Daily Summary
Formbook activity surged today with 43 new samples collected, a 126% increase over the 7-day average of 19. This sharp rise indicates an active campaign push or automated sample generation, warranting heightened alert for SOC teams monitoring initial access vectors.
New Samples Detected
JavaScript (.js) files dominate today’s sample set, accounting for 21 of the 43 submissions (49%). Executables (.exe) number only 5, while script-based payloads (.vbe, .vbs, .hta, .ps1) total 9, suggesting a continued shift toward lightweight, script-driven delivery. Notably, two non-standard extensions (.32783286 and .17095) appear, likely representing obfuscated or renamed executables to bypass extension-based filters.
Distribution Methods
The heavy reliance on JavaScript files (21 samples) and script-based formats points to email-based phishing campaigns as the primary distribution method. These scripts often serve as initial downloaders that fetch additional payloads from remote servers. The presence of .7z and .dll files indicates potential multi-stage delivery, where compressed archives or side-loading techniques are used to evade perimeter defenses.
Detection Rate
Given today’s high sample volume and the prevalence of script-based variants, static AV detection is likely below 60% for these samples. Formbook’s use of obfuscated JavaScript and unique file extensions suggests a concerted effort to evade signature-based detection. Behavioral detection rules focusing on script execution patterns and outbound connections to unknown domains will be more effective.
C2 Infrastructure
55 new C2 servers were observed today, representing a significant expansion of operational infrastructure. This volume suggests either a resupply of previously burned servers or preparation for a sustained campaign. Geographic analysis of these C2s is not yet available, but the sheer number indicates a diversified hosting strategy to resist takedown efforts.
7-Day Trend
Today’s 126% spike breaks a relatively steady week where daily counts hovered near the 19-sample average. This surge likely signals the start of a new campaign wave, and activity may remain elevated for the next 48–72 hours.
Security Analysis
Formbook’s shift to a JavaScript-heavy delivery mix (49% of samples) marks a departure from its historical reliance on malicious macros or executables. This tactic reduces file-size detection thresholds and aligns with broader industry trends favoring script-based initial access. Actionable recommendation: Deploy or tighten PowerShell execution policies and enable AMSI (Anti-Malware Scan Interface) on endpoints to block inline script payloads. Additionally, monitor for outbound HTTP connections to recently registered domains, as these are common in Formbook’s C2 handshake process.