home.social

#formbook — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #formbook, aggregated by home.social.

  1. FormBook Malware Uses Phishing, DLL Side-Loading, JavaScript

    Pulse ID: 69e9a4e4703c018de7e0f325
    Pulse Link: otx.alienvault.com/pulse/69e9a
    Pulse Author: Tr1sa111
    Created: 2026-04-23 04:49:40

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #FormBook #InfoSec #Java #JavaScript #Malware #OTX #OpenThreatExchange #Phishing #bot #Tr1sa111

  2. FormBook Malware Uses Phishing, DLL Side-Loading, JavaScript

    Two distinct phishing campaigns have been identified targeting companies in Greece, Spain, Slovenia, Bosnia and Central American countries to deliver FormBook data-stealing malware. The first campaign uses RAR attachments containing legitimate executables like Sandboxie ImBox.exe, TikTok desktop, Adobe PDF Preview Handler, and XZ Utils, exploiting DLL side-loading with malicious DLL files. The second campaign deploys heavily obfuscated JavaScript that drops encrypted PNG files, uses PowerShell with Base64 encoding, and leverages a custom .NET loader called Mandark to inject the payload into RegAsm process. Both campaigns deliver the same FormBook executable that employs advanced evasion by manually mapping ntdll.dll in memory to bypass user-mode monitoring and perform direct syscalls, enabling credential theft and data collection from browsers while avoiding detection mechanisms.

    Pulse ID: 69e8c267419390d6722afdd5
    Pulse Link: otx.alienvault.com/pulse/69e8c
    Pulse Author: AlienVault
    Created: 2026-04-22 12:43:19

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Adobe #Browser #CentralAmerica #CyberSecurity #FormBook #InfoSec #Java #JavaScript #Malware #NET #OTX #OpenThreatExchange #PDF #Phishing #PowerShell #SMS #Slovenia #Spain #bot #AlienVault

  3. 🚨 0-day vibes from 2017? Yup, it’s still happening.

    A malicious Excel file using CVE-2017-0199 is out here in 2025 dropping FormBook like it's a fresh mixtape.

    The attack chain?

    • Macro-free Excel
    • Weaponized with remote .hta
    • Payload: Info-stealer FormBook

    Despite being 7+ years old, this vuln still slaps in phishing campaigns — because patching is apparently a myth.

    Full technical breakdown by @FortiGuardLabs: fortinet.com/blog/threat-resea

    TL;DR for blue teamers:

    • Watch your egress traffic
    • Harden Office apps
    • Monitor LOLBins (Living Off the Land Binaries)
    • Block outbound to shady IPs faster than your memes go viral

    Don’t let your org get dunked on by a 2017 CVE in 2025. That’s not a good look.

    #CyberSecurity #ThreatIntel #FormBook #CVE20170199 #Infosec #BlueTeam #MalwareAnalysis #HackerNews #Phishing

  8. Parked domains are used in all sorts of interesting ways. Recently we saw a set used in the sender addresses of spam delivering Formbook malware. The emails are disguised as salary updates, purchase orders, fines, and vendor enrollments. The sender addresses typically appear to be from HR or some other official group associated with the subject.

    The domains associated with these formbook campaigns are lookalikes, designed to impersonate legitimate brands in an attempt to dupe the victim. Some examples of the brands we have seen lookalikes for include Blue-Maritime and Vanity Case Group.

    The spam itself appears to run through actor-controlled relays (SPF failures, etc) and originate in AS203557 (Dataclub / Latvia). We see the same actor delivering Formbook via various campaigns for over a year targeting users from different regions, including the Middle East, India, and the United States.

    Because the domains are parked, it is hard to confirm whether the spam actor controls them or is just digging around parking lots.

    Fun fact: Formbook malware is known to use parked domains for decoy C2 URLs as well.

    IOCs: blu-maritlme[.]com, thevenitycase[.]com
    Example filename: Gross Misconduct.rar
    Sha256: 09590f63531e7e5d7b8e86a55e1e3014cc86c99694c94a29c95215acac227c89

    #dns #threatintel #cybercrime #threatintelligence #cybersecurity #infoblox #infobloxthreatintel #infosec #malware #formbook #spam

  9. Social media post I wrote for my employer on other platforms: 2025-02-26 (Wednesday): #XLoader (#Formbook) distributed through #malspam.

    The email has an attached PDF document. The PDF has links for a ZIP download, and the ZIP contains files using DLL side-loading for XLoader.

    Details at github.com/PaloAltoNetworks/Un

  14. #Malware campaigns #Italy Week 32
    🔥☠️💣👻

    #SnakeKeyLogger: Summons
    #Guloader: Order
    #Formbook: Bank form
    #AsyncRAT: Document
    #RemcosRAT: Prices
    #AgentTesla: Estimate
    #ModiLoader: Payment
    #StrRat: Order
    #RedLine: Quotation
    #Vidar: Payment
    #Ousaban: Document

    #mwitaly

  15. #Malware campaigns #Italy Week 29

    ☠️💣🔥👻
    #AgentTesla: Order
    #Formbook: Offer
    #GuLoader: Electronic invoice
    #Remcos: Bank
    #Lokibot: Delivery
    #SmokeLoader: Payments
    #Irata: Malware APK
    #RedLine: Offer
    #Neshta: Order
    #Ousaban: Court case
    #SnakeKeylogger: Invoice

    #mwitaly

  16. We just released a landscape review of Registered DGAs. We review the many ways threat actors are leveraging these algorithms -- including malware, phishing, scams, porn, you name it. Our RDGA detectors find tens of thousands of domains every day, and we've seen the use continue to rise over the last several years. Most folks aren't even aware since actors are doing this in DNS and it often isn't obvious. #dns #threatintel #cybersecurity #cybercrime #infoblox #RDGA #DGA #DDGA #malware #phishing #scams #infoblox #infobloxthreatintel #cybersecurity #threatactor #c2 #revolverrabbit #threatintelligence #cyber #cyberintelligence #xloader #formbook #abusedtld insights.infoblox.com/resource

  21. Hey there! I stumbled upon a fresh sample of the Formbook info-stealer malware. During analysis I found that this malware hides its payload in a vulnerable WordPress website.
    Read the article to learn more.
    #FormBook #Stealer #MalwareAnalysis #MalwareResearch #CTI #ThreatIntel #InfoSec ashishranax.github.io/posts/Fo

  22. Some fresh encoded #formbook in an #opendir at:

    http://dianomefs .cfd/Ajai/

  23. The malware pays homage to the League of Legends character Jinx, prominently featuring the character on its advertising poster and command-and-control login panel. JinxLoader’s primary purpose is straightforward – loading malware.

    #Cybersecurity #Formbook #JinxLoader #Malware #Xloader

    cybersec84.wordpress.com/2024/

  24. I am going to be reviewing the Formbook malware and process hooking with the interns this morning before we break off and start working on stuff. LETS GO!
    #security #malware #formbook #processhooking