FormBook

This attack – known as ‘malvertising’ – is often aimed at users looking to download popular software applications.

SentinelLABS observed a cluster of virtualized .NET malware loaders distributed through malvertising attacks.

The campaigns in Italian analyzed by the TG Soft C.R.A.M. were grouped according to macro categories, obtained from the subject of the email message used for malware distribution (malspam).

15/06/2026 AgentTesla - spread through five campaigns themed around: ‘Documents’, ‘Invoices’, 'Orders' (two) and ‘Requests’. ... FormBook - spread through two campaigns themed around ‘Payments’ and ‘Requests’.

It establishes persistence, executes a hidden PowerShell stager via WMI...

persistence: drop Q78BmqBbKP.js + scheduled task "EmGqzwd3kD"

These archives contain script-based malware that ultimately infects a host with the final malware.

This script acts as a downloader, retrieving and executing a PowerShell script.

In most of the cases observed at the time of writing this article, PhantomVAI Loader injected the payload into the Microsoft Build Engine executable, MSBuild.exe.

Upon execution, these files kick off a multi-stage chain of extracting, deobfuscating, loading and executing secondary payloads (dynamic-link libraries), eventually detonating the final payload (executable).

When a user searches for a related term and clicks through to the malicious site, the attackers check the Referer header to confirm the user has come from a search engine, and then entice them into downloading malware disguised as a legitimate software application.

The top-ranking samples this week are Script files accounting for 65,22%. MSIL files follow in second place with 20,65%. As for third place, we find Office documents (Word, Excel, PowerPoint) with 14,13%.

persistence: drop Q78BmqBbKP.js + scheduled task "EmGqzwd3kD"

Persistence: copies self to Startup folder

persistence: drop Q78BmqBbKP.js + scheduled task "EmGqzwd3kD"

"addinprocess32.exe... can be used for injection and launching malicious payloads"; "These events are typical for injecting code into a process. Virtual protect can be abused by malware authors to modify memory protection and writing bytes to an area in memory is typical in process injection techniques."

It then injects this payload into a target process that is also defined by a command-line parameter, using the process hollowing technique.

Persistence: copies self to Startup folder

Formbook, for example, has been in operation since 2021. But most recently, it has added sophisticated obfuscation techniques, designed to make sampling and analysis by security researchers more difficult.

This article highlights a new obfuscation technique threat actors are using to hide malware through steganography within bitmap resources embedded in otherwise benign 32-bit .NET applications.

Other campaigns have impersonated brands like Adobe, Gimp, Slack, Tor, and Thunderbird, in order to infect users with AuroraStealer, RedLine, Vidar, FormBook, and more.

"addinprocess32.exe... can be used for injection and launching malicious payloads"; "These events are typical for injecting code into a process. Virtual protect can be abused by malware authors to modify memory protection and writing bytes to an area in memory is typical in process injection techniques."

It then injects this payload into a target process that is also defined by a command-line parameter, using the process hollowing technique.

In most of the cases observed at the time of writing this article, PhantomVAI Loader injected the payload into the Microsoft Build Engine executable, MSBuild.exe.

carve bytes between markers INICIO ... FIM ; transform '#'→'A' , reverse, Base64-decode

"The actor in this case has utilized a commonly abused LOLBIN (Living Off The Land Binary) here to execute the encoded script through ‘DeviceCredentialDeployment.exe’ in an attempt to avoid detection"; "another Living Off the Land technique for injection/execution... pass in arguments for the process ‘addinprocess32.exe’"

the malware detects the presence of user- and kernel-land debuggers using the NtQueryInformationProcess and NtQuerySystemInformation functions

Other techniques include: “Form grabbing,” which involves searching for logins that you may have entered into an online form, before it is send to a secure server Keylogging, which requires the malware to record every keystroke you make

Family = Formbook/XLoader ... capabilities: credential theft (browser/email/FTP)

Beyond that, it steals stored credentials and cookies from Chrome and Firefox

the malware detects the presence of user- and kernel-land debuggers using the NtQueryInformationProcess and NtQuerySystemInformation functions

Other techniques include: “Form grabbing,” which involves searching for logins that you may have entered into an online form, before it is send to a secure server Keylogging, which requires the malware to record every keystroke you make

Agent Tesla can steal data from the victim’s clipboard. APT38 used a Trojan called KEYLIME to collect data from the clipboard. APT39 has used tools capable of stealing contents of the clipboard.

The campaign arrives to victims as emails with attached archives.

Formbook and XLoader disguise real C2 traffic among smokescreen HTTP requests with encoded and encrypted content to multiple domains, randomly selected from an embedded list.

pulls a steganographic .NET injector ("Fiber") hidden inside a JPEG.

XLoader Activity ... C2 for data exfiltration ... hxxp[://]www.sixfiguredigital[.]group/aoc3/

A campaign is marked by an identifier that is present in HTTP POST and GET requests issued by the malware.

First, we see a call to a location in the stack ... that will execute the function InternetOpenUrlA, we also see the C2 it will use... the second shellcode downloads further malware.

Only one of the domains is the real C2 server and the rest are decoys.