Daily Summary
Formbook activity registered 31 new samples today, slightly above the 7-day average of 27 (+15%). The trend remains stable, with no sudden spike or drop observed. Sample volume continues to fluctuate within a narrow band, suggesting sustained but measured operational tempo by threat actors.
New Samples Detected
JavaScript (.js) files dominate today's haul, accounting for 15 of the 31 samples, a more than 200% increase over the typical daily count for this file type. Executables (.exe) and VBScript variants (.vbe, .vbs) represent a combined 11 samples, while a lone .ps1 file and a .7z archive suggest diversification in payload delivery. The one sample carrying an anomalous numeric extension (.32783286) may be a test payload or a corrupted sample, or simply an artifact of how the file was named on submission; Windows does not launch a file with an unregistered extension on double-click, so an extension like this carries no delivery advantage on its own and would only run if a loader handed it to an interpreter explicitly.
Distribution Methods
The surge in .js samples strongly points to email-based phishing campaigns that deliver JavaScript attachments, which Windows Script Host (wscript.exe) executes when the recipient double-clicks them; the script then downloads and runs the Formbook loader. VBScript payloads (.vbs, and its encoded form .vbe) arrive either as direct attachments or as second-stage scripts written to disk by an earlier dropper; they are not Office macros, which are VBA, so they are unaffected by macro blocking. The .7z archive suggests possible use of a password-protected container to evade gateway AV scanning; the archive is only the container, and its contents need to be extracted and classified separately before the delivery chain is understood. No bulk distribution via exploit kits or malvertising was observed in today's data.
Detection Rate
Most current variants maintain moderate detection rates on major AV platforms. The .js samples, when obfuscated with common techniques (e.g., base64-encoded strings, String.fromCharCode construction, variable renaming), can achieve transient evasion windows of roughly 4-8 hours before signature updates catch up, so gateway rules that key on the file type rather than on content close that window. The .32783286 sample shows lower detection, indicating possible use of a custom packer or crypter-generated payload; since AV engines classify by content rather than by extension, the odd name itself does not explain the lower rate.
C2 Infrastructure
A total of 55 new C2 servers were identified today, typical for Formbook's churn rate. Note that Formbook configurations embed a list of decoy domains alongside the genuine C2, so a count of domains extracted from samples overstates the live infrastructure; each entry should be validated (resolution, observed beaconing) before it is treated as confirmed C2. No strong geographic clustering is evident, with IPs spread across North America, Europe, and Southeast Asia. Several domains use randomized subdomains (e.g., xyz[.]example[.]com) to complicate reputation-based blocking; where several such subdomains share one attacker-controlled parent, blocking the parent domain is more durable than blocking each hostname individually.
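The following is an added example, not part of the original report, showing how to normalize defanged C2 indicators like the ones described above and decide whether to block at the parent domain when a parent carries several randomized subdomains. The hostnames in SAMPLE_C2 are constructed placeholders, and the "last two labels" rule for the registrable domain is a simplification; production code should use the Public Suffix List.

```python
"""Collapse defanged C2 hostnames onto parent domains for blocking.

Added example (not from the original report). SAMPLE_C2 is constructed;
parent_domain() uses a naive two-label rule (assumption: no multi-label
public suffixes such as co.uk appear in the input).
"""
import math
import re
from collections import defaultdict

DEFANG = [("[.]", "."), ("(.)", "."), ("hxxp", "http")]

# Constructed indicators in the defanged style used in the report.
SAMPLE_C2 = [
    "hxxp://k3x9qz2m[.]invoice-portal[.]top/",
    "p7wq81ab[.]invoice-portal[.]top",
    "zt40mlc5[.]invoice-portal[.]top",
    "www[.]invoice-portal[.]top",
    "mail[.]legit-cdn[.]net",
    "203[.]0[.]113[.]55",
]


def refang(indicator):
    """Undo common defanging and strip scheme/path/port to get a bare host."""
    s = indicator.strip().lower()
    for bad, good in DEFANG:
        s = s.replace(bad, good)
    s = re.sub(r"^https?://", "", s)
    return s.split("/")[0].split(":")[0]


def parent_domain(host):
    """Naive registrable domain: the last two labels (see assumption above)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def label_entropy(label):
    """Shannon entropy in bits per character; random-looking labels score high."""
    if not label:
        return 0.0
    n = len(label)
    counts = {c: label.count(c) for c in set(label)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def collapse(indicators, min_subdomains=3, min_entropy=2.5):
    """Group hosts by parent and flag parents with many random subdomains.

    Returns {parent: {"hosts": [...], "block_parent": bool}}.  Bare IPs are
    kept as their own group so they never get folded into a domain.
    """
    groups = defaultdict(list)
    for ind in indicators:
        host = refang(ind)
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            groups[host].append(host)
            continue
        groups[parent_domain(host)].append(host)
    out = {}
    for parent, hosts in groups.items():
        subs = {h[: -len(parent) - 1] for h in hosts
                if h != parent and h.endswith("." + parent)}
        # Entropy of the leftmost label only: that is where the randomness lives.
        random_like = [s for s in subs if label_entropy(s.split(".")[0]) >= min_entropy]
        out[parent] = {"hosts": sorted(set(hosts)),
                       "block_parent": len(random_like) >= min_subdomains}
    return out


def blocklist(indicators):
    """Emit one entry per parent to block wholesale, else each exact host."""
    entries = []
    for parent, info in collapse(indicators).items():
        entries.append(parent) if info["block_parent"] else entries.extend(info["hosts"])
    return sorted(set(entries))


if __name__ == "__main__":
    for entry in blocklist(SAMPLE_C2):
        print(entry)
```

A parent entry in the output means the domain and all of its subdomains; validate that the parent is actually attacker-controlled (and not a shared hosting or dynamic-DNS provider) before applying such an entry, which is the same validation step the decoy-domain caveat above calls for.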
7-Day Trend
Activity over the past week has remained flat, with daily counts fluctuating between 24 and 33 samples. Today’s count is consistent with this plateau, indicating no active campaign pivot or operational shift.
Security Analysis
A notable tactic today is the sharp increase in JavaScript payloads, which may be a deliberate shift away from traditional VBA macro-based delivery now that Microsoft blocks macros by default in Office documents that carry the mark of the web. This suggests threat actors are testing alternative scripting languages for initial access. Defenders should treat any inbound .js (and .jse, .vbs, .vbe, .wsf) file from external sources as suspicious, block these extensions at the mail gateway outright, including inside archives, rather than relying on content inspection alone, enforce script execution restrictions via AppLocker or WDAC, and reassociate those extensions with a text editor on endpoints so that a double-click no longer invokes wscript.exe. Attachment scanning should recurse into archives and inspect JavaScript content for the obfuscation patterns noted above rather than stopping at the container.
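As an added example (not code from the original report), the script below implements the attachment triage described in the Distribution Methods, Detection Rate and Security Analysis sections: it parses a constructed .eml, walks every attachment, recurses into zip containers, flags script extensions and encrypted archive entries, and scores JavaScript bodies against a few obfuscation markers. The message, the zip and the JScript body are all constructed inline; the marker list is a heuristic, not a signature; and only zip recursion is shown because the standard library has no 7z reader (a deployment would add one, e.g. py7zr, as an assumption outside this example).

```python
"""Attachment triage for script-based droppers (added example, not the report's code).

The sample message, zip and JScript body are constructed here for the demo.
SCRIPT_EXTS lists extensions Windows Script Host, mshta or PowerShell will run.
"""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1"}
ARCHIVE_EXTS = {".zip", ".7z", ".rar"}
MAX_DEPTH = 3  # nested-archive limit to avoid zip bombs

# Heuristic markers of obfuscated JScript droppers (not a signature).
OBFUSCATION_MARKERS = [
    re.compile(rb"ActiveXObject", re.I),
    re.compile(rb"WScript\.Shell", re.I),
    re.compile(rb"eval\s*\(", re.I),
    re.compile(rb"String\.fromCharCode", re.I),
    re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}"),  # long base64-looking run
]


def ext_of(name):
    """Lowercased final extension of a (possibly path-like) name, '' if none."""
    base = name.rsplit("/", 1)[-1]
    dot = base.rfind(".")
    return base[dot:].lower() if dot >= 0 else ""


def score_script(data):
    """Number of obfuscation markers present in a script body."""
    return sum(1 for rx in OBFUSCATION_MARKERS if rx.search(data))


def inspect_blob(name, data, findings, depth=0):
    """Classify one blob; recurse into zip archives up to MAX_DEPTH."""
    ext = ext_of(name)
    if ext in SCRIPT_EXTS:
        findings.append({"name": name, "verdict": "script", "markers": score_script(data)})
    elif ext == ".zip" and depth < MAX_DEPTH:
        try:
            zf = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            findings.append({"name": name, "verdict": "corrupt-archive", "markers": 0})
            return
        for info in zf.infolist():
            inner = f"{name}/{info.filename}"
            if info.flag_bits & 0x1:  # encrypted entry: content cannot be scanned here
                findings.append({"name": inner, "verdict": "encrypted-entry", "markers": 0})
            else:
                inspect_blob(inner, zf.read(info), findings, depth + 1)
    elif ext in ARCHIVE_EXTS:
        findings.append({"name": name, "verdict": "unsupported-archive", "markers": 0})
    else:
        findings.append({"name": name, "verdict": "other", "markers": 0})


def triage_eml(raw):
    """Parse a raw RFC 5322 message and return one finding per attachment/entry."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        inspect_blob(part.get_filename() or "unnamed", part.get_payload(decode=True), findings)
    return findings


def build_sample_eml():
    """Constructed message: zipped .js dropper plus a benign-looking PDF."""
    js = (b"var s=new ActiveXObject('WScript.Shell');"
          b"eval(String.fromCharCode(118,97,114));"
          b"var p='" + b"QUJD" * 60 + b"';")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_4471.js", js)
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "billing@example.test", "user@example.test", "Invoice"
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="Invoice.zip")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application", subtype="pdf", filename="terms.pdf")
    return msg.as_bytes()


def summarize(findings):
    """Counts a gateway rule would act on: attachments seen, scripts found, worst score."""
    scripts = [f for f in findings if f["verdict"] == "script"]
    return {"attachments": len(findings), "scripts": len(scripts),
            "max_markers": max((f["markers"] for f in scripts), default=0)}


if __name__ == "__main__":
    results = triage_eml(build_sample_eml())
    for f in results:
        print(f)
    print(summarize(results))
```

The script verdict fires on the extension alone, before any content scoring, which is the point of the gateway recommendation above: an obfuscated dropper that defeats the markers is still blocked because it is a .js file inside the archive. The marker score is only there to prioritize analyst review of what got through elsewhere.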