Skip to content
Malware family Windows

FormBook

FormBook, also widely associated with the XLoader lineage, is a long-running Windows information-stealing malware family sold through a malware-as-a-service model and frequently used in commodity cybercrime campaigns.

Profile source: Mallory opens in a new tab

FormBook

Family profile

FormBook, also widely associated with the XLoader lineage, is a long-running Windows information-stealing malware family sold through a malware-as-a-service model and frequently used in commodity cybercrime campaigns. It is best known for harvesting sensitive data from infected systems, including keystrokes, clipboard contents, and data entered into web forms, and it has repeatedly appeared in large-scale malspam operations as well as more selective spearphishing activity.

FormBook is commonly delivered through phishing emails carrying malicious attachments such as ZIP archives, script files, Office documents, or batch files. It has also been observed in campaigns using malvertising and multi-stage loader chains, including delivery through HTA, VBScript, PowerShell, AutoIt, steganographic payload concealment, and image-embedded stages. Other malware loaders and distribution services have also been used to deploy it, including GuLoader and PhantomVAI Loader. In targeted operations, FormBook has been delivered through business-themed phishing lures aimed at sectors such as maritime shipping and related supply-chain organizations.

On execution, FormBook uses layered obfuscation and staged unpacking to hinder analysis. Observed samples have used Base64 encoding, decompression and reversal logic, embedded PE extraction, and .NET-based intermediate loaders. Related delivery ecosystems and neighboring tooling have shown process injection and process hollowing techniques, and FormBook tradecraft has been associated with use of legitimate Windows processes for stealthy execution. The malware ultimately functions as an infostealer focused on collecting user input and system data and transmitting stolen information to attacker-controlled infrastructure, including exfiltration via SMTP in some samples.

FormBook remains prevalent in global credential-theft and surveillance-oriented malware campaigns and is often clustered operationally with families such as Agent Tesla, Remcos, LokiBot, AsyncRAT, XWorm, and other commodity stealers and RATs. It has been observed in campaigns targeting organizations and users across multiple regions, including Italy through recurring malspam waves and South Korea in maritime-themed spearphishing. Its longevity, flexible delivery through third-party loaders, and continued use by both broad and targeted phishing operators have made it one of the most persistent infostealer families in the criminal ecosystem.

Capabilities

  • Credential Theft
  • Exfiltration
  • Keylogging

Reported operators

Threat actors

5 named in public reporting
TA558

[πŸ‘½TA] UAC-0041 (🏴): Used with Formbook as loader

UAC-0041

[πŸ‘½TA] UAC-0041 (🏴): Used with Formbook as loader

RATicate

"...families of RATs and infostealers. These included Lokibot, Betabot, Formbook, and AgentTesla."

