June 7, 2023

Emotet now directly installs the Cobalt Strike Beacon, giving threat actors immediate network access and making ransomware attacks imminent.

For context, Emotet is malware that spreads through spam emails carrying malicious Word or Excel documents. Their macros download and install the Emotet Trojan on the victim's computer, which is then used to steal email and to deploy further malware to the device.


Historically, Emotet installed the TrickBot or Qbot Trojans on infected devices; these in turn eventually deployed Cobalt Strike to the device or carried out other malicious activity.

Cobalt Strike is a legitimate penetration-testing toolkit whose "beacons", deployed on compromised devices, let an operator survey the network and execute further commands. It is also very popular with threat actors, who run cracked copies as part of their network intrusions, and it is commonly seen in ransomware attacks.

This is a significant change in strategy: after Emotet installed its primary payload of TrickBot or Qbot, victims usually had some time to detect the infection before Cobalt Strike was deployed.

Now that these intermediate payloads have been cut from the chain, threat actors gain immediate access to a network to spread laterally, steal data, and deploy ransomware far sooner.

This is a big deal. Usually Emotet dropped TrickBot or Qakbot, which in turn dropped Cobalt Strike. You usually have about a month between the first infection and the ransomware. With Emotet dropping CS straight away, there is likely to be very little delay.


The latest wave of spam prompts users to download password-protected ZIP archives containing malicious documents that, once opened with macros enabled, deploy Emotet, allowing it to rebuild its botnet and grow in volume.
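The delivery chain described above (a password-protected ZIP carrying a macro-enabled Word or Excel document) has a useful property for defenders: the archive's payload is encrypted, so a mail gateway cannot inspect the macros, but the ZIP central directory (entry names, sizes and flag bits) is always in the clear. The following is an added illustrative example, not Emotet code and not any vendor's detection rule, showing a triage check built only on that metadata. The `MACRO_CAPABLE` extension list and the sample archives are constructed for this example; the archives are hand-built so the ZIP "encrypted" flag bit can be set, which the standard library's writer does not allow.

```python
"""Triage an e-mail attachment for the pattern described above: a
password-protected ZIP whose entries are macro-capable Office documents.
Added illustrative example; not Emotet code and not a vendor rule."""
import io
import os
import struct
import zipfile
import zlib

# Extensions that can carry VBA macros. Assumed list for this example.
MACRO_CAPABLE = {".doc", ".dot", ".docm", ".dotm", ".xls", ".xlt", ".xlsm",
                 ".xlsb", ".ppt", ".pptm"}

ZIP_FLAG_ENCRYPTED = 0x0001  # general-purpose bit 0 in the ZIP format


def build_zip(entries, encrypted):
    """Hand-build a minimal STORE-only ZIP so the 'encrypted' flag bit can
    be set (zipfile's writer always clears it). Only the flag is set; the
    data itself is left in the clear. Used here to construct sample input."""
    flag = ZIP_FLAG_ENCRYPTED if encrypted else 0
    buf = io.BytesIO()
    central = b""
    for name, data in entries:
        name_b = name.encode("ascii")
        crc = zlib.crc32(data) & 0xFFFFFFFF
        offset = buf.tell()
        # Local file header (30 bytes): sig, version, flags, method, time,
        # date (1980-01-01), crc, compressed size, size, name len, extra len.
        buf.write(struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flag, 0, 0, 0x21,
                              crc, len(data), len(data), len(name_b), 0))
        buf.write(name_b + data)
        # Central directory header (46 bytes) for the same entry.
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flag,
                               0, 0, 0x21, crc, len(data), len(data),
                               len(name_b), 0, 0, 0, 0, 0, offset)
        central += name_b
    cd_offset = buf.tell()
    buf.write(central)
    # End-of-central-directory record (22 bytes).
    buf.write(struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries),
                          len(entries), len(central), cd_offset, 0))
    return buf.getvalue()


def triage_zip(blob):
    """Return (suspicious, findings) for one ZIP attachment.

    Rule: an entry that is both encrypted and a macro-capable Office
    document matches the password-protected-ZIP -> macro-document chain.
    Only the central directory is read; no password is needed for that."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return False, ["not a ZIP archive"]
    for info in zf.infolist():
        encrypted = bool(info.flag_bits & ZIP_FLAG_ENCRYPTED)
        ext = os.path.splitext(info.filename)[1].lower()
        if encrypted and ext in MACRO_CAPABLE:
            findings.append(f"encrypted macro-capable document: {info.filename}")
        elif encrypted:
            # Content cannot be scanned; worth recording even if not flagged.
            findings.append(f"encrypted entry (not scannable): {info.filename}")
    suspicious = any(f.startswith("encrypted macro-capable") for f in findings)
    return suspicious, findings


# Constructed samples (not real Emotet artefacts).
SAMPLE_BENIGN = build_zip([("q2-report.pdf", b"%PDF-1.4 sample")], encrypted=False)
SAMPLE_LURE = build_zip([("Invoice_2298.doc", b"\xd0\xcf\x11\xe0" + b"\x00" * 28)],
                        encrypted=True)

if __name__ == "__main__":
    for label, blob in (("benign", SAMPLE_BENIGN), ("lure", SAMPLE_LURE)):
        print(label, triage_zip(blob))
```

The design point is that a password does not hide the archive's structure: a gateway that cannot open the document can still see that an encrypted `.doc` is being delivered, and that combination is rare enough in legitimate mail to quarantine or at least flag for review.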

This rapid deployment of Cobalt Strike will potentially speed up the deployment of ransomware on compromised networks. This is especially true for the Conti ransomware gang, which persuaded the Emotet operators to relaunch after the botnet was taken down by law enforcement in January.
