Formbook - Daily Threat Report

Saturday, April 18, 2026

Daily Summary

Formbook activity shows a notable decline today, with only 9 new samples detected against a 7-day average of 13. This represents a 30% decrease in volume. However, a significant surge in new C2 infrastructure was observed.

New Samples Detected

The sample set is heavily dominated by JavaScript files, with 8 .js samples compared to a single .exe. This indicates a strong preference for script-based initial access in current campaigns, with the lone executable likely representing a later-stage payload.

Distribution Methods

The prevalence of .js files strongly suggests ongoing phishing campaigns distributing malicious email attachments. These scripts typically function as downloaders, retrieving the final Formbook payload from a remote server after execution on the victim host.

Detection Rate

Current detection rates for these .js downloaders remain high among major AV vendors, as the obfuscation techniques are well-known. However, the rapid deployment of 55 new C2 servers suggests infrastructure churn aimed at evading network-based blocklists and detection rules.

C2 Infrastructure

A substantial 55 new C2 servers were registered, a high number relative to the low sample volume. This indicates active infrastructure preparation, likely for new campaigns or to rotate out compromised servers. Geographic data for these new servers was not available in today’s feed.

7-Day Trend

Today’s low sample count continues a cooling trend observed over the latter half of the week, following a period of higher activity. The decline may represent a lull between distribution cycles.

Security Analysis

The current high C2-to-sample ratio is atypical and suggests a strategic shift. Threat actors are potentially pre-staging a larger, more resilient infrastructure footprint for a forthcoming campaign, rather than deploying it reactively. Defensive teams should prioritize updating network monitoring rules with the 64 new IOCs, with particular focus on detecting outbound connections to newly registered domains that may not yet host malicious content but are being prepared for future use.
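The following is an added illustration of the recommendation above, not code from the report or from abuse.ch. It matches outbound proxy connections against a C2 indicator list and separately flags destinations whose domain was registered within the last 30 days, so that infrastructure staged ahead of a campaign is surfaced even before it appears on a blocklist. The log lines, indicator values and registration dates are all constructed for the example; in practice the indicator set would be loaded from the feeds listed under Data Sources and the registration dates from a WHOIS or RDAP lookup.

```python
"""Flag outbound connections to known C2 indicators and to newly registered
domains. Added example for this report; all inputs below are constructed."""
import re
from datetime import date, datetime

# Constructed indicator set standing in for the report's new IOCs.
# Hostnames use the reserved .example TLD; the IP is from TEST-NET-3.
C2_IOCS = {
    "update-cdn-checker.example",
    "mailsync-portal.example",
    "203.0.113.45",
}

# Constructed WHOIS-style registration dates, keyed by registered domain.
REGISTRATION_DATES = {
    "update-cdn-checker.example": date(2026, 4, 15),
    "mailsync-portal.example": date(2026, 4, 10),
    "fresh-invoice-host.example": date(2026, 4, 17),  # not yet on any list
    "corp-fileshare.example": date(2018, 6, 2),
}

# Constructed proxy log: timestamp, source host, method, destination:port.
SAMPLE_LOG = """\
2026-04-18T09:12:01Z 10.0.5.21 CONNECT cdn.update-cdn-checker.example:443
2026-04-18T09:12:44Z 10.0.5.21 CONNECT corp-fileshare.example:443
2026-04-18T09:13:09Z 10.0.7.3 CONNECT fresh-invoice-host.example:443
2026-04-18T09:15:30Z 10.0.7.3 CONNECT 203.0.113.45:8080
2026-04-18T09:16:02Z 10.0.9.8 CONNECT www.corp-fileshare.example:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<dest>[^:\s]+):(?P<port>\d+)$"
)


def is_ip(host):
    """True for a dotted-quad IPv4 literal."""
    return re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) is not None


def registered_domain(host):
    """Collapse a hostname to its last two labels (cdn.a.example -> a.example).
    Simplified: a production tool should apply the public suffix list so that
    names under co.uk and similar are not mis-collapsed."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify(dest, observed, iocs, reg_dates, max_age_days):
    """Return the list of reasons a destination deserves an alert."""
    reasons = []
    base = dest if is_ip(dest) else registered_domain(dest)
    # Match either the exact host or its registered domain, so subdomains of
    # a listed domain are caught as well.
    if dest in iocs or base in iocs:
        reasons.append("ioc_match")
    registered = reg_dates.get(base)
    if registered is not None and (observed - registered).days <= max_age_days:
        reasons.append("newly_registered")
    return reasons


def scan_logs(text, iocs=C2_IOCS, reg_dates=REGISTRATION_DATES, max_age_days=30):
    """Parse proxy lines and return one alert dict per suspicious connection."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; skip rather than abort the run
        observed = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").date()
        reasons = classify(m["dest"], observed, iocs, reg_dates, max_age_days)
        if reasons:
            alerts.append({"src": m["src"], "dest": m["dest"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan_logs(SAMPLE_LOG):
        print(alert["src"], "->", alert["dest"], ",".join(alert["reasons"]))
```

Running it on the constructed log produces three alerts: the subdomain of a listed C2 domain (matched on both counts), the unlisted but days-old domain (newly registered only), and the listed IP. The newly-registered check is what gives coverage for servers that are prepared but not yet active, which is the scenario the analysis above describes; tune max_age_days to the organisation's tolerance for false positives from legitimately new domains.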

Data Sources

MalwareBazaar (abuse.ch)
ThreatFox (abuse.ch)
URLhaus (abuse.ch)