Formbook - Daily Threat Report

Friday, April 3, 2026

Daily Summary

Formbook activity shows a notable decline today, with 14 new samples detected against a 7-day average of 18, a decrease of roughly 22%. The drop in volume coincides with a surge in newly reported C2 infrastructure, which may indicate a shift in operational security or preparation for new campaigns.

New Samples Detected

JavaScript (.js) files dominate today’s submissions, accounting for 8 of the 14 samples. The remaining files are a diverse mix of executable (.exe), script (.vbs, .cmd), screen saver (.scr), and archive (.zip) types. This distribution suggests a continued reliance on script-based initial access vectors, with the single .zip file likely containing one of the other observed file types.

Distribution Methods

The prevalence of .js files points to ongoing malicious spam (malspam) campaigns delivering script loaders. These scripts typically download and execute the final Formbook payload. The presence of .scr and .vbs files aligns with campaigns using disguised email attachments, while the .exe and .zip files may be distributed through fraudulent software cracks or downloaders.

Detection Rate

Current detection rates for these variants remain high among major AV vendors due to Formbook’s well-documented signatures. However, the heavy use of obfuscated JavaScript loaders provides an initial layer of evasion, potentially delaying detection on endpoints without behavioral monitoring until the final payload is fetched.

C2 Infrastructure

A substantial 55 new C2 indicators were reported today, a high number relative to the sample volume. This rapid infrastructure churn is a hallmark of Formbook's operational security and makes sinkholing and blocking efforts more difficult. The servers are typically geographically dispersed, often on bulletproof hosting. Note that Formbook configurations embed a list of decoy domains alongside the live C2, so a share of any day's reported Formbook C2 indicators may be decoys rather than active servers.

7-Day Trend

Today's lower sample count interrupts a period of relatively steady activity over the past week. This could represent a tactical pause by operators or a shift in focus toward infrastructure renewal, as suggested by the high volume of newly reported C2 indicators.

Security Analysis

Today's combination of low sample volume and a high count of newly reported C2 servers is a notable pattern, although a single day does not establish a trend. It suggests operators are cycling infrastructure proactively between distribution waves rather than in response to takedowns. This "infrastructure-first" approach keeps fresh domains ready for the next spam run. Defensively, this highlights the value of proactive threat hunting: security teams should prioritize adding the 55 newly reported C2 domains/IPs to network controls promptly, as they are likely to be used in upcoming campaigns. Because Formbook configurations include decoy domains, which are often legitimate or parked sites, check each indicator's confidence level and context before blocking it at the perimeter.
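The following script, added here as an example and not part of the report or of abuse.ch's own tooling, shows how to turn ThreatFox IOC records for Formbook (Malpedia name win.formbook) into a deduplicated blocklist split into IPs and domains, keeping only botnet C2 entries first seen in the last 24 hours and above a confidence threshold. The sample records are constructed and use reserved example addresses and domains; the live-query helper at the end is written against the ThreatFox v1 API shape as the author understands it (POST JSON with query=malwareinfo and an Auth-Key header) and is an assumption that is not exercised offline.

```python
"""
Build a deduplicated Formbook C2 blocklist from ThreatFox-style IOC records.

Added example; not the report's or abuse.ch's own code. SAMPLE_RESPONSE is
constructed data with reserved example hosts. fetch_formbook_iocs() assumes
the ThreatFox v1 API shape and is not called here.
"""
import ipaddress
import json
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample shaped like a ThreatFox "malwareinfo" response (not real indicators).
SAMPLE_RESPONSE = json.dumps({
    "query_status": "ok",
    "data": [
        {"ioc": "203.0.113.10:80", "ioc_type": "ip:port", "threat_type": "botnet_cc",
         "malware": "win.formbook", "confidence_level": 75, "first_seen": "2026-04-03 06:12:00 UTC"},
        {"ioc": "c2.example.net", "ioc_type": "domain", "threat_type": "botnet_cc",
         "malware": "win.formbook", "confidence_level": 50, "first_seen": "2026-04-03 09:40:00 UTC"},
        {"ioc": "http://www.example.org/v7fd/", "ioc_type": "url", "threat_type": "botnet_cc",
         "malware": "win.formbook", "confidence_level": 100, "first_seen": "2026-04-02 23:05:00 UTC"},
        # duplicate of the first entry: must collapse to one blocklist line
        {"ioc": "203.0.113.10:80", "ioc_type": "ip:port", "threat_type": "botnet_cc",
         "malware": "win.formbook", "confidence_level": 100, "first_seen": "2026-04-03 10:00:00 UTC"},
        # stale entry: outside the 24-hour window
        {"ioc": "old.example.com", "ioc_type": "domain", "threat_type": "botnet_cc",
         "malware": "win.formbook", "confidence_level": 100, "first_seen": "2026-03-20 08:00:00 UTC"},
        # low-confidence entry: a likely decoy, kept out of the perimeter blocklist
        {"ioc": "lowconf.example.com", "ioc_type": "domain", "threat_type": "botnet_cc",
         "malware": "win.formbook", "confidence_level": 25, "first_seen": "2026-04-03 11:00:00 UTC"},
    ],
})


def parse_response(raw: str) -> list:
    """Return IOC records from a ThreatFox JSON body, or [] if the query did not succeed."""
    body = json.loads(raw)
    if body.get("query_status") != "ok":
        return []
    return body.get("data", [])


def _host_kind(host: str) -> str:
    """Classify a host as 'ip' or 'domain' so it can go to the right control (firewall vs DNS)."""
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        return "domain"


def normalize_ioc(record: dict) -> Optional[tuple]:
    """Reduce an IOC to the host a firewall or DNS sinkhole can act on; None if unsupported."""
    ioc, ioc_type = record["ioc"], record["ioc_type"]
    if ioc_type == "ip:port":
        host = ioc.rsplit(":", 1)[0]          # ThreatFox ip:port entries are IPv4 here
    elif ioc_type == "domain":
        host = ioc
    elif ioc_type == "url":
        host = urlsplit(ioc).hostname         # block the host, not the exact path
    else:
        return None
    if not host:
        return None
    return _host_kind(host), host.lower()


def parse_first_seen(value: str) -> datetime:
    """Parse ThreatFox's 'YYYY-MM-DD HH:MM:SS UTC' timestamp into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def build_blocklist(records, now, max_age_hours=24, min_confidence=50) -> dict:
    """Filter to recent, sufficiently confident botnet C2 records and dedupe by host."""
    cutoff = now - timedelta(hours=max_age_hours)
    out = {"ip": set(), "domain": set()}
    for rec in records:
        if rec.get("threat_type") != "botnet_cc":
            continue
        if rec.get("confidence_level", 0) < min_confidence:
            continue
        if parse_first_seen(rec["first_seen"]) < cutoff:
            continue
        norm = normalize_ioc(rec)
        if norm is None:
            continue
        kind, host = norm
        out[kind].add(host)
    return {kind: sorted(hosts) for kind, hosts in out.items()}


def fetch_formbook_iocs(auth_key: str, limit: int = 1000) -> list:
    """Live query (assumed API shape, not run in this example): IOCs for win.formbook."""
    payload = json.dumps({"query": "malwareinfo", "malware": "win.formbook", "limit": limit}).encode()
    req = urllib.request.Request(
        "https://threatfox-api.abuse.ch/api/v1/",
        data=payload,
        headers={"Content-Type": "application/json", "Auth-Key": auth_key},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_response(resp.read().decode())


if __name__ == "__main__":
    snapshot = datetime(2026, 4, 3, 12, 0, tzinfo=timezone.utc)
    for kind, hosts in build_blocklist(parse_response(SAMPLE_RESPONSE), snapshot).items():
        for host in hosts:
            print(f"{kind}\t{host}")
```

The confidence filter is the practical hook for the decoy problem: entries a reporter has rated low can be routed to an alert-only list for review instead of a hard block, while the high-confidence set goes straight to the firewall and DNS sinkhole.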

Data Sources

MalwareBazaar (abuse.ch)
ThreatFox (abuse.ch)
URLhaus (abuse.ch)