Exploited software

Vulnerabilities linked to FormBook

5 CVEs

MITRE ATT&CK

FormBook in ATT&CK

89 distinct techniques

Techniques

89 techniques
T1566 Phishing T1566.001 Spearphishing Attachment T1106 Native API T1082 System Information Discovery T1027.003 Steganography T1115 Clipboard Data T1140 Deobfuscate/Decode Files or Information T1056.003 Web Portal Capture T1056.001 Keylogging T1497.001 System Checks T1041 Exfiltration Over C2 Channel T1027 Obfuscated Files or Information T1218 System Binary Proxy Execution T1055 Process Injection T1105 Ingress Tool Transfer T1204.002 Malicious File T1555.003 Credentials from Web Browsers T1129 Shared Modules T1204 User Execution T1071.001 Web Protocols T1036 Masquerading T1583 Acquire Infrastructure T1598 Phishing for Information T1071 Application Layer Protocol T1568 Dynamic Resolution T1001 Data Obfuscation T1622 Debugger Evasion T1059.001 PowerShell T1127.001 MSBuild T1055.012 Process Hollowing T1059 Command and Scripting Interpreter T1560 Archive Collected Data T1047 Windows Management Instrumentation T1053.005 Scheduled Task T1001.002 Steganography T1555 Credentials from Password Stores T1547.001 Registry Run Keys / Startup Folder T1059.007 JavaScript T1036.005 Match Legitimate Resource Name or Location T1620 Reflective Code Loading T1497 Virtualization/Sandbox Evasion T1203 Exploitation for Client Execution T1112 Modify Registry T1547 Boot or Logon Autostart Execution T1614.001 System Language Discovery T1070.004 File Deletion T1566.002 Spearphishing Link T1027.013 Encrypted/Encoded File T1056.004 Credential API Hooking T1033 System Owner/User Discovery T1562 Impair Defenses T1113 Screen Capture T1059.005 Visual Basic T1185 Browser Session Hijacking T1059.003 Windows Command Shell T1027.007 Dynamic API Resolution T1564.001 Hidden Files and Directories T1562.006 Indicator Blocking T1574 Hijack Execution Flow T1205 Traffic Signaling T1090 Proxy T1074.001 Local Data Staging T1059.010 AutoHotKey & AutoIT T1027.001 Binary Padding T1583.006 Web Services T1562.001 Disable or Modify Tools T1102 Web Service T1132 Data Encoding T1057 Process Discovery T1583.001 Domains T1564.003 Hidden Window T1027.002 Software Packing T1027.010 Command Obfuscation T1055.002 Portable Executable Injection T1102.001 Dead Drop Resolver T1560.001 Archive via Utility T1497.003 Time Based Checks T1539 Steal Web Session Cookie T1036.004 Masquerade Task or Service T1583.004 Server T1189 Drive-by Compromise T1027.009 Embedded Payloads T1218.011 Rundll32 T1529 System Shutdown/Reboot T1055.009 Proc Memory T1573 Encrypted Channel T1053 Scheduled Task/Job T1568.002 Domain Generation Algorithms T1055.004 Asynchronous Procedure Call

Reporting

Research mentioning FormBook

Jul 17
Levelblue Spiderlabs

Still Circling: Blind Eagle's Toolkit Keeps Evolving

a commented-out line in that final stage: #XLOADER ... is a builder artifact, suggesting that this RunPE template was copied or licensed from the XLoader/FormBook loader ecosystem

Jul 14
Gurucul Threat Research

ClickFix: Exploiting Compromised WordPress Sites with a Polygon-Based C2 Infrastructure | Community Portal | Gurucul

FormBook7

Jul 7
Gurucul Threat Research

Millenium: A RAT Rewritten, a Threat Multiplied | Community Portal | Gurucul

FormBook7

Jul 6
Cyber Security News

RedLine C2 Pivot Reveals Seven Fraudulent Domains Used in Maritime Phishing Attacks

Pivoting on that port number, combined with server banner information, led researchers to additional RedLine and Formbook command and control nodes sharing the same infrastructure style.

Jul 2
Levelblue Spiderlabs

AsyncRAT and Remcos Delivered in Multi-Stage Phishing Campaign

LevelBlue SpiderLabs has identified this campaign delivering Remcos and AsyncRAT, but it is likely that it also distributes other malware families, such as FormBook and Lumma.

Jun 30
Vmray

A single RedLine C2 from UniqueSignal pivots into a maritime spear-phishing cluster and attacker-owned infrastructure.

The emails carried attached ZIP files which delivered Formbook, a long-running form-grabber and infostealer also sold as MaaS.

Jun 22
Cyber Security News

Malicious GST Debit Note Attachment Deploys Remcos RAT Through Multi-Stage Loader

Further investigation revealed that similar samples linked to the same infrastructure were also delivering Agent Tesla, Phantom Stealer, Dark Cloud, Red Line Stealer, MassLogger variants, Formbook, xworm, and Snake keyloggers.

Jun 8
Virit

News - Malware & Hoax - TG Soft Cyber Security Specialist

This week was characterised by Password Stealers from the following families: AgentTesla, FormBook, Cloud_Extension, PureHVNC and Remcos.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.