Formbook Malware Campaign Uses Multiple Obfuscation Techniques to Avoid Detection

Formbook has matured from a 2016 malware‑as‑a‑service offering into a resilient infostealer that remains attractive to cybercriminals. Its core capabilities—stealing login credentials, browser histories, and screen captures—make it a high‑value tool for credential‑flooding and espionage operations. Over the past decade, the malware’s codebase has been continuously refined, allowing operators to lease it on underground markets and integrate it with other payloads such as Remcos and AsyncRAT. This longevity reflects a broader trend where threat actors favor proven, modular tools that can be quickly re‑packaged for new campaigns.

The latest WatchGuard findings reveal two distinct infection chains. The first relies on DLL sideloading, where a seemingly innocuous RAR file delivers three malicious DLLs and an executable that hijacks a trusted Windows process. By masquerading as a legitimate library, the payload evades many signature‑based scanners. The second chain embeds heavily obfuscated JavaScript within PDF and image files; once opened, the script drops additional images that contain encoded PowerShell commands, which finally execute a custom loader to install Formbook. Both techniques exploit user‑initiated actions and the trust placed in common file types, complicating traditional email security controls.

For defenders, the takeaway is clear: static file analysis alone is insufficient. Organizations should implement behavior‑based monitoring that flags anomalous DLL loading patterns, unexpected PowerShell execution tied to user‑opened attachments, and the presence of archive‑based email payloads. Correlating these indicators across the attack lifecycle can surface hidden infections before data exfiltration occurs. Moreover, threat‑intelligence sharing about evolving Formbook tactics enables faster rule updates and more effective endpoint detection and response (EDR) strategies, helping to curb the malware’s impact on global enterprises.