FormBook Malware Uses Phishing, DLL Side-Loading, JavaScript
Two distinct phishing campaigns have been identified targeting companies in Greece, Spain, Slovenia, Bosnia and Central American countries to deliver FormBook data-stealing malware. The first campaign uses RAR attachments containing legitimate executables like Sandboxie ImBox.exe, TikTok desktop, Adobe PDF Preview Handler, and XZ Utils, exploiting DLL side-loading with malicious DLL files. The second campaign deploys heavily obfuscated JavaScript that drops encrypted PNG files, uses PowerShell with Base64 encoding, and leverages a custom .NET loader called Mandark to inject the payload into RegAsm process. Both campaigns deliver the same FormBook executable that employs advanced evasion by manually mapping ntdll.dll in memory to bypass user-mode monitoring and perform direct syscalls, enabling credential theft and data collection from browsers while avoiding detection mechanisms.
AI Analysis
Technical Summary
This threat involves two distinct phishing campaigns delivering the FormBook malware, a data-stealing trojan. The first campaign uses RAR archives containing legitimate executables that exploit DLL side-loading to load malicious DLL files. The second campaign uses heavily obfuscated JavaScript to drop encrypted PNG files, then uses Base64-encoded PowerShell scripts and a custom .NET loader named Mandark to inject the malware into the RegAsm process. The FormBook executable employs advanced evasion techniques by manually mapping ntdll.dll in memory to bypass user-mode monitoring and perform direct system calls. This enables the malware to steal credentials and browser data stealthily.
Potential Impact
The malware enables credential theft and data collection from browsers, potentially compromising sensitive information within targeted organizations. The advanced evasion techniques reduce the likelihood of detection by common security tools, increasing the risk of prolonged undetected presence. The campaigns specifically target companies in Greece, Spain, Slovenia, Bosnia, and Central American countries, indicating focused regional targeting.
Mitigation Recommendations
No patch or official remediation is indicated in the provided data. Organizations should focus on user awareness to prevent phishing, monitor for DLL side-loading behaviors, and detect obfuscated JavaScript and suspicious PowerShell activity. Endpoint detection and response solutions should be tuned to identify manual ntdll.dll mapping and direct syscall techniques. Since no vendor advisory or patch information is available, patch status is not yet confirmed — check vendor advisories for updates.
Affected Countries
Greece, Spain, Slovenia, Bosnia, Central American countries
Indicators of Compromise
- hash: 4140d26ecad2fd8a3ea326ee49f5dd8bda3696e0d1ae6e756db6d61d70bf3af4
- hash: 9601283e3153779f5a7e845365fdd87d
- hash: 3d1eaf0777aac4c76ff406b9ecf82af7d045b8f3
- hash: 872116260461fe63dd8664dbfbc7efa0
- hash: 8d79722188d998327dd7edf9924bffe2
- hash: ab0d213d4df3de06bbd2db524fb73282
FormBook Malware Uses Phishing, DLL Side-Loading, JavaScript
Description
Two distinct phishing campaigns have been identified targeting companies in Greece, Spain, Slovenia, Bosnia and Central American countries to deliver FormBook data-stealing malware. The first campaign uses RAR attachments containing legitimate executables like Sandboxie ImBox.exe, TikTok desktop, Adobe PDF Preview Handler, and XZ Utils, exploiting DLL side-loading with malicious DLL files. The second campaign deploys heavily obfuscated JavaScript that drops encrypted PNG files, uses PowerShell with Base64 encoding, and leverages a custom .NET loader called Mandark to inject the payload into RegAsm process. Both campaigns deliver the same FormBook executable that employs advanced evasion by manually mapping ntdll.dll in memory to bypass user-mode monitoring and perform direct syscalls, enabling credential theft and data collection from browsers while avoiding detection mechanisms.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This threat involves two distinct phishing campaigns delivering the FormBook malware, a data-stealing trojan. The first campaign uses RAR archives containing legitimate executables that exploit DLL side-loading to load malicious DLL files. The second campaign uses heavily obfuscated JavaScript to drop encrypted PNG files, then uses Base64-encoded PowerShell scripts and a custom .NET loader named Mandark to inject the malware into the RegAsm process. The FormBook executable employs advanced evasion techniques by manually mapping ntdll.dll in memory to bypass user-mode monitoring and perform direct system calls. This enables the malware to steal credentials and browser data stealthily.
Potential Impact
The malware enables credential theft and data collection from browsers, potentially compromising sensitive information within targeted organizations. The advanced evasion techniques reduce the likelihood of detection by common security tools, increasing the risk of prolonged undetected presence. The campaigns specifically target companies in Greece, Spain, Slovenia, Bosnia, and Central American countries, indicating focused regional targeting.
Mitigation Recommendations
No patch or official remediation is indicated in the provided data. Organizations should focus on user awareness to prevent phishing, monitor for DLL side-loading behaviors, and detect obfuscated JavaScript and suspicious PowerShell activity. Endpoint detection and response solutions should be tuned to identify manual ntdll.dll mapping and direct syscall techniques. Since no vendor advisory or patch information is available, patch status is not yet confirmed — check vendor advisories for updates.
Affected Countries
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://www.watchguard.com/wgrd-security-hub/secplicity-blog/formbook-malware-analysis-phishing-campaigns-use-dll-side-loading"]
- Adversary
- null
- Pulse Id
- 69e8c267419390d6722afdd5
- Threat Score
- null
Indicators of Compromise
Hash
| Value | Description | Copy |
|---|---|---|
hash4140d26ecad2fd8a3ea326ee49f5dd8bda3696e0d1ae6e756db6d61d70bf3af4 | — | |
hash9601283e3153779f5a7e845365fdd87d | — | |
hash3d1eaf0777aac4c76ff406b9ecf82af7d045b8f3 | — | |
hash872116260461fe63dd8664dbfbc7efa0 | — | |
hash8d79722188d998327dd7edf9924bffe2 | — | |
hashab0d213d4df3de06bbd2db524fb73282 | — |
Threat ID: 69e8e9b919fe3cd2cdc882b4
Added to database: 4/22/2026, 3:31:05 PM
Last enriched: 4/22/2026, 3:46:24 PM
Last updated: 4/23/2026, 1:06:22 AM
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.