Two separate phishing campaigns are hitting organisations with Formbook, a long-running information stealer that continues to adapt its delivery methods to slip past traditional Windows defences. The latest activity shows attackers pairing ordinary email lures with layered obfuscation, trusted system tools and DLL side-loading, giving a familiar malware family fresh room to operate inside corporate environments.
Stealthy Formbook waves target Windows users
Security researchers tracking the campaigns say each attack chain uses a different infection route, but both are designed to end in the same outcome: the quiet delivery of credential-stealing malware to Microsoft Windows devices. One path centres on obfuscated JavaScript delivered through a phishing email and compressed archive. After execution, the script copies files into public directories, sets up a scheduled task for persistence, launches PowerShell, decrypts hidden data and injects a malicious .NET DLL into MSBuild.exe, a legitimate Microsoft build utility, before the final Formbook payload is deployed. The chain also tampers with ETW and AMSI, two Windows monitoring and anti-malware interfaces, making detection harder for defenders relying on standard telemetry.
The second path relies on DLL side-loading, a technique that abuses the way Windows applications load dynamic-link libraries. When a program loads a DLL by name rather than by fully qualified path, Windows searches a defined sequence of directories, starting with the directory the application itself was launched from. An attacker who copies a legitimate, often signed, executable into a writable folder and places a malicious DLL of the expected name beside it gets that rogue file loaded instead of the genuine library. The malicious code then runs inside a trusted process, which reduces suspicion and helps the malware blend into normal activity.
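To make the search-order point concrete, here is an added Python model (not from the campaign analysis or from any vendor tooling) of the default LoadLibrary search order, run against a constructed set of files so it executes on any OS. The directory layout, the small KnownDLLs subset and the `version.dll` scenario are assumptions for the demo; it also shows the SafeDllSearchMode caveat that the side-loading description above leaves out.

```python
"""Model of the default Windows DLL search order, to show why a DLL dropped
next to a trusted executable is what the process actually loads."""
from pathlib import PureWindowsPath

SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")
SYSTEM_DIRS = [SYSTEM32, PureWindowsPath(r"C:\Windows\System"), PureWindowsPath(r"C:\Windows")]

# Constructed subset of the KnownDLLs list: these are always mapped from
# System32 and never resolved through the directory search.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll"}


def search_order(app_dir, cwd, path_dirs, safe_search=True):
    """Directories LoadLibrary consults, in order, for an unqualified DLL name.
    safe_search=True mirrors SafeDllSearchMode (the default); when it is off
    the current directory is searched right after the application directory."""
    order = [PureWindowsPath(app_dir)]
    if safe_search:
        order += SYSTEM_DIRS + [PureWindowsPath(cwd)]
    else:
        order += [PureWindowsPath(cwd)] + SYSTEM_DIRS
    return order + [PureWindowsPath(p) for p in path_dirs]


def resolve(dll_name, present_files, app_dir, cwd, path_dirs, safe_search=True):
    """Return the path Windows would load, or None. present_files is the set of
    files that exist: a constructed filesystem so the model runs on any OS."""
    name = dll_name.lower()
    if name in KNOWN_DLLS:
        return SYSTEM32 / name
    present = {str(PureWindowsPath(p)).lower() for p in present_files}
    for directory in search_order(app_dir, cwd, path_dirs, safe_search):
        candidate = directory / name
        if str(candidate).lower() in present:
            return candidate
    return None


def sideload_check(exe_path, dll_name, present_files, path_dirs, cwd=None, safe_search=True):
    """Flag a side-loading/hijack candidate: the DLL the executable would load
    is not the copy in System32."""
    exe = PureWindowsPath(exe_path)
    loaded = resolve(dll_name, present_files, exe.parent, cwd or exe.parent, path_dirs, safe_search)
    return {"loaded_from": loaded, "shadowed": loaded is not None and loaded != SYSTEM32 / dll_name.lower()}


# Constructed scenario: a signed updater copied to a public folder with a
# rogue version.dll placed beside it (the side-loading path described above).
FS = {
    r"C:\Windows\System32\version.dll",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Users\Public\updater\legit.exe",
    r"C:\Users\Public\updater\version.dll",
    r"C:\Users\Public\Downloads\version.dll",
}
PATH_DIRS = [r"C:\Windows\System32", r"C:\Windows"]


def demo():
    return {
        # rogue DLL beside the exe wins because the app directory is searched first
        "beside_exe": sideload_check(r"C:\Users\Public\updater\legit.exe", "version.dll", FS, PATH_DIRS),
        # KnownDLLs never go through the search, so they cannot be shadowed this way
        "known_dll": sideload_check(r"C:\Users\Public\updater\legit.exe", "kernel32.dll", FS, PATH_DIRS),
        # exe in a clean directory, attacker-controlled current directory: safe search protects it
        "cwd_safe": sideload_check(r"C:\Program Files\Vendor\tool.exe", "version.dll", FS, PATH_DIRS,
                                   cwd=r"C:\Users\Public\Downloads", safe_search=True),
        # with SafeDllSearchMode disabled the current directory is consulted before System32
        "cwd_unsafe": sideload_check(r"C:\Program Files\Vendor\tool.exe", "version.dll", FS, PATH_DIRS,
                                     cwd=r"C:\Users\Public\Downloads", safe_search=False),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:11} shadowed={result['shadowed']!s:5} loaded_from={result['loaded_from']}")
```

The practical takeaway from the model is that the application directory is consulted before System32 regardless of SafeDllSearchMode, so a writable folder that contains a legitimate executable is a side-loading site by construction; auditing for non-system DLLs sitting next to signed binaries in user-writable paths is the check this suggests.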
That matters because Formbook has never needed cutting-edge novelty to remain dangerous. First identified in 2016, it has built a durable reputation as a malware-as-a-service tool sold on underground forums and repeatedly repackaged for mass phishing. Its core business model is simple: steal credentials, keystrokes, clipboard contents and other sensitive data from infected machines, then exfiltrate that data to command infrastructure controlled by the attacker. Over time, it has also been linked to downloader functions, process injection, encrypted communications and a variety of persistence mechanisms.
The appeal to cybercriminals is straightforward. Formbook remains relatively cheap, widely understood and effective against organisations that still depend heavily on email attachments, archive files and user-triggered execution. Its operators do not need to break new ground when they can wrap an established infostealer in fresh delivery layers. That pattern has shown up repeatedly in the wider threat landscape, where established malware families are being paired with increasingly evasive loaders, encrypted delivery channels and abuse of legitimate Windows tools.
The broader backdrop is not encouraging for defenders. WatchGuard’s latest threat reporting said new malware rose every quarter in 2025 and then jumped 1,548% from the third quarter to the fourth. It also said 23% of detected malware evaded traditional signature-based detection and that 96% of blocked malware arrived over TLS-encrypted connections. Those figures help explain why campaigns built around obfuscated scripts, living-off-the-land binaries and hidden payloads continue to prosper even when the malware family itself is well known.
For security teams, the operational lesson is that attachment filtering on its own is no longer enough. Analysts tracking the JavaScript-led chain said defenders should watch for untrusted scripts running from user-accessible folders, unusual scheduled tasks, suspicious PowerShell execution, abuse of MSBuild.exe, DLL injection behaviour and any attempts to patch or disable ETW and AMSI. Behaviour-based monitoring, endpoint detection and response, and tighter controls over scripting engines and developer utilities are becoming more important than simple hash or signature matching.
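As an added example, not taken from the researchers' report, the following Python triage applies the behavioural checks listed above to a handful of constructed process-creation events shaped like Sysmon Event ID 1 records, reproducing the script host, scheduled task, PowerShell and MSBuild.exe stages of the JavaScript chain described earlier. The field names, the developer-parent allow-list and the sample command lines are assumptions for the demo, and the AMSI/ETW rule only catches tampering that leaks onto the command line; in-memory patching needs hooking or memory telemetry that process events alone do not provide.

```python
"""Behavioural triage of process-creation events for the Formbook-style
chain: script host -> schtasks -> PowerShell -> MSBuild.exe.
Event fields mirror Sysmon Event ID 1, but every record here is constructed."""
import re
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Folders a standard user can write to; a script launched from here is untrusted by default.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Parents that legitimately spawn MSBuild.exe (assumption for the demo; tune per estate).
DEV_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe", "nuget.exe"}
# Identifiers that appear when tooling tries to disable AMSI/ETW from a command line.
TAMPER_MARKERS = ("amsiinitfailed", "amsiscanbuffer", "amsiutils", "etweventwrite", "nttraceevent")


def _name(path):
    return PureWindowsPath(path).name.lower()


def _from_user_writable(cmd):
    return any(prefix in cmd for prefix in USER_WRITABLE)


def triage(events):
    """Return one finding per (event, rule) pair; an empty list means nothing matched."""
    findings = []
    for e in events:
        img, parent = _name(e["image"]), _name(e["parent_image"])
        cmd = e["command_line"].lower()
        hits = []
        if img in SCRIPT_HOSTS and re.search(r"\.(js|jse|vbs|wsf)\b", cmd) and _from_user_writable(cmd):
            hits.append("script host running a script from a user-writable folder")
        if img == "schtasks.exe" and "/create" in cmd and parent in SCRIPT_HOSTS | SHELLS:
            hits.append("scheduled task created by a script host or shell")
        if img in {"powershell.exe", "pwsh.exe"} and (
            parent in SCRIPT_HOSTS
            or re.search(r"-(e|enc|encodedcommand)\b", cmd)
            or "frombase64string" in cmd
            or re.search(r"-w(indowstyle)?\s+hidden", cmd)
        ):
            hits.append("suspicious PowerShell (script-host parent, encoded or hidden)")
        if img == "msbuild.exe" and parent not in DEV_PARENTS:
            hits.append("MSBuild.exe launched by a non-developer parent")
        if any(marker in cmd for marker in TAMPER_MARKERS):
            hits.append("command line references AMSI/ETW internals")
        findings.extend({"pid": e["pid"], "image": img, "parent": parent, "rule": h} for h in hits)
    return findings


# Constructed events: four stages of the malicious chain plus two benign baselines.
SAMPLE_EVENTS = [
    {"pid": 1201, "image": r"C:\Windows\System32\wscript.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'wscript.exe "C:\Users\Public\Documents\Invoice_4471.js"'},
    {"pid": 1210, "image": r"C:\Windows\System32\schtasks.exe", "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'schtasks.exe /create /sc minute /mo 15 /tn "SysUpdate" /tr "wscript.exe C:\Users\Public\Documents\Invoice_4471.js"'},
    {"pid": 1222, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"pid": 1230, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"MSBuild.exe C:\Users\Public\Libraries\build.xml"},
    # benign: a real build and an admin script; neither should produce a finding
    {"pid": 2001, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "command_line": r"MSBuild.exe App.csproj /t:Build"},
    {"pid": 2002, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\inventory.ps1"},
]


def run_demo():
    return triage(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_demo():
        print(f"pid={f['pid']} {f['parent']} -> {f['image']}: {f['rule']}")
```

Each rule on its own is noisy; what makes the chain stand out is that the four flagged processes share a lineage within a short window, so in production these findings should be correlated on parent/child relationships and time rather than alerted on individually.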
User awareness still matters, but the burden cannot sit only with employees opening email. Many Formbook campaigns are designed to look routine, businesslike and unremarkable, often using compressed files, invoice-style lures or common document formats to coax a click. Once launched, the malware chain moves quickly into areas of the system that can appear legitimate to less mature security stacks. That makes layered defence, stricter execution policies and faster isolation of suspicious endpoints essential, especially in sectors where stolen credentials can be converted rapidly into financial fraud, follow-on intrusion or wider compromise.
Also published on Medium.