I created a visualization of how #emotet C2s are laid out for the E4 #botnet. Historically the entire set has been broken up into 3 clusters: one for the loader (the actual malware sample), the generic modules (the stealers and the system info modules), and finally the spam modules. The top left is the generic module cluster, the right is the loader, and the bottom left is spam. (Green nodes are the module IDs and red are the actual C2s.) There still seem to be 3 clusters, but there are some minor differences… one of the stealer modules seems to still have localhost in it from testing, and before, a module in the cluster would connect to all the IPs in the cluster. This doesn’t seem to be the case anymore. They look a bit “patchy”. So it seems like things were deployed a bit hastily, if I were to guess? Maybe something forced their hand to deploy their botnet at this time?
@Myrtus Just a hint, if you quote the entities in your .DOT file, you can use ip:port instead of ip_port, like this:
@Ichinin ooh cool!! Thanks 💪
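The DOT quoting hint above, as an added example (not code from either poster): a small Python generator that emits double-quoted "ip:port" node names for module-to-C2 edges, plus two checks for the anomalies the first post describes (a localhost entry left from testing, and modules that no longer reach every C2 in their cluster). All module IDs, addresses and cluster names below are constructed placeholders, not real indicators.

```python
"""Build a Graphviz DOT graph of module -> C2 relationships (added example).

Node IDs are double-quoted so that "ip:port" works as a node name; left
unquoted, DOT would parse the colon as a port/compass-point suffix.
"""

# Constructed sample data: cluster name -> {module_id: [c2, ...]}
SAMPLE_CLUSTERS = {
    "loader":  {"mod-1": ["10.0.0.1:8080", "10.0.0.2:443"],
                "mod-2": ["10.0.0.1:8080", "10.0.0.2:443"]},
    "generic": {"mod-3": ["10.0.1.1:7080", "127.0.0.1:8080"],
                "mod-4": ["10.0.1.1:7080"]},
    "spam":    {"mod-5": ["10.0.2.1:443"]},
}

def dot_quote(s):
    """Quote a DOT identifier, escaping any embedded double quotes."""
    return '"' + s.replace('"', '\\"') + '"'

def build_dot(clusters):
    """Return DOT text: green module nodes, red C2 nodes, one subgraph per cluster."""
    lines = ["digraph emotet_c2 {", "  node [style=filled];"]
    for name, modules in clusters.items():
        lines.append(f"  subgraph cluster_{name} {{")   # cluster_ prefix draws a box
        lines.append(f"    label={dot_quote(name)};")
        for mod, c2s in modules.items():
            lines.append(f"    {dot_quote(mod)} [fillcolor=green];")
            for c2 in c2s:
                lines.append(f"    {dot_quote(c2)} [fillcolor=red];")
                lines.append(f"    {dot_quote(mod)} -> {dot_quote(c2)};")
        lines.append("  }")
    lines.append("}")
    return "\n".join(lines)

def find_loopback_c2s(clusters):
    """Flag C2 entries still pointing at localhost (a leftover test artifact)."""
    return sorted({c2 for mods in clusters.values() for c2s in mods.values()
                   for c2 in c2s if c2.startswith("127.")})

def c2_coverage(clusters):
    """Per cluster, the fraction of that cluster's C2s each module reaches.
    Values below 1.0 are the 'patchy' modules the first post describes."""
    result = {}
    for name, modules in clusters.items():
        all_c2 = {c2 for c2s in modules.values() for c2 in c2s}
        result[name] = {m: len(set(c2s)) / len(all_c2) for m, c2s in modules.items()}
    return result

if __name__ == "__main__":
    print(build_dot(SAMPLE_CLUSTERS))   # pipe into: dot -Tpng -o c2.png
```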