{"id":44916,"date":"2022-01-21T00:00:00","date_gmt":"2022-01-21T00:00:00","guid":{"rendered":"urn:uuid:629ad3d2-a80f-8c63-6f52-a3cfa8ee84d8"},"modified":"2022-01-21T00:00:00","modified_gmt":"2022-01-21T00:00:00","slug":"emotet-spam-abuses-unconventional-ip-address-formats-to-spread-malware","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/emotet-spam-abuses-unconventional-ip-address-formats-to-spread-malware\/","title":{"rendered":"Emotet Spam Abuses Unconventional IP Address Formats to Spread Malware"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/a\/emotet-spam-abuses-unconventional-ip-address-formats-to-spread-malware\/cover-emotet-using-unconventional-octal-hexadecimal-IP-addresses-spam-campaign-evasion-technique.jpg\"> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"50.726905603231\"> <\/p>\n<div class=\"root 
responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"1029224563\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"7.2321428571429\">\n<div class=\"article-details\" role=\"heading\" readability=\"33.75\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Malware<\/p>\n<p class=\"article-details__description\">We found waves of Emotet spam campaigns using unconventional IP addresses to evade detection.<\/p>\n<p class=\"article-details__author-by\">By: Ian Kenefick <time class=\"article-details__date\">January 21, 2022<\/time> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-md-8 col-md-push-2\"> <\/p>\n<div class=\"richText\" readability=\"38.040298507463\">\n<div readability=\"21.737313432836\">\n<p>We observed <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/c\/emotet-one-month-after-the-takedown.html\">Emotet<\/a> spam campaigns using hexadecimal and octal representations of IP addresses, likely to evade detection via pattern matching. Both routines use social engineering techniques to trick users into enabling document macros and automate malware execution. Upon receiving these representations, operating systems (OS) automatically convert the values to the dotted decimal quad representation to initiate the request from the remote servers. 
Users and businesses are cautioned to detect and block these campaigns and to enable the relevant security measures to prevent compromise by Emotet, which is used for second-stage delivery of malware such as TrickBot and Cobalt Strike.<\/p>\n<p><span class=\"body-subhead-title\">Routine using hexadecimal IP addresses<\/span><\/p>\n<p>The samples we found start with an email-attached document using Excel 4.0 Macros, a dated feature used to automate repetitive tasks in Excel that malicious actors have <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/cybercrime-and-digital-threats\/analysis-suspicious-very-hidden-formula-on-excel-4-0-macro-sheet\">abused<\/a> to deliver malware. In this case, abusing the feature through the <i>auto_open<\/i> macro allows the malware to execute once the document is opened.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/a\/emotet-spam-abuses-unconventional-ip-address-formats-to-spread-malware\/figure1-emotet-spam-using-unconventional-octal-hexadecimal-IP-addresses-evasion-technique.png\" alt=\"fig1-emotet-spam-abuse-octal-hexadecimal-IP-addresses-evade-detection\"><figcaption>Figure 1. Attached document in the emails lures users into enabling the macros<\/figcaption><\/figure>\n<\/p><\/div>\n<div>\n<div class=\"richText\" readability=\"31.741525423729\">\n<div readability=\"10.580508474576\">\n<p>The URL is obfuscated with carets and the host contains a hexadecimal representation of the IP address. 
Using <a href=\"https:\/\/gchq.github.io\/CyberChef\/\">CyberChef<\/a>, we converted the hexadecimal numbers to find the more commonly used dotted decimal equivalent, 193[.]42[.]36[.]245.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/a\/emotet-spam-abuses-unconventional-ip-address-formats-to-spread-malware\/figure2-emotet-spam-using-unconventional-octal-hexadecimal-IP-addresses-evasion-technique.png\" alt=\"fig2-emotet-spam-abuse-octal-hexadecimal-IP-addresses-evade-detection\"><figcaption>Figure 2. Using carets for obfuscation<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/a\/emotet-spam-abuses-unconventional-ip-address-formats-to-spread-malware\/figure3-emotet-spam-using-unconventional-octal-hexadecimal-IP-addresses-evasion-technique.png\" alt=\"fig3-emotet-spam-abuse-octal-hexadecimal-IP-addresses-evade-detection\"><figcaption>Figure 3. 
