The Issue & Impact of Malspam in the U.S. Elections

Malspam, or malicious spam, is one of the most common and problematic attack vectors currently plaguing the cyber threat landscape. It is a very effective method for delivering emails in bulk that contain a phishing message directing victims to either click on an embedded link or download an infected attachment. Once opened, a hidden executable performs a malicious activity, such as downloading additional malware related modules in the background unannounced to the user.

Hacking Locks Showing Election Data 3d Illustration

Today, two of the most notorious spam-related botnets are TrickBot and Emotet. These were once considered banking trojans but have evolved over the years to become multipurpose malware downloaders offering spreading/dropping as a service. These downloaders are spread via Malspam campaigns and are often seen delivering third-party payload that ultimately results in a ransomware infection, which was a potential major threat for the election process in the United States this year.


After five months of silence from the botnet, Proofpoint published a blog detailing the return of Emotet. And, roughly four months after the return of Emotet, and one month prior to the 2020 U.S. election, researchers from Proofpoint once again discovered a timely adoption of political and election lures by the authors.

Proofpoint researchers report that TA542, the threat actors behind Emotet, historically have not directly leveraged political themes in their lures but on October 1st, Proofpoint researchers observed thousands of Emotet emails with the subject “Team Blue Take Action” sent to organizations in the United States. Furthermore, researchers discovered that this round of Malspam from Emotet delivered a second-stage payload containing Qbot and The Trick. Proofpoint believes that TA542 use of a politically themed lure is not driven by a specific political ideology or influence, but is designed to leverage in a current event to reach as many intended victims as possible.

[You may also like: A High-Level View of Today’s Cyber Threat Landscape]


Following the news of Emotet’s use of politically themed lures, on October 12th, Microsoft’s Defenders Team, NTT, Broadcom’s cyber-security division of Symantec, along with other companies and organizations, announced a coordinated and ongoing effort to disrupt Trickbot’s infrastructure. Through investigations and research, this alliance of tech companies was able to obtain a court order allowing them to legally do so.

To be clear, this operation was not designed to completely take down the botnet’s infrastructure. Rather, it was a coordinated legal effort designed to disrupt the threat actors during a critical moment. I think most of those involved with the disruption knew the authors behind TrickBot would rebuild their infrastructure and re-tool their capabilities, but something had to be done to counter the growing threat presented by TrickBot.

Outside of disruption, completely taking down TrickBot is a serious challenge. Because Trickbot is globally distributed and contains over 1 million infected devices, some of which include IoT devices, this presents a serious challenge when it comes to removing every infected device in a coordinated single action. Legally, the alliance of tech companies involved could only disrupt court-approved devices located in their jurisdictions, leaving infected devices unaffected in certain areas of the world. Because of TrickBot’s global distribution and rotation C2 IP address, disruption efforts are almost impossible since a malware server will always be online somewhere.


To further the issue and impact of Malspam during the election process in the United States, cybercriminals have been able to exploit election uncertainties since the U.S. did not converge on an instant or an uncontested result during the voting process. On November 4th, a day after the election, Malwarebytes Labs published a piece about social engineering and how threat actors are using the contested results as a lure to deliver the Qbot Trojan via Emotet. To note, this is not the first time we’ve seen Qbot or Emotet during the election process, but it demonstrates the threat actors’ ability to quickly leverage current events within hours for maximum impact.

Download Radware’s “Hackers Almanac” to learn more.

Download Now

Daniel Smith

Daniel is the Head of Research for Radware’s Threat Intelligence division. He helps produce actionable intelligence to protect against botnet-related threats by working behind the scenes to identify network and application-based vulnerabilities. Daniel brings over ten years of experience to the Radware Threat Intelligence division. Before joining, Daniel was a member of Radware’s Emergency Response Team (ERT-SOC), where he applied his unique expertise and intimate knowledge of threat actors’ tactics, techniques, and procedures to help develop signatures and mitigate attacks proactively for customers.

Contact Radware Sales

Our experts will answer your questions, assess your needs, and help you understand which products are best for your business.

Already a Customer?

We’re ready to help, whether you need support, additional services, or answers to your questions about our products and solutions.

Get Answers Now from KnowledgeBase
Get Free Online Product Training
Engage with Radware Technical Support
Join the Radware Customer Program


An Online Encyclopedia Of Cyberattack and Cybersecurity Terms

What is WAF?
What is DDoS?
Bot Detection
ARP Spoofing

Get Social

Connect with experts and join the conversation about Radware technologies.

Security Research Center