Formbook - Daily Threat Report

Sunday, June 21, 2026

Daily Summary

Formbook activity remained relatively stable on 2026-06-21 with 38 new samples, slightly below the 7-day average of 43 (an 11% decrease). No significant spike or drop in volume was observed, though the distribution of file types this week shows a notable shift toward script-based payloads.

New Samples Detected

Of the 38 new samples collected today, script-based formats dominated, with JavaScript (.js) accounting for 18 samples and VBScript (.vbs) for 7. This marks a continuation of a pattern observed over the past week where script-based payloads have surpassed executable (.exe) files in volume. Only 7 .exe samples were recorded today, alongside 4 batch files (.bat), 1 PowerShell script (.ps1), and 1 screensaver file (.scr). The prominence of .js files may indicate attempts to evade initial detection by static signature-based tools, as script-based payloads can be easily obfuscated and modified at runtime.

C2 Infrastructure

A total of 88 new C2 servers were added to the tracker, representing a moderate increase from the typical daily intake. While no specific geographic clusters were identified today, the volume of new C2 addresses suggests active infrastructure rotation. This aligns with known Formbook behavior, where threat actors frequently cycle through short-lived domains and IPs to maintain operational security and avoid sinkholing. Analysts should prioritize monitoring for patterns in second-level domain naming or TLS certificate issuers that may emerge over the next 48 hours.

IOC Highlights

126 new IOCs were recorded today, a volume consistent with the 7-day average. Given the increase in script-based payloads, several IOCs appear tied to obfuscation tools or downloader domains used in the initial stages of infection. Particularly noteworthy is a cluster of .js files that share similar variable naming conventions and string obfuscation routines, suggesting a common developer or toolkit. These overlapping patterns could aid in attribution or pre-emptive blocking of future samples.

Security Analysis

The continued dominance of script-based .js and .vbs payloads over traditional .exe files in this wave suggests threat actors are leaning further toward living-off-the-land (LotL) techniques, making detection harder for endpoint protection platforms that rely heavily on binary analysis. Security teams should enforce execution policy controls on script interpreters, particularly for JavaScript run via Windows Script Host, and enable AMSI (Antimalware Scan Interface) monitoring for in-memory script execution. Additionally, blocking outbound connections from wscript.exe and cscript.exe to newly observed C2 domains can help disrupt the infection chain before payload delivery is complete.

Data Sources

MalwareBazaar (abuse.ch), ThreatFox (abuse.ch), URLhaus (abuse.ch)
