Daily Summary
Formbook activity shows a significant surge today, with 13 new samples representing a 69% increase over the 7-day average of 8. This rise is accompanied by a substantial expansion of command-and-control infrastructure, indicating a potentially coordinated distribution push.
New Samples Detected
JavaScript (.js) files are overwhelmingly dominant, comprising 9 of the 13 new samples. The remaining files are a mix of archive (.zip), executable (.exe), and obscure extensions (.5673, .pif), suggesting attackers are using a dual approach: mass distribution via scripts alongside targeted attempts with disguised or less common file types to bypass simple filters.
Distribution Methods
The prevalence of .js files points to ongoing malicious email campaigns where scripts are delivered as attachments or via download links. These scripts typically function as downloaders to retrieve the final Formbook payload. The single .zip file likely contains a malicious document or executable, while the .pif file is a known legacy format used for evasion.
Detection Rate
Current detection rates for the new .js variants are moderately high among leading AV engines due to known patterns. However, the use of the non-standard .5673 extension and the repackaged .exe may cause temporary detection lags in some engines, offering a brief evasion window for the malware.
C2 Infrastructure
A notable spike in new C2 servers was observed, with 55 added today. This scale of infrastructure expansion is atypical and suggests preparation for a high-volume campaign or a shift to a more resilient, decentralized server architecture to avoid takedowns.
7-Day Trend
Today’s sharp increase in samples and C2 servers breaks a period of relatively steady, moderate activity recorded over the past week, signaling a possible new campaign initiation.
Security Analysis
The concurrent surge in samples and C2 infrastructure, particularly the heavy use of .js downloaders, mirrors the pattern of large-scale credential-harvesting campaigns observed historically with Formbook. The addition of a rarely seen file extension (.5673) indicates ongoing testing of evasion techniques. Defensive teams should prioritize blocking .js files at the email gateway and consider implementing application allowlisting to prevent execution of files from suspicious extensions like .pif and .5673, which have no legitimate common use in enterprise environments.
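As an added example that is not part of the report, the following Python attachment policy implements the gateway recommendations above: block script types such as .js together with .pif and .exe, deny purely numeric suffixes like .5673, hold archives such as .zip for expansion and inspection, and treat a disguised double extension (an allowlisted type followed by an unknown one) as a block. The extension sets, the verdict categories and the sample filenames are assumptions constructed for illustration, not lists from the report.

```python
"""Email-gateway attachment policy check (added illustration, not the report's tooling).

Applies the defensive guidance in the summary: block .js and other script/
executable attachments, deny extensions with no legitimate enterprise use
(.pif, numeric suffixes such as .5673), and flag archives for inspection.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Illustrative policy sets (assumptions; tune per organisation).
# Script and executable types commonly abused as downloaders or droppers,
# including the .js, .exe and .pif types named in the report.
BLOCKED_EXTENSIONS = {"js", "jse", "vbs", "vbe", "wsf", "hta",
                      "exe", "pif", "scr", "com", "cpl"}
# Archives are not blocked outright but held so each member can be evaluated.
ARCHIVE_EXTENSIONS = {"zip", "rar", "7z", "gz", "tar"}
# Default allowlist for a typical business mailbox.
ALLOWED_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
                      "txt", "csv", "png", "jpg", "jpeg"}
# Purely numeric suffixes such as .5673 have no common legitimate use.
NUMERIC_EXTENSION = re.compile(r"^\d+$")


@dataclass(frozen=True)
class Verdict:
    action: str   # one of "allow", "inspect", "quarantine", "block"
    reason: str


def extension_chain(filename: str) -> list[str]:
    """Return every dotted suffix, lower-cased: 'scan.pdf.exe' -> ['pdf', 'exe']."""
    parts = filename.strip().lower().split(".")
    return [p for p in parts[1:] if p]


def evaluate_attachment(filename: str) -> Verdict:
    """Classify an attachment by its extension chain, most restrictive rule first."""
    exts = extension_chain(filename)
    if not exts:
        return Verdict("quarantine", "no extension; cannot classify")
    final = exts[-1]
    if final in BLOCKED_EXTENSIONS:
        return Verdict("block", f".{final} is on the block list")
    if NUMERIC_EXTENSION.match(final):
        return Verdict("block", f"numeric extension .{final} has no legitimate enterprise use")
    if final in ARCHIVE_EXTENSIONS:
        return Verdict("inspect", f".{final} archive: expand and evaluate each member")
    if final not in ALLOWED_EXTENSIONS:
        # An allowlisted type followed by an unknown suffix is a disguised file.
        if len(exts) > 1 and any(e in ALLOWED_EXTENSIONS for e in exts[:-1]):
            return Verdict("block", f"double extension disguises .{final} as .{exts[-2]}")
        return Verdict("quarantine", f".{final} is not on the allowlist")
    return Verdict("allow", f".{final} is on the allowlist")


def summarize(filenames: list[str]) -> dict[str, int]:
    """Count verdict actions over a batch of attachment names."""
    return dict(Counter(evaluate_attachment(f).action for f in filenames))


# Constructed sample attachment names (not real samples from the report).
SAMPLE_ATTACHMENTS = [
    "invoice_2024.js", "Statement.PDF", "photo.jpg", "update.5673",
    "setup.pif", "quarterly.zip", "scan.pdf.exe", "notes.docx.xyz",
    "README", "data.bin",
]

if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        verdict = evaluate_attachment(name)
        print(f"{name:18} {verdict.action:10} {verdict.reason}")
    print(summarize(SAMPLE_ATTACHMENTS))
```

The rules are ordered from most to least restrictive so that a blocked final suffix wins even when an earlier suffix looks benign; the double-extension check only fires when the final suffix is not itself allowlisted, so a name like report.v2.pdf passes cleanly.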