Daily Summary
Formbook activity shows a moderate increase today, with 20 new samples representing an 18% rise above the 7-day average of 17. The most significant data point is the registration of 55 new C2 servers, indicating a substantial expansion of operational infrastructure.
New Samples Detected
JavaScript (.js) files continue to dominate the delivery chain, comprising 60% of today's samples. The remaining file types are a diverse mix of legacy formats (.arj, .com, .scr) and scripts (.vbs, .cmd), suggesting continued testing of multiple initial infection vectors rather than a consolidated strategy.
Distribution Methods
The heavy use of .js files points to ongoing malicious spam campaigns delivering script-based downloaders. The .zip archives observed most likely contain these scripts or decoy documents. The single .arj sample is an outlier, but it aligns with Formbook's historical use of less common archive formats to bypass static detection rules.
Detection Rate
Current variants remain well-detected by major AV engines due to Formbook’s established signatures. However, the rapid churn of C2 infrastructure and the use of lightly obfuscated scripts for initial access provide a brief window for new downloader variants to operate before detection is updated.
C2 Infrastructure
The registration of 55 new C2 servers is a notable surge, far exceeding the typical daily volume for this family. This scale of infrastructure expansion often precedes or accompanies a new spam campaign wave. Geographic data for these servers is unavailable, but Formbook typically utilizes global, compromised hosting.
7-Day Trend
Activity has been steadily rising through the week, moving from near-average counts to today’s elevated level. This, combined with the infrastructure surge, suggests a ramp-up in operational tempo.
Security Analysis
The current sample set reveals a focus on script-based execution (.js, .vbs, .cmd) over compiled binaries, emphasizing living-off-the-land techniques. This contrasts with some recent campaigns that used more executable payloads, indicating a tactical shift toward easier obfuscation and faster iteration of the initial loader. Defensively, organizations should enhance monitoring for child processes spawned from scripting hosts (wscript.exe, cscript.exe, cmd.exe) making unexpected network connections, as this can catch the downloader stage before the final Formbook payload is retrieved.
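One way to implement the monitoring described above, as an added example that is not part of this summary: correlate constructed, Sysmon-style process-creation and network-connection records and flag any connection made by a scripting host or by a child of one. The event layout, PIDs, paths and the 203.0.113.0/24 addresses are assumptions chosen for illustration.

```python
# Added example (not part of the summary above): correlate constructed,
# Sysmon-style process-creation and network-connection records to flag the
# downloader stage described in the Security Analysis section.
from collections import namedtuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe"}

# Constructed sample telemetry: id 1 = process create, id 3 = network connect.
# PIDs, paths and the 203.0.113.0/24 addresses are documentation placeholders.
EVENTS = [
    {"id": 1, "pid": 4100, "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Program Files\WinRAR\WinRAR.exe"},
    {"id": 3, "pid": 4100, "image": r"C:\Windows\System32\wscript.exe",
     "dest": "203.0.113.10:80"},                        # .js downloader fetching stage 2
    {"id": 1, "pid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wscript.exe"},
    {"id": 3, "pid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest": "203.0.113.10:443"},                       # child of a scripting host
    {"id": 1, "pid": 5000, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe"},             # shell with no outbound traffic
    {"id": 3, "pid": 6000, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest": "203.0.113.20:443"},                       # ordinary browser traffic
]

Hit = namedtuple("Hit", "pid image parent dest")


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_suspicious(events):
    """Return a Hit for every network connection made by a scripting host, or
    by a process whose recorded parent is a scripting host."""
    parent_of = {e["pid"]: basename(e["parent"]) for e in events if e["id"] == 1}
    hits = []
    for e in events:
        if e["id"] != 3:
            continue
        image = basename(e["image"])
        parent = parent_of.get(e["pid"])   # None if process creation was not captured
        if image in SCRIPT_HOSTS or parent in SCRIPT_HOSTS:
            hits.append(Hit(e["pid"], image, parent, e["dest"]))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(EVENTS):
        print(f"pid {hit.pid}: {hit.image} (parent {hit.parent}) -> {hit.dest}")
```

Against the constructed events this reports the wscript.exe connection and the powershell.exe child of wscript.exe, while the idle cmd.exe and the browser traffic stay silent.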