home.social

#formbook — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #formbook, aggregated by home.social.

  1. FormBook Malware Uses Phishing, DLL Side-Loading, JavaScript

    Two distinct phishing campaigns have been identified targeting companies in Greece, Spain, Slovenia, Bosnia and Central American countries to deliver FormBook data-stealing malware. The first campaign uses RAR attachments containing legitimate executables like Sandboxie ImBox.exe, TikTok desktop, Adobe PDF Preview Handler, and XZ Utils, exploiting DLL side-loading with malicious DLL files. The second campaign deploys heavily obfuscated JavaScript that drops encrypted PNG files, uses PowerShell with Base64 encoding, and leverages a custom .NET loader called Mandark to inject the payload into the RegAsm process. Both campaigns deliver the same FormBook executable, which employs advanced evasion by manually mapping ntdll.dll in memory to bypass user-mode monitoring and perform direct syscalls, enabling credential theft and data collection from browsers while avoiding detection mechanisms.

    Pulse ID: 69e8c267419390d6722afdd5
    Pulse Link: otx.alienvault.com/pulse/69e8c
    Pulse Author: AlienVault
    Created: 2026-04-22 12:43:19

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Adobe #Browser #CentralAmerica #CyberSecurity #FormBook #InfoSec #Java #JavaScript #Malware #NET #OTX #OpenThreatExchange #PDF #Phishing #PowerShell #SMS #Slovenia #Spain #bot #AlienVault

  2. Social media post I wrote for my employer on other platforms: 2025-02-26 (Wednesday): #XLoader (#Formbook) distributed through #malspam.

    The email has an attached PDF document. The PDF has links for a ZIP download, and the ZIP contains files using DLL side-loading for XLoader.

    Details at github.com/PaloAltoNetworks/Un

  3. #Malware campaigns #Italy Week 29

    ☠️💣🔥👻
    #AgentTesla: Order
    #Formbook: Offer
    #GuLoader: Electronic Invoice
    #Remcos: Bank
    #Lokibot: Delivery
    #SmokeLoader: Payments
    #Irata: Malware APK
    #RedLine: Offer
    #Neshta: Order
    #Ousaban: Legal Proceedings
    #SnakeKeylogger: Invoice

    #mwitaly

  4. We just released a landscape review of Registered DGAs. We review the many ways threat actors are leveraging these algorithms -- including malware, phishing, scams, porn, you name it. Our RDGA detectors find tens of thousands of domains every day, and we've seen the use continue to rise over the last several years. Most folks aren't even aware since actors are doing this in DNS and it often isn't obvious. #dns #threatintel #cybersecurity #cybercrime #infoblox #RDGA #DGA #DDGA #malware #phishing #scams #infoblox #infobloxthreatintel #cybersecurity #threatactor #c2 #revolverrabbit #threatintelligence #cyber #cyberintelligence #xloader #formbook #abusedtld insights.infoblox.com/resource

  5. The malware pays homage to the League of Legends character Jinx, prominently featuring the character on its advertising poster and command-and-control login panel. JinxLoader’s primary purpose is straightforward – loading malware.

    #Cybersecurity #Formbook #JinxLoader #Malware #Xloader

    cybersec84.wordpress.com/2024/

  6. XLoader, a successor to the older Windows trojan Formbook, now also harvests data on macOS.
    XLoader: Windows malware can now also hit macOS