Emotet’s comeback is getting a boost from fellow botnet TrickBot

The two botnets spell trouble for 2022, researchers say.

The resurgence of the botnet Emotet after a law enforcement takedown earlier this year is getting a boost from fellow crime group TrickBot, researchers at Check Point have found.

Since November, Check Point has identified 113 new Emotet targets in the first week of December, nearly half its infection rate right before it was taken down.

Emotet attempted to infect 657 new organizations (219 per week) during January 2020. And it was already at 113 new targets in the first week of December 2020. This means that in 3 weeks since its comeback, Emotet already gained 50% of its infection rate before it was taken down.

The samples of the Emotet malware are being delivered via servers that TrickBot infected in mid-November. A number of other researchers have confirmed Emotet’s return and have observed TrickBot distributing the malware.


Emotet received a series of debilitating blows last year at the hands of law enforcement. In January, U.S. and European authorities took control of the botnet’s network of infected computers and arrested several of its operators. Authorities followed that January takedown with an operation to corrupt the malware in April. Emotet essentially disappeared off the map at that point.

TrickBot also suffered a blow ahead of the 2020 U.S. election. Both Microsoft and U.S. Cyber Command launched separate operations to disrupt TrickBot’s network. But unlike Emotet, TrickBot rebounded quickly. Since TrickBot’s takedown, Check Point has identified 140,000 victims across 149 countries. The majority of TrickBot’s victims are concentrated in Portugal and the United States. TrickBot has also been tied to other major malware families including Ryuk and Conti ransomware.

Emotet has piggybacked off that growing network for its own rapid ascent. Both groups are well known for renting out their infrastructure to ransomware groups, a bad sign for the state of ransomware in 2022.

“Emotet is our best indicator for future ransomware attacks. We should treat Emotet and Trickbot infections like they are ransomware,” Lotem Finkelstein, head of threat intelligence at Check Point Software, said in a statement. “Otherwise, it is only a matter of time before we have to deal with an actual ransomware attack.”

Written by Tonya Riley

Tonya Riley covers privacy, surveillance and cryptocurrency for CyberScoop News. She previously wrote the Cybersecurity 202 newsletter for The Washington Post and before that worked as a fellow at Mother Jones magazine. Her work has appeared in Wired, CNBC, Esquire and other outlets. She received a BA in history from Brown University. You can reach Tonya with sensitive tips on Signal at 202-643-0931. PR pitches to Signal will be ignored and should be sent via email.
