Now, moving to Emotet...

May 20, 2022

Researchers report that Emotet, an advanced, self-propagating, modular Trojan, remains the most prevalent malware this month, affecting 6% of organizations worldwide. It is the only one that remains in its position and the rest of the list has indeed changed: Tofsee and Nanocore are out and have been replaced by Formbook and Lokibot, which are now the second and sixth most prevalent malware, respectively.

Emotet's 10% increase in March will be mainly due to specific Easter-themed scams, but April's decline could also be explained by Microsoft's decision to disable macros associated with Office files, which affects how that Emotet is usually distributed. In fact, there are reports highlighting a new delivery method: the use of phishing emails containing a OneDrive URL. Emotet has many uses once it manages to bypass a computer's protections and also offers other malware to cybercriminals on Darknet forums, including banking Trojans, ransomware, botnets, etc. As a result, once Emotet finds a breach, the consequences can vary depending on the malware that manages to get in.

On the other hand, Lokibot, a Stealer, has re-entered the list in sixth place after a high-impact spam campaign that distributed the malware via xlsx files that looked like legitimate invoices. Added to this is the rise of Formbook and both have had a strong effect on the position of other malware, such as the AgentTesla Advanced Remote Access Trojan (RAT), which has dropped to third place.

In late March, critical vulnerabilities were found in the Java Spring Framework, known as Spring4Shell, and since then, numerous cybercriminals have exploited the threat to spread Mirai, the ninth most prevalent malware this month.

“With the ever-evolving cyber threat landscape, and with large corporations like Microsoft influencing the parameters in which cybercriminals can operate, threat actors are having to be more creative in how they distribute malware, which is evident in the new delivery method that Emotet now employs,” says Eusebio Nieva, Technical Director of Check Point Software for Spain and Portugal. “Furthermore, this month we have seen the Spring4Shell vulnerability make headlines. Although it is not yet in the list of the ten main threats, it should be noted that it has affected more than 35% of companies around the world in its first month alone, so it is foreseeable that it will climb positions in the coming months”, Snow concludes.

In April, the Education/Research sector continues to be the most attacked worldwide. “Git web server information disclosure” has been the most exploited and common vulnerability –it has affected 46% of companies worldwide-, closely followed by “Apache Log4j Remote Code Execution”. “Apache Struts ParametersInterceptor ClassLoader Security Bypass” soars in the index, rising to third place with an overall impact of 45%.

Alarming fact

Emotet –Advanced, self-propagating and modular Trojan. Emotet used to function as a banking Trojan, but has evolved to distribute other malicious programs or campaigns. In addition, it stands out for using multiple evasion methods and techniques to avoid detection. It can be spread through spam campaigns in attachments or malicious links in emails. This malware has affected 5.53% of companies in Spain.


  • Domínguez, M. (May 19, 2022). Emotet lidera el Top Malware y afecta al 6% de las empresas a nivel mundial. Retrieved from:

Authored by

Jorge Daniel Tejeda