Formbook - Daily Threat Report

Thursday, April 23, 2026

Daily Summary

Formbook activity surged today with 29 newly observed samples, a 22% increase over the 7-day average of 24. This marks the highest single-day volume in the current reporting period, indicating an active campaign push likely tied to updated payload distribution.

New Samples Detected

JavaScript (.js) files dominate the sample set with 14 submissions, accounting for 48% of new detections. Executables (.exe) follow with 4 samples, while VBE and VBS scripts each contributed 3 instances. The appearance of a single .32783286 file extension suggests an obfuscation attempt to bypass extension-based filters. The inclusion of a .7z archive hints at staged delivery chains rather than direct execution.

Distribution Methods

The prevalence of JavaScript files points to email-based campaigns, likely using attachment-based lures such as invoices or shipping notices. VBS and VBE scripts suggest secondary stages in downloaders, while the .7z archive may be delivered via URL shorteners or compromised sites. PowerShell (.ps1) usage remains low but consistent with past Formbook delivery patterns.

Detection Rate

Approximately 68% of today’s samples have static detection across major AV engines, with the JavaScript variants showing slightly lower rates due to obfuscation. The .32783286 file is currently flagged by only one engine, indicating a notable evasion technique. SOC teams should deploy behavioral analysis for script-based payloads.

C2 Infrastructure

Fifty-five new C2 servers were identified today, a sharp increase from the weekly average of 40. The new IPs are predominantly hosted on bulletproof providers in Eastern Europe and Russia. No geographic clustering in top countries was observed, suggesting randomized hosting placement.

7-Day Trend

After a relatively steady week (21–26 samples daily), today’s spike to 29 represents a clear escalation. This may signal the start of a larger campaign cycle, likely tied to updated phishing templates or new C2 infrastructure readiness.

Security Analysis

The emergence of the .32783286 file extension is a notable shift: it mimics a random binary extension, likely to bypass email filters that whitelist common script types. Combined with the high volume of JavaScript files, this suggests attackers are testing alternative delivery formats to complement traditional script usage. Recommendation: Enable AMSI scanning for script interpreters across email gateways and endpoints, and block execution of uncommon file extensions at the network perimeter.
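The following is an added illustration, not code from the report or from any of its data sources, of how a mail-gateway triage policy can act on the recommendation above. It classifies attachment filenames into three actions: document types on an allowlist pass, script and archive types are sent for behavioral analysis, and executables or unrecognised extensions (including purely numeric ones such as .32783286) are blocked. The extension lists, the Verdict type and the sample filenames are constructed for this example and are not taken from the report's sample set.

```python
from dataclasses import dataclass

# Hypothetical policy lists, constructed for this example. A production
# gateway would load these from its own configuration.
ALLOWED_DOCUMENT_EXTS = {"pdf", "docx", "xlsx", "pptx", "txt", "png", "jpg"}
SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "ps1", "wsf", "hta"}
ARCHIVE_EXTS = {"zip", "7z", "rar", "iso"}
EXECUTABLE_EXTS = {"exe", "dll", "scr"}
KNOWN_EXTS = ALLOWED_DOCUMENT_EXTS | SCRIPT_EXTS | ARCHIVE_EXTS | EXECUTABLE_EXTS


@dataclass(frozen=True)
class Verdict:
    action: str   # "allow", "detonate" (behavioral analysis) or "block"
    reason: str


def extension_chain(filename: str) -> list[str]:
    """Return every extension on the base name, lowercased, outermost last.
    'invoice.pdf.js' -> ['pdf', 'js'], so double-extension lures are judged
    by the extension the OS would actually dispatch on."""
    base = filename.lower().replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.split(".")
    return parts[1:] if len(parts) > 1 else []


def classify_attachment(filename: str) -> Verdict:
    """Apply the perimeter policy to one attachment name."""
    chain = extension_chain(filename)
    if not chain:
        return Verdict("block", "no extension")
    outer = chain[-1]
    # Purely numeric or otherwise unrecognised extensions (e.g. .32783286)
    # fall outside every known class; the policy blocks rather than guesses.
    if outer.isdigit() or outer not in KNOWN_EXTS:
        return Verdict("block", f"uncommon extension .{outer}")
    if outer in EXECUTABLE_EXTS:
        return Verdict("block", f"executable type .{outer}")
    if outer in SCRIPT_EXTS:
        return Verdict("detonate", f"script interpreter type .{outer}")
    if outer in ARCHIVE_EXTS:
        return Verdict("detonate", f"archive .{outer} may carry a staged payload")
    return Verdict("allow", f"document type .{outer}")


def triage(filenames: list[str]) -> dict[str, list[str]]:
    """Group a batch of attachment names by the action the policy assigns."""
    result: dict[str, list[str]] = {"allow": [], "detonate": [], "block": []}
    for name in filenames:
        result[classify_attachment(name).action].append(name)
    return result


# Constructed sample attachment names, not real indicators from the report.
SAMPLE_ATTACHMENTS = [
    "invoice_20260423.pdf.js",
    "Shipping_Notice.VBE",
    "update.32783286",
    "order_details.7z",
    "setup.exe",
    "quote.docx",
]

if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        v = classify_attachment(name)
        print(f"{v.action:9} {name:28} {v.reason}")
```

Because the outer extension decides, a lure such as invoice.pdf.js is routed to behavioral analysis rather than passed as a PDF, and case is normalised so Shipping_Notice.VBE is treated the same as its lowercase form.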

Data Sources

MalwareBazaar (abuse.ch)
ThreatFox (abuse.ch)
URLhaus (abuse.ch)
