![Beitragsbild zu World’s most dangerous malware EMOTET disrupted through global action](https://www.all-about-security.de/wp-content/uploads/2021/01/Europol.jpg)
Law enforcement and judicial authorities worldwide have this week disrupted one of most significant botnets of the past decade: EMOTET. Investigators have now taken control of its infrastructure in an international coordinated action.
This operation is the result of a collaborative effort between authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine, with international activity coordinated by Europol and Eurojust. This operation was carried out in the framework of the European Multidisciplinary Platform Against Criminal Threats (EMPACT).
EMOTET has been one of the most professional and long lasting cybercrime services out there. First discovered as a banking Trojan in 2014, the malware evolved into the go-to solution for cybercriminals over the years. The EMOTET infrastructure essentially acted as a primary door opener for computer systems on a global scale. Once this unauthorised access was established, these were sold to other top-level criminal groups to deploy further illicit activities such data theft and extortion through ransomware.
Spread via Word documents
The EMOTET group managed to take email as an attack vector to a next level. Through a fully automated process, EMOTET malware was delivered to the victims’ computers via infected e-mail attachments. A variety of different lures were used to trick unsuspecting users into opening these malicious attachments. In the past, EMOTET email campaigns have also been presented as invoices, shipping notices and information about COVID-19.
All these emails contained malicious Word documents, either attached to the email itself or downloadable by clicking on a link within the email itself. Once a user opened one of these documents, they could be prompted to “enable macros” so that the malicious code hidden in the Word file could run and install EMOTET malware on a victim’s computer.
Attacks for hire
EMOTET was much more than just a malware. What made EMOTET so dangerous is that the malware was offered for hire to other cybercriminals to install other types of malware, such as banking Trojans or ransomwares, onto a victim’s computer.
This type of attack is called a ‘loader’ operation, and EMOTET is said to be one of the biggest players in the cybercrime world as other malware operators like TrickBot and Ryuk have benefited from it.
Its unique way of infecting networks by spreading the threat laterally after gaining access to just a few devices in the network made it one of the most resilient malware in the wild.
Disruption of EMOTET’s infrastructure
The infrastructure that was used by EMOTET involved several hundreds of servers located across the world, all of these having different functionalities in order to manage the computers of the infected victims, to spread to new ones, to serve other criminal groups, and to ultimately make the network more resilient against takedown attempts.
To severely disrupt the EMOTET infrastructure, law enforcement teamed up together to create an effective operational strategy. It resulted in this week’s action whereby law enforcement and judicial authorities gained control of the infrastructure and took it down from the inside. The infected machines of victims have been redirected towards this law enforcement-controlled infrastructure. This is a unique and new approach to effectively disrupt the activities of the facilitators of cybercrime.
How to protect oneself against loaders
Many botnets like EMOTET are polymorphic in nature. This means that the malware changes its code each time it is called up. Since many antivirus programmes scan the computer for known malware codes, a code change may cause difficulties for its detection, allowing the infection to go initially undetected.
A combination of both updated cybersecurity tools (antivirus and operating systems) and cybersecurity awareness is essential to avoid falling victim to sophisticated botnets like EMOTET. Users should carefully check their email and avoid opening messages and especially attachments from unknown senders. If a message seems too good to be true, it likely is and emails that implore a sense of urgency should be avoided at all costs.
As part of the criminal investigation conducted by the Dutch National Police into EMOTET, a database containing e-mail addresses, usernames and passwords stolen by EMOTET was discovered. You can check if your e-mail address has been compromised. As part of the global remediation strategy, in order to initiate the notification of those affected and the cleaning up of the systems, information was distributed worldwide via the network of so-called Computer Emergency Response Teams (CERTs).
The following authorities took part in this operation:
- Netherlands: National Police (Politie), National Public Prosecution Office (Landelijk Parket)
- Germany: Federal Criminal Police (Bundeskriminalamt), General Public Prosecutor’s Office Frankfurt/Main (Generalstaatsanwaltschaft)
- France: National Police (Police Nationale), Judicial Court of Paris (Tribunal Judiciaire de Paris)
- Lithuania: Lithuanian Criminal Police Bureau (Lietuvos kriminalinės policijos biuras), Prosecutor’s General’s Office of Lithuania
- Canada: Royal Canadian Mounted Police
- United States: Federal Bureau of Investigation, U.S. Department of Justice, US Attorney’s Office for the Middle District of North Carolina
- United Kingdom: National Crime Agency, Crown Prosecution Service
- Ukraine: National Police of Ukraine (Національна поліція України), of the Prosecutor General’s Office (Офіс Генерального прокурора).
Fachartikel
![Featured image for “DDoS-Angriffe auf Technologieunternehmen: Die wachsende Bedrohung”](https://www.all-about-security.de/wp-content/uploads/2025/01/Depositphotos_145060697_S.jpg)
DDoS-Angriffe auf Technologieunternehmen: Die wachsende Bedrohung
![Featured image for “Kontinuierliche Ransomware-Validierung: Warum jährliche Tests nicht mehr ausreichen”](https://www.all-about-security.de/wp-content/uploads/2025/01/Depositphotos_19125253_S.jpg)
Kontinuierliche Ransomware-Validierung: Warum jährliche Tests nicht mehr ausreichen
![Featured image for “Herausforderungen im Zuge von IT-Sicherheit: Ist MDR die Lösung?”](https://www.all-about-security.de/wp-content/uploads/2025/01/Depositphotos_95679652_S.jpg)
Herausforderungen im Zuge von IT-Sicherheit: Ist MDR die Lösung?
