#formbook — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #formbook, aggregated by home.social.
-
FormBook Malware Uses Phishing, DLL Side-Loading, JavaScript
Pulse ID: 69e9a4e4703c018de7e0f325
Pulse Link: https://otx.alienvault.com/pulse/69e9a4e4703c018de7e0f325
Pulse Author: Tr1sa111
Created: 2026-04-23 04:49:40
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CyberSecurity #FormBook #InfoSec #Java #JavaScript #Malware #OTX #OpenThreatExchange #Phishing #bot #Tr1sa111
-
FormBook Malware Uses Phishing, DLL Side-Loading, JavaScript
Two distinct phishing campaigns have been identified targeting companies in Greece, Spain, Slovenia, Bosnia and Central American countries to deliver FormBook data-stealing malware. The first campaign uses RAR attachments containing legitimate executables like Sandboxie ImBox.exe, TikTok desktop, Adobe PDF Preview Handler, and XZ Utils, exploiting DLL side-loading with malicious DLL files. The second campaign deploys heavily obfuscated JavaScript that drops encrypted PNG files, uses PowerShell with Base64 encoding, and leverages a custom .NET loader called Mandark to inject the payload into the RegAsm process. Both campaigns deliver the same FormBook executable, which employs advanced evasion by manually mapping ntdll.dll in memory to bypass user-mode monitoring and perform direct syscalls, enabling credential theft and data collection from browsers while avoiding detection mechanisms.
Pulse ID: 69e8c267419390d6722afdd5
Pulse Link: https://otx.alienvault.com/pulse/69e8c267419390d6722afdd5
Pulse Author: AlienVault
Created: 2026-04-22 12:43:19
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Adobe #Browser #CentralAmerica #CyberSecurity #FormBook #InfoSec #Java #JavaScript #Malware #NET #OTX #OpenThreatExchange #PDF #Phishing #PowerShell #SMS #Slovenia #Spain #bot #AlienVault
-
🚨 0-day vibes from 2017? Yup, it’s still happening.
A malicious Excel file using CVE-2017-0199 is out here in 2025 dropping FormBook like it's a fresh mixtape.
The attack chain?
- Macro-free Excel
- Weaponized with remote .hta
- Payload: Info-stealer FormBook
Despite being 7+ years old, this vuln still slaps in phishing campaigns — because patching is apparently a myth.
Full technical breakdown by @FortiGuardLabs: https://www.fortinet.com/blog/threat-research/how-a-malicious-excel-file-cve-2017-0199-delivers-the-formbook-payload
TL;DR for blue teamers:
- Watch your egress traffic
- Harden Office apps
- Monitor LOLBins (Living Off the Land Binaries)
- Block outbound to shady IPs faster than your memes go viral
Don’t let your org get dunked on by a 2017 CVE in 2025. That’s not a good look.
#CyberSecurity #ThreatIntel #FormBook #CVE20170199 #Infosec #BlueTeam #MalwareAnalysis #HackerNews #Phishing
-
Parked domains are used in all sorts of interesting ways. Recently we saw a set used in the sender addresses of spam delivering formbook malware. The emails are disguised as salary updates, purchase orders, fines, and vendor enrollments. The sender addresses typically appear to be from HR or some other official group associated with the subject.
The domains associated with these formbook campaigns are lookalikes, designed to impersonate legitimate brands in an attempt to dupe the victim. Some examples of the brands we have seen lookalikes for include Blue-Maritime and Vanity Case Group.
The spam itself appears to run through actor-controlled relays (SPF failures, etc.) and originate in AS203557 (Dataclub / Latvia). We see the same actor delivering Formbook via various campaigns for over a year, targeting users from different regions, including the Middle East, India, and the United States.
Because the domains are parked, it is hard to confirm whether the spam actor controls them or is just digging around parking lots.
Fun fact: Formbook malware is known to use parked domains for decoy C2 URLs as well.
