Daily Summary
Formbook activity declined sharply on June 28, with only 37 new samples observed against a 7-day average of 45, marking a 19% drop. This is the lowest daily count in the past week, driven primarily by a steep reduction in .js-based samples. No geographic anomalies or major new campaigns were flagged.
New Samples Detected
The file-type breakdown today deviates from recent norms. JavaScript samples still dominate at 23 (62% of total), but this share is lower than the typical 75-80% seen over the past week. Batch files (.bat) and VBScripts (.vbs) each contributed 5 samples, a notable increase for these scripting formats, which normally appear in much smaller numbers. HTA files surfaced with a single isolated sample. The three .exe executables are likely packer-wrapped variants, consistent with Formbook’s ongoing AV-evasion tweaks.
C2 Infrastructure
Analysts recorded 76 new C2 servers today, a sharp increase over the 7-day daily average of roughly 45 new servers. This suggests a rotation or expansion of infrastructure, possibly to replace flagged nodes or support a targeted push. No geographic clustering was observed, with IPs distributed across cloud providers in the US, Netherlands, and Singapore.
IOC Highlights
Of the 113 total new IOCs, 80 are C2 IPs or domains, and 33 are file hashes. The IP range 185.130.44.0/24 appears in 5 distinct C2 addresses, hinting at a shared hosting block. Additionally, three domains registered within the past 48 hours (formback-[random].com, updater-[random].net, syslog-[random].org) match patterns seen in previous Formbook phishing lures using fake software updater names.
Security Analysis
The simultaneous drop in sample volume and surge in C2 server count is unusual for Formbook. Historically, this pattern correlates with operational shifts rather than campaign decay, such as migrating to new hosting providers or preparing a new loader variant. Defenders should prioritize blocking the 185.130.44.0/24 range and monitoring for .bat and .vbs attachments in email traffic over the next 48 hours, as these scripting formats often precede a loader change.
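As an added illustration of the recommendations above (example code, not part of the report), the script below turns the report's indicators into simple detection logic: it flags destinations inside 185.130.44.0/24, hostnames that follow the formback-/updater-/syslog- naming pattern, and .bat/.vbs attachments. The log line format and every sample line, IP and domain suffix in it are constructed for the example; only the CIDR, name prefixes and extensions come from the report.

```python
import ipaddress
import re

# Indicators taken from the report above; the log format and sample lines
# below are constructed for this example and are not data from the report.
WATCHED_CIDR = ipaddress.ip_network("185.130.44.0/24")
# Report pattern: formback-[random].com, updater-[random].net, syslog-[random].org
LURE_DOMAIN_RE = re.compile(r"^(formback|updater|syslog)-[a-z0-9]+\.(com|net|org)$", re.I)
# Script attachment types the report asks defenders to watch for
WATCHED_ATTACHMENT_EXT = (".bat", ".vbs")

# Constructed sample lines: "<source> <dst_ip> <host_or_-> <attachment_or_->"
SAMPLE_LOG = """\
proxy 185.130.44.17 formback-k3x9q.com -
proxy 93.184.216.34 example.com -
mail 10.0.0.5 - invoice_0628.bat
mail 10.0.0.5 - report.pdf
proxy 185.130.44.201 cdn.legit-site.net -
proxy 203.0.113.9 updater-7fh2.net -
"""

def classify(line):
    """Return the reasons this log line should be alerted on (empty list = clean)."""
    fields = line.split()
    if len(fields) != 4:
        return []
    _src, dst_ip, host, attachment = fields
    reasons = []
    try:
        # CIDR membership check covers the whole block, not just the 5 seen IPs
        if ipaddress.ip_address(dst_ip) in WATCHED_CIDR:
            reasons.append("dst in watched C2 range")
    except ValueError:
        pass  # malformed address: nothing to match on
    if host != "-" and LURE_DOMAIN_RE.match(host):
        reasons.append("host matches lure naming pattern")
    if attachment != "-" and attachment.lower().endswith(WATCHED_ATTACHMENT_EXT):
        reasons.append("script attachment")
    return reasons

def scan(log_text):
    """Map each flagged line to its reasons; clean lines are omitted."""
    return {ln: r for ln in log_text.splitlines() if (r := classify(ln))}

if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LOG).items():
        print(f"ALERT {line!r}: {', '.join(reasons)}")
```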