Security researchers are warning that the Emotet malware could be staging a return, as fresh samples are being captured in the wild.
German security vendor G Data said that several of its Trickbot Trojan Horse trackers had tried to download a dynamic link library (DLL) recently.
After analysis, G Data said it is confident that the DLL samples are indeed Emotet, a type of malware named by American authorities and law enforcement as very dangerous.
Email spam with malicious Emotet code was used to distribute the malware, which first ran as a banking information stealer, but was later reconfigured to distribute any executable code including the Ryuk ransomware.
The malware was thought disrupted and dormant after police action this year, but the samples G Data collected show Emotet has received further development, and appears to have new command and control server infrastructure.
Emotet was targeted by an unknown actor in July 2020, who took advantage of the malware having a very insecure payload distribution method, and replaced the malicious files with images.
In January this year, a Europol-coordinated joint operation saw police take control over several hundreds of servers around the world.
Police in Ukraine also arrested Emotet operators in a raid, seizing gold bars, cash and IT equipment in the process.
By taking over the infrastructure, law enforcement were able to send out a software update to delete Emotet.
The Trickbot network has also been the target of security and law enforcement disruption efforts, with Microsoft claiming in 2020 to have shut down 94 percent of that malware infrastructure.