It turned out that someone had been replacing the malware hosted on hacked websites with harmless GIF animations



Emotet, a highly infectious piece of malware that, once downloaded to a PC, spreads further and drops other malware, has been regarded as a serious problem in recent years because of the extent of its damage. It has now been reported that the Emotet malware files have been replaced with GIF animations that are harmless to anyone who downloads them.

Emotet being hijacked by another actor | by Kevin Beaumont | Jul, 2020 | DoublePulsar
https://doublepulsar.com/emotet-being-hijacked-by-another-actor-b22414352a7b

A vigilante is sabotaging the Emotet botnet by replacing malware payloads with GIFs | ZDNet
https://www.zdnet.com/article/a-vigilante-is-sabotaging-the-emotet-botnet-by-replacing-malware-payloads-with-gifs/

Mystery actor disrupts Emotet malware distribution botnet-Security-iTnews
https://www.itnews.com.au/news/mystery-actor-disrupts-emotet-malware-distribution-botnet-550855

'Emotet' is a Trojan horse that spreads through spam emails. A PC whose user downloads the Office file linked from such a mail can end up infected with the ransomware 'Ryuk', which encrypts all of the files on the PC. In 2019, nearly all of the systems of Lake City in the United States were taken over this way, and the city paid a ransom of roughly 54 million yen.

An American municipality that paid ransom of 54 million yen for ransomware dismissed one IT manager in the city-GIGAZINE



Emotet, which had caused serious damage and was regarded as a major problem, saw its activity decline in 2020, but there are signs of a resurgence, such as 250,000 emails being sent in a single day.



Meanwhile, something strange has been observed around Emotet. According to Microsoft cybersecurity researcher Kevin Beaumont, the malware files distributed by Emotet have been rewritten by somebody into animated GIFs, which protects users who download them from being infected.

Mr. Beaumont discovered in 2019 that the attackers behind Emotet were hacking WordPress websites and placing their malware files on them to deceive users into downloading them. Now somebody has been replacing those Emotet payloads with GIFs like the following.



GIF of actor James Franco and...



Hackerman and other characters from the 1980s-style action movie 'Kung Fury'.



The replacements started slowly, but about a quarter of Emotet's daily payload downloads have now been replaced, doing considerable damage to the attackers. The attackers are taking countermeasures, but overall their activity is reported to be winding down.
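As an added example (not code from the article, nor from Kevin Beaumont's or Cryptolaemus's own tooling), the following Python classifies a fetched payload as a Windows PE executable or a GIF by parsing the file header rather than trusting the URL or extension. This is the kind of check a tracker would run over the daily Emotet download URLs to measure what fraction of the traffic has been swapped for GIFs. The sample byte strings are constructed here for illustration, not captured from a real Emotet site.

```python
"""Classify a fetched 'Emotet payload' as a PE executable, a GIF, or something else.

Added example, not from the article. The sample blobs below are constructed
to mimic the two file types, not real captures.
"""
import struct

# Constructed samples (not real files): a minimal GIF, a minimal PE stub,
# a broken MZ file whose PE pointer runs past the end, and plain text.
SAMPLE_GIF = b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x00\x00\x00" + b";"
SAMPLE_PE = (
    b"MZ" + b"\x00" * 58           # DOS header up to offset 0x3C
    + struct.pack("<I", 0x40)      # e_lfanew: offset of the PE signature
    + b"PE\x00\x00" + b"\x00" * 20
)
SAMPLE_BAD_MZ = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x1000) + b"\x00" * 8
SAMPLE_TEXT = b"<html>not a payload</html>"

SAMPLES = [
    ("hxxp://example.invalid/a.doc", SAMPLE_PE),      # hypothetical URL
    ("hxxp://example.invalid/b.doc", SAMPLE_GIF),     # hypothetical URL
    ("hxxp://example.invalid/c.doc", SAMPLE_BAD_MZ),  # hypothetical URL
    ("hxxp://example.invalid/d.doc", SAMPLE_TEXT),    # hypothetical URL
]


def classify_payload(data: bytes) -> str:
    """Return 'pe', 'gif' or 'unknown' based on header structure, not magic alone."""
    # GIF: 6-byte signature followed by a 7-byte Logical Screen Descriptor
    # whose first two little-endian words are the canvas width and height.
    if data[:6] in (b"GIF87a", b"GIF89a") and len(data) >= 13:
        width, height = struct.unpack_from("<HH", data, 6)
        return "gif" if width and height else "unknown"
    # PE: 'MZ' DOS header; e_lfanew at 0x3C must point at 'PE\0\0' inside the file.
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
    return "unknown"


def summarize(samples) -> dict:
    """Count how many fetched payloads fall into each class."""
    counts = {"pe": 0, "gif": 0, "unknown": 0}
    for _url, blob in samples:
        counts[classify_payload(blob)] += 1
    return counts


if __name__ == "__main__":
    for url, blob in SAMPLES:
        print(f"{url}: {classify_payload(blob)}")
    print(summarize(SAMPLES))
```

Checking the PE signature pointer rather than just the two magic bytes matters because a swapped-in file could start with "MZ" and still not be executable; counting it as live malware would overstate how much of the botnet's delivery is still working.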

Joseph Roosen of Cryptolaemus, a group that tracks activity on the Emotet botnet, said: "With Ivan (the administrator of Emotet) facing technical difficulties, Emotet activity dropped significantly this week, doing almost nothing."

It is still unknown who is interfering with Emotet; it may be a vigilante, but it could also be a rival malware group.

in Security, Posted by darkhorse_log