Formbook - Daily Threat Report

Sunday, May 17, 2026

Daily Summary

Formbook activity on 2026-05-17 remained steady with 29 new samples, exactly matching the 7-day average of 29. The 1% deviation confirms no operational surge or drop, though the distribution of file types shows a tactical pivot toward script-based payloads. Analysts should note the absence of common macro-laden Office formats, which may indicate a shift in initial access lures.

New Samples Detected

Of the 29 new Formbook samples, 55 percent are JavaScript files, a significant uptick from recent weeks where hybrid formats like VBS and HTA dominated. The inclusion of .bat (4 samples) and .ps1 (1 sample) alongside only 3 .exe files suggests an ongoing preference for living-off-the-land binaries on Windows endpoints. The single .xls file is an outlier and may reflect a targeted campaign rather than broad phishing.

C2 Infrastructure

A total of 55 new C2 servers were added today, a figure that outpaces the sample count and suggests a churn-heavy infrastructure strategy. This pattern is consistent with Formbook operators rotating domains every 24–48 hours to evade sinkholes and blocklists. Analysts should expect these IPs to have short lifespans, making passive DNS monitoring critical for intercepting C2 calls.

Viral Variant Analysis

The ratio of new C2 servers to new samples (1.9:1) is elevated from the typical 1:1 or 1.2:1 observed in late April. This may indicate a multi-stage deployment where each sample contacts multiple fallback servers, or that operators are testing infrastructure resilience following recent takedown operations by private sector partners.

Security Analysis

Today’s heavy reliance on JavaScript (16 of 29 samples) mirrors tactics observed in early 2025 campaigns targeting logistics firms, where the initial execution chain was email.zip > .js > powershell > Formbook. However, the near-complete absence of .docm and .xlsm files marks a departure from those historic patterns. This shift may be an attempt to bypass the Office macro-blocking policies now common in enterprises. Defenders should prioritize application control policies that block script execution from untrusted paths (e.g., %TEMP% and the Downloads folder) and enable AMSI logging for the PowerShell and JScript interpreters to catch the loader stages before Formbook injects.
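Detection logic for the loader chain described above, added here as an example and not part of the original report: it walks process-creation telemetry and flags a Windows script host that ran a script from %TEMP% or Downloads and then spawned PowerShell. The events are constructed Sysmon-style records, and the path and extension patterns are assumptions based on the report's guidance.

```python
"""Flag the loader chain the report describes (.js launched from an untrusted path by a
Windows script host, then spawning PowerShell) in process-creation telemetry.
All events below are constructed Sysmon-style records, not real telemetry."""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Paths the report names as untrusted script locations (%TEMP% and Downloads)
UNTRUSTED_PATH = re.compile(r"\\(AppData\\Local\\Temp|Downloads)\\", re.IGNORECASE)
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|hta|bat)\b", re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def find_loader_chains(events):
    """Return (script_host_pid, powershell_pid, script_cmdline) for each PowerShell
    process whose parent is a script host that ran a script from an untrusted path."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if basename(e["image"]) not in POWERSHELL:
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or basename(parent["image"]) not in SCRIPT_HOSTS:
            continue
        cmd = parent["cmdline"]
        if SCRIPT_EXT.search(cmd) and UNTRUSTED_PATH.search(cmd):
            findings.append((parent["pid"], e["pid"], cmd))
    return findings

# Constructed sample: one malicious chain (zip -> .js in %TEMP% -> PowerShell) and one
# benign script host running a vendor script from Program Files that also spawns PowerShell.
SAMPLE_EVENTS = [
    {"pid": 4000, "ppid": 900, "image": r"C:\Program Files\Mail\mailclient.exe", "cmdline": "mailclient.exe"},
    {"pid": 4120, "ppid": 4000, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\Temp1_invoice.zip\invoice.js"'},
    {"pid": 4188, "ppid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\alice\AppData\Local\Temp\stage2.ps1"},
    {"pid": 5000, "ppid": 900, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Program Files\Vendor\maintenance.js"'},
    {"pid": 5010, "ppid": 5000, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -File "C:\Program Files\Vendor\cleanup.ps1"'},
]

if __name__ == "__main__":
    for host_pid, ps_pid, cmd in find_loader_chains(SAMPLE_EVENTS):
        print(f"suspicious loader chain: script host pid {host_pid} -> powershell pid {ps_pid}: {cmd}")
```

Only the chain rooted in %TEMP% is reported; the vendor script launched from Program Files is left alone, which is the distinction an application control policy on untrusted paths would also make.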

Data Sources

- MalwareBazaar (abuse.ch)
- ThreatFox (abuse.ch)
- URLhaus (abuse.ch)
