November 23, 2021
Anomali Threat Research

Mummy Spider's Emotet Malware is Back After a Year Hiatus; Wizard Spider's TrickBot Observed in Its Return

<p>Mummy Spider (TA542, Emotet) recently resumed their malicious activity with the notorious information-stealing malware, Emotet, after a year-long hiatus.<sup>[1] </sup>As part of this return, the Emotet malware has been observed delivered via the TrickBot malware, which is organized by the Wizard Spider (TrickBot, UNC1878) group.<sup>[2]</sup></p> <p>Emotet and Trickbot are dangerous families that have undergone numerous changes and upgrades over years, with Emotet being first discovered in 2014 and TrickBot in 2016.<sup>[3] </sup>The longevity of these malware families, even with international law enforcement taking down Emotet infrastructure as of January 2021, showcases the relentless nature of the threat actors behind them.</p> <p>To assist in helping the community, especially with the online shopping season upon us, Anomali Threat Research has made available two threat actor focused dashboards: Mummy Spider and Wizard Spider, for Anomali ThreatStream customers. The Dashboards are preconfigured to provide immediate access and visibility into all known Mummy Spider and Wizard Spider indicators of compromise (IOCs) made available through commercial and open-source threat feeds that users manage on ThreatStream.</p> <p>Customers using ThreatStream, Anomali Match, and Anomali Lens are able to immediately detect any IOCs present in their environments and quickly consume threat bulletins containing machine-readable IOCs. This enables analysts to quickly operationalize threat intelligence across their security infrastructures, as well as communicate to all stakeholders if/how they have been impacted.</p> <p>Anomali recently added thematic dashboards that respond to significant global events as part of ongoing product enhancements that further automate and speed essential tasks performed by threat intelligence and security operations analysts. In addition to Mummy Spider and Wizard Spider, ThreatStream customers currently have access to multiple dashboards announced as part of our November quarterly product release.</p> <p>Customers can integrate the Mummy Spider and Wizard Spider dashboard, among others, in the “+ Add Dashboard” tab in the ThreatStream console:</p> <p><img alt="" src=""/></p> <p><img alt="" src=""/></p> <h2>Endnotes</h2> <p>[1] “#Emotet has almost doubled its botnet C2 infrastructure in the past 24 hours from 8 active C2s yesterday to 14 active C2s today…,”, accessed November 22, 2021, published November 16, 2021,; “Another Update on #Emotet E4 distro - We are now seeing URL based lures for the document downloads…,” Cryptolaemus, accessed November 22, 2021, published November 17, 2021,</p> <p>[2] Luca Ebach, “Guess who’s back,”, accessed November 22, 2021, published November 15, 2021,; “Emotet is back. Here’s what we know.,” Intel471 Blog, accessed November 22, published November 16, 2021,</p> <p>[3] Alina Georgiana Petcu, “Emotet Malware Over the Years: The History of an Infamous Cyber-Threat,” Heimdal Security Blog, accessed November 22, 2021, published April 29, 2021,; Hugh Aver, “New tricks of the Trickbot Trojan, Kaspersky Blog, accessed November 22, 2021, published October 19, 2021,,credentials%20for%20online%20banking%20services.</p>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.