Formbook - Daily Threat Report

Wednesday, April 8, 2026

Daily Summary

Formbook activity shows a significant surge today, with 16 new samples representing an 84% increase over the 7-day average of 9. The trend is sharply rising, supported by a substantial expansion in C2 infrastructure.

New Samples Detected

The sample set reveals a diverse and evolving delivery chain. JavaScript (.js) files are the dominant initial vector, comprising 6 samples. Notably, the presence of a PowerShell script (.ps1) and a batch file (.bat) suggests multi-stage deployment. The single file with a numeric extension (.15568) is an outlier, potentially indicating a custom or obfuscated payload.

Distribution Methods

The file type mix points to widespread phishing campaigns delivering malicious scripts (.js, .vbs) and archive files (.zip) containing executable payloads (.exe, .scr). The use of scripts allows for fileless execution techniques and living-off-the-land binaries to deploy the final stealer payload, a common pattern for this malware-as-a-service offering.

Detection Rate

Current variants show moderate detection rates by aggregate AV engines. However, the diversity in initial access files, especially new script-based loaders, often results in a lag in signature creation, providing a brief window for evasion before detection coverage improves.

C2 Infrastructure

A high volume of 55 new C2 servers was registered, indicating active infrastructure rotation to maintain resilience. This scale of deployment is consistent with large-scale campaigns and complicates blocking efforts through simple IP or domain denylists.

7-Day Trend

Today’s spike breaks a period of relatively steady, lower-volume activity observed over the past week, suggesting the start of a new, more aggressive campaign cycle.

Security Analysis

The current activity shows a tactical shift towards heavier use of scripting languages for initial compromise, moving beyond traditional executable attachments. This leverages trusted Windows processes for execution. Defenders should compare this script-heavy wave to recent Formbook campaigns that favored ISO or IMG container files. A key defensive recommendation is to enhance email filtering and endpoint logging to specifically flag and monitor the sequential execution of script files (.js, .vbs, .ps1) followed by unexpected network connections or process spawns, which is indicative of this multi-stage loader behavior.
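As an added illustration of the monitoring recommendation above (not part of this report or its data sources), the following Python correlates constructed Sysmon-like process-create and network-connect events to flag a script host launched with a .js/.vbs/.ps1/.bat file that is followed, within a short window, by a child process or an outbound connection from the same process. The script-host list, the 60-second window and the sample events are assumptions.

```python
import re
from datetime import datetime, timedelta

# Script hosts commonly handed .js/.vbs/.ps1/.bat loaders (assumption: tune to your estate)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}
SCRIPT_RE = re.compile(r"\.(js|vbs|ps1|bat)\b", re.IGNORECASE)
WINDOW = timedelta(seconds=60)  # how soon after the script launch a follow-on must occur

# Constructed sample telemetry in a Sysmon-like shape (process create / network connect).
SAMPLE_EVENTS = [
    {"ts": "2026-04-08T09:00:00", "type": "process_create", "pid": 4100, "ppid": 2200,
     "image": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": "wscript.exe C:\\Users\\alice\\Downloads\\invoice.js"},
    {"ts": "2026-04-08T09:00:02", "type": "process_create", "pid": 4120, "ppid": 4100,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -ep bypass -f C:\\Users\\alice\\AppData\\Local\\Temp\\stage2.ps1"},
    {"ts": "2026-04-08T09:00:05", "type": "network_connect", "pid": 4120, "dest": "203.0.113.10:443"},
    # Benign admin script with no follow-on activity inside the window: must not alert.
    {"ts": "2026-04-08T09:30:00", "type": "process_create", "pid": 5000, "ppid": 900,
     "image": "C:\\Windows\\System32\\cscript.exe", "cmdline": "cscript.exe C:\\Scripts\\inventory.vbs"},
]

def is_script_launch(ev):
    """True for a process-create event where a script host is handed a script file."""
    if ev["type"] != "process_create":
        return False
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    return image in SCRIPT_HOSTS and SCRIPT_RE.search(ev["cmdline"]) is not None

def find_script_loader_chains(events, window=WINDOW):
    """One alert per script launch followed in-window by a child process or a connection from it."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for i, ev in enumerate(events):
        if not is_script_launch(ev):
            continue
        started = datetime.fromisoformat(ev["ts"])
        for follow in events[i + 1:]:
            if datetime.fromisoformat(follow["ts"]) - started > window:
                break  # events are sorted, so nothing later can fall inside the window
            if follow["type"] == "network_connect" and follow["pid"] == ev["pid"]:
                reason, detail = "network_connect", follow["dest"]
            elif follow["type"] == "process_create" and follow["ppid"] == ev["pid"]:
                reason, detail = "child_process", follow["image"]
            else:
                continue
            alerts.append({"script_pid": ev["pid"], "cmdline": ev["cmdline"],
                           "reason": reason, "detail": detail, "ts": follow["ts"]})
    return alerts
```

The `\b` after the extension keeps `.js` from matching `.json` arguments; the benign cscript.exe launch produces no alert because nothing follows it inside the window.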

Data Sources

- MalwareBazaar (abuse.ch)
- ThreatFox (abuse.ch)
- URLhaus (abuse.ch)