: 96[.]255[.]188[.]58:443

C&C: 102[.]44[.]192[.]196:995

C&C: 82[.]78[.]132[.]227:443

C&C: 75[.]135[.]184[.]133:443

C&C: 141[.]158[.]47[.]123:443

C&C: 187[.]200[.]218[.]244:443

C&C: 73[.]60[.]148[.]209:443

C&C: 185[.]246[.]9[.]69:995

C&C: 39[.]118[.]245[.]6:443

C&C: 71[.]187[.]170[.]235:443

C&C: 2[.]7[.]65[.]32:2222

C&C: 188[.]173[.]70[.]18:443

C&C: 188[.]26[.]11[.]29:2222

C&C: 2[.]89[.]74[.]34:995

C&C: 45[.]32[.]155[.]12:443

C&C: 74[.]129[.]24[.]163:443

C&C: 67[.]209[.]195[.]198:443

C&C: 67[.]246[.]16[.]250:995

C&C: 76[.]179[.]54[.]116:443

C&C: 75[.]136[.]40[.]155:443

C&C: 67[.]11[.]43[.]93:443

C&C: 94[.]49[.]67[.]180:995

C&C: 69[.]47[.]26[.]41:443

C&C: 99[.]240[.]226[.]2:443

C&C: 188[.]210[.]228[.]156:443

C&C: 173[.]26[.]189[.]151:443

C&C: 47[.]146[.]32[.]175:443

C&C: 178[.]222[.]12[.]162:995

C&C: 217[.]165[.]115[.]0:990

C&C: 68[.]116[.]193[.]239:443

C&C: 71[.]197[.]126[.]250:443

C&C: 2[.]50[.]58[.]57:443

C&C: 189[.]210[.]114[.]157:443

C&C: 207[.]255[.]18[.]67:443

C&C: 78[.]102[.]138[.]103:995

C&C: 149[.]71[.]49[.]39:443

C&C: 87[.]65[.]204[.]240:995

C&C: 96[.]232[.]163[.]27:443

C&C: 68[.]134[.]181[.]98:443

C&C: 98[.]219[.]77[.]197:443

C&C: 65[.]131[.]20[.]49:995

C&C: 66[.]30[.]92[.]147:443

C&C: 74[.]222[.]204[.]82:443

C&C: 67[.]6[.]3[.]51:443

C&C: 175[.]111[.]128[.]234:443

C&C: 200[.]124[.]231[.]21:443

C&C: 47[.]206[.]174[.]82:443

C&C: 12[.]5[.]37[.]3:995

C&C: 96[.]227[.]127[.]13:443

C&C: 134[.]0[.]196[.]46:995

C&C: 72[.]190[.]101[.]70:443

C&C: 72[.]142[.]106[.]198:465

C&C: 73[.]228[.]1[.]246:443

C&C: 2[.]51[.]240[.]61:995

C&C: 109[.]100[.]125[.]127:2222

C&C: 193[.]248[.]44[.]2:2222

C&C: 66[.]222[.]88[.]126:995

C&C: 75[.]110[.]250[.]89:995

C&C: 71[.]43[.]175[.]202:61200

C&C: 47[.]28[.]131[.]209:443

C&C: 86[.]182[.]234[.]245:2222

C&C: 186[.]82[.]157[.]66:443

C&C: 67[.]8[.]103[.]21:443

C&C: 86[.]153[.]98[.]126:2222

C&C: 73[.]137[.]184[.]213:443

C&C: 70[.]123[.]92[.]175:2222

C&C: 72[.]240[.]200[.]181:2222

C&C: 68[.]225[.]56[.]31:443

C&C: 172[.]87[.]134[.]226:443

C&C: 71[.]182[.]142[.]63:443

C&C: 72[.]142[.]106[.]198:995

C&C: 187[.]214[.]9[.]138:995

C&C: 182[.]185[.]98[.]215:995

C&C: 188[.]15[.]173[.]34:995

C&C: 68[.]190[.]152[.]98:443

C&C: 67[.]165[.]206[.]193:993

C&C: 75[.]183[.]171[.]155:995

C&C: 74[.]195[.]88[.]59:995

C&C: 96[.]41[.]93[.]96:443

C&C: 99[.]231[.]221[.]117:443

C&C: 209[.]182[.]122[.]217:443

C&C: 98[.]190[.]24[.]81:443

C&C: 209[.]137[.]209[.]163:995

C&C: 65[.]24[.]76[.]114:443

C&C: 95[.]76[.]185[.]240:443

C&C: 83[.]110[.]226[.]145:443

C&C: 74[.]75[.]237[.]11:443

C&C: 93[.]151[.]180[.]170:61202

C&C: 47[.]138[.]204[.]170:443

C&C: 98[.]173[.]34[.]212:995

C&C: 24[.]116[.]227[.]63:443

C&C: 172[.]78[.]30[.]215:443

C&C: 72[.]209[.]191[.]27:443

C&C: 76[.]170[.]77[.]99:995

C&C: 47[.]153[.]115[.]154:465

C&C: 200[.]75[.]136[.]78:443

C&C: 100[.]37[.]36[.]240:443

C&C: 77[.]27[.]173[.]8:995

C&C: 207[.]255[.]161[.]8:465

C&C: 2[.]90[.]92[.]255:443

C&C: 90[.]68[.]84[.]121:2222

C&C: 188[.]247[.]252[.]243:443

C&C: 71[.]80[.]66[.]107:443

C&C: 197[.]165[.]161[.]55:995

C&C: 73[.]227[.]232[.]166:443

C&C: 41[.]228[.]35[.]102:443

C&C: 80[.]195[.]103[.]146:2222

C&C: 65[.]48[.]219[.]244:22

C&C: 174[.]80[.]7[.]235:443

C&C: 5[.]13[.]88[.]29:995

C&C: 68[.]46[.]142[.]48:995

C&C: 24[.]28[.]183[.]107:995

C&C: 68[.]204[.]164[.]222:443


Since returning from an extended vacation, TA542 email campaigns are once again the most prevalent by message volume by a large margin, with only a few other actors coming close. They have introduced code changes to their malware, such as updates to the email sending module, and picked up a new affiliate payload to distribute (Qbot). They continue to experiment with delivery to new countries. Despite these changes we also noted that many of their other methods and tooling have remained relatively unchanged from previous activity since their return. Current lures, delivery mechanisms, and widespread geographic targeting are all similar to what we have observed in the past. Whether they iterate and change their tactics or continue in the same manner, Emotet remains a highly dangerous threat.

Emerging Threats + Emerging Threats Pro Signature

2842317 - ETPRO MALWARE Win32/Emotet CnC Activity (POST) M9