Formbook Malware Campaign Uses Multiple Obfuscation Techniques to Avoid Detection

Two phishing campaigns, each using a different stealthy infection technique, are targeting organizations with attacks that aim to deliver data-stealing malware to devices running Microsoft Windows.

The goal of the campaigns is to install Formbook, a notorious form of infostealer which has been available as part of malware-as-a-service schemes since 2016.

The infostealer malware is designed to gather sensitive information including login credentials, browser data and screenshots. It is also equipped with advanced evasion techniques to avoid detection.

Ten years on from its initial release, Formbook is still an active cyber threat to organizations across a range of industries, with no sign of slowing down.

Cybersecurity threat researchers at WatchGuard have detailed at least two new Formbook campaigns.

As detailed in a blog post published on April 20, Formbook campaigns have been spotted targeting companies in Greece, Spain, Slovenia, Bosnia, Croatia and a range of countries in South America. The phishing lures appear to be disguised as common forms of business emails.

“What makes these campaigns especially noteworthy is not just the malware itself, but the diversity of methods used to evade detection and abuse legitimate software and trusted system processes,” said WatchGuard.

DLL Sideloading and Obfuscated JavaScript

Both Formbook campaigns begin with phishing emails but use different methods to hide and deliver the malware payload: one uses dynamic-link library (DLL) sideloading, while the other uses obfuscated JavaScript.

The first campaign begins with a phishing email carrying a RAR archive that contains four files: three DLLs and one Windows executable (EXE).

DLL sideloading tricks a program into loading a malicious DLL in place of the legitimate one it expects, typically by placing a file with the expected name alongside the executable so that it is found first in the DLL search order. Because the payload then runs inside a legitimate, often signed, process, the activity is less likely to be flagged as malicious or unusual by security tooling.
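The loading pattern described above (a DLL with a well-known system name sitting next to an EXE in a user-writable folder, such as a freshly extracted archive) is what a detection rule for "anomalous DLL loading" keys on. The following is an added example, not WatchGuard's code or anything from the campaign: it runs a few sideloading heuristics over constructed records shaped like Sysmon Event ID 7 (image load) data. The paths, file names and the subset of "known system DLL" names are illustrative assumptions.

```python
"""Flag candidate DLL sideloading in Sysmon-style image-load records (Event ID 7).

Added example, not WatchGuard's code. EVENTS is constructed to resemble Sysmon
Event ID 7 fields (Image = host process, ImageLoaded = DLL, Signed); every
path and file name below is invented for illustration.
"""
import ntpath

# Directories from which Windows itself supplies DLLs.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# Directories a phishing victim can write to; an attachment extracted from an
# archive and double-clicked usually runs from one of these.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\downloads\\",
                         "\\appdata\\roaming\\", "c:\\users\\public\\")

# Illustrative subset of DLL names the OS normally provides from System32.
# A copy with one of these names sitting next to an EXE is the classic
# search-order (sideloading) pattern; a real rule would use a fuller list.
KNOWN_SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wininet.dll", "cryptbase.dll",
                     "msimg32.dll", "userenv.dll", "winhttp.dll", "dwmapi.dll"}


def _norm(path):
    return path.lower().replace("/", "\\")


def in_system_dir(path):
    d = ntpath.dirname(_norm(path))
    return any(d == s or d.startswith(s + "\\") for s in SYSTEM_DIRS)


def in_user_writable_dir(path):
    p = _norm(path)
    return any(m in p for m in USER_WRITABLE_MARKERS)


def classify(ev):
    """Return the reasons this image load looks like sideloading; [] means none."""
    image, dll = _norm(ev["Image"]), _norm(ev["ImageLoaded"])
    signed = str(ev.get("Signed", "true")).lower() == "true"
    reasons = []
    # Rule 1: a DLL that should come from System32 was mapped from somewhere else.
    if ntpath.basename(dll) in KNOWN_SYSTEM_DLLS and not in_system_dir(dll):
        reasons.append("system DLL name loaded from a non-system path")
    # Rule 2: an unsigned DLL loaded from the same folder as a non-system EXE.
    if ntpath.dirname(image) == ntpath.dirname(dll) and not signed and not in_system_dir(image):
        reasons.append("unsigned DLL loaded from the host EXE's own directory")
    # Context boost: only worth noting when another rule already fired.
    if reasons and in_user_writable_dir(image):
        reasons.append("host EXE runs from a user-writable location")
    return reasons


def scan(events):
    """Return (Image, ImageLoaded, reasons) for every record that trips a rule."""
    return [(ev["Image"], ev["ImageLoaded"], classify(ev))
            for ev in events if classify(ev)]


# Constructed sample records (invented paths and names).
EVENTS = [
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\Invoice_4411\invoice.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\Invoice_4411\version.dll",
     "Signed": "false"},
    {"Image": r"C:\Program Files\VendorApp\app.exe",
     "ImageLoaded": r"C:\Program Files\VendorApp\helper.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for image, dll, reasons in scan(EVENTS):
        print(f"{image} -> {dll}: {'; '.join(reasons)}")
```

Only the record from the Temp folder trips the rules; the same DLL name loaded by Notepad from System32, and a vendor application loading its own signed helper from Program Files, are left alone. In production the signed/unsigned check should also consider whether the signer matches the host executable's signer, which Sysmon exposes in the Signature field.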

Meanwhile, the second campaign uses a different tactic to deliver Formbook. The initial stage is once again a phishing email, but this time the malicious payload is hidden inside JavaScript and PDF files whose code is obfuscated to evade detection.

When executed, the JavaScript drops two image files. These carry PowerShell commands obfuscated within long strings of data, which are ultimately used to run a Windows executable that deploys a custom malware loader.
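The chain just described (mail client, script host, then PowerShell running an obfuscated command) is exactly what WatchGuard means by "PowerShell execution tied to user-opened attachments". As an added example, not WatchGuard's code or anything recovered from the campaign, the block below walks a constructed Sysmon Event ID 1 style process tree, flags PowerShell whose ancestry passes through a script host and a mail or archive client, and decodes a `-EncodedCommand` argument (PowerShell base64-encodes the script as UTF-16LE) so that indicator strings can be matched. The process IDs, paths and the encoded command are all invented; the indicator list is an illustrative assumption.

```python
"""Trace PowerShell back to a user-opened attachment and decode its command line.

Added example, not WatchGuard's code. EVENTS is a constructed process tree in
the shape of Sysmon Event ID 1 (ProcessId, ParentProcessId, Image, CommandLine);
PIDs, paths and the encoded command are invented for illustration.
"""
import base64
import re

# Ancestors that mean a user opened something that arrived by mail or in an archive.
ATTACHMENT_OPENERS = {"outlook.exe", "explorer.exe", "winrar.exe", "7zfm.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Lower-case substrings worth escalating on (illustrative, not exhaustive).
INDICATORS = ("invoke-expression", "iex(", "frombase64string", "downloadstring",
              "readallbytes", "-w hidden", "-windowstyle hidden", "start-process")

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
_ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """Return the plaintext behind -EncodedCommand, or None if there is none."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16le")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Yield image basenames from pid upward until the parent is unknown."""
    by_pid = {e["ProcessId"]: e for e in events}
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        yield basename(by_pid[pid]["Image"])
        pid = by_pid[pid]["ParentProcessId"]


def analyze(events):
    """Return findings for PowerShell launched via a script host from an attachment opener."""
    findings = []
    for e in events:
        if basename(e["Image"]) not in POWERSHELL:
            continue
        chain = list(ancestry(events, e["ProcessId"]))
        if not (any(p in SCRIPT_HOSTS for p in chain)
                and any(p in ATTACHMENT_OPENERS for p in chain)):
            continue
        decoded = decode_encoded_command(e["CommandLine"])
        text = (e["CommandLine"] + " " + (decoded or "")).lower()
        findings.append({"pid": e["ProcessId"], "chain": chain, "decoded": decoded,
                         "indicators": [i for i in INDICATORS if i in text]})
    return findings


# Constructed sample: the encoded command is built here so the example is
# self-contained; it mimics a script that pulls code out of a dropped image.
PLAIN = ("$b=[IO.File]::ReadAllBytes('C:\\Users\\alice\\AppData\\Local\\Temp\\pic1.jpg');"
         "Invoke-Expression ([Text.Encoding]::ASCII.GetString($b).Substring(4096))")
ENCODED = base64.b64encode(PLAIN.encode("utf-16le")).decode("ascii")

EVENTS = [
    {"ProcessId": 100, "ParentProcessId": 1,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "CommandLine": "OUTLOOK.EXE"},
    {"ProcessId": 200, "ParentProcessId": 100,
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\invoice_4411.js"'},
    {"ProcessId": 300, "ParentProcessId": 200,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -w hidden -enc {ENCODED}"},
    {"ProcessId": 400, "ParentProcessId": 1,   # admin-run script, not from an attachment
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f["pid"], " <- ".join(f["chain"]), f["indicators"])
        print("  decoded:", f["decoded"])
```

The admin-launched script with no attachment-opener ancestor produces no finding, while the Outlook to wscript.exe to powershell.exe chain does, with the decoded command exposing the Invoke-Expression and file-read indicators that the base64 blob would otherwise hide from a naive string match.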

Malware previously seen being distributed by this loader includes Remcos, XWorm, AsyncRAT and SmokeLoader. In this instance it is being used to deliver the same Formbook malware as the first phishing campaign.

“Security teams should monitor for suspicious archive-based email attachments, anomalous DLL loading behavior, PowerShell execution tied to user-opened attachments, and signs of manual DLL mapping or direct syscall activity in memory,” advised WatchGuard.

“By correlating these behaviors across the attack chain, organizations can improve their ability to detect and stop FormBook infections before sensitive data is compromised,” the company added.
