Formbook Malware Campaign Uses Multiple Obfuscation Techniques

https://www.infosecurity-magazine.com/news/formbook-malware-multiple/

Publish Date: 2026-04-20 11:01:00

Source Domain: www.infosecurity-magazine.com

Two phishing campaigns, each using a different stealthy infection technique, are targeting organizations with attacks that aim to deliver data-stealing malware to devices running Microsoft Windows.

The goal of both campaigns is to install Formbook, a notorious infostealer that has been offered through malware-as-a-service schemes since 2016.

The infostealer is designed to gather sensitive information, including login credentials, browser data and screenshots, and is equipped with advanced evasion techniques to avoid detection.

Ten years on from its initial release, Formbook remains an active cyber threat to organizations across a range of industries, with no sign of slowing down.

Threat researchers at WatchGuard have detailed at least two new Formbook campaigns.

As detailed in a blog post published on April 20, the Formbook campaigns have been spotted targeting companies in Greece, Spain, Slovenia, Bosnia, Croatia and a range of South American countries. The phishing lures appear to be disguised as common types of business email.

“What makes these campaigns especially noteworthy is not just the malware itself, but the diversity of methods used to evade detection and abuse legitimate software and trusted system processes,” said WatchGuard.

DLL Sideloading and Obfuscated JavaScript

Both Formbook campaigns begin with phishing emails but use different methods to hide and deliver the malware payload: one uses dynamic-link library (DLL) sideloading, while the other uses obfuscated JavaScript.

The first campaign begins with a phishing email carrying a RAR archive that contains four files: three DLLs and one Windows executable (EXE).

By using DLL sideloading, a technique in which attackers trick a legitimate program into loading a malicious DLL in place of the one it expects, the attackers can run their payload while avoiding the system identifying…
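One defender-side way to hunt for the sideloading shape described above, added here as an example and not code from WatchGuard or the article: it scans Sysmon-style ImageLoad (Event ID 7) records for a DLL that a program resolved from its own directory under a user-writable path and that carries no valid signature. The field names follow Sysmon's Event ID 7 schema; the sample records, paths and file names are constructed assumptions.

```python
import json
from pathlib import PureWindowsPath

# Path fragments for locations a standard user can write to. A legitimate,
# signed EXE that resolves a DLL from one of these instead of from its own
# install directory or System32 is the classic sideloading shape.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")

# Constructed sample records shaped like Sysmon Event ID 7 (ImageLoad) fields;
# illustrative only, not telemetry from the campaign the article describes.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\Rar$DI\Invoice.exe",
     "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\Rar$DI\VERSION.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\Rar$DI\Invoice.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Vendor\Viewer.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
])

def sideload_reasons(event):
    """Return why an ImageLoad record looks like DLL sideloading (empty = benign)."""
    exe = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    if dll.suffix.lower() != ".dll":
        return []
    reasons = []
    # Core signal: the EXE resolved the DLL from its own directory, i.e. the
    # search order picked the file dropped beside it before any system copy.
    if exe.parent == dll.parent and any(w in str(dll).lower() for w in USER_WRITABLE):
        reasons.append("dll loaded from exe's directory in a user-writable path")
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("dll unsigned or signature invalid")
    # Both together is the high-confidence case; either one alone is mostly noise.
    return reasons if len(reasons) == 2 else []

def find_sideload_candidates(log_text):
    """Parse JSON-lines ImageLoad records; return (dll path, reasons) for each hit."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            event = json.loads(line)
            reasons = sideload_reasons(event)
            if reasons:
                hits.append((event["ImageLoaded"], reasons))
    return hits

if __name__ == "__main__":
    for dll, why in find_sideload_candidates(SAMPLE_LOG):
        print(dll, "->", "; ".join(why))
```

On the constructed input only the VERSION.dll load beside Invoice.exe in the temp directory is flagged; the System32 and Program Files loads pass.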