[π½TA] UAC-0041 (π΄): Used with Formbook as loader
FormBook
FormBook, also widely associated with the XLoader lineage, is a long-running Windows information-stealing malware family sold through a malware-as-a-service model and frequently used in commodity cybercrime campaigns.
Profile source: Mallory opens in a new tabFormBook
Family profile
FormBook, also widely associated with the XLoader lineage, is a long-running Windows information-stealing malware family sold through a malware-as-a-service model and frequently used in commodity cybercrime campaigns. It is best known for harvesting sensitive data from infected systems, including keystrokes, clipboard contents, and data entered into web forms, and it has repeatedly appeared in large-scale malspam operations as well as more selective spearphishing activity.
FormBook is commonly delivered through phishing emails carrying malicious attachments such as ZIP archives, script files, Office documents, or batch files. It has also been observed in campaigns using malvertising and multi-stage loader chains, including delivery through HTA, VBScript, PowerShell, AutoIt, steganographic payload concealment, and image-embedded stages. Other malware loaders and distribution services have also been used to deploy it, including GuLoader and PhantomVAI Loader. In targeted operations, FormBook has been delivered through business-themed phishing lures aimed at sectors such as maritime shipping and related supply-chain organizations.
On execution, FormBook uses layered obfuscation and staged unpacking to hinder analysis. Observed samples have used Base64 encoding, decompression and reversal logic, embedded PE extraction, and .NET-based intermediate loaders. Related delivery ecosystems and neighboring tooling have shown process injection and process hollowing techniques, and FormBook tradecraft has been associated with use of legitimate Windows processes for stealthy execution. The malware ultimately functions as an infostealer focused on collecting user input and system data and transmitting stolen information to attacker-controlled infrastructure, including exfiltration via SMTP in some samples.
FormBook remains prevalent in global credential-theft and surveillance-oriented malware campaigns and is often clustered operationally with families such as Agent Tesla, Remcos, LokiBot, AsyncRAT, XWorm, and other commodity stealers and RATs. It has been observed in campaigns targeting organizations and users across multiple regions, including Italy through recurring malspam waves and South Korea in maritime-themed spearphishing. Its longevity, flexible delivery through third-party loaders, and continued use by both broad and targeted phishing operators have made it one of the most persistent infostealer families in the criminal ecosystem.
Capabilities
- Credential Theft
- Exfiltration
- Keylogging
Reported operators
Threat actors
5 named in public reporting[π½TA] UAC-0041 (π΄): Used with Formbook as loader
"...families of RATs and infostealers. These included Lokibot, Betabot, Formbook, and AgentTesla."
...Deploy Formbook Malware in Eurasian Cyberattacks
...Deploy Formbook Malware in Eurasian Cyberattacks
Exploited software
Vulnerabilities linked to FormBook
5 CVEsMITRE ATT&CK
FormBook in ATT&CK
89 distinct techniquesTechniques
89 techniquesReporting
Research mentioning FormBook
Still Circling: Blind Eagle's Toolkit Keeps Evolving
a commented-out line in that final stage: #XLOADER ... is a builder artifact, suggesting that this RunPE template was copied or licensed from the XLoader/FormBook loader ecosystem
ClickFix: Exploiting Compromised WordPress Sites with a Polygon-Based C2 Infrastructure | Community Portal | Gurucul
FormBook7
Millenium: A RAT Rewritten, a Threat Multiplied | Community Portal | Gurucul
FormBook7
RedLine C2 Pivot Reveals Seven Fraudulent Domains Used in Maritime Phishing Attacks
Pivoting on that port number, combined with server banner information, led researchers to additional RedLine and Formbook command and control nodes sharing the same infrastructure style.
AsyncRAT and Remcos Delivered in Multi-Stage Phishing Campaign
LevelBlue SpiderLabs has identified this campaign delivering Remcos and AsyncRAT, but it is likely that it also distributes other malware families, such as FormBook and Lumma.
A single RedLine C2 from UniqueSignal pivots into a maritime spear-phishing cluster and attacker-owned infrastructure.
The emails carried attached ZIP files which delivered Formbook, a long-running form-grabber and infostealer also sold as MaaS.
Malicious GST Debit Note Attachment Deploys Remcos RAT Through Multi-Stage Loader
Further investigation revealed that similar samples linked to the same infrastructure were also delivering Agent Tesla, Phantom Stealer, Dark Cloud, Red Line Stealer, MassLogger variants, Formbook, xworm, and Snake keyloggers.
News - Malware & Hoax - TG Soft Cyber Security Specialist
This week was characterised by Password Stealers from the following families: AgentTesla, FormBook, Cloud_Extension, PureHVNC and Remcos.