Formbook - Daily Threat Report

Sunday, April 19, 2026

Daily Summary

Formbook activity declined noticeably today: only 8 new samples were detected, roughly 40% below the 7-day average of 13. The drop is notable, but the family is far from dormant, as the unusually large number of new C2 servers recorded today shows.

New Samples Detected

All 8 new samples were JavaScript (.js) files. This continues a recent pattern of exclusive reliance on script-based initial payloads, with no .exe, .doc, or .xls samples observed in today’s batch. The naming conventions appear randomized, lacking the fake invoice or shipping-themed lures seen in prior weeks.

Distribution Methods

The exclusive use of .js files strongly suggests distribution via phishing emails that carry the script as an attachment or link to it for download. The method relies on social engineering to get the user to open the file, which Windows runs through Windows Script Host (wscript.exe) by default; the script then typically downloads and executes the final Formbook payload from a remote server.

Detection Rate

Current .js variants are detected by roughly 75-80% of major AV engines at the time of submission. The core Formbook payload is well known, so the gap lies in the script wrappers: each newly generated wrapper may enjoy a brief window of evasion before signatures catch up.

C2 Infrastructure

55 new C2 servers were recorded, a high volume that contrasts sharply with the low sample count. This points either to infrastructure being prepared for future campaigns or to a shift toward more dynamic, short-lived command and control nodes that are harder to take down. The servers are geographically dispersed, with no single country dominating.

7-Day Trend

Activity has been cooling down this week, with today’s low sample count following a gradual descent from a peak of 19 samples three days ago. The decline in samples paired with a surge in C2 infrastructure suggests a potential lull between distribution campaigns.

Security Analysis

The current high C2-to-sample ratio is atypical and may indicate a testing or staging phase before a new wave: attackers could be validating fresh infrastructure with low-volume traffic ahead of a broader spam run. Compared with earlier campaigns, the absence of document lures points to a streamlined, script-only initial access strategy. Defensive Recommendation: Have the email gateway flag or quarantine .js attachments (and the related .jse and .wsf extensions, which Windows Script Host also runs), including when they arrive inside archives and especially from untrusted senders. On endpoints, prevent wscript.exe and cscript.exe from executing scripts out of user-writable staging locations such as %TEMP%, the browser cache (INetCache, which also holds Outlook's attachment folder) and Downloads, or re-associate .js with a text editor so that a double-click opens the file instead of running it.
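As an added illustration of the endpoint side of that recommendation (example code written for this report, not taken from the data sources listed below), the following Python scans process-creation telemetry for Windows Script Host launching a .js/.jse/.wsf file out of an attachment or download staging directory, and also screens attachment names the way a mail filter would. The events are constructed to resemble Sysmon process-creation fields; the field names, scoring thresholds and the list of "delivery" parent processes are assumptions to adapt to your own telemetry.

```python
"""Detect Windows Script Host running dropper scripts from staging directories.

Added example for this report. Events are constructed, simplified Sysmon
process-creation records (Image, CommandLine, ParentImage); adapt the field
names, staging paths and thresholds (all assumptions) to your telemetry.
"""
import re
from dataclasses import dataclass

# Windows Script Host binaries that run a .js dropper on double-click
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Extensions WSH interprets; .jse/.wsf are used to slip past naive ".js" filters
SCRIPT_EXTS = (".js", ".jse", ".wsf")
# Locations where mail clients, browsers and archivers drop attachments (assumed list)
STAGING_DIRS = [
    r"\\AppData\\Local\\Temp\\",     # %TEMP%; archivers also extract here (Rar$..., 7z...)
    r"\\INetCache\\",                # browser cache, incl. Outlook's Content.Outlook folder
    r"\\Temporary Internet Files\\", # legacy name of the same cache
    r"\\Downloads\\",
]
STAGING_RE = re.compile("|".join(STAGING_DIRS), re.IGNORECASE)
# A script host spawned directly by one of these is the phishing delivery path (assumed list)
DELIVERY_PARENTS = {"outlook.exe", "thunderbird.exe", "chrome.exe", "msedge.exe",
                    "firefox.exe", "winrar.exe", "7zfm.exe"}


@dataclass
class Event:
    image: str
    command_line: str
    parent_image: str


@dataclass
class Alert:
    severity: str
    reasons: list


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def script_args(cmdline: str) -> list:
    """Return command-line arguments (quoted or bare) that name a WSH script."""
    tokens = re.findall(r'"([^"]+)"|(\S+)', cmdline)
    args = [quoted or bare for quoted, bare in tokens]
    return [a for a in args[1:] if a.lower().endswith(SCRIPT_EXTS)]


def attachment_is_wsh_script(filename: str) -> bool:
    """Mail-gateway check: Windows strips trailing dots/spaces when saving, so
    'invoice.pdf.js.' still lands on disk as invoice.pdf.js and runs as script."""
    return filename.rstrip(". ").lower().endswith(SCRIPT_EXTS)


def evaluate(ev: Event):
    """Score one process-creation event; None when it is not a script-host launch."""
    if basename(ev.image) not in SCRIPT_HOSTS:
        return None
    scripts = script_args(ev.command_line)
    if not scripts:
        return None
    reasons = [f"{basename(ev.image)} running {scripts[0]}"]
    score = 1
    if any(STAGING_RE.search(s) for s in scripts):
        reasons.append("script located in attachment/download staging directory")
        score += 2
    if basename(ev.parent_image) in DELIVERY_PARENTS:
        reasons.append(f"spawned by {basename(ev.parent_image)}")
        score += 1
    stem = basename(scripts[0]).rsplit(".", 1)[0]
    if "." in stem:  # e.g. invoice.pdf.js: decoy extension in front of the real one
        reasons.append("double extension hides script type")
        score += 1
    severity = "high" if score >= 3 else "medium" if score == 2 else "low"
    return Alert(severity, reasons)


def run_detection(events):
    """Return (event, alert) pairs for every event that scores."""
    return [(ev, alert) for ev in events if (alert := evaluate(ev))]


# Constructed sample events: one archive-delivered dropper, one admin script,
# one unrelated process, one browser download with a decoy .pdf extension.
SAMPLE_EVENTS = [
    Event(r"C:\Windows\System32\wscript.exe",
          r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\Rar$DIa1234.56789\doc_584023.js"',
          r"C:\Program Files\WinRAR\WinRAR.exe"),
    Event(r"C:\Windows\System32\cscript.exe",
          r"cscript.exe //nologo C:\Scripts\inventory.js",
          r"C:\Windows\System32\cmd.exe"),
    Event(r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe",
          r"C:\Windows\System32\userinit.exe"),
    Event(r"C:\Windows\System32\wscript.exe",
          r'"C:\Windows\System32\WScript.exe" "C:\Users\bob\Downloads\invoice.pdf.js"',
          r"C:\Program Files\Mozilla Firefox\firefox.exe"),
]

if __name__ == "__main__":
    for ev, alert in run_detection(SAMPLE_EVENTS):
        print(f"[{alert.severity.upper()}] {ev.command_line}")
        for reason in alert.reasons:
            print(f"    - {reason}")
```

Run as-is, the archive-delivered and browser-downloaded droppers score high while the admin script run from a fixed path under cmd.exe scores low; explorer.exe is ignored. In production, feed the function from your Sysmon Event ID 1 or EDR process-start stream, and treat the staging-directory match as the strongest signal, since legitimate administrative scripts are rarely executed from a browser cache or archiver temp folder.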

Further Reading

Data Sources

MalwareBazaar (abuse.ch)
ThreatFox (abuse.ch)
URLhaus (abuse.ch)
