Daily Summary
Formbook activity dropped sharply to 16 new samples, roughly 43% below the 7-day average of 28. This marks a clear cooling period after sustained moderate volume. Sample volume alone gives no indication of an impending distribution spike, although the C2 infrastructure growth noted below complicates that picture.
New Samples Detected
JavaScript files dominate today's haul, accounting for 8 of the 16 samples (.js: 8, .exe: 3, .vbs: 2, .hta: 1, .dll: 1, .ps1: 1). The .js prevalence suggests campaign operators continue to favor script-based downloaders as initial payloads. The single .hta and .ps1 samples look like supplementary tooling for specific targets rather than a systematic shift in loader type. File naming shows an uptick in innocuous-sounding names such as "invoice_0052.js" and "update_patch.exe", chosen to mimic routine business correspondence and software updates.
Distribution Methods
Delivery remains consistent with phishing campaigns. The heavy reliance on .js files implies email attachments or malicious links leading to hosted scripts; these scripts typically fetch the Formbook executable or DLL from a remote server. The .vbs and .hta samples most likely serve as fallback download mechanisms for cases where the initial .js stage fails in restricted environments. No new distribution vectors (such as malvertising or drive-by download) are evident today.
Detection Rate
Current Formbook samples maintain a moderate detection rate on major AV engines. The .js variants are generally caught by engines that handle obfuscated scripts, but some polymorphic .exe variants may enjoy short-lived evasion windows before signatures catch up. The low sample count suggests attackers are testing specific evasion techniques rather than deploying large-scale campaigns with highly detectable builds.
C2 Infrastructure
55 new C2 servers were identified today, a high number relative to sample volume (more than three new servers per new sample). This aggressive infrastructure churn indicates attackers are rapidly spinning up and discarding servers to stay ahead of blocklists. Geographically, the C2 IPs concentrate in Eastern Europe (Ukraine, Russia) and Southeast Asia, and a few of the new domains use the .top and .xyz TLDs.
7-Day Trend
Activity is cooling after a moderate-volume week. Today's count of 16 is the lowest in the 7-day period, suggesting either a pause between campaigns or preparation for a larger wave. The spike in new C2 servers against declining samples hints at infrastructure buildup for future campaigns.
Security Analysis
The contrast between falling samples and rising C2 servers is the non-obvious indicator in today's data. Attackers may be testing multiple C2 endpoints with small sample batches to identify reliable infrastructure before a larger deployment; this pattern mirrors the pre-burst staging observed in prior Formbook campaigns from early 2025. Defenders should block all of the newly identified C2 domains and IPs now rather than waiting for them to appear in active campaigns, since this infrastructure is likely to be reused in future waves. Recommended controls: alert on any .js (and .vbs, .hta or .ps1) execution spawned from an email client or run from an attachment path, and add network-level detection in DNS and proxy logs for the listed IOC domains and IPs.
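The following is an added example of the two controls recommended above, written for this page and not taken from the original summary or from any vendor tooling. It runs a script-host detection over constructed Sysmon-style process-creation events (wscript.exe, cscript.exe, mshta.exe or powershell.exe launching a .js/.vbs/.hta/.ps1 file whose parent is an email client or whose path is an attachment/download location) and matches constructed DNS query records against a C2 domain list. The hostnames, IPs, file paths and IOC domains are all made up for illustration; the real daily IOC list is not reproduced here.

```python
"""Added example (not part of the original summary): a minimal detection pass
over constructed endpoint and DNS log records, implementing the two controls
the analysis recommends. All hostnames, paths, IPs and IOC domains below are
hypothetical."""

import json
import re
from collections import namedtuple

# Hypothetical IOC list standing in for the day's published C2 domains.
C2_IOCS = {
    "update-srv-0921.top",
    "cdn-assets-check.xyz",
}

# Script hosts that execute the file types observed today.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".hta", ".ps1")
EMAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Locations where opened attachments and link-delivered files usually land
# (Outlook secure temp folder, IE/Edge cache, the user's Downloads folder).
ATTACHMENT_PATH_RE = re.compile(
    r"(\\Content\.Outlook\\|\\INetCache\\|\\Downloads\\)", re.IGNORECASE
)

Alert = namedtuple("Alert", "rule host detail")


def _basename(path):
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def script_from_email(event):
    """Return an Alert when a script host launches a script file that arrived by
    email: the parent is an email client, or the script sits in an attachment
    or download path. Returns None for ordinary administrative script use."""
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    if image not in SCRIPT_HOSTS:
        return None
    # The script argument is the first (possibly quoted) token with a script extension.
    script = next(
        (t.strip('"') for t in re.findall(r'"[^"]+"|\S+', cmdline)
         if t.strip('"').lower().endswith(SCRIPT_EXTENSIONS)),
        None,
    )
    if script is None:
        return None
    if parent in EMAIL_CLIENTS or ATTACHMENT_PATH_RE.search(script):
        return Alert("script_from_email", event.get("Computer", "?"),
                     f"{parent or '?'} -> {image} {script}")
    return None


def c2_lookup(record):
    """Return an Alert when a DNS query resolves a listed C2 domain or any of
    its subdomains; trailing dots and case are normalised first."""
    qname = record.get("query", "").rstrip(".").lower()
    for ioc in C2_IOCS:
        if qname == ioc or qname.endswith("." + ioc):
            return Alert("c2_dns", record.get("client", "?"), qname)
    return None


def scan(process_events, dns_records):
    """Run both rules and return the alerts in input order, endpoint first."""
    alerts = [a for a in map(script_from_email, process_events) if a]
    alerts += [a for a in map(c2_lookup, dns_records) if a]
    return alerts


# Constructed sample telemetry: Sysmon event 1 fields and a DNS query log.
SAMPLE_PROCESS_EVENTS = [
    {"Computer": "WS-17", "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\a\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\ABCD1234\invoice_0052.js"'},
    {"Computer": "WS-17", "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"wscript.exe C:\Tools\cleanup.js"},  # admin script, benign
    {"Computer": "WS-22", "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"mshta.exe C:\Users\b\Downloads\update_patch.hta"},
]
SAMPLE_DNS = [
    {"client": "10.0.5.17", "query": "update-srv-0921.top."},
    {"client": "10.0.5.22", "query": "www.example.com"},
    {"client": "10.0.5.22", "query": "files.cdn-assets-check.xyz"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_PROCESS_EVENTS, SAMPLE_DNS):
        print(json.dumps(alert._asdict()))
```

The Downloads-path condition deliberately also catches the link-based delivery the Distribution Methods section describes, where the script is fetched from a hosted page rather than opened as an attachment; the cost is that it will also fire on legitimately downloaded scripts, so in production the rule should be paired with an allowlist of known administrative script locations such as the C:\Tools example above. The DNS match is suffix-based so that rotating subdomains on a listed C2 domain do not slip past the block.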