Converting the hexadecimal numbers to dotted decimal representation<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>Once executed, the macro invokes <i>cmd.exe &gt; mshta.exe<\/i> with the URL containing the hex representation of the IP address as an argument, which downloads and executes HTML application (HTA) code from the remote host.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/a\/emotet-spam-abuses-unconventional-ip-address-formats-to-spread-malware\/figure4-emotet-spam-using-unconventional-octal-hexadecimal-IP-addresses-evasion-technique.png\" alt=\"fig4-emotet-spam-abuse-octal-hexadecimal-IP-addresses-evade-detection\"><figcaption>Figure 4. Downloading and executing HTA code<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34.5\">\n<div readability=\"14\">\n<p><span class=\"body-subhead-title\">Routine using octal IP addresses<\/span><\/p>\n<p>Much like the hexadecimal representation sample, the document also uses Excel 4.0 Macros to run the malware once the document is opened and macros are enabled. The URL is also obfuscated with carets, but the host contains an octal representation of the IP address. We also used CyberChef to decode this IP address into a dotted quad format, 46[.]105[.]81[.]76.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/a\/emotet-spam-abuses-unconventional-ip-address-formats-to-spread-malware\/figure5-emotet-spam-using-unconventional-octal-hexadecimal-IP-addresses-evasion-technique.png\" alt=\"fig5-emotet-spam-abuse-octal-hexadecimal-IP-addresses-evade-detection\"><figcaption>Figure 5. 
Using techniques similar to the hexadecimal routine but with octal representation for obfuscation<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/a\/emotet-spam-abuses-unconventional-ip-address-formats-to-spread-malware\/figure6-emotet-spam-using-unconventional-octal-hexadecimal-IP-addresses-evasion-technique.png\" alt=\"fig6-emotet-spam-abuse-octal-hexadecimal-IP-addresses-evade-detection\"><figcaption>Figure 6. Converting the octal numbers to dotted decimal representation<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>As observed in the process tree, once executed, the macro also invokes <i>cmd.exe &gt; mshta.exe<\/i> with the URL as an argument to download and execute HTA code from the remote host.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/a\/emotet-spam-abuses-unconventional-ip-address-formats-to-spread-malware\/figure7-emotet-spam-using-unconventional-octal-hexadecimal-IP-addresses-evasion-technique.png\" alt=\"fig7-emotet-spam-abuse-octal-hexadecimal-IP-addresses-evade-detection\"><figcaption>Figure 7. Downloading and executing an HTA file<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"38.5\">\n<div readability=\"22\">\n<p><span class=\"body-subhead-title\">Conclusion<\/span><\/p>\n<p>Traces of Emotet were observed arbitrarily dropping Cobalt Strike beacons between November and December 2021. Earlier this year, however, operators became noticeably selective about the targets on which the beacons were dropped. 
Evasion techniques like these could be considered evidence of attackers continuing to innovate to thwart pattern-based detection solutions.<\/p>\n<p>Moreover, the unconventional use of hexadecimal and octal IP addresses may evade current solutions reliant on pattern matching. By the same token, the unusual technique in the command lines can serve as a detection opportunity: security teams can enable filters that treat such IP addresses as suspicious and associate them with malware.<\/p>\n<p><span class=\"body-subhead-title\">Indicators of compromise (IOCs)<\/span><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\">\n<tbody readability=\"4\">\n<tr>\n<td>SHA256<\/td>\n<td>Description<\/td>\n<td>Detections<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>e492f31ca20d99888b2434dcb4d9af1f93ed4c485b9bd2bc550ce8ae8021b9cd<\/td>\n<td>Hexadecimal IP address sample<\/td>\n<td>Trojan.XF.HIDDBOOK.SMTH<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>3e9701129f13f13f7b873f55dc3d43d04cbd1dd3f85814270bb1b177394926b5<\/td>\n<td>Octal IP address sample<\/td>\n<td>Trojan.XF.EMOTET.SMYXBLAA<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div>\n<p>URLs<\/p>\n<p>193[.]42[.]36[.]245<\/p>\n<p>46[.]105[.]81[.]76<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <\/body> Read More <a 
href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/a\/emotet-spam-abuses-unconventional-ip-address-formats-spread-malware.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>We found waves of Emotet spam campaigns using unconventional IP addresses to evade detection. Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":44917,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9521,9511,9508,9513,9585],"class_list":["post-44916","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cyber-crime","tag-trend-micro-research-cyber-threats","tag-trend-micro-research-endpoints","tag-trend-micro-research-malware","tag-trend-micro-research-spam"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.7 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Emotet Spam Abuses Unconventional IP Address Formats to Spread Malware 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/emotet-spam-abuses-unconventional-ip-address-formats-to-spread-malware\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Emotet Spam Abuses Unconventional IP Address Formats to Spread Malware 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/emotet-spam-abuses-unconventional-ip-address-formats-to-spread-malware\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2022-01-21T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/a\/emotet-spam-abuses-unconventional-ip-address-formats-to-spread-malware\/cover-emotet-using-unconventional-octal-hexadecimal-IP-addresses-spam-campaign-evasion-technique.jpg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/emotet-spam-abuses-unconventional-ip-address-formats-to-spread-malware\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/emotet-spam-abuses-unconventional-ip-address-formats-to-spread-malware\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Emotet Spam Abuses Unconventional IP Address Formats to Spread Malware\",\"datePublished\":\"2022-01-21T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/emotet-spam-abuses-unconventional-ip-address-formats-to-spread-malware\\\/\"},\"wordCount\":598,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/emotet-spam-abuses-unconventional-ip-address-formats-to-spread-malware\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/01\\\/emotet-spam-abuses-unconventional-ip-address-formats-to-spread-malware.png\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Cyber Crime\",\"Trend Micro Research : Cyber Threats\",\"Trend Micro Research : Endpoints\",\"Trend Micro Research : Malware\",\"Trend Micro Research : 
