Formbook Infostealer Campaigns Use DLL Sideloading and Obfuscated JavaScript to Evade Detection
Two active phishing campaigns are delivering the Formbook infostealer to Windows systems using DLL sideloading via RAR attachments and obfuscated JavaScript hidden in PDF files, targeting organizations across Europe and South America.

Two distinct phishing campaigns are actively distributing the Formbook infostealer to Windows systems, employing layered evasion techniques to bypass security controls. Researchers at WatchGuard have detailed the campaigns in a blog post published on April 20, noting that the attacks target organizations in Greece, Spain, Slovenia, Bosnia, Croatia, and several South American countries. The phishing lures are disguised as common business correspondence, making them difficult for recipients to identify as malicious.
Formbook is a well-established infostealer that has been available as a malware-as-a-service offering since 2016. It is designed to harvest sensitive information including login credentials, browser data, and screenshots. The malware also incorporates advanced evasion techniques to avoid detection by antivirus and endpoint protection solutions. Despite being a decade old, Formbook remains a persistent threat across multiple industries.
The first campaign begins with a phishing email containing a RAR archive. Inside the archive are four files: three dynamic-link libraries (DLLs) and one Windows executable (EXE). The attackers use DLL sideloading, a technique in which a legitimate (often signed) executable is placed next to a malicious DLL that carries the name of a library it expects to load, so the program loads the attacker's DLL instead of the genuine one. The malicious payload then runs inside a trusted process, so controls that judge only the launched executable see nothing out of the ordinary.
The second campaign employs a different infection chain. The initial phishing email contains JavaScript and PDF files that use heavily obfuscated code to hide their malicious intent. When the JavaScript is executed, it drops two image files, which in turn carry PowerShell commands embedded within long strings of obfuscated code. These PowerShell commands ultimately run a Windows executable that deploys a custom malware loader. This same loader has previously been used to distribute other malware families, including Remcos, XWorm, AsyncRAT, and SmokeLoader.
WatchGuard researchers emphasized the diversity of techniques used in these campaigns. "What makes these campaigns especially noteworthy is not just the malware itself, but the diversity of methods used to evade detection and abuse legitimate software and trusted system processes," the company stated. The use of both DLL sideloading and obfuscated scripts demonstrates the attackers' intent to bypass traditional signature-based detection methods.
The impact of these campaigns is significant, as Formbook can exfiltrate a wide range of sensitive data from compromised systems. Organizations in the targeted regions should be particularly vigilant. WatchGuard advised security teams to monitor for suspicious archive-based email attachments, anomalous DLL loading behavior, PowerShell execution tied to user-opened attachments, and signs of manual DLL mapping or direct syscall activity in memory. "By correlating these behaviors across the attack chain, organizations can improve their ability to detect and stop FormBook infections before sensitive data is compromised," the company added.
These campaigns highlight the ongoing threat posed by commodity malware that has been available for years. While new malware families often capture headlines, established threats like Formbook continue to evolve their delivery mechanisms to remain effective. Organizations should ensure that their security controls are configured to detect the specific techniques used in these campaigns, including DLL sideloading and obfuscated script execution.