Formbook - Daily Threat Report

Wednesday, April 1, 2026

Daily Summary

Formbook activity has resumed after a week of dormancy, with 17 new samples detected. This is a sharp departure from the 7-day average of zero and indicates a new campaign or distribution wave. The trend indicator still reads "stable" only because a percentage change cannot be computed from a zero baseline; in practice, the appearance of any samples after a silent week is a notable shift.

New Samples Detected

JavaScript (.js) files dominate the new samples, accounting for 9 of the 17 detections. The remaining samples span a diverse and in some cases dated set of file types, including .arj, .com and .scr. This mix suggests attackers are combining common scripting vectors (.js, .vbs) with less common, easily overlooked extensions to slip past filters that match only on a short list of well-known types.

Distribution Methods

The prevalence of .js files and archive formats (.zip, .arj) points to ongoing email phishing campaigns. These file types are typical of malicious attachments that act as first-stage droppers: a small script or archived executable that downloads and runs the final Formbook payload. The .scr (screensaver) sample fits the same pattern; a .scr file is an ordinary Windows PE executable under a different extension, and the lure relies on social engineering to get the recipient to open what looks like a harmless file.

Detection Rate

Detection coverage for the new samples is moderate. Core Formbook signatures are mature, but the varied packers and scripting wrappers used for the initial droppers can evade them temporarily, until the first stage is unpacked or emulated. Uncommon extensions such as .arj may also be processed with lower priority, or not unpacked at all, by automated tools whose archive support covers only mainstream formats.

C2 Infrastructure

A substantial 55 new C2 servers were reported, far exceeding the sample volume. This indicates either infrastructure being staged for a larger campaign or a bulletproof hosting provider rapidly standing up new nodes. The high server count relative to samples also suggests an attempt to increase resilience against takedowns: with many servers in play, blocking or seizing any one of them does not sever the channel.

7-Day Trend

Today’s activity breaks a 7-day period with no samples reported. This sudden re-emergence suggests a new, coordinated distribution push rather than steady, low-volume activity.

Security Analysis

The simultaneous spike in samples and the disproportionately large set of new C2 servers is the key tactical signal. Formbook campaigns have historically built infrastructure more gradually; this "big bang" approach may be intended to have a resilient network in place before a major spam run. The inclusion of archaic formats such as .arj is most likely an attempt to exploit gaps in attachment filtering rules written around modern threats. The recommended defensive action is to review and update email gateway policies so that a wider range of executable and archive extensions, including .arj and .scr, is blocked or sandboxed even though they are currently low-prevalence, and to classify attachments by their content (file signature) as well as by name, so that a renamed executable or a double extension such as Invoice.pdf.js does not slip past the extension list.
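As an added illustration of that recommendation (example code written for this report, not a gateway product's configuration or code from the data sources listed below), the following Python shows an attachment check that decides by file signature as well as by extension, walks into ZIP attachments to catch a blocked member such as Invoice.pdf.js, and sends anything it cannot inspect in-line (ARJ, RAR, 7z, encrypted or deeply nested archives) to the sandbox. The policy lists, the size and depth limits, and the sample attachments are assumptions constructed for the example.

```python
import io
import zipfile

# Assumed gateway policy (an illustration, not the report's or any vendor's
# configuration): script wrappers and executables are blocked outright,
# container formats go to the sandbox. .scr and .arj are listed deliberately.
BLOCK_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1",
             ".exe", ".scr", ".com", ".pif", ".arj"}
SANDBOX_EXT = {".zip", ".rar", ".7z", ".iso"}
BLOCK_KIND = {"pe", "arj"}      # content types blocked regardless of name
MAX_MEMBER = 50 * 1024 * 1024   # never inflate a larger ZIP member in-line
MAX_DEPTH = 2                   # archives nested deeper than this go to sandbox

# File signatures, so a renamed payload is classified by what it is.
MAGIC = [
    (b"MZ", "pe"),                   # DOS/PE header (.exe, .scr, renamed PE)
    (b"PK\x03\x04", "zip"),
    (b"\x60\xea", "arj"),            # ARJ local file header id
    (b"Rar!\x1a\x07", "rar"),
    (b"7z\xbc\xaf\x27\x1c", "7z"),
]


def sniff(data):
    """Identify a container/executable type from the leading bytes, if any."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return None


def classify(name, data, depth=0):
    """Return (verdict, reason); verdict is 'block', 'sandbox' or 'allow'."""
    exts = ["." + e for e in name.lower().split(".")[1:]]   # every suffix
    last = exts[-1] if exts else ""
    kind = sniff(data)

    # Content wins over name: a PE called quote.pdf is still an executable.
    if kind in BLOCK_KIND:
        return "block", f"{name}: {kind} content (extension {last or 'none'})"
    if last in BLOCK_EXT:
        return "block", f"{name}: blocked extension {last}"
    # Double extensions such as Invoice.pdf.js or report.js.txt.
    if any(e in BLOCK_EXT for e in exts[:-1]):
        return "block", f"{name}: executable extension hidden in {''.join(exts)}"
    if kind == "zip":
        if depth >= MAX_DEPTH:
            return "sandbox", f"{name}: archive nested deeper than {MAX_DEPTH}"
        return inspect_zip(name, data, depth)
    if kind in ("rar", "7z") or last in SANDBOX_EXT:
        return "sandbox", f"{name}: archive ({kind or last}) not inspected in-line"
    return "allow", f"{name}: no policy match"


def inspect_zip(name, data, depth):
    """Classify each ZIP member in memory. The archive inherits a blocked
    member's verdict and otherwise still goes to the sandbox."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                if info.flag_bits & 0x1:         # encrypted: cannot inspect
                    return "sandbox", f"{name}: encrypted member {info.filename}"
                if info.file_size > MAX_MEMBER:  # declared size, checked first
                    return "sandbox", f"{name}: oversized member {info.filename}"
                verdict, reason = classify(info.filename, zf.read(info), depth + 1)
                if verdict == "block":
                    return "block", f"{name} -> {reason}"
    except zipfile.BadZipFile:
        return "sandbox", f"{name}: ZIP signature but unparseable structure"
    return "sandbox", f"{name}: archive, no blocked member"


def make_zip(members):
    """Build a ZIP in memory from {member_name: bytes} (test helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return buf.getvalue()


# Constructed stand-ins for the file types named in the report; none of
# these are real samples.
PE_STUB = b"MZ" + b"\x90" * 62
ARJ_STUB = b"\x60\xea" + b"\x00" * 30
SAMPLES = {
    "Invoice_0401.js": b"var sh = new ActiveXObject('WScript.Shell');",
    "Statement.scr": PE_STUB,
    "quote.pdf": PE_STUB,                       # renamed executable
    "docs.arj": ARJ_STUB,
    "order.dat": ARJ_STUB,                      # ARJ under a bland name
    "scan.zip": make_zip({"Scan.pdf.js": b"eval('')"}),
    "notes.zip": make_zip({"readme.txt": b"plain text"}),
    "report.txt": b"plain text",
}


def run_policy(samples=SAMPLES):
    """Apply the policy to every sample and return name -> verdict."""
    return {name: classify(name, data)[0] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print("%-8s %s" % classify(name, data))
```

The order of the rules matters: the content check runs before the extension check so that a PE renamed to .pdf, or an ARJ renamed to .dat, is caught before the name is consulted at all. Anything the filter cannot open itself (ARJ has no standard-library reader, encrypted members cannot be read, deep nesting is a classic decompression trap) is routed to the sandbox rather than allowed through by default.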

Data Sources

MalwareBazaar (abuse.ch)
ThreatFox (abuse.ch)
URLhaus (abuse.ch)