Emotet botnet hits quiet patch before Black Friday – the calm before the storm?

Next story
Rene Holt

Most wanted botnets – Emotet, Trickbot and Qbot. What are these bad amigos up to, and how do you stay safe?

Emotet and holidays like Black Friday are good pals. That’s because Emotet’s seasonal specialty is filling your inbox with holiday “deals” that aim to compromise your machine, steal valuable data and account credentials and open it up to subsequent attacks from other malicious actors. 

This year, we saw Emotet flooding inboxes with malicious emails in monthly campaigns running from August to October – campaigns that reached into the low tens of thousands of detections in ESET telemetry:

Figure 1: Monthly Emotet campaigns detected in ESET telemetry


Right around Halloween, and leading up to Black Friday, Emotet went quiet. It’s suspected by ESET researchers that Emotet’s operators are taking a little downtime before roaring the spam engine back to life for 2020’s Black Friday and the following pre-Christmas period. 

While Emotet’s writers have, in the past, placed a rude comment or two about ESET in their malware binaries, ESET protection has not been outdone. Dealing with Emotet’s attacks can be as simple as being cautious, by not clicking on links in emails, avoiding the “Enable Content” button in documents that arrive as attachments of suspicious, yet legitimate-looking, emails and using security software like ESET Internet Security that protects you when you accidentally click.

The other specials Emotet likes to offer are its friends, Qbot and Trickbot. Emotet is known to serve up both Trickbot and Qbot malware to its victims. Both these malevolent families are more than happy to help themselves to victims’ sensitive information, credentials and other valuable data, and often finish their nasty business by installing ransomware such as Ryuk or Conti.

Let’s see how busy Trickbot and Qbot – Emotet’s friends – have been in the past few months:

While Trickbot’s detection numbers remain in the hundreds – likely due to the recent disruption efforts – Qbot has been quite busy, with detection numbers for the malware reaching the low thousands from August to October. In fact, following Halloween, Emotet detection numbers subsided, while Qbot detection numbers kept their former levels. That would suggest that Qbot is also using other distribution channels to get into potential victims’ inboxes.

How to stay safe from malicious bots

Emotet and its buddies don’t just flood your inbox with dangerous malspam, but they also go after other devices in your network. Trickbot, for example, has been using hacked routers for a long time for command and control. Therefore, it is important to review the security settings of all your home devices.

  1. You can find some practical tips on how to configure your home router securely here.

  2. If you use child trackers and watches, smart doorbells, smart security cameras or smart home hubs, you can read up on the privacy and security considerations surrounding their use here.

  3. If you want to test your mettle against phishing emails or malspam, you can find a few options here.

  4. Finally, don’t forget to protect all your devices with security solutions like ESET Mobile Security for Android, ESET Internet Security for Windows or ESET Cyber Security for macOS. These offer multilayered protection that can detect and block Emotet’s efforts, whether fingerprinting victims’ machines, spreading laterally in a network or downloading payloads such as Trickbot and Qbot.