Skip to main content
CybersecuritySocial Engineering

Formbook: Exclusive Devastating Phishing Risk

Formbook: Exclusive Devastating Phishing Risk

What links a small biotech lab in Minsk, a midsize tour operator in Almaty and a regional trading firm in Yekaterinburg? In recent months those disparate organizations — along with dozens of other targets across Belarus, Kazakhstan and Russia — were recipients of carefully crafted phishing messages that delivered a familiar commercial trojan: Formbook. The pattern, documented by cybersecurity firm F6, illustrates how a low-cost, widely available malware family combined with precise social engineering can yield high-impact results across sectors.

H2: Formbook remains a go-to commercial trojan for credential theft
F6’s analysis attributes this activity to a previously unreported actor it names ComicForm, active since at least April 2025. ComicForm executed a multi-stage attack chain designed to deliver Formbook into environments spanning industrial, financial, tourism, biotechnology, research and trade organizations. The campaign used tailored spear-phishing lures that led to malicious document attachments or links. Once victims opened the files, payloads executed, established persistence, and began exfiltrating credentials, system inventories and other sensitive artifacts back to attacker-controlled infrastructure.

The report also draws connections between the infrastructure used by ComicForm and activity tracked under the SectorJ149 label. That overlap suggests either operational cooperation, shared tooling, or a supplier-customer relationship—an increasingly common model in cybercrime where malware-as-a-service and phishing kits lower the barrier for new actors.

Why Formbook is effective
Formbook is not a novel piece of code. First documented years ago, it has been repeatedly used in commodity cybercrime for harvesting credentials, keystrokes, and system data. Its continued appearance in targeted campaigns underscores two persistent realities: social engineering remains powerful, and commoditized malware enables small or emergent groups to weaponize proven capabilities quickly.

For attackers, reusing battle-tested malware like Formbook minimizes development expense and shortens the time from reconnaissance to exfiltration. For defenders, its persistence is a reminder that focusing only on the newest zero-day vulnerabilities misses the bulk of real-world intrusions, which often rely on deception and operational reuse rather than sophisticated exploits.

Technical and human defenses: what works
Defending against campaigns that deliver Formbook requires both technical controls and sustained attention to human behavior.

– Technical: Monitor for suspicious downloader behavior, unusual child processes, and anomalous outbound connections to known command-and-control domains. Endpoint detection should look beyond static signatures and emphasize behavioral indicators, like credential dumping attempts, unusual API calls, and persistence mechanisms commonly abused by Formbook variants. Network defenders should deploy layered logging and correlation so that low-fidelity alerts from different systems can be stitched into a coherent incident picture.

– Human: Tailored spear-phishing messages—often mimicking local institutions, invoices, or business correspondence—erode the effectiveness of generic awareness training. Simulated phishing should be realistic and localized, and training should be reinforced by phishing-resistant authentication (MFA), zero-trust access policies, and least-privilege user rights to limit the blast radius of compromised accounts.

Broader implications for policy and industry
F6’s findings carry two strategic implications. First, the geographic focus on Belarus, Kazakhstan and Russia demonstrates that private-sector organizations remain vulnerable even in environments where state actors and policing are active. Criminal or semi-covert campaigns can operate with relative impunity, especially when they target businesses that may lack robust cybersecurity maturity.

Second, the campaign’s cross-sector targeting suggests two possible motives: opportunistic credential harvesting for resale on criminal markets, or selective intelligence collection with economic or strategic aims. Either scenario increases the value of stolen credentials and operational artifacts to a broad range of buyers and actors.

Attribution, response and the limits of traditional frameworks
When previously undocumented actors emerge using off-the-shelf malware like Formbook, traditional nation-state attribution becomes murkier. Should defenders and policymakers focus on takedowns of malware infrastructure, on disrupting crime markets that commoditize tools, or on pressuring states that tolerate or host malicious actors? Effective answers require coordination among private cybersecurity firms, national CERTs and international law-enforcement bodies—an often slow and politically fraught process.

Investigators can gain leads from the co-occurrence of ComicForm and SectorJ149 activity. Shared infrastructure, overlapping phishing templates, or repeated operational security mistakes could link disparate intrusions to a common operator or supplier. Tracking these overlaps remains one of the most practical ways to attribute and disrupt criminal ecosystems built around commodity malware like Formbook.

Practical takeaways and the road ahead
For organizations and administrators in affected regions and beyond, practical mitigations remain the most reliable short-term defenses: enforce multifactor authentication, restrict privileges, maintain up-to-date endpoint protections, and deploy behavioral detection across endpoints and networks. Regularly review inbound email protections, and harden processes that handle attachments and links from external sources.

F6’s report is a reminder that cyber threats evolve as much through social-engineering craft and operational reuse as through novel technical exploits. The appearance of ComicForm and its use of Formbook across Eurasia is not a single technical breakthrough; it is a businesslike demonstration of how persistent, commodity-driven threat activity exploits human and organizational gaps. In a landscape where malware is a commodity and phishing still works, the critical question remains: how many more ComicForm-style operations will emerge before the incentives that fuel them shift? Formbook’s ongoing role in these attacks suggests that until incentives change, defenders must treat basic hygiene and realistic human training as frontline necessities.