After seven years of malicious activity, law enforcement has seized the infrastructure of the notorious "Emotet" malware and has scheduled a mass uninstallation of the malware from infected machines for April 25. In its latest research, Digital Shadows discusses the significance of the shutdown, how the process unfolded, and what it means for the cybercriminal landscape.

In late January 2021, Europol announced that the "Emotet" malware and botnet had been disrupted as a result of international collaborative action by eight law enforcement authorities. By disrupting and seizing its infrastructure, law enforcement prevented the operators from conducting any further activity. Ukrainian police also arrested two individuals believed to be responsible for maintaining the malware and botnet's infrastructure.

Later in January, a security researcher operating under the alias "milkcream" discovered that Emotet was installing a new module onto infected devices. This module, Digital Shadows notes, was not the work of the malware's operators; other security researchers attributed it to the German Bundeskriminalamt (BKA), the federal criminal police agency.

Malwarebytes confirmed that the uninstallation date was set for April 25, 2021, meaning that on this date Emotet infections will be removed from victims' machines.

The seizure and uninstallation of Emotet represents a serious victory for law enforcement, but the gap it leaves is considerable. Emotet was known to deliver TrickBot, Ryuk, and the QakBot banking trojan, all malware families that have caused serious damage to organizations around the world. In light of this, Digital Shadows examines how the international law enforcement effort unfolded and what its analysts expect will fill the sizable gap in the cybercriminal landscape left by Emotet's departure.

There has already been a surge in activity associated with the BazarCall and IcedID malware variants. BazarCall is known to distribute BazarLoader and BazarBackdoor, which provide remote access to victim machines, says Digital Shadows, and BazarBackdoor is also known to deploy Ryuk ransomware. Given that technically sophisticated and operationally capable cybercriminals tend to be opportunistic, attempts to fill the space left in Emotet's wake are to be expected.

"While the takedown of Emotet is a big win for all but cybercriminals, efforts made to replace it with malware such as BazarCall and IcedID demonstrate that cybercriminal outfits are increasingly organized, ambitious and professionalized," Digital Shadows says. "This will almost certainly remain the same in the future; the problem does not end with Emotet, but don’t let this convince you that defenders and law enforcement alike will be hot on the tails of any group ambitious enough to replace it."

For the full blog, please visit https://www.digitalshadows.com/blog-and-research/the-emotet-shutdown-explained/