IOCs: blu-maritlme[.]com, thevenitycase[.]com
Example filename: Gross Misconduct.rar
Sha256: 09590f63531e7e5d7b8e86a55e1e3014cc86c99694c94a29c95215acac227c89
#dns #threatintel #cybercrime #threatintelligence #cybersecurity #infoblox #infobloxthreatintel #infosec #malware #formbook #spam -
#Malware campaigns #Italy Week 35
🔥☠️💣👻
#VIPKeylogger: Bank transfer
#Remcos: Shipments
#Formbook: Orders
#AgentTesla: Payment
#Modiloader: Quotes
#APK #Zanubis: Device protection -
#Malware campaigns #Italy Week 32
🔥☠️💣👻
#SnakeKeyLogger: Summons
#Guloader: Order
#Formbook: Bank form
#AsyncRAT: Document
#RemcosRAT: Prices
#AgentTesla: Quote
#ModiLoader: Payment
#StrRat: Order
#RedLine: Quotation
#Vidar: Payment
#Ousaban: Document -
Analysis of Top Infostealers: Redline, Vidar and Formbook https://hackread.com/top-infostealers-analysis-redline-vidar-formbook/ #ThreatIntelligence #Cybersecurity #Infostealer #Security #Formbook #Malware #Redline #TROJAN #Vidar
-
#Malware campaigns #Italy Week 29
☠️💣🔥👻
#AgentTesla: Order
#Formbook: Offer
#GuLoader: Electronic invoice
#Remcos: Bank
#Lokibot: Delivery
#SmokeLoader: Payments
#Irata: Malware APK
#RedLine: Offer
#Neshta: Order
#Ousaban: Lawsuit
#SnakeKeylogger: Invoice -
We just released a landscape review of Registered DGAs. We review the many ways threat actors are leveraging these algorithms -- including malware, phishing, scams, porn, you name it. Our RDGA detectors find tens of thousands of domains every day, and we've seen the use continue to rise over the last several years. Most folks aren't even aware since actors are doing this in DNS and it often isn't obvious. #dns #threatintel #cybersecurity #cybercrime #infoblox #RDGA #DGA #DDGA #malware #phishing #scams #infoblox #infobloxthreatintel #cybersecurity #threatactor #c2 #revolverrabbit #threatintelligence #cyber #cyberintelligence #xloader #formbook #abusedtld https://insights.infoblox.com/resources-research-report/infoblox-research-report-registered-dgas-the-prolific-new-menace-no-one-is-talking-about
-
Hey there! I stumbled upon a fresh sample of Formbook info-stealer malware. During analysis I found that this malware hides its payload in a vulnerable WordPress website.
Read the article to learn more.
#FormBook #Stealer #MalwareAnalysis #MalwareResearch #CTI #ThreatIntel #InfoSec https://ashishranax.github.io/posts/FormBook-Malware-The-Uninvited-Guest-of-WordPress/ -
Not sure when it happened, but #xloader / #formbook now appears to rotate through campaign IDs:
https://app.any.run/tasks/4cb7b5ef-5c1d-4565-a370-5d0cf1a5c255
-
Seen 3 of these, so might as well share.... NSIS installer -> powershell -> #formbook
https://app.any.run/tasks/b8fe6ed2-d843-4340-b03d-4f8be11006e4
https://app.any.run/tasks/723d54ab-4480-4dba-af6c-6bd4f4eadbfe/
https://app.any.run/tasks/98e899be-47e4-4d90-a8a7-07ec13b1e809/ -
#Malware campaigns #Italy Week 08
🔥☠️💣👻
#AgentTesla: Order
#Formbook: Bank transfer
#SpyNote: APK Bank
#Pikabot: Resend
#AveMaria: Quote
#ModiLoader: List
#WiKiloader: Invoice
#Astaroth: Invoice
#Remcos: GLS parcel on hold -
The malware pays homage to the League of Legends character Jinx, prominently featuring the character on its advertising poster and command-and-control login panel. JinxLoader’s primary purpose is straightforward – loading malware.
-
First time I've seen #formbook #malware actually embedded in an rtf:
https://app.any.run/tasks/ca41f860-0e0c-4489-b59c-7b62ca089061
-
📬 XLoader: macOS malware disguises itself as an OfficeNote application
#ITSicherheit #Malware #DineshDevadoss #Formbook #Keylogger #macOS #macOSMalware #OfficeNote #PhilStokes #SentinelOne #XLoader https://tarnkappe.info/artikel/it-sicherheit/xloader-macos-malware-tarnt-sich-als-officenote-anwendung-279902.html -
An interesting #loader that drops #formbook via:
http://172.93.161[.]118/onlysim/Mdtiho.pdf
https://app.any.run/tasks/0a1b6fbb-60b2-4a9a-aa38-89b47f6cf20d
-
ISC Diary: @malware_traffic reviews loader-style infection for #Formbook on 2023-07-11 https://i5c.us/d30020
-
ISC Diary: @malware_traffic reviews #Formbook from possible #ModiLoader (#DBatLoader) https://i5c.us/d29958
-
I am going to be reviewing the Formbook malware and process hooking with the interns this morning before we break off and start working on stuff. LETS GO!
#security #malware #formbook #processhooking -