www.infosecurity-magazine.com 4/20/2026, 3:07:50 PM · via preferred

Phishing attacks use stealthy tricks to spread Formbook malware


Two phishing campaigns targeting organisations running Microsoft Windows use different stealthy infection techniques to deliver Formbook, a long‑running infostealer, with campaigns observed in Greece, Spain, Slovenia, Bosnia, Croatia and various South American countries. One campaign uses DLL sideloading via a phishing email that contains a RAR file with four files, three of which are DLLs and one a Windows executable.

The other campaign relies on obfuscated JavaScript and PDF files in phishing messages, dropping two image files that conceal PowerShell commands, ultimately loading a Windows executable that deploys a custom malware loader. This loader has previously been associated with other malware families including Remcos, XWorm, AsyncRAT and SmokeLoader, with the same Formbook payload delivered in this instance.

Security teams should monitor for suspicious archive‑based email attachments, anomalous DLL loading behaviour, PowerShell execution tied to user‑opened attachments, and signs of manual DLL mapping or direct syscall activity in memory, according to WatchGuard. By correlating these behaviours across the attack chain, organisations can improve their ability to detect and stop FormBook infections before sensitive data is compromised.
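The monitoring advice above can be sketched as a small triage script. This is an added example, not code from the article or from WatchGuard; the event field names, marker lists, host names and file paths are all constructed assumptions and would need mapping to your own EDR or Sysmon schema.

```python
from pathlib import PureWindowsPath

# Assumed marker lists for illustration; tune to your environment.
USER_WRITABLE = ("\\appdata\\", "\\downloads\\", "\\temp\\")
SCRIPT_PARENTS = {"wscript.exe", "cscript.exe", "acrord32.exe", "acrobat.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

def archive_sideload_layout(names):
    """True when an attachment's file listing bundles an EXE with DLLs."""
    exts = [PureWindowsPath(n).suffix.lower() for n in names]
    return ".exe" in exts and ".dll" in exts

def detect(events):
    """Return (rule, host) pairs for the two behaviours described above."""
    findings = []
    for e in events:
        image = PureWindowsPath(e["image"])
        if e["type"] == "image_load":
            dll = PureWindowsPath(e["loaded"])
            in_user_dir = any(m in e["loaded"].lower() for m in USER_WRITABLE)
            # Heuristic: DLL loaded from the same user-writable folder as its EXE.
            if in_user_dir and dll.parent == image.parent:
                findings.append(("dll_sideload", e["host"]))
        elif e["type"] == "process_create":
            parent = PureWindowsPath(e["parent"]).name.lower()
            # PowerShell started by a script host or PDF reader.
            if image.name.lower() in POWERSHELL and parent in SCRIPT_PARENTS:
                findings.append(("script_spawned_powershell", e["host"]))
    return findings

# Constructed sample telemetry (hypothetical hosts and paths).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"type": "image_load", "host": "ws-01",
     "image": r"C:\Users\ana\AppData\Local\Temp\inv\viewer.exe",
     "loaded": r"C:\Users\ana\AppData\Local\Temp\inv\helper.dll"},
    {"type": "image_load", "host": "ws-01",
     "image": r"C:\Program Files\App\app.exe",
     "loaded": r"C:\Windows\System32\version.dll"},
    {"type": "process_create", "host": "ws-02", "image": PS,
     "parent": r"C:\Windows\System32\wscript.exe"},
    {"type": "process_create", "host": "ws-03", "image": PS,
     "parent": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Legitimate software installed under a user profile also loads DLLs from its own folder, so treat a `dll_sideload` hit as a lead to correlate with a recent email attachment rather than as a verdict.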


Article by CyberSIXT