Formbook - Daily Threat Report

Thursday, May 7, 2026

Daily Summary

Formbook activity declined today with 18 new samples, 26% below the 7-day average of 24. This marks a continuation of the cooling trend observed over the past 72 hours. No notable spike or surge in samples was detected.

New Samples Detected

JavaScript files dominate today’s submissions, accounting for 9 of 18 samples (50%). Executable files (.exe) follow with 4 samples, while VBS (2), HTA (1), DLL (1), and PowerShell (1) round out the rest. The shift toward script-based loaders, particularly .js, suggests threat actors are attempting to bypass application control policies that block executables. No new naming patterns were identified beyond common random alphanumeric strings.

Distribution Methods

File type distribution indicates delivery via phishing campaigns using email attachments or download links. The heavy use of .js scripts aligns with known Formbook distribution chains where JavaScript acts as a downloader for the main payload. The absence of macro-enabled Office documents is notable, suggesting a pivot away from macro-based lures as Microsoft disables macros by default. HTTPS links embedded in scripts are the likely delivery vector.

Detection Rate

Current AV detection coverage for these variants appears adequate for the core .exe payloads, but script-based loaders (.js, .vbs) may have slightly lower initial detection rates due to their polymorphic nature. Analysts should verify that their EDR solutions are configured to monitor script execution events.

C2 Infrastructure

55 new C2 servers were recorded today, a significant number relative to sample volume. This may indicate reuse of infrastructure across multiple Formbook campaigns or pre-staging for future activity. No clear geographic concentration was observed in the new IOCs (73 total), though non-standard ports continue to be favored.

7-Day Trend

Activity peaked mid-week and is now declining, with today’s 18 samples 25% below the weekly average. This appears to be a routine lull rather than a strategic shift.

Security Analysis

A notable observation is the persistent use of JavaScript as the primary initial access vector despite the declining overall sample count. This suggests Formbook operators may be testing new JavaScript-based obfuscation techniques on a smaller scale before wider deployment. Defenders should review email gateway rules to block .js attachments with suspicious naming patterns and enforce strict execution policies for scripting hosts.

Data Sources

MalwareBazaar (abuse.ch)
ThreatFox (abuse.ch)
URLhaus (abuse.ch)
