article featured image


Emotet is a virus infection that is propagated by spam email attachments that contain malicious Word or Excel documents. These documents utilize macros to download and install the Emotet Trojan on a victim’s computer, which is then used to steal email and install further malware.

Emotet used to install the TrickBot or Qbot trojans on affected devices. These Trojans would eventually install Cobalt Strike on an affected device or engage in other malicious activity.

Cobalt Strike is a legal penetration testing toolset that allows attackers to install “beacons” on compromised machines in order to undertake remote network surveillance or execute additional instructions.

Unfortunately, Cobalt Strike is particularly popular with threat actors who employ cracked versions as part of their network breaches, and it is frequently used in ransomware attacks.

As we’ve previously reported Emotet botnet has been reactivated by its previous operator, who was persuaded by members of the Conti ransomware group.

This happened after a lengthy period of malware loader scarcity and the decrease of decentralized ransomware operations, the botnet has resurfaced, allowing organized criminal syndicates to resurface.

What Happened?

BleepingComputer reports that the notorious Emotet malware is apparently now installing Cobalt Strike beacons directly.

This is concerning as it provides immediate network access to threat actors, therefore making ransomware attacks imminent.

Cryptolaemus, an Emotet research organization, reported that Emotet is now bypassing its core malware payload of TrickBot or Qbot in favor of directly installing Cobalt Strike beacons on affected devices.

Today, some infected computers received a command to install Cobalt Strike, a popular post-exploitation tool. Emotet itself gathers a limited amount of information about an infected machine, but Cobalt Strike can be used to evaluate a broader network or domain, potentially looking for suitable victims for further infection such as ransomware. While the Cobalt Strike sample was running, it attempted to contact the domain lartmana[.]com. Shortly afterward, Emotet uninstalled the Cobalt Strike executable.


This is a significant shift in strategy since victims often had some time to notice the infection after Emotet placed its primary payload of TrickBot or Qbot before Cobalt Strike was released.

Threat actors might have rapid access to a network now that these early malware payloads have been bypassed, allowing them to propagate laterally, steal data, and swiftly release ransomware.

Cobalt Strike’s quick deployment will almost certainly help with the spread of ransomware on vulnerable networks. This is especially true for the Conti ransomware group, which persuaded the operators of Emotet to relaunch after they were taken down by law authorities in January.

How Can Heimdal™ Protect You?

Heimdal™ has always the most efficient solutions ready to help secure your organization’s critical infrastructure. You can use tools like Email Security and Email Fraud Prevention. The first protects against mail-delivered threats and supply chain attacks by means of a combination of proprietary e-mail threat prevention and Office 365 support, the second keeps Business Email Compromise (BEC), CEO fraud, and phishing away through its 125 vectors of analysis.

Did you enjoy this article? Follow us on LinkedInTwitterFacebookYoutube, or Instagram to keep up to date with everything we post!

Author Profile

Dora Tudor

Cyber Security Enthusiast

linkedin icon

Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.

Leave a Reply

Your email address will not be published. Required fields are marked *

Protect your business by doing more with less

Book a Demo