Security3 min read

VMware Report Exposes Emotet Malware’s Supply Chain

Emotet Malware

Finds the malware’s infrastructure is constantly shifting to stay covert

Emotet, one of the most evasive and destructive malware delivery systems, caused substantial damage during its initial reign. After a coordinated takedown by authorities in early 2021, Emotet has reemerged as a global threat that will persist for organizations.

With telemetry from VMware Contexa™ cloud-delivered threat intelligence, the VMware Threat Analysis Unit™ first observed the newest waves of Emotet attacks in January 2022. Today, the VMware Threat Analysis Unit™ is releasing insights learned from Emotet’s most recent resurgence in hopes that organizations can better understand and defend themselves against this resilient malware.

“Successful breaches typically involve sophisticated, multi-step attacks that move laterally between various endpoints and networks and disguise themselves,” said Giovanni Vigna, senior director of threat intelligence at VMware. “Since it reappeared, Emotet has evolved to become one of the most advanced malware-as-a-service (MaaS) infrastructures globally. After observing new waves of Emotet attacks early this year, our threat intelligence team investigated them. We dissected how the Emotet malware rapidly changes its command and control (C2) infrastructure, obfuscates its configuration, and adapts. We also discovered that the malware tests its evasive execution chains, deploys different attack vectors at various stages, laterally propagates, and evolves using numerous tactics and techniques. As this malware grows in strength, our analysis will prove invaluable to organizations in reinforcing their security strategy.”

The recent Emotet attacks have brought to light key findings about the exploitation chains and inner workings of the malware:

  • Emotet’s attack patterns are in continuous evolution: Based on a new similarity metric, the VMware Threat Analysis Unit’s clustering analysis identified various stages of Emotet attacks with several initial infection waves that change how the malware is delivered. The ongoing adaptation of Emotet’s execution chain is one reason the malware has been successful for so long. As part of this report, Emotet's execution chains are characterized, infection techniques are explored, and the evolution of the tactics, techniques, and procedures (TTPs) are illustrated to help identify them in an environment.
  • Emotet can serve a number of attack objectives: VMware Threat Analysis Unit intercepted two newly updated modules: The first targets Google Chrome browsers to steal credit card information, and the second leverages the SMB protocol to spread laterally. These examples demonstrate just how expansive Emotet attacks can be.
  • Emotet authors are hiding their C2 infrastructure: The actors behind Emotet go to great lengths to make the information about the malware’s command and control (C2) infrastructure difficult to extract. The VMware Threat Analysis Unit developed a tool to bypass the anti-analysis techniques employed by Emotet's authors and found how Emotet obfuscates this information. In this report, the VMware Threat Analysis Unit shares how to extract the IP addresses and ports of the C2 servers from Emotet samples to understand the attack’s infrastructure.
  • Emotet's infrastructure is constantly shifting: By analyzing the network endpoints involved in the C2 infrastructure, the VMware Threat Analysis Unit could track and document the Emotet botnets’ evolution.  In the past, attackers have relied on many infrastructures, called Epochs, to infiltrate environments. Before the law enforcement takedown in January 2021, Epochs 1, 2, and 3 were the infrastructures commonly used by attackers, and following Emotet’s resurgence, Epochs 4 and 5 are the infrastructures that are favored.

Read the full report to learn more about Emotet's latest resurgence and how to build a more robust defense against it and other nefarious malware strains. 


The VMware Threat Analysis Unit (TAU) helps protect customers from cyberattacks through innovation and world-class research. TAU is composed of malware analysts, reverse engineers, threat hunters, data scientists, and intelligence analysts at VMware. To understand how to detect and prevent attacks that bypass traditional, file-centric, prevention strategies, TAU focuses on techniques that were once the domain of advanced hackers and are now moving downstream into the commodity attack market. The team leverages real-time big data, event streaming processing, static, dynamic and behavioral analytics, and machine learning.

In early 2022, the VMware Threat Analysis Unit observed waves of new Emotet attacks in VMware Contexa and investigated each wave to understand the infection mechanisms, map the threat’s command-and-control (C2) infrastructure, and analyze the components delivered by the latest reincarnation of this dangerous threat. 

VMware and Contexa are registered trademarks or trademarks of VMware, Inc. or its subsidiaries in the United States and other jurisdictions.