Skip to content
July 13, 2026
  • Linkedin
  • Twitter
  • Facebook
  • Youtube

Daily CyberSecurity

Zero-hour alerts. Unmatched analysis.

Primary Menu
  • Home
  • CVE Data
    • CVE Watchtower
    • Top Exploited CVEs
    • CVE Stats by Vendor
    • Q2 2026 Report
  • Cyber Criminals
  • Data Leak
  • Linux
  • Malware
  • Vulnerability
  • Submit Press Release
  • Vulnerability Report
Light/Dark Button
  • Home
  • News
  • Malware
  • Check Point Research: Emotet Trojan reappear
  • Malware

Check Point Research: Emotet Trojan reappear

Do Son July 26, 2018 4 minutes read
Emotet Bank Trojans
Add Daily CyberSecurity as a preferred source on Google
If you want to give a name to the malware, write a small biography, then the Emotet Trojan will be able to occupy a seat. The news has been there for many years: from the sizeable malspam infection bank in Germany in 2014 to the infection of the computer network in New Hampshire in July this year.
The initial goal of the tricky Emotet Trojan was bank vouchers, but it has recently discovered that Trojans have changed its strategy and goals, drawing the attention of researchers and law enforcement. Check Point Research mentioned in a report released on Tuesday:
“This includes deployment of endpoint, email and web-gateway protection technologies, as well as firewalls and vulnerability assessment solutions. Always keep these security solutions up-to-date with the latest protection capabilities.”
It turns out that these Trojans are useful in transmitting and can also successfully injure victims. In the official technical data of the US Department of Homeland Security, after Emotet infects national and local governments, the average cost of repairs per request is as high as $1 million.
Researchers at Symantec and Check Point said that the Emote Trojan has evolved new technologies and has become a communicator for distributing other threatening software and secretly blaming third-party open source code. Importantly, its core functionality has also changed. In 2017, the Trojan gave up its banking module and made it the most critical component. The move symbolises the expansion of its goals and the spread of threat strategies. Initially discovered by Trend Micro in 2014, the malware is now available as a downloader or distributor for other bank Trojan horses after acquiring devices through spam campaigns.
Emotet’s self-propagating ability is outstanding, so once it appears on the computer, it will download and execute an extension module. It has a list of passwords that are used to force access to other computers on the same network. Emotet can also be propagated to other computers through a spam module installed on an infected victim computer.
Malware currently uses five known extension modules: NetPass.exe (a legitimate utility that recovers all network passwords stored on the system), WebBrowserPassView (a password recovery tool that captures passwords stored by the browser, including the Internet) Explorer and Firefox Mozilla), Mail PassView (password recovery tool for various email clients, including Microsoft Outlook and Windows Mail), Outlook knife (a tool for removing names and email addresses from the victim’s Outlook account) and Credential enumerator.
This year, Symantec researchers discovered the link between Emotet and the dangerous organisation Mealybug, which has been active on the Internet since 2014. Mealybug seems to have expanded the capabilities and goals of Trojans and is what Symantec researchers call “end-to-end service for delivery of threats.”
“Mealybug’s shift from distributing its own banking trojan to a relatively small number of targets, to acting primarily as a global distributor of other groups’ threats, is interesting, and backs up an observation we made… that threat actors are evolving and refining their techniques and business model to maximize profits.”
For example, since February 2018, Emotet has been using its loader feature to spread the Quakbot family of malware, which behaves like a network worm. Also, malware is still distributing Ransom.UmbreCrypt ransomware.
Emotet has also enhanced its capabilities and strategies, including the use of third-party open source components. For example, malware builds a communication protocol on Google’s prototype, which uses Lempel-Ziv-Markov (LZMA) compression. LZMA is a chain algorithm for performing lossless data compression. Checkpoint researchers point out that “Easy access to third-party libraries is a powerful stimulant in any development process, and the design of the relevant design must have its benefits, and of course it is flawed. But who knows? Maybe we will see it in a few years. To enterprise-class malware written in Java, they call for more malware resources and cryptocurrency.
At the end of 2017, Emotet was found to spread the virus and spread the bank Trojan IDicID on the target system. In early July this year, officials in Portsmouth, New Hampshire, said that Emotet malware would cost $156,000 to remove after phishing emails were transmitted to the city’s entire computer network.

Get Zero-Hour Vulnerability Alerts

Critical CVEs, CVSS scores, and PoC updates — straight to your inbox every week.


We respect your inbox. Unsubscribe anytime.

