Daily Summary
Formbook activity surged today: 28 new samples were observed, a 161% increase over the 7-day average of roughly 11. The rise coincides with a large expansion of C2 infrastructure, which points to a coordinated distribution push rather than isolated submissions.
New Samples Detected
JavaScript (.js) files dominate today's submissions, accounting for 16 of the 28 samples. The remaining 12 span a fragmented set of extensions: several purely numeric ones (e.g., .17095, .95677465), most likely chosen to evade extension-based filtering, alongside the expected .exe, .hta, and .vbs. A numeric extension has no file association on Windows, so such a file does not run on double-click; it only executes when a dropper or script invokes it explicitly, which is consistent with staged delivery behind a script loader.
Distribution Methods
The prevalence of .js files suggests heavy reliance on malicious scripts delivered as phishing attachments or from compromised websites, executed through the Windows Script Host. The single .zip file indicates payload delivery through archived attachments, which defeats filters that only inspect the outer file name. The .hta and .scr samples point to continued use of formats that look like documents or screensavers but run script or native code as soon as the user opens them.
Detection Rate
Detection for the new variants is uneven. Core Formbook payload signatures are well established, but the heavily obfuscated scripts and non-standard extensions likely lower initial detection on some engines, particularly those that select scanners by file type and treat an unrecognised extension as inert data. Per-sample detection figures were not included in today's feed.
C2 Infrastructure
55 new C2 servers were added to the feed today, far exceeding the typical daily volume. Rapid infrastructure churn of this kind is a hallmark of Formbook campaigns and limits the useful lifetime of any single indicator block. Geographic data for these servers was not provided in today's feed.
7-Day Trend
Today’s spike breaks a period of relatively steady, low-volume activity observed over the past week, signaling a new distribution campaign or a testing phase for updated payloads.
Security Analysis
The current batch's heavy skew toward .js files, paired with non-standard numeric extensions, represents a shift away from the more common double-extension lure (e.g., invoice.pdf.js). This is plausibly an attempt to bypass filters that look for that specific pattern. The simultaneous spike in samples and C2 servers suggests a "flash" campaign with a short operational window, so indicator blocks should be expected to decay quickly. Recommendation: enhance email and web filtering to flag executable script types (.js, .vbs, .hta) and files with numeric or otherwise anomalous extensions, and apply those checks to archive members, not just the outer attachment; because an extension check alone misses a script or PE hiding behind a numeric extension, pair it with lightweight content inspection of the file header. Implement application allowlisting (on Windows, AppLocker or WDAC rules covering wscript.exe, cscript.exe and mshta.exe) to prevent execution of scripts from user-writable locations such as Downloads or Temp directories.
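The filtering logic recommended above, written out as an added example for this report (it is not the feed's tooling or any vendor's product). It combines three checks: script/executable extensions, numeric or double extensions, and a best-effort content sniff so that a script or PE behind a numeric extension is still caught, and it descends into zip attachments so archive members get the same treatment. The extension sets, marker strings and the sample attachments are constructed assumptions for illustration; the samples contain only marker strings, not malware.

```python
"""Flag script-like attachments by extension and by content, including inside zip archives.

Added example for this report, not the feed's own tooling. All sample attachments
are constructed for illustration and contain only marker strings.
"""
import io
import re
import zipfile

# Extensions Windows hands to a script host or loader on open (assumption: tune to local policy).
SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "hta", "wsf", "ps1"}
BINARY_EXTS = {"exe", "scr", "dll", "cpl", "pif", "com"}
LURE_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg"}  # innocuous middle extension

# Cheap content markers (assumed); a numeric or unknown extension over one of these is the
# "obfuscated extension" case described in the report.
JS_MARKERS = (b"wscript", b"activexobject", b"eval(", b"string.fromcharcode", b"unescape(")
HTA_MARKERS = (b"<hta:application", b"<script")


def split_name(name):
    """Return (base, [ext1, ext2, ...]) for the last path component, lower-cased."""
    leaf = re.split(r"[\\/!]", name.lower())[-1]
    parts = leaf.split(".")
    return parts[0], parts[1:]


def name_findings(name):
    """Extension-based findings for a single file name."""
    _, exts = split_name(name)
    if not exts:
        return []
    last = exts[-1]
    findings = []
    if last.isdigit():
        findings.append("numeric_extension")
    if last in SCRIPT_EXTS:
        findings.append("script_extension")
    if last in BINARY_EXTS:
        findings.append("executable_extension")
    # invoice.pdf.js style: lure extension immediately before an executable one
    if len(exts) >= 2 and exts[-2] in LURE_EXTS and last in SCRIPT_EXTS | BINARY_EXTS:
        findings.append("double_extension")
    return findings


def sniff(data):
    """Best-effort content type from the first 4 KiB; None if nothing recognisable."""
    head = data[:4096]
    if head.startswith(b"MZ"):
        return "pe"
    low = head.lower()
    if any(m in low for m in HTA_MARKERS):
        return "hta"
    if any(m in low for m in JS_MARKERS):
        return "script"
    return None


def inspect(name, data, depth=0, max_depth=2):
    """Return [(name, [findings])] for every file, descending into zip archives.

    Archive members are reported as 'outer.zip!member' so a gateway can cite the nested path.
    """
    if depth < max_depth and zipfile.is_zipfile(io.BytesIO(data)):
        out = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    out.extend(inspect(f"{name}!{info.filename}", zf.read(info), depth + 1, max_depth))
        return out
    findings = name_findings(name)
    _, exts = split_name(name)
    last = exts[-1] if exts else ""
    kind = sniff(data)
    # Content looks executable but the extension does not claim to be: the numeric-extension trick.
    if kind and last not in SCRIPT_EXTS | BINARY_EXTS:
        findings.append(f"content_mismatch:{kind}")
    return [(name, findings)]


def should_block(findings):
    """Policy from the report: any extension or content finding is enough to quarantine."""
    return bool(findings)


def build_samples():
    """Constructed attachments mirroring today's extension mix (not real malware)."""
    js_body = b"var s = new ActiveXObject('WScript.Shell'); eval(unescape('%41'));"
    hta_body = b"<html><hta:application id='x'/><script language='VBScript'>MsgBox 1</script></html>"
    pe_stub = b"MZ" + b"\x00" * 62  # DOS header magic only
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        zf.writestr("quote.js", js_body)
        zf.writestr("readme.txt", b"hello")
    return {
        "invoice.pdf.js": js_body,
        "shipment.17095": js_body,
        "update.95677465": pe_stub,
        "form.hta": hta_body,
        "notes.txt": b"plain text",
        "order.zip": zip_buf.getvalue(),
    }


def scan_all(samples):
    """Map every (possibly nested) file name to its findings."""
    return {n: f for name, data in samples.items() for n, f in inspect(name, data)}


if __name__ == "__main__":
    for n, f in scan_all(build_samples()).items():
        print("BLOCK " if should_block(f) else "allow ", n, f)
```

The content sniff is deliberately crude (a few marker strings and the PE magic) and exists to show why an extension check alone is insufficient; in production it would be replaced by the gateway's file-type identification, and the extension sets would be aligned with the organisation's AppLocker or WDAC script rules so that mail filtering and endpoint allowlisting block the same things.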