Formbook - Daily Threat Report

Sunday, June 14, 2026

Daily Summary

Formbook activity surged sharply on June 14, with 100 new samples detected, marking a 227% increase over the 7-day average of 31. This spike is driven by an unusual diversification in file types and a high number of new C2 servers, indicating a shift in operational tempo rather than a single large campaign.

7-Day Trend

Today’s sample count of 100 deviates significantly from the 7-day average of 31, representing a 227% increase. This is not a gradual uptick but a clear surge, warranting immediate attention from SOC teams monitoring for emerging distribution waves.

New Samples Detected

The file type distribution shows notable diversification beyond typical Formbook executables. While .exe files remain dominant with 64 samples, the presence of 20 .js files, 4 .vbs files, and 4 .com files indicates a shift toward script-based delivery mechanisms. Additionally, rare extensions were observed (.7307, .49147133, and .lnk, one sample each), suggesting targeted or experimental payloads. This mix may indicate an attempt to bypass endpoint detection rules that focus only on standard executable formats.

C2 Infrastructure

Exactly 100 new C2 servers were identified today, matching the sample count precisely. This 1:1 ratio is unusual for Formbook, which often reuses infrastructure across multiple samples. The parallel surge in both samples and C2 endpoints could indicate a coordinated infrastructure shift, possibly from a single threat actor rotating domains to disrupt existing blocklists. SOC teams should expect rapid C2 address churn in the coming days.

IOC Highlights

Among the 200 new IOCs, the single .lnk file and the files carrying the non-standard extensions .7307 and .49147133 are notable. These non-standard formats often evade typical signature-based detections. The large volume of new C2 servers (100) also creates a high-confidence IOC set for immediate blocking.

Security Analysis

The 1:1 ratio of samples to C2 servers is atypical for Formbook, which historically maintains a smaller pool of reused infrastructure. This could indicate a publisher-driven campaign where each victim is assigned a unique C2 endpoint, reducing the risk of mass takedowns. Alternatively, it may reflect automated infrastructure generation via domain generation algorithms (DGAs) or short-lived bulletproof hosting addresses.

Actionable Recommendation: Implement behavioral detection rules for script-based execution chains, specifically monitoring .js and .vbs files that initiate outbound connections. Since Formbook often uses script downloaders to pull secondary payloads, correlate script execution logs with network connections to .exe downloads or unusual IPs. Deploy immediate blocking of the 100 new C2 IPs/domains and set a 30-minute TTL for host-based C2 blocklists, as these addresses are likely short-lived.
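As an added illustration of the correlation rule above (example code, not part of the report or its data sources), the following Python scans constructed endpoint events for a wscript/cscript process that launched a .js or .vbs file and then opened an outbound connection from the same process within a short window. The event format, host names, PIDs and addresses are assumptions, and events are assumed to arrive in time order.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the report): timestamp, host, event type, pid, detail.
SAMPLE_EVENTS = [
    "2026-06-14T09:01:02Z ws01 ProcessStart 4120 wscript.exe C:\\Users\\a\\Downloads\\invoice.js",
    "2026-06-14T09:01:05Z ws01 NetConnect 4120 203.0.113.45:80",
    "2026-06-14T09:01:09Z ws01 ProcessStart 4188 invoice.exe C:\\Users\\a\\AppData\\Local\\Temp\\x.exe",
    "2026-06-14T10:30:00Z ws02 ProcessStart 5010 wscript.exe C:\\Scripts\\logon.vbs",
    "2026-06-14T11:45:00Z ws02 NetConnect 5010 198.51.100.7:443",
    "2026-06-14T12:00:00Z ws03 ProcessStart 6001 notepad.exe C:\\notes.txt",
    "2026-06-14T12:00:01Z ws03 NetConnect 6001 192.0.2.9:443",
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # Windows script interpreters
SCRIPT_EXTS = (".js", ".vbs")                    # file types called out in the report
WINDOW = timedelta(minutes=5)                    # max gap between script start and connection


def parse(line):
    """Split one whitespace-separated event line into a dict."""
    ts, host, kind, pid, *rest = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "kind": kind, "pid": int(pid), "detail": " ".join(rest)}


def find_script_chains(lines, window=WINDOW):
    """Return (host, pid, script_path, remote) for every script-host process that
    ran a .js/.vbs file and opened an outbound connection within `window`."""
    starts = {}   # (host, pid) -> (start time, script path) for script-host processes
    hits = []
    for ev in map(parse, lines):
        key = (ev["host"], ev["pid"])
        if ev["kind"] == "ProcessStart":
            image, _, args = ev["detail"].partition(" ")
            if image.lower() in SCRIPT_HOSTS and args.lower().endswith(SCRIPT_EXTS):
                starts[key] = (ev["ts"], args)
        elif ev["kind"] == "NetConnect" and key in starts:
            started, script = starts[key]
            # The time window keeps long-running logon scripts (ws02) out of the alert set.
            if ev["ts"] - started <= window:
                hits.append((ev["host"], ev["pid"], script, ev["detail"]))
    return hits


if __name__ == "__main__":
    for hit in find_script_chains(SAMPLE_EVENTS):
        print("script-to-network chain:", hit)
```

Only the ws01 chain is reported: ws02's script connects 75 minutes after starting, and ws03's connection comes from a non-script process.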

Data Sources

- MalwareBazaar (abuse.ch)
- ThreatFox (abuse.ch)
- URLhaus (abuse.ch)
