Banking trojan / Loader

Emotet

aka Geodo · Heodo · Mealybug

A modular banking trojan turned prolific malware-as-a-service loader, infamous for malspam campaigns and for dropping ransomware payloads before its 2021 takedown.

Emotet first appeared in 2014 as a banking trojan targeting German and Austrian customers, intercepting online-banking credentials via network sniffing. Over the following years it pivoted into one of the most prolific malware-as-a-service loaders in the world: rather than monetising victims directly, Emotet rented its foothold to other criminal operations.

History

  • 2014 — Emerges as a credential-stealing banking trojan (v1/v2).
  • 2016–2017 — Drops banking modules, shifts toward a delivery platform.
  • 2018–2020 — Becomes the premier loader for TrickBot and QakBot, which in turn deployed Ryuk and Conti ransomware.
  • January 2021 — Disrupted by Operation Ladybird, a coordinated takedown led by Europol and eight countries.
  • Late 2021 — Rebuilt and redistributed via TrickBot infrastructure.

How it spreads

Emotet is delivered almost entirely through malspam — emails carrying weaponised Office documents or links. Its signature technique is email thread hijacking: it steals real conversations and replies within them, making lures highly convincing.

For the assembly-level unpacking routine and module loader internals, see the teardown on the Reverse Engineering Hub.

Notable attacks

Emotet acted as the initial-access stage for many major ransomware incidents. The downstream Ryuk and Conti campaigns it enabled are catalogued on Cyber Breaches — see also the TA542 threat-actor profile.

Detection

Defenders should alert on Office processes (Word, Excel) spawning PowerShell or WScript, on outbound connections to known C2 addresses on ports 8080/443, and on the scheduled-task persistence Emotet creates. YARA rules and current IOCs are linked in the fact sheet.
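The three detection ideas above (Office process spawning a script host, a suspect process reaching a C2 port or address, and scheduled-task creation) can be correlated in a single hunt over endpoint telemetry. The Python below is an added example written for this page, not code from the original profile or from any vendor tool. It runs over constructed Sysmon-style events (EventID 1 = process creation, EventID 3 = network connection); the field names follow the Sysmon convention, but every process id, path and address is invented, and `KNOWN_C2` is a placeholder watch-list standing in for the IOC feed the fact sheet links to.

```python
"""Correlate Emotet-style execution chains in constructed endpoint telemetry."""
from typing import Optional

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
TASK_TOOLS = {"schtasks.exe"}
C2_PORTS = {8080, 443}
# Placeholder watch-list (RFC 5737 documentation address, constructed for this
# example); a real deployment would load the current IOC feed instead.
KNOWN_C2 = {"198.51.100.23"}


def image_name(path: str) -> str:
    """Return the lower-case file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_process(event: dict) -> Optional[str]:
    """Label a process-creation event that matches an Emotet-style chain."""
    parent = image_name(event.get("ParentImage", ""))
    child = image_name(event.get("Image", ""))
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        return "office_spawns_script_host"
    if child in TASK_TOOLS and "/create" in event.get("CommandLine", "").lower():
        return "scheduled_task_created"
    return None


def hunt(events: list) -> list:
    """Two-stage correlation over chronologically ordered events.

    Stage 1: each process-creation event is classified; a flagged process and
             every descendant of it are recorded as suspect.
    Stage 2: a network event from a suspect process that reaches a C2 port or a
             watch-listed address is raised at high severity.
    """
    alerts = []
    suspect_pids = set()
    for e in events:
        if e["EventID"] == 1:
            label = classify_process(e)
            # Descendants inherit suspicion: the PowerShell launched by Word
            # later spawns the dropped binary, which does the C2 traffic.
            if label or e.get("ParentProcessId") in suspect_pids:
                suspect_pids.add(e["ProcessId"])
            if label:
                alerts.append({"severity": "medium", "rule": label,
                               "pid": e["ProcessId"], "image": image_name(e["Image"])})
        elif e["EventID"] == 3:
            port = int(e.get("DestinationPort", 0))
            dest = e.get("DestinationIp", "")
            if e["ProcessId"] in suspect_pids and (port in C2_PORTS or dest in KNOWN_C2):
                alerts.append({"severity": "high", "rule": "suspect_process_to_c2_port",
                               "pid": e["ProcessId"], "dest": f"{dest}:{port}"})
    return alerts


# Constructed sample telemetry: Word opens a lure, spawns PowerShell, which
# drops and runs a binary that beacons on 8080 and installs a scheduled task.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4012, "ParentProcessId": 3300,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice.doc"'},
    {"EventID": 1, "ProcessId": 4120, "ParentProcessId": 4012,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -NoProfile -File <placeholder script>"},
    {"EventID": 1, "ProcessId": 4310, "ParentProcessId": 4120,
     "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"EventID": 3, "ProcessId": 4310,
     "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "DestinationIp": "198.51.100.23", "DestinationPort": 8080},
    {"EventID": 1, "ProcessId": 4400, "ParentProcessId": 4310,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "CommandLine": 'schtasks.exe /create /sc minute /mo 15 /tn "Update" /tr "<placeholder>"'},
    # Benign noise: a browser on 443 from a non-suspect process must not fire.
    {"EventID": 3, "ProcessId": 2200,
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.9", "DestinationPort": 443},
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

Port 443 on its own is far too noisy to alert on, which is why the network stage only fires for processes already tied to an Office-spawned chain or to a watch-listed address; the benign Firefox event in the sample shows that gate working.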