Daily Summary
Formbook sample volume declined sharply to 13 new samples on 2026-05-03, a 63% drop from the 7-day average of 35. This represents the lowest single-day count in the observed period, with no geographic concentration in delivery.
New Samples Detected
PowerShell scripts (.ps1) dominate today’s submissions, accounting for 4 of 13 samples, followed by JavaScript (.js) and equal counts of executables (.exe) and dynamic-link libraries (.dll) at 2 each. Batch (.bat), command (.cmd), and encoded VBScript (.vbe) files each appear once. The mix of script and binary formats suggests operators are testing multiple staging approaches, with PowerShell acting as the primary loader mechanism.
Distribution Methods
The file type distribution points to hybrid delivery chains. The PowerShell scripts and JavaScript files are likely used as phishing attachments or behind malicious email links, while the .exe/.dll samples may arrive through direct downloads or as second-stage payloads dropped by the scripts. The presence of batch and command files suggests manual execution in targeted or lateral-movement scenarios.
Detection Rate
With only 13 new samples and a declining trend, signature-based detection remains moderately effective. However, the reliance on script-based loaders (PS1, JS, VBE) may allow initial access to bypass static analysis, as these file types are often less scrutinized than executables. SOC teams should ensure behavioral detection rules are enabled for PowerShell and WMI execution chains.
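The behavioral coverage recommended above, as an added example that is not part of this summary: a small detector run over constructed process-creation events, flagging a script host (the launcher for .js, .vbe, .bat or .cmd files) spawning PowerShell, PowerShell spawning a WMI client, and PowerShell launched with an encoded command. The event schema (pid, ppid, image, cmdline) and the sample events are assumptions made for this example; map them onto your EDR or Sysmon Event ID 1 fields.

```python
"""Behavioral check over process-creation events (added example, constructed data).

Rules implemented:
  script_host_to_powershell : wscript/cscript/cmd spawned PowerShell
  powershell_to_wmi         : PowerShell spawned a WMI client
  encoded_powershell        : PowerShell launched with -EncodedCommand (or -e/-ec/-enc)
"""
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe"}   # launchers for .js/.vbe/.bat/.cmd
POWERSHELL = {"powershell.exe", "pwsh.exe"}
WMI_CLIENTS = {"wmic.exe"}


def _image_name(path: str) -> str:
    """Reduce a full image path to its lower-cased file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _is_encoded_flag(token: str) -> bool:
    """True for PowerShell's EncodedCommand switch and its accepted abbreviations.
    '-ep' (ExecutionPolicy) and '-Encoding' must not match."""
    t = token.lower()
    return t in {"-e", "-ec"} or (len(t) >= 4 and "-encodedcommand".startswith(t))


def detect_chains(events: List[Dict]) -> List[Dict]:
    """Return one alert per matched rule, in event order."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for ev in events:
        image = _image_name(ev["image"])
        parent = by_pid.get(ev["ppid"])
        parent_image = _image_name(parent["image"]) if parent else ""
        if image in POWERSHELL and parent_image in SCRIPT_HOSTS:
            alerts.append({"rule": "script_host_to_powershell", "pid": ev["pid"], "parent": parent_image})
        if image in WMI_CLIENTS and parent_image in POWERSHELL:
            alerts.append({"rule": "powershell_to_wmi", "pid": ev["pid"], "parent": parent_image})
        if image in POWERSHELL and any(_is_encoded_flag(tok) for tok in ev["cmdline"].split()):
            alerts.append({"rule": "encoded_powershell", "pid": ev["pid"], "parent": parent_image})
    return alerts


# Constructed sample events: a .js attachment chain (pids 200-400) and a benign
# scheduled PowerShell run (pid 500). The base64 argument is a placeholder.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": 'wscript.exe "invoice_0503.js"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QQBBAEEA"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic computersystem get domain"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -ep Bypass -File C:\\scripts\\backup.ps1"},
]

if __name__ == "__main__":
    for alert in detect_chains(SAMPLE_EVENTS):
        print(f"{alert['rule']:28} pid={alert['pid']} parent={alert['parent']}")
```

Running the block prints three alerts for the .js chain (pids 300 and 400) and none for the benign pid 500, whose `-ep` switch is deliberately not treated as an encoded command. The parent lookup only works when the parent's creation event is in the same batch, so feed the detector a window of events rather than single lines.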
C2 Infrastructure
Analysis identified 55 new C2 servers and 68 total IOCs today. The C2 count is disproportionately high relative to the low sample volume, suggesting infrastructure refresh may be decoupled from campaign activity or that operators are rotating endpoints to evade blocklists.
7-Day Trend
The 63% drop versus the 7-day average confirms a sustained cooling trend, with today’s figure marking the lowest point in the week. Activity has declined steadily since mid-week, with no signs of an imminent rebound.
Security Analysis
The sharp decline in Formbook samples coinciding with a high volume of new C2 servers suggests a tactical shift: operators may be stockpiling infrastructure for a future campaign rather than maintaining current distribution. This pattern mirrors Formbook’s historical behavior of periodic “quiet periods” before large-scale spam runs. Defenders should not reduce monitoring posture, as the current lull likely precedes a surge in phishing-based delivery using the accumulated C2 infrastructure.
Actionable recommendation: Proactively block all 68 newly identified IOCs and enable YARA rules targeting Formbook’s string obfuscation patterns in PowerShell loaders.