Threat Intelligence Tarot
pentacles · 9
Criminal (Eastern European)
G0120 · ★★★★★
risk 4/5
✦ The Delivery Service ✦
Emotet / Mealybug
Mealybug · Gold Crestwood · TA542
Targets: Global enterprise · Government · Healthcare · Anyone with an email address
Active since ~2014 (recurring) · Malware-as-a-service delivery, Banking credential theft, Ransomware loader
Emotet is the postal service of malware. It delivers whatever its clients need - TrickBot and Qbot, with Ryuk ransomware following behind TrickBot, and even the AnyDesk remote-access tool - to whatever inbox it can reach. At peak, 1.6 million machines waited for its instructions. When the Europol-coordinated takedown seized its infrastructure, the world exhaled. When it returned ten months later, the world understood: The Delivery Service has a second shift.
Tactics & Techniques (MITRE ATT&CK tactics, in matrix order)
RCN Reconnaissance · RDV Resource Development · INI Initial Access · EXC Execution · PRS Persistence · PRV Privilege Escalation · EVA Defense Evasion · CRD Credential Access · DSC Discovery · LAT Lateral Movement · COL Collection · C2 Command and Control · EXF Exfiltration · IMP Impact
Notable Operations
- World's largest malware botnet - 1.6M infected machines at peak
- Europol/FBI global takedown operation (January 2021)
- Resurrected by TrickBot operators in late 2021
- NATO, UN, and US government targeting alongside global spam campaigns
Defenses
- Email filtering with macro-enabled document blocking (CIS Control 9)
- Disable Office macro execution from internet-sourced documents (CIS Control 2)
- Emotet indicator blocking via threat intelligence feeds (NIST CSF: DE.CM)
- User training on invoice and shipping document phishing lures (NIST SP 800-50)
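The first defense above is only as good as the filter's notion of "macro-enabled". Emotet lures arrived as invoices and shipping documents, and a filter keyed on extension misses a .docm renamed to .docx (Word opens it by content and the VBA project is still there) and Excel 4.0 macro sheets, which carry no vbaProject.bin at all. The check below is an added example written for this page, not code from any vendor product or from the Emotet-related reports it cites: it classifies attachments by container contents rather than by filename, covering OOXML VBA parts, Excel 4.0 macro sheets, the macroEnabled content type, and the `_VBA_PROJECT` stream name in legacy OLE2 files. All sample attachments are constructed in memory; the OLE2 stream-name search is a heuristic, not a full CFB directory parse.

```python
import io
import zipfile

# Constructed sample data, not real Emotet attachments: everything is built in
# memory so the check runs offline.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"           # legacy .doc/.xls (OLE2/CFB) header
# OLE directory entry names are UTF-16LE; a VBA project always carries a _VBA_PROJECT stream.
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")
# OOXML parts that hold executable content regardless of the file's extension.
OOXML_VBA_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
OOXML_XLM_PREFIX = "xl/macrosheets/"                      # Excel 4.0 macro sheets, no VBA needed
MACRO_FREE_EXTENSIONS = {".docx", ".xlsx", ".pptx"}


def build_ooxml(parts: dict) -> bytes:
    """Build a minimal OOXML zip from {part_name: bytes}. Constructed test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()


def classify_attachment(data: bytes) -> dict:
    """Decide by content, never by filename, whether an Office attachment carries macro code."""
    verdict = {"container": "other", "macros": False, "reason": ""}
    if data.startswith(OLE_MAGIC):
        verdict["container"] = "ole2"
        if OLE_VBA_MARKER in data:  # heuristic: stream name present anywhere in the file
            verdict.update(macros=True, reason="OLE _VBA_PROJECT stream")
        return verdict
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                content_types = zf.read("[Content_Types].xml") if "[Content_Types].xml" in names else b""
        except zipfile.BadZipFile:
            verdict["reason"] = "zip signature but unreadable archive"
            return verdict
        verdict["container"] = "ooxml"
        for name in names:
            if name in OOXML_VBA_PARTS:
                verdict.update(macros=True, reason=f"part {name}")
                return verdict
            if name.startswith(OOXML_XLM_PREFIX):
                verdict.update(macros=True, reason=f"Excel 4.0 macro sheet {name}")
                return verdict
        if b"macroEnabled" in content_types:
            verdict.update(macros=True, reason="macroEnabled content type")
    return verdict


def filter_mail(attachments: list) -> list:
    """Return (filename, action, reason) per attachment; 'block' whenever macros are present."""
    decisions = []
    for filename, data in attachments:
        v = classify_attachment(data)
        ext = filename[filename.rfind("."):].lower() if "." in filename else ""
        if v["macros"]:
            reason = v["reason"]
            if ext in MACRO_FREE_EXTENSIONS:
                reason += " (extension claims macro-free format)"
            decisions.append((filename, "block", reason))
        else:
            decisions.append((filename, "allow", v["reason"] or v["container"]))
    return decisions


# Constructed samples: a clean .docx, a .docm renamed to .docx, an XLM workbook,
# a legacy .doc with a VBA stream name, and a non-Office file.
CLEAN_DOCX = build_ooxml({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"})
RENAMED_DOCM = build_ooxml({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>",
                            "word/vbaProject.bin": b"\x00" * 64})
XLM_XLSM = build_ooxml({"[Content_Types].xml": b"<Types/>", "xl/macrosheets/sheet1.xml": b"<xm:macrosheet/>"})
LEGACY_DOC_WITH_VBA = OLE_MAGIC + b"\x00" * 504 + OLE_VBA_MARKER + b"\x00" * 488
PDF_LIKE = b"%PDF-1.4 constructed"

SAMPLE_MAIL = [
    ("invoice_4471.docx", CLEAN_DOCX),
    ("shipping_label.docx", RENAMED_DOCM),
    ("payment_advice.xlsm", XLM_XLSM),
    ("contract.doc", LEGACY_DOC_WITH_VBA),
    ("receipt.pdf", PDF_LIKE),
]

if __name__ == "__main__":
    for row in filter_mail(SAMPLE_MAIL):
        print(*row)
```

Run as-is it prints one decision per sample; the renamed .docm is blocked with a note that its extension claims a macro-free format, which is the case an extension-only filter would have passed. Legacy .xls files with Excel 4.0 macros (BOUNDSHEET records rather than a VBA stream) are not covered by the OLE2 heuristic and would need a real CFB parser.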
Reversed: Their Weakness
Emotet's January 2021 takedown by a coalition of 8 countries was historic, and the decision to use the botnet's own update mechanism to push a law-enforcement uninstall module to infected machines was unprecedented. Its return ten months later proved the operators' resilience, but the takedown also proved that turning a botnet's command channel against it is possible.
Data sourced from MITRE ATT&CK. For educational purposes.