Spam\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/emotet-spam-abuses-unconventional-ip-address-formats-to-spread-malware\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/emotet-spam-abuses-unconventional-ip-address-formats-to-spread-malware\\\/\",\"name\":\"Emotet Spam Abuses Unconventional IP Address Formats to Spread Malware 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/emotet-spam-abuses-unconventional-ip-address-formats-to-spread-malware\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/emotet-spam-abuses-unconventional-ip-address-formats-to-spread-malware\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/01\\\/emotet-spam-abuses-unconventional-ip-address-formats-to-spread-malware.png\",\"datePublished\":\"2022-01-21T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/emotet-spam-abuses-unconventional-ip-address-formats-to-spread-malware\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/emotet-spam-abuses-unconventional-ip-address-formats-to-spread-malware\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/emotet-spam-abuses-unconventional-ip-address-formats-to-spread-malware\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/01\\\/emotet-spam-abuses-unconventional-ip-address-formats-to-spread-malware.png\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/01\\\/emotet-spam-abuses-unconventional-ip-address-formats-to-spread-malware.png\",\"width\":1197,\"height\":766},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/emotet-spam-abuses-unconventional-ip-address-formats-to-spread-malware\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Emotet Spam Abuses Unconventional IP Address Formats to Spread Malware\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - 
Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH 
Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Emotet Spam Abuses Unconventional IP Address Formats to Spread Malware 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/emotet-spam-abuses-unconventional-ip-address-formats-to-spread-malware\/","og_locale":"en_US","og_type":"article","og_title":"Emotet Spam Abuses Unconventional IP Address Formats to Spread Malware 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/emotet-spam-abuses-unconventional-ip-address-formats-to-spread-malware\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2022-01-21T00:00:00+00:00","og_image":[{"url":"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/a\/emotet-spam-abuses-unconventional-ip-address-formats-to-spread-malware\/cover-emotet-using-unconventional-octal-hexadecimal-IP-addresses-spam-campaign-evasion-technique.jpg","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/emotet-spam-abuses-unconventional-ip-address-formats-to-spread-malware\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/emotet-spam-abuses-unconventional-ip-address-formats-to-spread-malware\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Emotet Spam Abuses Unconventional IP Address Formats to Spread Malware","datePublished":"2022-01-21T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/emotet-spam-abuses-unconventional-ip-address-formats-to-spread-malware\/"},"wordCount":598,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/emotet-spam-abuses-unconventional-ip-address-formats-to-spread-malware\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/01\/emotet-spam-abuses-unconventional-ip-address-formats-to-spread-malware.png","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Cyber Crime","Trend 
Micro Research : Cyber Threats","Trend Micro Research : Endpoints","Trend Micro Research : Malware","Trend Micro Research : Spam"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/emotet-spam-abuses-unconventional-ip-address-formats-to-spread-malware\/","url":"https:\/\/www.threatshub.org\/blog\/emotet-spam-abuses-unconventional-ip-address-formats-to-spread-malware\/","name":"Emotet Spam Abuses Unconventional IP Address Formats to Spread Malware 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/emotet-spam-abuses-unconventional-ip-address-formats-to-spread-malware\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/emotet-spam-abuses-unconventional-ip-address-formats-to-spread-malware\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/01\/emotet-spam-abuses-unconventional-ip-address-formats-to-spread-malware.png","datePublished":"2022-01-21T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/emotet-spam-abuses-unconventional-ip-address-formats-to-spread-malware\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/emotet-spam-abuses-unconventional-ip-address-formats-to-spread-malware\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/emotet-spam-abuses-unconventional-ip-address-formats-to-spread-malware\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/01\/emotet-spam-abuses-unconventional-ip-address-formats-to-spread-malware.png","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/01\/emotet-spam-abuses-unconventional-ip-address-formats-to-spread-malware.png","width":1197,"height":766},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/emotet-spam-abuses-unconventional-ip-address-formats-to-spread-malware\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Emotet Spam Abuses Unconventional IP Address Formats to Spread Malware"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - 
Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/44916","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=44916"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/44916\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/44917"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=44916"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=44916"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=44916"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}