Overview
Formbook is an information-stealing malware that first appeared on underground hacking forums in early 2016, offered as a malware-as-a-service (MaaS) platform with weekly and monthly subscription pricing. Its author, known as “ng-Coder,” designed it as an advanced form grabber and credential stealer targeting Windows systems. In 2020, the malware was rebranded and evolved into XLoader, extending support to macOS. Formbook/XLoader has consistently ranked among the most prevalent malware families globally, frequently appearing in the top five of monthly threat reports from major security vendors. Its accessibility, low price point, and robust evasion capabilities have made it a favorite among both low-skilled cybercriminals and more sophisticated threat actors.
Capabilities
Formbook specializes in harvesting sensitive data from infected machines. Its core capabilities include form grabbing from web browsers to intercept credentials before encryption, keylogging, clipboard monitoring, and screenshot capture. It can steal saved passwords from over 90 applications including browsers, email clients, and FTP tools. The malware supports remote commands from its C2 panel including downloading and executing additional payloads, clearing browser cookies, rebooting or shutting down systems, and launching shell commands. Formbook employs advanced anti-analysis measures such as code injection into multiple processes, string obfuscation with hashing, detection of virtual machines and sandboxes, and randomized C2 communication patterns with decoy HTTP requests to legitimate sites.
Distribution Methods
Formbook is primarily distributed through phishing emails with malicious attachments. The most common delivery vectors include Microsoft Office documents exploiting known vulnerabilities such as CVE-2017-11882 (Equation Editor), compressed archives (ZIP, RAR, ACE) containing executables disguised as documents, PDF files with embedded links to payload hosting sites, and ISO disk image files. The malware is also delivered through exploit kits and drive-by download campaigns. Threat actors frequently leverage current events, shipping notifications, and financial document lures to trick recipients into opening the initial payload.
Notable Campaigns
Formbook has been used in campaigns targeting virtually every industry sector. During 2022-2023, it was the most widespread infostealer globally, surpassing even Agent Tesla in volume. Ukrainian CERT documented multiple waves targeting government and critical infrastructure using Formbook payloads. In 2024-2025, the XLoader variant expanded its macOS targeting, reaching enterprise environments through trojanized productivity applications. Formbook infrastructure has been linked to credential harvesting operations that fed initial access broker markets, supplying stolen credentials later used in ransomware attacks.
Detection & Mitigation
Formbook detection relies on identifying its distinctive behavioral patterns: process hollowing into explorer.exe or other system processes, characteristic HTTP POST requests to rotating C2 domains with specific URI patterns, and registry persistence mechanisms. Network detection can flag its decoy traffic pattern where legitimate site requests are interleaved with actual C2 communications. Endpoint protection should monitor for injection into ntdll.dll functions and suspicious clipboard access patterns. Mitigation includes patching Office vulnerabilities (especially CVE-2017-11882), implementing email attachment filtering for archive types, deploying browser isolation for high-risk users, and enforcing multi-factor authentication to reduce the impact of stolen credentials.
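As an added illustration of the network-detection heuristic described above (example code written for this profile, not from the original page or any vendor tool): a Python sketch that scans proxy-log lines for a source host POSTing the same URI path to several distinct domains within a short window, and counts the GETs to unrelated sites interleaved with those POSTs, which is the decoy pattern that makes the stream resemble ordinary browsing. The log format, hostnames and the path `/xn4a/` are constructed for the example; this page names no specific Formbook URI pattern and none is claimed here.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log: "timestamp src_ip method host path". The hosts and the
# path "/xn4a/" are invented for illustration, not real Formbook indicators.
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.0.0.5 GET www.example-news.com /index.html
2024-05-01T10:00:04 10.0.0.5 POST alpha-shop.test /xn4a/
2024-05-01T10:00:09 10.0.0.5 GET cdn.example-static.com /lib.js
2024-05-01T10:00:12 10.0.0.5 POST beta-blog.test /xn4a/
2024-05-01T10:00:20 10.0.0.5 POST gamma-store.test /xn4a/
2024-05-01T10:00:25 10.0.0.5 GET www.example-news.com /sports
2024-05-01T10:00:31 10.0.0.5 POST delta-forum.test /xn4a/
2024-05-01T10:00:40 10.0.0.7 POST login.example-corp.com /api/login
2024-05-01T10:00:45 10.0.0.7 POST login.example-corp.com /api/login
"""


def parse(log):
    """Turn log text into (timestamp, src, method, host, path) tuples."""
    events = []
    for line in log.splitlines():
        ts, src, method, host, path = line.split()
        events.append((datetime.fromisoformat(ts), src, method, host, path))
    return events


def find_rotating_posts(events, window=timedelta(minutes=5), min_domains=3):
    """Flag sources that POST one URI path to >= min_domains distinct domains
    inside `window`; also count GETs to other hosts interleaved with the burst.
    Returns {src: {path: (sorted_domains, interleaved_get_count)}}.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort()  # chronological; timestamps are the first tuple element
        posts = [e for e in evs if e[2] == "POST"]
        for i, (t0, _, _, _, path) in enumerate(posts):
            burst = [e for e in posts[i:] if e[4] == path and e[0] - t0 <= window]
            domains = {e[3] for e in burst}
            if len(domains) >= min_domains and path not in alerts.get(src, {}):
                t_end = burst[-1][0]  # decoys = GETs to non-C2 hosts during the burst
                decoys = sum(1 for e in evs if e[2] == "GET"
                             and t0 <= e[0] <= t_end and e[3] not in domains)
                alerts.setdefault(src, {})[path] = (sorted(domains), decoys)
    return alerts
```

A host repeatedly POSTing to one legitimate service (10.0.0.7 above) is not flagged, since the signal is the same path across many unrelated domains, not POST volume alone.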