hxFrost

Emotet Epoch

Nov 18th, 2021 (edited)
The Emotet botnet is divided into several sub-botnets. Researchers named them Epoch 1 and Epoch 2 because they received payload updates at different times.

Each epoch has its own unique RSA key that is used for C2 communication. On September 17, 2019, part of the Epoch 1 botnet was split off into the Epoch 3 botnet.

Each bot connects only to the C2 servers of its own epoch. When a recipient is infected by an Emotet document belonging to Epoch 1, the document downloads the Emotet loader from the Epoch 1 infrastructure, and the infected host then becomes part of Epoch 1.

The current structure of the Emotet botnet's Tier 1 C2 servers is as follows:

Changes are first implemented in the Epoch 2 (E2) botnet. This may be done as a test, so that if a change is introduced that does not work, only a portion of the entire botnet is lost.