Tag: formbook

11 Attack Reports | 0 Vulnerabilities

Attack reports

FormBook Malware Uses Phishing, DLL Side-Loading, JavaScript

Two distinct phishing campaigns have been identified targeting companies in Greece, Spain, Slovenia, Bosnia and Central American countries to deliver FormBook data-stealing malware. The first campaign uses RAR attachments containing legitimate executables like Sandboxie ImBox.exe, TikTok desktop, A…
formbook
dll side-loading
obfuscated javascript
2026-04-22
data-stealing
mandark
mandark loader
ntdll mapping
panthomvai
phishing campaigns
syscall evasion
Published: April 22, 2026
Downloadable IOCs: 1

How a Malicious Excel File (CVE-2017-0199) Delivers the FormBook Payload

A high-severity phishing campaign targeting old version Office Application users exploits CVE-2017-0199 vulnerability to deliver FormBook malware. The attack begins with an email containing a malicious Excel attachment. When opened, it triggers the vulnerability, downloading and executing a malicio…
phishing
autoit
formbook
CVE-2017-0199
2025-06-05
hta
information-stealer
Published: June 5, 2025
Linked vulnerabilities : CVE-2017-0199
Downloadable IOCs: 8

Cyber Attacks on Government Agencies: Detect and Investigate

This analysis examines cyber threats targeting government institutions worldwide, focusing on three case studies: a phishing email targeting the South Carolina Department of Employment and Workforce, a fraudulent domain mimicking the U.S. Social Security Administration, and a malicious PDF posing a…
screenconnect
phishing
stealer
government
pdf
remote-access
formbook
domain-spoofing
2025-06-04
credential-harvesting
Published: June 4, 2025
Downloadable IOCs: 2

FormBook Malware Distributed via Horus Protector Using Word Docs

Forcepoint X-Labs researchers have identified a phishing campaign where attackers distribute the FormBook information-stealing malware using Horus Protector, a malware distribution service designed to evade detection. The campaign employs malicious Microsoft Word documents that exploit the CVE-2017…
phishing
formbook
CVE-2017-11882
2025-04-29
maldoc
horus
Published: April 29, 2025
Downloadable IOCs: 101

Infostealer Malware FormBook Spread via Phishing Campaign – Part I

A phishing campaign delivering a malicious Word document exploiting CVE-2017-11882 was observed spreading a new FormBook variant. The campaign tricks recipients into opening an attached document, which extracts a 64-bit DLL file and exploits the vulnerability to execute it. The DLL acts as a downlo…
phishing
infostealer
formbook
CVE-2017-11882
process hollowing
2025-04-22
fileless malware
microsoft equation editor
Published: April 22, 2025
Linked vulnerabilities : CVE-2017-11882
Downloadable IOCs: 7

Uncovering .NET Malware Obfuscated by Encryption and Virtualization

This article examines advanced obfuscation techniques used in popular malware families like Agent Tesla, XWorm, and FormBook/XLoader. The techniques include code virtualization, staged payload delivery, dynamic code loading, AES encryption, and multi-stage payloads. The malware uses a three-stage p…
obfuscation
xworm
encryption
.net
formbook
agent tesla
sandbox evasion
xloader
2025-03-03
virtualization
static analysis
Published: March 3, 2025
Downloadable IOCs: 11

Technical Analysis of Xloader Versions 6 and 7 P2

The latest versions of the Xloader malware, known as Formbook, use advanced obfuscation techniques to mask critical parts of its code and data, as part of a two-part technical analysis.
c2 server
formbook
base64
xloader
2025-02-14
c2 traffic
dword xor
dwords
decoy c2
pushdo
Published: February 14, 2025
Downloadable IOCs: 261

Technical Analysis of Xloader Versions 6 and 7

This analysis examines the latest versions of Xloader malware, focusing on its advanced obfuscation techniques. Xloader, successor to Formbook, is an information stealer targeting browsers, email clients, and FTP applications. The malware employs complex encryption layers to protect critical code a…
obfuscation
encryption
formbook
information stealer
process injection
xloader
2025-01-28
api resolution
ntdll hook evasion
Published: January 28, 2025
Downloadable IOCs: 261

End-of-Year PTO: Days Off and Data Exfiltration with Formbook

A phishing campaign disguised as an end-of-year leave approval notice has been intercepted by the Cofense Phishing Defense Center. The malicious email, masquerading as HR communication, tricks recipients into clicking a link that leads to the deployment of FormBook malware. The email contains red f…
phishing
autoit
credential harvesting
formbook
keylogging
data exfiltration
process injection
2024-12-06
holiday-themed
Published: December 6, 2024
Downloadable IOCs: 0

CVE-2024-38213: From Crumbs to Full Compromise in a Stealthy Cyber Attack

A targeted email campaign exploiting CVE-2024-38213 has been uncovered, disguised as communication related to the Gas Infrastructure Europe Annual Conference in Munich. The attack bypasses standard security protocols to deploy LummaStealer malware, stealing sensitive data. The vulnerability, known …
xworm
phishing
asyncrat
venomrat
formbook
CVE-2024-38213
2024-11-08
copy2pwn
darkgate rat
lummastealer
Published: November 8, 2024
Downloadable IOCs: 0

Files with TXZ extension used as malspam attachments

A recent report describes a malspam campaign distributing malware payloads in attachments with TXZ file extensions. The attachments were RAR archives with renamed extensions, likely attempting to exploit native TXZ support in Windows 11. Two campaigns distributed the payloads, one with GuLoader mal…
malspam
2024-05-28
formbook
guloader
Published: May 28, 2024
Downloadable IOCs: 2
Click here to see more Attack Reports