Malware

Google Chrome

Credit Cards of Chrome users vulnerable to Emotet's campaign

The Emotet malware is actively attempting to steal credit card details stored in Google Chrome user profiles…

08-Jun-2022
3 min read

If you have saved credit card details in the Google Chrome browser, there is a high chance you are a target of a new infostealing campaign: the Emotet botnet is now pushing a module that steals payment-card data from the Chrome profile of infected users.

After collecting the card information (cardholder name, expiration month and year, and card number), the module sends it to a set of command-and-control (C2) servers separate from the ones used by the loader that delivered the module.

"On June 6, the Proofpoint Threat Insights team spotted a new #Emotet module being distributed by the E4 botnet," they disclosed.

"Surprisingly, it was a credit card stealer whose main target was the Chrome browser. Once card information was gathered, it was exfiltrated to C2 servers distinct from the module loader."

The Cryptolaemus research group, which tracks Emotet, observed this change in behavior after an increase in the botnet's activity in April and its switch to 64-bit modules.

One week after that switch, Emotet began using Windows shortcut files (.LNK) to run PowerShell commands on infected computers, moving away from Microsoft Office macros, which Microsoft started blocking by default for documents downloaded from the internet in early April 2022.
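An added hunting example for the two behaviors described above (not code from this article, Proofpoint, Cryptolaemus or ESET): a process other than Chrome reading the Chrome profile files that hold saved payment cards, and PowerShell started from explorer.exe with loader-style switches, which is what a double-clicked .LNK produces. The telemetry records, paths and process names are constructed; the field names are assumptions modelled on Sysmon process-creation and Windows file-audit (4663) events, and the allow-list of legitimate readers has to be tuned per environment.

```python
# Added example: hunt logic over constructed endpoint telemetry. Not the
# article's, Proofpoint's or Cryptolaemus' code; field names ("image",
# "target", "parent_image", "command_line") are assumptions modelled on
# Sysmon/4663 records, and every path below is made up.
import re

# Chrome keeps saved payment cards in the profile's "Web Data" SQLite
# database; the card numbers are encrypted with a key stored in
# "User Data\Local State", so a card stealer needs both files. "Login Data"
# (saved passwords) is protected by the same key and is included too.
CHROME_SECRET_STORE = re.compile(
    r"\\Google\\Chrome\\User Data\\(?:[^\\]+\\)?(?:Web Data|Login Data|Local State)$",
    re.IGNORECASE,
)

# Processes expected to read those files. Extend with backup/EDR agents.
ALLOWED_READERS = {"chrome.exe"}

# A .LNK-launched PowerShell is spawned by explorer.exe; the .LNK itself never
# appears in the process tree, so key on the parent plus loader-style
# switches (encoded command, hidden window, execution-policy override).
POWERSHELL_LOADER_SWITCHES = re.compile(
    r"(?:^|\s)-(?:encodedcommand|enc|ec|e|executionpolicy|ep|w(?:indowstyle)?\s+hidden)\b",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_chrome_profile_read(ev: dict) -> bool:
    """True when a non-allow-listed process touches a Chrome secret store."""
    if ev.get("type") != "file_access":
        return False
    if not CHROME_SECRET_STORE.search(ev.get("target", "")):
        return False
    return basename(ev.get("image", "")) not in ALLOWED_READERS


def suspicious_lnk_powershell(ev: dict) -> bool:
    """True for PowerShell spawned by explorer.exe with loader-style switches."""
    if ev.get("type") != "process_create":
        return False
    if basename(ev.get("image", "")) not in {"powershell.exe", "pwsh.exe"}:
        return False
    if basename(ev.get("parent_image", "")) != "explorer.exe":
        return False
    return bool(POWERSHELL_LOADER_SWITCHES.search(ev.get("command_line", "")))


def hunt(events: list) -> list:
    """Run both rules over a list of events; return one hit record per match."""
    hits = []
    for ev in events:
        if suspicious_chrome_profile_read(ev):
            hits.append({"rule": "chrome_profile_read",
                         "image": ev["image"], "detail": ev["target"]})
        elif suspicious_lnk_powershell(ev):
            hits.append({"rule": "lnk_powershell",
                         "image": ev["image"], "detail": ev["command_line"]})
    return hits


# Constructed telemetry, not real Emotet artefacts.
USER_DATA = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data"
SAMPLE_EVENTS = [
    {"type": "file_access",  # Chrome itself: expected, no hit
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": USER_DATA + r"\Default\Web Data"},
    {"type": "file_access",  # unknown binary reading the card database
     "image": r"C:\Users\alice\AppData\Local\Temp\unknown_module.exe",
     "target": USER_DATA + r"\Default\Web Data"},
    {"type": "file_access",  # same binary fetching the decryption key
     "image": r"C:\Users\alice\AppData\Local\Temp\unknown_module.exe",
     "target": USER_DATA + r"\Local State"},
    {"type": "file_access",  # browsing history is not a secret store: no hit
     "image": r"C:\Users\alice\AppData\Local\Temp\unknown_module.exe",
     "target": USER_DATA + r"\Default\History"},
    {"type": "process_create",  # .LNK-style launch: hidden, encoded, policy bypass
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"type": "process_create",  # user opened a console by hand: no hit
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["rule"], hit["image"], hit["detail"])
```

The file-access rule only fires if the endpoint actually records reads of the profile directory (a SACL on `User Data` for 4663, or an EDR file-read sensor); Sysmon's FileCreate event does not cover reads. The PowerShell rule is deliberately scoped to the explorer.exe parent that a .LNK produces, so a loader that goes through cmd.exe or wscript.exe needs a sibling rule keyed on those parents.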

Emotet first appeared in 2014 as a banking trojan. It has since evolved into a botnet that the TA542 threat group, also known as Mummy Spider, uses to deliver second-stage payloads.

It also lets its operators collect user information, reconnoiter compromised networks, and move laterally to other vulnerable devices.

Emotet is notorious for dropping the Qbot and TrickBot trojans on compromised PCs, which are then used to deploy additional malware such as Cobalt Strike beacons and ransomware families including Ryuk and Conti.

The infrastructure of Emotet was shut down at the start of 2021 as part of an international law enforcement operation that also resulted in the arrest of two individuals.

On April 25, 2021, German law enforcement utilized Emotet's own infrastructure against the botnet, delivering a module that removed the malware from infected devices.

The botnet returned in November 2021 on the back of TrickBot's existing infrastructure, when the Cryptolaemus research group, security firm GData, and cybersecurity firm Advanced Intel spotted TrickBot being used to drop an Emotet loader on infected systems.

ESET stated on Tuesday that Emotet's activity has increased dramatically since the beginning of the year, " with its activity jumping more than 100-fold compared to T3 2021."