FormBook Malware Distributed via Horus Protector Using Word Docs

April 29, 2025, 9 a.m.

Description

Forcepoint X-Labs researchers have identified a phishing campaign in which attackers distribute the FormBook information-stealing malware using Horus Protector, a malware distribution service designed to evade detection. The campaign employs malicious Microsoft Word documents that exploit CVE-2017-11882, a vulnerability in the Equation Editor.

Date

  • Created: April 29, 2025, 8:41 a.m.
  • Published: April 29, 2025, 8:41 a.m.
  • Modified: April 29, 2025, 9 a.m.

Indicators

Attack Patterns

Additional Information

  • myhandyplanner.courses