Menu
Browse

Cyber Threat Actor: Emotet

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Crime Syndicate
Germany
4 incidents
Profile

Heodo, also known as Emotet, is a threat actor that has been linked to malware operations originating from Germany. The actor is recognized for distributing the Emotet malware family, which operates under the Heodo alias, and has been observed in multiple publicly reported incidents across different regions. While the actor’s exact organizational structure is not detailed in the available sources, the repeated use of the Emotet payload indicates a sustained capability to develop and deploy modular malware.

The actor’s activities have affected a range of targets including a Japanese fishery cooperative’s mail‑order site, the United Nations, and the municipal government of Frankfurt. In the fishery cooperative incident, the malware led to potential exposure of customer information such as names, addresses, telephone numbers, and email addresses. The United Nations phishing campaign involved impersonation of Norwegian officials to deliver Emotet via malicious Word attachments, resulting in credential theft and the deployment of secondary malware including the TrickBot trojan, which is associated with ransomware threats. The Frankfurt case described an employee opening a malicious email attachment that delivered Emotet, prompting a preemptive shutdown of the city’s IT network to avert ransomware deployment and broader disruption. These examples show that the actor’s operations have been directed at both private sector entities and public institutions, with observed outcomes consistent with financial gain through data theft and ransomware, as well as intentional disruption of services.

Typical tactics observed in the referenced incidents include initial access through phishing emails containing malicious Microsoft Word documents that rely on macro execution to download the Emotet payload. Once installed, Emotet functions as a loader that can spread spam emails and download additional payloads, such as TrickBot, to extend the compromise. The actor’s tooling style emphasizes the use of socially engineered lures to trigger macro‑based infection chains, followed by modular malware distribution that enables further criminal activity. No explicit public attribution to a state sponsor or criminal consortium is provided in the source material, so such affiliations are not asserted. The highlighted campaigns—the UN phishing effort, the Frankfurt network shutdown, and the Atsugishi Fishery Cooperative breach—represent notable, publicly reported operations that illustrate the actor’s recurring use of Emotet‑based phishing to achieve financial and disruptive objectives.

Incidents
Attributed incidents available to members
4 incidents
Sources
Sources available to members
0 sources