Daily Summary
Formbook activity dropped sharply on 2026-05-05, with only 13 new samples detected, roughly half the 7-day average of 26 (a 49% decline). This is the lowest single-day volume in the current tracking window and suggests either a campaign pause or a shift in distribution channels.
New Samples Detected
JavaScript files dominated today's submissions with 7 of 13 samples (54%), followed by executables (2), PowerShell scripts (2), one VBS script, and one DLL. The heavy reliance on .js loaders continues the pattern of the past week, and the share of script-based samples rose above the 7-day average of 41%. No unusual naming conventions were noted; most samples used randomized alphanumeric file names.
Distribution Methods
Today's file-type mix points to delivery via email attachments, with the JavaScript and VBS files acting as first-stage downloaders. The two .ps1 samples suggest that some campaigns rely on PowerShell for in-memory execution of the payload. The single .dll sample is consistent with a sideloading variant, so that delivery style is present but not dominant. No macro-enabled Office documents were observed, in line with the broader shift away from VBA-based delivery since Office began blocking macros from the internet by default.
Detection Rate
Current detection rates for today's Formbook samples appear moderate, with the JavaScript loaders the most consistently flagged component across major AV engines. The .dll and .ps1 variants show slightly lower detection, most likely because of differences in packing or obfuscation. Defenders should verify that endpoint detection rules cover the script-based execution chain itself (a script host such as wscript.exe or cscript.exe spawning powershell.exe, cmd.exe or rundll32.exe), since it is the loader stage, not the final payload, that carries the evasion.
C2 Infrastructure
55 new C2 servers were identified today, a count out of proportion to the small sample volume (4.2 servers per sample). This unusual ratio suggests either infrastructure churn or staging ahead of a larger campaign. No geographic clustering was observed, though follow-up analysis of IP-range overlaps may reveal consolidation on a small number of hosting providers.
7-Day Trend
Today's 13 samples continue a multi-day cooling trend, with the 7-day average falling from 31 on May 3 to 26 today. Formbook operators may be in a quiet period, rotating delivery infrastructure or testing new packers before a resurgence.
Security Analysis
The inverse relationship between sample volume and new C2 server count is noteworthy. Historically, Formbook operators pre-deploy infrastructure before scaling deliveries, so the 55 new C2 hosts could signal a return to average or above-average activity within 48-72 hours. SOC teams should prioritize hunting for callback traffic to the newly identified C2 IPs and domain patterns, as these are likely staging for fresh payloads. Recommendation: of the 68 new IOCs (13 sample hashes plus 55 C2 hosts), sinkhole the C2 domains in DNS and block the C2 IPs at the egress firewall, push the sample hashes to endpoint blocklists, and alert on outbound connections to TCP ports 443 or 8080 from systems with recent script-host execution events, since the port alone is far too common to act on without that correlation.
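The two detections the report asks for, coverage of the script-host execution chain (Detection Rate) and correlation of recent script execution with outbound connections to the new C2 hosts (Security Analysis), can be expressed as a small piece of logic over process-creation and network-connection telemetry. The block below is an added example, not code from the original report or its source; the events are constructed Sysmon-style records, the IOC IPs are RFC 5737 documentation addresses standing in for the report's (unpublished) C2 list, and the 30-minute correlation window is an assumption.

```python
"""Detection logic for script-based loader chains and C2 callbacks.

Added example, not code from the original report. The events below are
constructed Sysmon-style records (EventID 1 = process create, EventID 3 =
network connect), and the IOC list uses RFC 5737 documentation addresses
as stand-ins for the report's C2 IPs, which are not reproduced here.
"""
from datetime import datetime, timedelta

# Script hosts that act as the first stage for .js / .vbs / .ps1 loaders.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
# Children whose spawn from a script host is characteristic of a loader chain.
LOADER_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "rundll32.exe",
                   "regsvr32.exe", "mshta.exe", "certutil.exe", "bitsadmin.exe"}
# Assumed values: the ports named in the report, and placeholder IOC IPs.
C2_PORTS = {443, 8080}
C2_IPS = {"203.0.113.10", "198.51.100.25"}


def _exe(path):
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def find_script_chains(process_events):
    """Return process-create events where a script host spawned a loader child."""
    return [ev for ev in process_events
            if ev["EventID"] == 1
            and _exe(ev["ParentImage"]) in SCRIPT_HOSTS
            and _exe(ev["Image"]) in LOADER_CHILDREN]


def find_c2_callbacks(process_events, network_events, window=timedelta(minutes=30)):
    """Flag outbound connections to C2 IOCs on 443/8080 that follow a script
    chain on the same host within `window`. Returns (host, dest_ip, port) tuples."""
    last_chain = {}  # host -> time of its most recent script chain
    for ev in find_script_chains(process_events):
        t = datetime.fromisoformat(ev["UtcTime"])
        host = ev["Computer"]
        if host not in last_chain or t > last_chain[host]:
            last_chain[host] = t
    alerts = []
    for ev in network_events:
        if ev["EventID"] != 3 or not ev["Initiated"]:
            continue
        if ev["DestinationIp"] not in C2_IPS or ev["DestinationPort"] not in C2_PORTS:
            continue
        seen = last_chain.get(ev["Computer"])
        if seen is None:
            continue
        delta = datetime.fromisoformat(ev["UtcTime"]) - seen
        if timedelta(0) <= delta <= window:  # callback must follow the chain, not precede it
            alerts.append((ev["Computer"], ev["DestinationIp"], ev["DestinationPort"]))
    return alerts


# Constructed sample telemetry (not real data).
PROCESS_EVENTS = [
    {"EventID": 1, "UtcTime": "2026-05-05 09:14:02", "Computer": "WS-0142",
     "ParentImage": "C:\\Windows\\System32\\wscript.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"EventID": 1, "UtcTime": "2026-05-05 09:20:11", "Computer": "WS-0142",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"},
    {"EventID": 1, "UtcTime": "2026-05-05 10:02:30", "Computer": "WS-0077",
     "ParentImage": "C:\\Windows\\System32\\cscript.exe",
     "Image": "C:\\Windows\\System32\\rundll32.exe"},
]
NETWORK_EVENTS = [
    # Callback 41 s after the wscript -> powershell chain: should alert.
    {"EventID": 3, "UtcTime": "2026-05-05 09:14:43", "Computer": "WS-0142",
     "Initiated": True, "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # Same IOC, but hours before any script chain on that host: ignored.
    {"EventID": 3, "UtcTime": "2026-05-05 06:00:00", "Computer": "WS-0077",
     "Initiated": True, "DestinationIp": "198.51.100.25", "DestinationPort": 8080},
    # Ordinary HTTPS from a host with no script chain: ignored.
    {"EventID": 3, "UtcTime": "2026-05-05 09:30:00", "Computer": "WS-0200",
     "Initiated": True, "DestinationIp": "192.0.2.50", "DestinationPort": 443},
]

if __name__ == "__main__":
    for chain in find_script_chains(PROCESS_EVENTS):
        print("script chain:", chain["Computer"], _exe(chain["ParentImage"]), "->", _exe(chain["Image"]))
    for host, ip, port in find_c2_callbacks(PROCESS_EVENTS, NETWORK_EVENTS):
        print(f"C2 callback: {host} -> {ip}:{port}")
```

Run against the constructed events this reports two script chains (WS-0142 and WS-0077) and one callback, from WS-0142 to 203.0.113.10:443. The WS-0077 connection to an IOC is deliberately ignored because it precedes that host's script chain; in production you would still want it as a lower-severity IOC match, and you would replace the in-memory dicts with your SIEM's join over the same two event types.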