Daily Summary
Formbook activity shows a decline today, with 11 new samples detected compared to the 7-day average of 14, representing a 21% decrease. The sample volume remains moderate, with no extreme spikes or drops noted.
New Samples Detected
Script-based delivery continues to dominate, with JavaScript (.js) files comprising nearly half of the new samples. The presence of VBScript (.vbs, .vbe) files reinforces this script-heavy approach. One sample with the non-standard extension .32783286 indicates ongoing attempts at obfuscation through file type masquerading, a common tactic to bypass user awareness and simple filters.
Distribution Methods
The exclusive use of script files (.js, .vbs, .vbe) strongly suggests distribution via phishing emails with malicious attachments. This aligns with Formbook’s long-standing modus operandi of relying on social engineering to lure users into executing the initial script payload, which then retrieves the final malware binary.
Detection Rate
Current variants show moderate detection rates by major AV engines. The consistent use of script files, which are easily modified, allows for frequent hash changes that can temporarily lower detection. The single oddly named file (.32783286) may indicate a new packing or obfuscation test that could initially evade static signatures.
C2 Infrastructure
A significant surge in new C2 infrastructure was observed, with 55 new servers identified alongside 66 new IOCs. This high volume of new infrastructure, contrasting with the lower sample count, suggests attackers are preemptively scaling their backend resources, possibly in preparation for a new campaign or to rotate out compromised servers.
7-Day Trend
Today’s lower sample count continues a slight cooling trend observed over the past several days, moving from a recent peak toward the lower end of the weekly range. Activity appears to be in a consolidation phase.
Security Analysis
The current activity presents a divergence: a decline in sample volume paired with a sharp increase in C2 infrastructure. This may indicate a strategic shift where attackers are focusing on building resilient, decentralized command channels before deploying the next wave of payloads. Compared to known campaigns, this infrastructure surge is notable and warrants close monitoring for new phishing themes. Recommendation: Enhance email filtering to aggressively block or sandbox all incoming .vbe files and JavaScript attachments from untrusted sources, as these are the primary initial access vectors for this current Formbook activity.