The Emotet malware is under constant development and this new variant can check if the recipient’s/victim’s IP address is blacklisted or on a spam list maintained by services like Spamhaus, SpamCop, or SORBS. Some of the malspam contain direct links to the malware pasted directly into the email body. The malware is “overwhelmingly hosted on compromised websites
Source: security