Formbook - Daily Threat Report

Sunday, May 31, 2026

Daily Summary

Formbook activity remained essentially flat on 2026-05-31, with 27 new samples detected versus a 7-day average of 26 (a 3% increase). No surge or decline occurred, but a notable shift in file type distribution and a significant batch of new C2 infrastructure warrant closer examination.

New Samples Detected

The file type breakdown reveals a tactical adjustment: .exe samples totaled 12 (44%), which is slightly below the recent 7-day average of 14 (54%), while .js samples jumped to 7 (26%) from the average of 4 (15%). The increase in JavaScript loaders suggests a pivot toward initial-stage payloads that are more likely to bypass email gateway scans, particularly in environments where .exe attachments are aggressively blocked. The presence of .tar (1) and .ps1 (1) samples also indicates campaign operators are testing alternative delivery formats to evade static detection rules.

C2 Infrastructure

Analysts mapped 55 new C2 servers today, a 112% increase over the 7-day average of 26 new servers per day. This volume spike typically precedes a broader campaign rollout or load-balancing rotation. Notably, 18 of the 55 IPs resolved to ASNs hosted in Eastern Europe (primarily Russia and Ukraine), which aligns with a cluster observed during Formbook’s resurgence in Q1 2026. The remaining C2s were scattered across the Netherlands, Germany, and the United States, suggesting operators are diversifying their infrastructure footprint to reduce the impact of sinkholing.

IOC Highlights

Of the 82 new IOCs collected, 22 are domains following the pattern of [a-z]{8}.xyz, consistent with a DGA variant that briefly appeared in January 2026 but then went dormant. This re-emergence may indicate code reuse from older builder kits or an intentional callback to evade detection rules that were tuned to more recent DGA patterns. Analysts should prioritize adding these .xyz domains to blocklists immediately.

Security Analysis

The return of the January 2026 DGA pattern alongside a 112% surge in new C2 infrastructure suggests operators are reactivating legacy builder configurations, possibly to test whether security teams have removed older detection rules. Defenders should audit any automated feeds that might have aged out coverage for [a-z]{8}.xyz domains, as this campaign appears designed to exploit stale detection logic. Recommendation: Update SIEM rules to re-enable blocking for all low-entropy .xyz domains regardless of creation date, and deploy behavioral detection for script-based loaders (especially .js and .ps1) at the email gateway and endpoint levels.
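To illustrate the SIEM recommendation above, the following is an added example (not from this report or its data sources): it scans constructed DNS query log lines for the [a-z]{8}.xyz pattern and reports the Shannon entropy of each matching label. The log format, field names and hostnames are assumptions made for the example.

```python
import math
import re
from collections import Counter
from typing import Optional

# Constructed DNS resolver log lines for this example (not real traffic).
SAMPLE_DNS_LOG = """\
2026-05-31T08:12:03Z client=10.0.4.21 query=abcdefgh.xyz type=A
2026-05-31T08:12:09Z client=10.0.4.21 query=www.example.com type=A
2026-05-31T08:13:44Z client=10.0.7.3 query=qwertyui.xyz type=A
2026-05-31T08:14:10Z client=10.0.7.3 query=mail.corp.internal type=AAAA
2026-05-31T08:15:30Z client=10.0.9.8 query=abcdefghi.xyz type=A
2026-05-31T08:15:51Z client=10.0.9.8 query=aaaabbbb.xyz type=A
2026-05-31T08:16:02Z client=10.0.9.8 query=ABCDEFGH.XYZ. type=A
"""

# Pattern reported for the re-emerged DGA variant: exactly eight lowercase letters under .xyz.
DGA_PATTERN = re.compile(r"^[a-z]{8}\.xyz$")
# Assumed log field carrying the queried name.
QUERY_FIELD = re.compile(r"\bquery=(\S+)")


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a domain label (0.0 for a single repeated character)."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def extract_domain(line: str) -> Optional[str]:
    """Pull the queried name from a log line, lower-cased and without a trailing dot."""
    m = QUERY_FIELD.search(line)
    if not m:
        return None
    return m.group(1).lower().rstrip(".")


def find_dga_queries(log_text: str) -> list:
    """Return one record per query whose domain matches the [a-z]{8}.xyz pattern."""
    hits = []
    for line in log_text.splitlines():
        domain = extract_domain(line)
        if domain is None or not DGA_PATTERN.match(domain):
            continue
        label = domain.split(".")[0]
        hits.append({"domain": domain, "entropy": round(shannon_entropy(label), 3), "line": line})
    return hits


if __name__ == "__main__":
    for hit in find_dga_queries(SAMPLE_DNS_LOG):
        print(f"{hit['domain']:<16} entropy={hit['entropy']:.3f}  {hit['line']}")
```

Note that case and trailing-dot normalisation is what makes the last sample line match; a rule that checks the raw query string would miss it.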

Data Sources

MalwareBazaar (abuse.ch), ThreatFox (abuse.ch), URLhaus (abuse.ch)
