The Emotet banking trojan has been studied by many researchers since it was first discovered in 2014. In particular, the infection scheme and the Command & Control architecture are both pretty well documented. However, few researchers investigated the way the payloads were dropped on the compromised websites and how the polymorphism has been implemented. This presentation aims to focus on the latter aspect, describing how the payloads are dropped on the compromised websites and how the polymorphism has been implemented by the Emotet’s herders. New layers of the botnet architecture would be unveiled during the presentation.