SOCRadar® Cyber Intelligence Inc. | Loader Malware Emotet is Now Led by Quantum and BlackCat
Sep 14, 2022

Loader Malware Emotet is Now Led by Quantum and BlackCat

Emotet (also known as SpmTools) is a sophisticated, modular banking trojan. Emotet mostly serves as a downloader or dropper for other banking trojans and operates as a loader-as-a-service (LaaS). It is distributed mainly through spam emails (malspam).

Malicious scripts, document files with embedded macros, or malicious links can all spread the infection. Through successive changes over time, Emotet has become a prominent and intrusive malware loader, mainly because of its capacity to carry out a complete infection cycle and to smoothly deliver other types of malware.

BlackCat and Quantum Use Emotet as Initial Attack Vector

AdvIntel recorded 1,267,598 total Emotet infections globally in 2022. Further data from the research shows that Emotet infections peaked at the beginning of the Russian/Ukrainian crisis, with groups like Quantum and BlackCat starting to use the malware after Conti. The malware’s most targeted country is the U.S., which accounts for approximately 36% of infections.

[Figure: Emotet infection rates in countries (Source: AdvIntel)]

Emotet was once a tool mainly used by Conti affiliates. It has also been used by many threat actors and groups in various cyberattacks. Now, Quantum and BlackCat are the ones who lead the Emotet infection chain.

Emotet’s botnet attack flow utilizes Cobalt Strike to launch ransomware. In other words, threat actors presently use Emotet primarily as a dropper or downloader for a Cobalt Strike beacon, which distributes a payload enabling threat actors to hijack networks and carry out ransomware operations.

TTPs & IoCs

Emotet TTPs

ID          Name
T1087.003   Account Discovery: Email Account
T1560       Archive Collected Data
T1547.001   Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1110.001   Brute Force: Password Guessing
T1059.001   Command and Scripting Interpreter: PowerShell
T1059.005   Command and Scripting Interpreter: Visual Basic
T1059.003   Command and Scripting Interpreter: Windows Command Shell
T1543.003   Create or Modify System Process: Windows Service
T1555.003   Credentials from Password Stores: Credentials from Web Browsers
T1114.001   Email Collection: Local Email Collection
T1573.002   Encrypted Channel: Asymmetric Cryptography
T1041       Exfiltration Over C2 Channel
T1210       Exploitation of Remote Services
T1040       Network Sniffing
T1571       Non-Standard Port
T1027       Obfuscated Files or Information
T1027.002   Obfuscated Files or Information: Software Packing
T1003.001   OS Credential Dumping: LSASS Memory
T1566.002   Phishing: Spearphishing Link
T1566.001   Phishing: Spearphishing Attachment
T1057       Process Discovery
T1055.001   Process Injection: Dynamic-link Library Injection
T1021.002   Remote Services: SMB/Windows Admin Shares
T1053.005   Scheduled Task/Job: Scheduled Task
T1552.001   Unsecured Credentials: Credentials In Files
T1204.001   User Execution: Malicious Link
T1204.002   User Execution: Malicious File
T1078.003   Valid Accounts: Local Accounts
T1047       Windows Management Instrumentation
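As an added example (not SOCRadar's code), the following Python sketch maps constructed Sysmon-style process and registry events onto ATT&CK IDs from the table above (Office document spawning a scripting interpreter, Run-key persistence, scheduled-task creation) and flags hosts where several of them co-occur; the event field names, host names and sample events are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Parent processes and interpreters drawn from the TTP table (T1204.002 + T1059.x)
OFFICE = {"winword.exe", "excel.exe", "outlook.exe"}
INTERPRETERS = {
    "powershell.exe": "T1059.001",
    "wscript.exe": "T1059.005",
    "cscript.exe": "T1059.005",
    "cmd.exe": "T1059.003",
}

@dataclass
class Event:
    """Minimal, constructed telemetry record (field names are assumptions)."""
    host: str
    kind: str            # "process" or "registry"
    parent: str = ""     # parent image name for process events
    image: str = ""      # image name for process events
    cmdline: str = ""    # command line for process events
    target: str = ""     # registry key path for registry events

def classify(ev: Event) -> list[str]:
    """Return the table's ATT&CK IDs that this single event matches."""
    hits: list[str] = []
    if ev.kind == "process":
        img = ev.image.lower()
        if ev.parent.lower() in OFFICE and img in INTERPRETERS:
            hits += ["T1204.002", INTERPRETERS[img]]   # malicious file -> interpreter
        if img == "schtasks.exe" and "/create" in ev.cmdline.lower():
            hits.append("T1053.005")                  # scheduled task persistence
    elif ev.kind == "registry":
        if "\\currentversion\\run" in ev.target.lower():
            hits.append("T1547.001")                  # Run key persistence
    return hits

def alert_hosts(events: list[Event], threshold: int = 2) -> dict[str, list[str]]:
    """Hosts on which at least `threshold` distinct table TTPs were observed."""
    per_host: dict[str, set[str]] = {}
    for ev in events:
        per_host.setdefault(ev.host, set()).update(classify(ev))
    return {h: sorted(t) for h, t in per_host.items() if len(t) >= threshold}

# Constructed sample events: ws01 shows the Emotet-style chain, ws02 is benign admin use.
SAMPLE = [
    Event("ws01", "process", parent="WINWORD.EXE", image="powershell.exe"),
    Event("ws01", "registry", target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"),
    Event("ws02", "process", parent="explorer.exe", image="powershell.exe", cmdline="Get-Date"),
]

if __name__ == "__main__":
    print(alert_hosts(SAMPLE))
```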

Latest Emotet IoCs


IoCs for BlackCat and Quantum Locker are also available.