Formbook - Daily Threat Report

Saturday, April 11, 2026

Daily Summary

Formbook activity shows a slight decline today, with 6 new samples detected against a 7-day average of roughly 8, a 21% decrease measured against the unrounded average. This points to a lull in distribution or a shift in operational tempo rather than a stop. The most notable data point is the surge in new C2 infrastructure, which runs counter to the drop in sample volume.

New Samples Detected

JavaScript (.js) files dominate today's submissions, accounting for 4 of the 6 samples. This is a shift from recent averages, in which executable files were more common. The remaining samples are a single DLL and a single VBScript (.vbs) file. The VBScript continues the script-based initial-access pattern; the DLL is more consistent with a second-stage payload fetched by such a script than with a lure delivered directly to users.

Distribution Methods

The prevalence of .js and .vbs files strongly suggests ongoing phishing campaigns distributing malicious archives, or documents with embedded scripts. This aligns with Formbook's long-standing reliance on social engineering: the user is tricked into opening a script attachment, which Windows hands to the Windows Script Host (wscript.exe or cscript.exe); the script then fetches and executes the final payload.

Detection Rate

Detection rates for these script-based initial droppers remain high among major AV vendors. The subsequent DLL payload, however, may score lower at submission time, which is consistent with updated packing or obfuscation. Note that the rapid deployment of new C2 servers evades IP and domain blocklists rather than endpoint detection; the two must be defended separately.

C2 Infrastructure

A notable surge in infrastructure was observed, with 55 new C2 servers identified. Together with the 6 samples, this brings today's new IOCs to 61. A volume this high suggests either staging for new campaigns or rotation of infrastructure to keep C2 reachable as older servers are blocklisted.

7-Day Trend

Today's sample count continues the moderate, slightly declining volume observed over the past week. The infrastructure surge contrasts with this and points to preparatory activity rather than an operational wind-down.

Security Analysis

The current pattern - lower sample volume paired with a large C2 build-out - mirrors historical pre-campaign behavior: actors stage infrastructure before launching a larger phishing wave. The reliance on .js files indicates a preference for lightweight, easily modified delivery mechanisms that can be re-obfuscated faster than compiled droppers. Recommendation: tighten monitoring and blocking of obfuscated JavaScript arriving by email or web download, particularly scripts that load remote resources or hand off to a DLL loader such as rundll32.exe or regsvr32.exe. Behavioral detection of script-host process chains (wscript.exe or cscript.exe launched from a user-writable path, spawning a DLL loader, followed by an outbound connection) catches the chain even when the individual files are not yet detected, and should be prioritized over file hashes given how quickly the scripts change.
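The behavioral rule recommended above, as an added example that is not part of this report or its data sources. The script correlates Sysmon-style process-creation (EventID 1) and network-connection (EventID 3) events into a parent chain and alerts when a script host running a .js/.vbs file from a user-writable path either spawns a DLL loader or leads to an outbound connection. The events are constructed to resemble a Formbook-style chain; the internal-network prefixes, the user-writable path pattern, and the field names are assumptions and would be adapted to the real telemetry schema.

```python
import json
import re

# Constructed Sysmon-style events, not real telemetry. EventID 1 = process
# creation, EventID 3 = network connection. Backslashes are doubled because
# the text is JSON; json.loads() turns them back into single backslashes.
SAMPLE_EVENTS = r"""
{"EventID":1,"ProcessId":4100,"ParentProcessId":1200,"Image":"C:\\Windows\\explorer.exe","CommandLine":"C:\\Windows\\explorer.exe"}
{"EventID":1,"ProcessId":4212,"ParentProcessId":4100,"Image":"C:\\Windows\\System32\\wscript.exe","CommandLine":"C:\\Windows\\System32\\wscript.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\Temp1_Invoice_0411.zip\\Invoice_0411.js"}
{"EventID":3,"ProcessId":4212,"Image":"C:\\Windows\\System32\\wscript.exe","DestinationIp":"203.0.113.45","DestinationPort":80}
{"EventID":1,"ProcessId":4300,"ParentProcessId":4212,"Image":"C:\\Windows\\System32\\rundll32.exe","CommandLine":"rundll32.exe C:\\Users\\jdoe\\AppData\\Roaming\\qrx.dll,DllRegisterServer"}
{"EventID":3,"ProcessId":4300,"Image":"C:\\Windows\\System32\\rundll32.exe","DestinationIp":"198.51.100.27","DestinationPort":443}
{"EventID":1,"ProcessId":5000,"ParentProcessId":1200,"Image":"C:\\Windows\\System32\\cscript.exe","CommandLine":"cscript.exe C:\\Scripts\\inventory.vbs"}
{"EventID":3,"ProcessId":5000,"Image":"C:\\Windows\\System32\\cscript.exe","DestinationIp":"10.0.0.5","DestinationPort":443}
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf|hta)\b", re.I)
# Assumption: user-writable locations a phished user would launch a script from.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop)|ProgramData|Temp)\\", re.I)
# Assumption: these prefixes are internal; anything else counts as outbound.
INTERNAL_PREFIXES = ("10.", "192.168.", "127.")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


class ProcessTree:
    """Index of process-creation events so a PID can be walked back to its ancestors."""

    def __init__(self, events):
        self.procs = {e["ProcessId"]: e for e in events if e["EventID"] == 1}

    def lineage(self, pid):
        """Return the process and its ancestors, child first; stops at unknown PIDs
        and caps depth so a corrupted PID cycle cannot loop forever."""
        chain = []
        while pid in self.procs and len(chain) < 16:
            chain.append(self.procs[pid])
            pid = self.procs[pid]["ParentProcessId"]
        return chain

    def names(self, pid):
        return [basename(p["Image"]) for p in reversed(self.lineage(pid))]


def script_origin(chain):
    """The first process in the chain that is a script host executing a script
    file from a user-writable path, or None."""
    for p in chain:
        cmd = p["CommandLine"]
        if (basename(p["Image"]) in SCRIPT_HOSTS
                and SCRIPT_EXT.search(cmd) and USER_WRITABLE.search(cmd)):
            return p
    return None


def detect(events):
    """Two rules over the event stream; alerts are returned in event order."""
    tree = ProcessTree(events)
    alerts = []
    for e in events:
        if e["EventID"] == 1 and basename(e["Image"]) in DLL_LOADERS:
            # Rule 1: a DLL loader whose ancestry includes a suspicious script host.
            if script_origin(tree.lineage(e["ParentProcessId"])) and ".dll" in e["CommandLine"].lower():
                alerts.append({"rule": "script_host_spawns_dll_loader", "severity": "medium",
                               "pid": e["ProcessId"], "chain": tree.names(e["ProcessId"])})
        elif e["EventID"] == 3:
            # Rule 2: an outbound connection from anywhere under such a script host.
            if script_origin(tree.lineage(e["ProcessId"])) and not e["DestinationIp"].startswith(INTERNAL_PREFIXES):
                alerts.append({"rule": "script_chain_outbound_connection", "severity": "high",
                               "pid": e["ProcessId"], "chain": tree.names(e["ProcessId"]),
                               "dst": f"{e['DestinationIp']}:{e['DestinationPort']}"})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(alert))
```

The administrative cscript.exe run in the sample produces no alert because its script lives outside a user-writable path, even though it makes a connection; the wscript.exe chain fires twice on network activity (once from the script host itself, once from the rundll32.exe child) and once on the loader spawn. Tuning the path pattern and internal prefixes to the environment is what keeps the false-positive rate usable.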

Data Sources

MalwareBazaar (abuse.ch)
ThreatFox (abuse.ch)
URLhaus (abuse.ch)