Formbook - Distribution Methods
File types, delivery vectors, and hosting infrastructure used to distribute Formbook.
Last updated: 2026-04-18
Understanding how Formbook reaches victims is critical for prevention. This page breaks down the file types used in distribution, the hosting infrastructure serving malicious payloads, and URLs tracked by URLhaus. Data is updated daily.
What Distribution Data Tells You
Shifts in file type distribution often signal changes in delivery tactics. For example, a move from .exe to .msi files may indicate operators adapting to Windows SmartScreen or email gateway filtering. A surge in .js or .vbs files suggests script-based delivery through phishing emails. Monitoring these patterns helps you tune your email security gateway rules and endpoint protection policies to block the current delivery method before it reaches end users.
Hosting Infrastructure
The hosting data below shows which domains and servers are actively distributing Formbook payloads. Add these to your DNS blocklists, web proxy deny rules, and firewall policies. Hosting infrastructure tends to rotate frequently as takedowns occur, so check this page regularly. All URL data is sourced from URLhaus. For hash-based indicators, see the IOC page. For sample details, see Formbook samples.
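An added example (not part of the original page or of URLhaus tooling) of turning a URL feed like the one on this page into per-control block entries, plus the host and file-type tallies discussed above. The sample URLs are constructed, and treating the listed multi-tenant services as URL-level proxy blocks rather than DNS blocks is an assumption of this example.

```python
import ipaddress
import posixpath
from collections import Counter
from urllib.parse import urlsplit

# Assumption: multi-tenant hosts (from this page's table); a host-level block would hit legitimate use.
SHARED_PLATFORMS = {"github.com", "gitlab.com", "drive.google.com",
                    "firebasestorage.googleapis.com"}

# Constructed sample feed (documentation-range IP and example domains only).
SAMPLE_URLS = [
    "http://192.0.2.10/27/invoice.hta",
    "http://192.0.2.10:5124/3/stage.ps1",
    "https://files.example.net/po/order.exe",
    "https://files.example.net/po/order.bat",
    "https://github.com/example-user/example-repo/raw/refs/heads/main/bin.exe",
    "https://drive.google.com/uc?export=download&id=CONSTRUCTED_ID",
]

def _host(url):
    return (urlsplit(url).hostname or "").lower()

def host_counts(urls):
    """URLs per host, most frequent first (same shape as the host table)."""
    return Counter(h for h in map(_host, urls) if h).most_common()

def extension_counts(urls):
    """Tally payload file extensions to spot shifts in delivery file type."""
    exts = (posixpath.splitext(urlsplit(u).path)[1].lower() for u in urls)
    return dict(Counter(e or "(none)" for e in exts))

def build_block_plan(urls):
    """Route each indicator to the control that can block it precisely."""
    plan = {"firewall_ip": set(), "dns_block": set(), "proxy_url": set()}
    for url in urls:
        host = _host(url)
        if not host:
            continue  # unparseable entry, skip rather than guess
        try:
            ipaddress.ip_address(host)
            plan["firewall_ip"].add(host)    # bare IP: firewall rule
        except ValueError:
            if host in SHARED_PLATFORMS:
                plan["proxy_url"].add(url)   # block the exact URL only
            else:
                plan["dns_block"].add(host)  # dedicated host: DNS blocklist
    return {k: sorted(v) for k, v in plan.items()}

if __name__ == "__main__":
    print(build_block_plan(SAMPLE_URLS))
```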
File Types (104 samples)
Malicious Distribution URLs (60)
Source: URLhaus (abuse.ch). Updated: 2026-04-18
Hosting Infrastructure
| Host | URLs |
|---|---|
| minel-lights.rs | 7 |
| katz.adv.br | 5 |
| github.com | 4 |
| firebasestorage.googleapis.com | 4 |
| 91.92.241.197 | 4 |
| gateway.lighthouse.storage | 3 |
| pastefy.app | 2 |
| crowe-avvens.site | 2 |
| accessible-peach-termite.myfilebase.com | 2 |
| drive.google.com | 2 |
| au72nuxzv2.ufs.sh | 2 |
| almacensantangel.com | 2 |
| www.vame.be | 1 |
| stylegeneration.ma | 1 |
| 172.245.155.94 | 1 |
| 66.63.170.9 | 1 |
| wintecs.store | 1 |
| shardaherbals.com | 1 |
| 91.92.242.3 | 1 |
| gitlab.com | 1 |