The banking trojan Emotet has returned after a five-month hiatus. But, in an amusing twist, one cyber vigilante is thwarting the malware’s comeback: researchers say the mysterious vigilante is fighting the threat actors behind it by replacing malicious Emotet payloads with whimsical GIFs and memes.
“Emotet was finding default username and password WordPress installs and hosting its payload there. What our vigilante hero is doing is they’re going around finding those WordPress installs where the Emotet payload has been hosted,” Sherrod DeGrippo, senior director of threat research and detection for Proofpoint, told Threatpost. Then, “They log in with that same username and password that the Emotet did, they delete a payload and they put up a hotlink to GIPHY.”