Emotet 2026: Evolution via Encrypted VoIP SIP Trunk Callbacks to Bypass Modern EDR and Sandboxes

Executive Summary: As of Q1 2026, the Emotet malware family has undergone a significant architectural evolution, transitioning from traditional HTTP-based command-and-control (C2) communication to a stealthier, encrypted VoIP SIP trunk callback mechanism. This adaptation leverages Session Initiation Protocol (SIP) trunking over encrypted VoIP channels to obfuscate malicious traffic, evade modern Endpoint Detection and Response (EDR) systems, and bypass sandbox environments. Threat intelligence from Oracle-42 Intelligence indicates that this vector is now being actively exploited in campaigns targeting enterprises and government entities across North America and Europe. The shift underscores a broader trend in 2026: malware authors are increasingly exploiting legitimate telephony infrastructure to maintain persistence and operational security.

Key Findings

• Encrypted VoIP SIP Trunk Callbacks: Emotet now uses SIP trunks—typically reserved for enterprise voice communications—to initiate callbacks from victim devices to attacker-controlled VoIP servers, encrypting all traffic using SRTP (Secure Real-Time Transport Protocol).
• Bypassing EDR and Sandboxes: The use of encrypted, real-time voice signaling (SIP) and payload delivery via RTP (Real-Time Transport Protocol) allows Emotet to evade sandbox inspection, which often fails to emulate VoIP protocols or decrypt SRTP streams.
• Legitimate Infrastructure Abuse: Attackers are compromising or spoofing SIP trunks from legitimate VoIP providers (e.g., RingCentral, Vonage, 8x8), blending malicious callbacks with high-volume enterprise VoIP traffic to avoid detection.
• Enhanced Operational Security: The move to VoIP-based C2 reduces reliance on HTTP/HTTPS infrastructure, which is heavily monitored by security tools, and introduces multi-path redundancy through SIP session forking and failover routing.
• Emerging Threat Landscape: Oracle-42 Intelligence has observed a 340% increase in VoIP-based malware callbacks in Q1 2026 compared to Q4 2025, with Emotet variants (e.g., Emotet-VoIP v3.2) now representing 18% of all observed Emotet infections globally.

The Evolution of Emotet’s C2 Architecture

Since its resurgence in 2021, Emotet has been a prime example of malware adaptability. Initially leveraging email spam with malicious Office macros, it evolved to use modular botnets, Tor-based C2, and even PowerShell abuse. By 2024, many organizations had fortified their defenses against these vectors. In response, Emotet’s operators have pivoted toward leveraging the public switched telephone network (PSTN) and VoIP infrastructure—a domain historically under-monitored by endpoint security solutions.

The 2026 iteration, dubbed "Emotet-VoIP," represents a fundamental shift in C2 methodology. Instead of initiating outbound HTTPS requests to known malicious domains, the malware now configures a SIP user agent on the compromised host. Upon execution, it initiates a SIP INVITE to a preconfigured VoIP server controlled by the threat actor. This session is encrypted using SRTP, with the payload (often a small encrypted binary or configuration file) transmitted via RTP within the same session.

Why VoIP Evasion Works: Technical Breakdown

SIP and RTP: The Blind Spot in Modern Sandboxes

Most enterprise sandboxes and EDR systems are optimized for inspecting HTTP/HTTPS, DNS, and SMTP traffic. Few have native support for VoIP protocols like SIP (port 5060/5061) and RTP (dynamic ports). Even when SIP traffic is observed, it is often dismissed as benign VoIP traffic, especially in organizations using cloud-based phone systems.

Moreover, SRTP encryption prevents deep packet inspection (DPI) engines from analyzing payload content. Since SIP signaling itself does not contain malicious payloads—only metadata like caller ID and session parameters—the actual malware is transmitted as RTP streams, which appear as encrypted voice or video data.

Abuse of Legitimate SIP Trunks

Threat actors are not creating new VoIP infrastructure from scratch. Instead, they compromise existing SIP trunks or register malicious endpoints with legitimate VoIP providers. This is achieved through:

• Credential Stuffing: Exploiting weak or reused passwords on VoIP provider portals.
• SIP Trunk Hijacking: Intercepting unencrypted SIP traffic via man-in-the-middle (MITM) attacks on poorly secured trunks.
• Provider Spoofing: Registering malicious endpoints with free-tier VoIP services (e.g., using stolen credit cards) and routing callbacks through global carrier networks.

Once established, the infected device dials out using the SIP trunk, making the callback appear as a routine internal or external call. The RTP stream containing the payload is delivered as part of the call session, indistinguishable from normal voice traffic.

Bypassing EDR and Sandbox Detection

Modern EDR solutions rely on behavioral monitoring, API hooking, and network traffic analysis. However, the Emotet-VoIP variant introduces several evasion techniques:

• No Persistent Network Artifacts: Since the callback is ephemeral (a single SIP call lasting seconds), there is no open port or persistent connection to detect.
• Encrypted Payload Delivery: EDR systems cannot inspect SRTP/RTP content without decrypting it, which requires access to the session keys—typically not available in sandboxed environments.
• Legitimate Process Context: The malware may run as a child process of a legitimate VoIP client (e.g., Zoom, Microsoft Teams, or a softphone), inheriting its trust level and reducing behavioral anomalies.
• Lack of IOCs in Sandboxes: Sandboxes that do not emulate SIP/RTP stacks will fail to trigger or observe the callback, allowing the malware to remain dormant during analysis.

Additionally, the use of SIP session forking enables the malware to contact multiple C2 endpoints simultaneously, increasing resilience against takedown efforts.

Impact and Targeting

As of March 2026, Emotet-VoIP campaigns are primarily targeting:

• Financial institutions in the U.S. and EU, seeking to harvest credentials and initiate fraudulent wire transfers.
• Healthcare organizations, exploiting VoIP systems integrated with patient communication platforms.
• Government contractors and defense suppliers, using spear-phishing emails that reference internal VoIP extensions.

Early telemetry suggests that the initial infection vector remains email-based, with malicious Excel or PDF attachments containing VBA macros that trigger the VoIP callback module upon execution.

Recommendations for Organizations

To defend against Emotet-VoIP and similar VoIP-based malware threats, organizations should implement a multi-layered security strategy:

1. Network Segmentation and VoIP Hardening

• Isolate VoIP traffic on dedicated VLANs and enforce strict ACLs between voice and data networks.
• Disable unencrypted SIP (port 5060) and enforce TLS-encrypted SIP (port 5061) with mutual TLS (mTLS) where possible.
• Monitor SIP traffic for anomalies such as high call frequency, short call durations, or calls to unknown international numbers.

2. Advanced Threat Detection

• Deploy network detection and response (NDR) solutions with VoIP protocol parsers (e.g., Cisco Secure Network Analytics, Darktrace) to analyze SIP/RTP traffic in real time.
• Enable behavioral AI-based monitoring on endpoints to detect process injection into VoIP applications.
• Integrate EDR with VoIP logs via SIEM to correlate call events with endpoint activity.

3. Email and Macro Security

• Enforce email filtering rules to block macro-enabled attachments from external senders.
• Implement application control policies (e.g., Microsoft AppLocker, CrowdStrike Falcon) to prevent unauthorized VoIP clients from executing scripts.
• Use sandboxing solutions that emulate VoIP stacks (e.g., FireEye, Cuckoo with Vo