Related coverage

  • Earth Kasha Refines Spear-Phishing Tactics in Espionage Campaign Targeting Taiwan and Japan
  • UNC1151 Escalates Cyber Warfare: Attacks Target Ukrainian Defense Infrastructure
  • Boeing was attacked by ransomware and WannaCry becomes the most suspected object
  • Iranian Cyber Group Imperial Kitten Attacks Middle East
  • How Attackers Exploit and Then Patch a Vulnerability to Hide in Linux Systems
Track all actively exploited CVEs →

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee Logo Buy Me a Coffee PayPal
Crypto QR Code
USDT (TRC20):
TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm
USDT (ERC20):
0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce

Share this article:

Facebook Post LinkedIn Telegram
Written by
@DdoS · Security Researcher

Do Son

Do Son is the Founder and Editor of SecurityOnline.info. Working in cybersecurity since 2013, he reports on vulnerabilities, malware, and emerging threats, providing timely analysis to help organizations and individuals stay ahead of evolving risks.

Tags: Emotet Trojan

Search

Translation

CVE WATCHTOWER
🚨

Receive alerts for vulnerabilities being exploited in the wild.

⚡

Get notified instantly when a Proof of Concept (PoC) exploit is published.

🔍

Access critical info on vulnerabilities even when marked as "RESERVED".

🧠

Insights powered by decades of expertise and global intelligence sources.

🎯

Customize alerts with up to 10 keywords for your specific tech stack.

📊

Export the raw CVE database for SIEM integration and reporting.

Upgrade Package

🚨 Active Exploits in the Wild

  • CVE-2026-1207CVSS 5.4
    An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on...
    Admin intel📅 Updated: Jul 10, 2026
  • CVE-2026-48939CVSS 10.0
    A vulnerability in the iCagenda extension for Joomla allows the upload of arbitrary files in the file attachment...
    CISA KEV📅 Added to KEV: Jul 10, 2026
  • CVE-2026-56291CVSS 10.0
    The Joomla extension Balbooa Forms is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files...
    CISA KEV📅 Added to KEV: Jul 10, 2026
  • CVE-2026-55255CVSS 8.4
    Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.1, an Insecure Direct...
    CISA KEV📅 Added to KEV: Jul 7, 2026
  • CVE-2026-48908
    A vulnerability in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, ultimately resulting in...
    CISA KEV📅 Added to KEV: Jul 7, 2026
  • CVE-2026-56290
    The Joomla extension Page Builder CK is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable...
    CISA KEV📅 Added to KEV: Jul 7, 2026
  • CVE-2026-20896CVSS 9.8
    Gitea Docker image: `REVERSE_PROXY_TRUSTED_PROXIES = *` default lets any source IP impersonate any user via `X-WEBAUTH-USER`
    Admin intel📅 Updated: Jul 6, 2026
  • CVE-2026-48282CVSS 10.0
    ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted...
    Admin intelCISA KEV📅 Added to KEV: Jul 7, 2026📅 Updated: Jul 3, 2026
Powered by CVE Watchtower

🔴 Live Critical Threats

  • CVE-2026-15511CVSS 9.8
    A vulnerability was determined in Comfast CF-WR631AX V3 up to 2.7.0.8. Affected...
  • CVE-2026-56271CVSS 9.8
    Flowise before 3.1.0 (affected versions 3.0.13 and earlier) uses weak hardcoded default...
  • CVE-2026-56260CVSS 9.1
    Crawl4AI before 0.8.7 contains an arbitrary file write vulnerability in the Docker...
  • CVE-2026-61447CVSS 10.0
    PraisonAI before 1.6.78 contains a remote code execution vulnerability in CodeAgent._execute_python() that...
  • CVE-2026-61445CVSS 9.9
    PraisonAI before 4.6.78 contains arbitrary file write and command execution vulnerabilities in...
  • CVE-2026-60090CVSS 9.8
    PraisonAI before 4.6.78 fails to validate the caller-controlled dimension argument in the...
  • CVE-2026-57827CVSS 10.0
    The Joomla extension RSFiles is vulnerable to an unauthenticated arbitrary file upload...
  • CVE-2026-57828CVSS 9.0
    The Joomla extension Phoca Downloads is vulnerable to an authenticated arbitrary file...
  • CVE-2026-14480CVSS 9.9
    OpenPLC Runtime v3 contains an authenticated arbitrary file write vulnerability in the...
  • CVE-2026-20744CVSS 9.8
    The charging station websocket endpoint accepts connections without proper authentication, which could...
Powered by CVE WATCHTOWER

Our Websites
  • Penetration Testing Tools
  • The Daily Information Technology
  • Top Exploited CVEs
  • Daily CyberSecurity

    • About SecurityOnline.info
    • Advertise with us
    • Announcement
    • Contact
    • Contributor Register
    • Login
    • Disclaimer
    • DCMA
    • Privacy Policy
    • About SecurityOnline.info
    • Advertise on SecurityOnline.info
    • Contact Us

    When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works

    • CVE Watchtower
    • CVE Statistics by Vendor 2026
    • Q2 2026 Report
    • Top Exploited CVEs
    • Linkedin
    • Twitter
    • Facebook
    • Youtube
    © 2017 - 2026 Daily CyberSecurity. All Rights Reserved.