Security Experts:

Connect with us

Hi, what are you looking for?



Hacker Replaced Emotet Payloads With GIF Images

Over the past several days, a hacker managed to replace the payloads typically delivered by the Emotet Trojan with GIF images.

Over the past several days, a hacker managed to replace the payloads typically delivered by the Emotet Trojan with GIF images.

Emotet, which resumed activity earlier this month following a five-month break, is hijacking legitimate email conversations to deliver spear-phishing emails to intended victims.

The most recent Emotet campaign would feature hundreds of thousands of spear-phishing emails daily, targeting industry verticals in the United States and the United Kingdom.

Within days after the campaign kicked off, however, security researchers noticed that a hacker managed to hijack Emotet’s delivery process and replace the payloads with GIF images.

This, security researcher Kevin Beaumont explains, is possible because the payload delivery method employed by Emotet is not secure, something that has been known for a while.

Specifically, Emotet’s operators use webshells and various techniques such as Word documents and payload executables, and a largely hacked infrastructure for distribution, with the passwords and techniques widely known, the researcher reveals.

“The Emotet payload distribution method is super insecure, they deploy an open source webshell off Github into the WordPress sites they hack, all with the same password, so anybody can change the payloads infected PCs are receiving,” Beaumont said in December last year.

The hijacking was first observed on July 21, when the hacker was replacing only some of the Emotet payloads. Within several days, however, over a quarter of the payloads were being replaced.

“This is still happening today, about a quarter of payloads I check have been replaced with GIFs within the hour of Emotet pushing them,” Beaumont noted in a tweet. The next day, the payloads were being replaced within 20 minutes, suggesting an automated attack.

Cryptolaemus, a group of researchers tracking Emotet’s whereabouts, also noticed the hijacking, revealing that Emotet’s operators appeared to have a hard time keeping the intruder out.

The researchers also pointed out that the intrusion resulted in Emotet’s operators reducing the distribution volume as means to prevent the delivery of GIF images.

“I suspect the lack of updates this morning was related to the Emotet team attempting to stop their payloads from becoming ‘Hackerman’ [one of the images delivered]. To our surprise, we confirmed with @executemalware reports that even after distro started back up around 1900 UTC with 3 new docs on all epochs, he still saw some sites that were showing up with Hackerman,” Cryptolaemus noted.

Cryptolaemus later said the cybercriminals regained control and resumed sending out spam.

Emotet’s effectiveness took a hit during the time it was hijacked, but Beaumont pointed out that someone could have replaced the payloads with stealthier malware instead of harmless GIFs.

Related: Emotet Resumes Activity After Five Months of Silence

Related: Emotet Returns, Spreads via Hijacked Email Conversations

Related: Constant Vigilance Requires Looking Back as Well as Forward

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.