Daily Summary
New Formbook samples surged to 53, a 44% increase over the 7-day average of 37. This marks the highest single-day count in the current tracking period, driven primarily by a sharp rise in PowerShell-based loaders.
New Samples Detected
PowerShell scripts (.ps1) dominate today’s haul at 24 samples (45% of total), a significant shift from the typical JavaScript-heavy distribution seen over the past week. JavaScript files (.js) contributed 11 samples, while executable (.exe) and VBE files accounted for 4 each. Notably, a rare 7z archive and a file with the unusual extension .32783286 (likely a renamed binary or randomized extension) were also captured. The surge in .ps1 files suggests attackers are testing delivery chains that bypass common script-blocking detections by using reflective loading via PowerShell.
Distribution Methods
Campaign data indicates Formbook is primarily delivered through phishing emails with password-protected .zip attachments containing the PowerShell scripts. The .js files are likely being distributed via malvertising redirect flows or as secondary stages. The single .bat and .cmd files follow known patterns of scheduled task persistence, suggesting lateral movement in post-compromise scenarios. The .7z archive points to a possible shift toward password-protected archives to evade network-level scanning.
Detection Rate
Current detection across major AV engines for today’s .ps1 samples averages 4/60, with several samples showing 0 detections at time of analysis – a 60% drop in detection rate compared to the 7-day average of 10/60. This suggests the operators are employing fresh obfuscation techniques, such as base64-encoded payloads nested within .NET runtime calls. SOC teams should ensure PowerShell logging and script block logging are enabled and monitored.
C2 Infrastructure
Fifty-five new C2 servers were observed today, a 120% increase over the 7-day average of 25 new servers daily. IP addresses are predominantly sourced from cloud hosting providers in Russia and the Netherlands, though three domains used legitimate CDN subdomains to mask traffic. No geographic clustering was observed among the new IPs.
7-Day Trend
Activity has been steadily rising over the past three days, from a low of 21 samples on April 24 to today’s peak of 53. The surge in both samples and C2 infrastructure suggests an active campaign widening its targeting scope.
Security Analysis
The decisive pivot to PowerShell as the primary vector – rather than Visual Basic macros or JavaScript – indicates Formbook operators are responding to Windows default macro-blocking policies. A non-obvious tactic: the .ps1 files are launched via WMI or scheduled tasks, not direct execution, to evade real-time AV scans. Defenders should deploy AMSI policy rules that block non-signed PowerShell scripts launched from user-writable paths (e.g., %TEMP% or %APPDATA%) and validate all scheduled tasks created within 30 seconds of a process launch.
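A defender-side illustration of the two checks recommended above (PowerShell launched from user-writable paths, and scheduled tasks created within 30 seconds of a launch), added here as example code, not something taken from the report or its data sources; the event records are constructed, and the field names are simplified assumptions rather than the real Windows event schema.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): simplified 4688 process-creation
# and 4698 scheduled-task-creation records, already parsed into dicts.
EVENTS = [
    {"ts": "2024-04-26T09:00:00", "id": 4688,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Users\bob\AppData\Local\Temp\inv.ps1"},
    {"ts": "2024-04-26T09:00:12", "id": 4698, "task": r"\Updater", "author": "bob"},
    {"ts": "2024-04-26T10:15:00", "id": 4688,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\ProgramData\Scripts\backup.ps1"},
    {"ts": "2024-04-26T11:00:00", "id": 4698,
     "task": r"\Microsoft\Windows\Maintenance", "author": "SYSTEM"},
]

# %TEMP% and %APPDATA% resolve under the user's AppData tree; match either branch.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Local\\Temp|Roaming)\\", re.IGNORECASE)
POWERSHELL = re.compile(r"(powershell|pwsh)\.exe$", re.IGNORECASE)


def parse_ts(s):
    return datetime.fromisoformat(s)


def flag_powershell_from_user_paths(events):
    """Rule 1: PowerShell whose command line references a script in a user-writable path."""
    return [
        e["cmdline"] for e in events
        if e["id"] == 4688
        and POWERSHELL.search(e["image"])
        and USER_WRITABLE.search(e["cmdline"])
    ]


def flag_tasks_after_launch(events, window=timedelta(seconds=30)):
    """Rule 2: scheduled task (4698) created within `window` after a PowerShell launch (4688)."""
    launches = [parse_ts(e["ts"]) for e in events
                if e["id"] == 4688 and POWERSHELL.search(e["image"])]
    hits = []
    for e in events:
        if e["id"] != 4698:
            continue
        created = parse_ts(e["ts"])
        if any(timedelta(0) <= created - launch <= window for launch in launches):
            hits.append(e["task"])
    return hits
```

Both rules are deliberately narrow; in production the path list and the 30-second window should be tuned against a baseline of legitimate administrative activity to control false positives.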