Formbook - Daily Threat Report

Wednesday, April 29, 2026

Daily Summary

Today’s 39 new Formbook samples represent a 26% increase over the 7-day average of 31, continuing a rising trend observed in the last 48 hours. The shift toward script-based payloads is the most notable change in distribution patterns.

New Samples Detected

PowerShell scripts dominate at 25 samples (64% of today’s total), followed by five JavaScript files and three .exe executables. Two DLL loaders, two VBE scripts, one BAT, and one CMD file complete the sample set. The heavy reliance on .ps1 files suggests operators are favoring fileless execution paths to bypass application whitelisting.

Distribution Methods

The file type distribution indicates email-based campaigns are the primary delivery vector, particularly phishing attachments with obfuscated PowerShell commands. The presence of .vbe and .bat files alongside modern .ps1 and .js scripts suggests a mix of legacy and current infection chains. No single domain or IP pattern was identified in the delivery mechanisms.

Detection Rate

Approximately 68% of today’s samples received detection ratings below 50% across major AV engines, with several PowerShell-based variants showing only partial coverage. The heavy obfuscation in script samples is clearly reducing detection rates compared to well-known .exe variants.

C2 Infrastructure

Fifty-five new C2 servers were identified today, with IP addresses spread across Eastern Europe and Southeast Asia. No dominant hosting provider emerged, but several servers appeared on recently registered domains mimicking legitimate business sites.

7-Day Trend

Activity has climbed steadily from a week low of 26 samples to today’s 39, marking a 50% increase over the last four days. This ramp-up suggests either the start of a new campaign wave or seasonal targeting tied to end-of-month reporting cycles.

Security Analysis

The surge in .ps1 samples paired with the drop in traditional .exe payloads indicates Formbook operators are testing fileless techniques previously associated with more advanced malware families. This shift may reflect operators learning from detection avoidance tactics used by banking trojans like Ursnif. Defenders should prioritize enabling PowerShell script block logging and reviewing execution policies to block unsigned scripts from non-admin directories.
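The two controls recommended above can be applied and verified from an elevated PowerShell session. The following is an added example, not part of the report or of any abuse.ch tooling: it sets the same policy registry values that Group Policy uses for script block logging, raises the machine execution policy to AllSigned, and then scans recent Event ID 4104 records for markers that commonly accompany the obfuscated loaders described in the report. The marker list is an assumed starting point, not a signature set from the page.

```powershell
# Added example (not from the report). Assumes an elevated session on
# Windows PowerShell 5.1 or PowerShell 7 with the Operational log enabled.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# 1. Script block logging: records the de-obfuscated text of every executed
#    script block as Event ID 4104 in Microsoft-Windows-PowerShell/Operational.
$sbl = Join-Path $policyRoot 'ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# 2. Execution policy: require signed scripts machine-wide.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force

# 3. Review: pull recent 4104 events and flag common obfuscation markers.
#    Marker list is an assumed, illustrative set; tune it to your environment.
$markers = 'FromBase64String', '-EncodedCommand', '-enc ', 'Invoke-Expression',
           'IEX', 'DownloadString', '[char]'

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'
    Id      = 4104
} -MaxEvents 500 -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # For 4104, Properties[2] holds the ScriptBlockText field.
    $text = [string]$e.Properties[2].Value
    $hits = $markers | Where-Object { $text -match [regex]::Escape($_) }
    if ($hits) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Hits    = ($hits -join ', ')
            Snippet = $text.Substring(0, [Math]::Min(120, $text.Length))
        }
    }
}
```

Execution policy applies per scope rather than per directory and is not a security boundary on its own; where the goal is to stop unsigned scripts launching from user-writable locations, pair it with an allow-listing control such as AppLocker or WDAC, and keep the 4104 review running so that blocked or bypassed attempts are still visible.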

Further Reading

Data Sources

MalwareBazaar (abuse.ch)
ThreatFox (abuse.ch)
URLhaus (abuse.ch)