![Featured image for “IT-Sicherheit: Die vier typischsten Angriffsflächen von Unternehmen”](https://www.all-about-security.de/wp-content/uploads/2023/04/wood-g908abea64_640.jpg)
IT-Sicherheit: Die vier typischsten Angriffsflächen von Unternehmen
![Featured image for “CTEM: Ein moderner Ansatz für kontinuierliches Bedrohungsmanagement”](https://www.all-about-security.de/wp-content/uploads/2025/01/Depositphotos_77282656_S.jpg)
CTEM: Ein moderner Ansatz für kontinuierliches Bedrohungsmanagement
Studien
![Featured image for “KI-gestützter Identitätsbetrug auch 2025 weiter auf dem Vormarsch”](https://www.all-about-security.de/wp-content/uploads/2025/01/Depositphotos_435022046_S.jpg)
KI-gestützter Identitätsbetrug auch 2025 weiter auf dem Vormarsch
![Featured image for “Wissenschaftler der Universität Paderborn entwickeln App, die sicheres digitales Verhalten fördert”](https://www.all-about-security.de/wp-content/uploads/2024/10/app-68002_6401.jpg)
Wissenschaftler der Universität Paderborn entwickeln App, die sicheres digitales Verhalten fördert
![Featured image for “HP Wolf Security-Studie: Sicherheitslücken bedrohen Unternehmen in jeder Phase des Gerätelebenszyklus”](https://www.all-about-security.de/wp-content/uploads/2024/12/Depositphotos_10846788_S.jpg)
HP Wolf Security-Studie: Sicherheitslücken bedrohen Unternehmen in jeder Phase des Gerätelebenszyklus
![Featured image for “Neue Studie deckt Anstieg der SAP-Automatisierung bei zunehmender S/4HANA-Migration auf”](https://www.all-about-security.de/wp-content/uploads/2024/11/Depositphotos_525824074_S.jpg)
Neue Studie deckt Anstieg der SAP-Automatisierung bei zunehmender S/4HANA-Migration auf
![Featured image for “Studie belegt API-Sicherheitsvorfälle bei 84 Prozent der deutschen Sicherheitsexperten im vergangenen Jahr”](https://www.all-about-security.de/wp-content/uploads/2024/01/comics-151341_640.png)
Studie belegt API-Sicherheitsvorfälle bei 84 Prozent der deutschen Sicherheitsexperten im vergangenen Jahr
Whitepaper
![Featured image for “PQC-Verschlüsselung – Was die neue Bekanntmachung des NIST für die Umstellung bedeutet”](https://www.all-about-security.de/wp-content/uploads/2025/01/Depositphotos_108766172_S.jpg)
PQC-Verschlüsselung – Was die neue Bekanntmachung des NIST für die Umstellung bedeutet
![Featured image for “Allianz Risk Barometer 2025”](https://www.all-about-security.de/wp-content/uploads/2025/01/Depositphotos_1272614_S.jpg)
Allianz Risk Barometer 2025
![Featured image for “Start der elektronischen Patientenakte: 65% der Deutschen fühlen sich schlecht informiert”](https://www.all-about-security.de/wp-content/uploads/2025/01/Depositphotos_170397486_S.jpg)
Start der elektronischen Patientenakte: 65% der Deutschen fühlen sich schlecht informiert
![Featured image for “Globaler Ausblick auf die Cybersicherheit 2025 – Orientierung in der zunehmenden Cyberkomplexität”](https://www.all-about-security.de/wp-content/uploads/2025/01/Depositphotos_127153934_S.jpg)
Globaler Ausblick auf die Cybersicherheit 2025 – Orientierung in der zunehmenden Cyberkomplexität
![Featured image for “CISA und US-amerikanische und internationale Partner veröffentlichen Leitfaden zu vorrangigen Überlegungen bei der Produktauswahl für OT-Eigentümer und -Betreiber”](https://www.all-about-security.de/wp-content/uploads/2025/01/Depositphotos_312417314_S.jpg)
CISA und US-amerikanische und internationale Partner veröffentlichen Leitfaden zu vorrangigen Überlegungen bei der Produktauswahl für OT-Eigentümer und -Betreiber
Hamsterrad-Rebell
![Featured image for “Network Access Enforcement”](https://www.all-about-security.de/wp-content/uploads/2025/01/Watchguard_Titel_jiw.jpg)
Network Access Enforcement
![Featured image for “Maximale Sicherheit und Produktivität: Worauf es bei der Einführung von Microsoft Copilot ankommt”](https://www.all-about-security.de/wp-content/uploads/2025/01/Varonis_Titel_jiw.jpg)
Maximale Sicherheit und Produktivität: Worauf es bei der Einführung von Microsoft Copilot ankommt
![Featured image for “Vertrauen in große Anbieter: Realität oder Illusion”](https://www.all-about-security.de/wp-content/uploads/2024/12/Exeon_Dezember_titel_jiw.jpg)
Vertrauen in große Anbieter: Realität oder Illusion
![Featured image for “Wie lasse ich meine SAP Systeme in der Cloud laufen, damit die Kosten übersichtlich bleiben?”](https://www.all-about-security.de/wp-content/uploads/2024/12/Alina_Dezember_24_jiw.jpg)
Wie lasse ich meine SAP Systeme in der Cloud laufen, damit die Kosten übersichtlich bleiben?
![Featured image for “Wie kann man mit Pentera wie ein Angreifer denken?”](https://www.all-about-security.de/wp-content/uploads/2024/11/Pentera_Titel_Nov_jiw.jpg)