FormBook Malware Uses Phishing, DLL Side-Loading, JavaScript

Pulse ID: 69e9a4e4703c018de7e0f325
Pulse Link: https://otx.alienvault.com/pulse/69e9a4e4703c018de7e0f325
Pulse Author: Tr1sa111
Created: 2026-04-23 04:49:40

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #FormBook #InfoSec #Java #JavaScript #Malware #OTX #OpenThreatExchange #Phishing #bot #Tr1sa111

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

FormBook Malware Uses Phishing, DLL Side-Loading, JavaScript

Two distinct phishing campaigns have been identified targeting companies in Greece, Spain, Slovenia, Bosnia and Central American countries to deliver FormBook data-stealing malware. The first campaign uses RAR attachments containing legitimate executables like Sandboxie ImBox.exe, TikTok desktop, Adobe PDF Preview Handler, and XZ Utils, exploiting DLL side-loading with malicious DLL files. The second campaign deploys heavily obfuscated JavaScript that drops encrypted PNG files, uses PowerShell with Base64 encoding, and leverages a custom .NET loader called Mandark to inject the payload into the RegAsm process. Both campaigns deliver the same FormBook executable, which employs advanced evasion by manually mapping ntdll.dll in memory to bypass user-mode monitoring and perform direct syscalls, enabling credential theft and data collection from browsers while avoiding detection mechanisms.

Pulse ID: 69e8c267419390d6722afdd5
Pulse Link: https://otx.alienvault.com/pulse/69e8c267419390d6722afdd5
Pulse Author: AlienVault
Created: 2026-04-22 12:43:19

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Adobe #Browser #CentralAmerica #CyberSecurity #FormBook #InfoSec #Java #JavaScript #Malware #NET #OTX #OpenThreatExchange #PDF #Phishing #PowerShell #SMS #Slovenia #Spain #bot #AlienVault


📢 Xloader v8.1+: new obfuscation techniques and C2 protocol detailed
📝 ## 🔍 Context

Published on 31 March 2026 by ThreatLabz (Zscaler), this article is an in-depth technical analysis...
📖 cyberveille: https://cyberveille.ch/posts/2026-04-05-xloader-v8-1-nouvelles-techniques-d-obfuscation-et-protocole-c2-detailles/
🌐 source: https://www.zscaler.com/blogs/security-research/latest-xloader-obfuscation-methods-and-network-protocol
#C2_protocol #FormBook #Cyberveille

In H2 2025, #ESETresearch saw a thirtyfold increase in #CloudEyE detections, amounting to more than 100,000 hits over the course of six months. CloudEyE is a #MaaS downloader and cryptor used to conceal and deploy other malware, such as #Rescoms, #Formbook, and #Agent Tesla.
CloudEyE’s initial stage is a downloader that spreads via #PowerShell scripts, #JavaScript files, and #NSIS executables. These download the next stage – the cryptor component – with the final payload packed within. All of the CloudEyE stages are heavily obfuscated.
Most of the CloudEyE attack attempts we registered in H2 2025 targeted Poland (32%). These attacks were part of a wave of email campaigns in Central and Eastern Europe ESET observed in September and October 2025.
In order to appear legitimate, the emails deployed in the campaign were often sent from compromised legitimate accounts and localized to the language of the targeted country. They were usually inquiries about invoice payments, package tracking, and purchase orders.
For further information on CloudEyE, cryptors, and more, head on over to the latest #ESETThreatReport: https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-threat-report-h22025.pdf
🚨 FormBook malware spreads via fake installers A new FormBook wave uses weaponized PDFs and spoofed software installers to steal passwords, browser data, keystrokes and screenshots while dropping secondary payloads. Targets include small firms and home users. #ransomNews #FormBook #malware
🚨 Intercontinental cyberattack with Formbook: ComicForm and SectorJ149 have been targeting industrial and financial companies since April 2025. Sophisticated phishing, obfuscation and extraction of sensitive data. Protect yourself with training, EDR and network segmentation. #Cybersécurité #Formbook #Cyberattaque #LynxIntel https://lynxintel.io/cyberattaque-intercontinentale-avec-formbook-les-groupes-en-pleine-action/
2025-08-11 (Monday): Quick post of an #XLoader ( #Formbook ) infection, with a #pcap, email, and #malware sample available at https://www.malware-traffic-analysis.net/2025/08/11/index.html

🎯 Registry abuse helps #malware maintain persistence on infected endpoints. By detonating files in #ANYRUN Sandbox, analysts gain instant threat visibility to accelerate investigations and response.

👨‍💻 See #FormBook and script-based attacks analysis: https://any.run/cybersecurity-blog/how-to-spot-malware-registry-abuse/?utm_source=mastodon&utm_medium=post&utm_campaign=registry_abuse&utm_term=070825&utm_content=linktoblog

#cybersecurity #infosec

Top 10 last week's threats by uploads 🌐
⬆️ #Lumma 548 (484)
⬇️ #Neconyd 289 (311)
⬇️ #Asyncrat 244 (300)
⬇️ #Snake 237 (262)
⬇️ #Remcos 190 (468)
⬇️ #Xworm 179 (214)
⬇️ #Agenttesla 168 (174)
⬆️ #Lokibot 154 (145)
⬇️ #Amadey 144 (157)
⬇️ #Formbook 128 (139)
Track them all: https://any.run/malware-trends/?utm_source=mastodon&utm_medium=post&utm_campaign=top_ten&utm_content=tracker&utm_term=300625

🎯 Registry abuse helps #malware maintain persistence and stealth on infected endpoints.
Detonating suspicious files in #ANYRUN Sandbox gives instant visibility into registry activity.

Explore examples, featuring #FormBook and script-based attacks 👇
https://any.run/cybersecurity-blog/how-to-spot-malware-registry-abuse/?utm_source=mastodon&utm_medium=post&utm_campaign=spot_registry_abuse&utm_term=240625&utm_content=linktoblog

#cybersecurity #infosec

How to Spot Registry Abuse by Malware: Examples in ANY.RUN Sandbox - ANY.RUN's Cybersecurity Blog

Get actionable tips and see examples on how to spot malicious registry activities of malware.

ANY.RUN's Cybersecurity Blog