Infostealer Malware FormBook Spread via Phishing Campaign – Part II

    Date: 05/28/2025

    Severity: High 

    Summary

    We detailed the campaign’s launch through a phishing email that exploited the CVE-2017-11882 vulnerability to run a 64-bit DLL. This DLL then downloaded and decrypted a FormBook variant concealed in a fake PNG file. Finally, we explained how the DLL used process hollowing to inject the FormBook payload into ImagingDevices.exe and execute it.

    Indicators of Compromise (IOC) List

    Domains\URLs:


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains\URLs 1:

    domainname like "http://www.adjokctp.icu/3ya5/" or url like "http://www.adjokctp.icu/3ya5/" or siteurl like "http://www.adjokctp.icu/3ya5/" or domainname like "http://www.kasun.wtf/u4ue/" or url like "http://www.kasun.wtf/u4ue/" or siteurl like "http://www.kasun.wtf/u4ue/" or domainname like "http://www.btbjpu.info/pjhe/" or url like "http://www.btbjpu.info/pjhe/" or siteurl like "http://www.btbjpu.info/pjhe/" or domainname like "http://www.bellysweep.net/gr1r/" or url like "http://www.bellysweep.net/gr1r/" or siteurl like "http://www.bellysweep.net/gr1r/" or domainname like "http://www.685648.wang/3k4m/" or url like "http://www.685648.wang/3k4m/" or siteurl like "http://www.685648.wang/3k4m/" or domainname like "http://www.ddvids.xyz/uiki/" or url like "http://www.ddvids.xyz/uiki/" or siteurl like "http://www.ddvids.xyz/uiki/" or domainname like "http://www.dangky88kfree.online/11lg/" or url like "http://www.dangky88kfree.online/11lg/" or siteurl like "http://www.dangky88kfree.online/11lg/" or domainname like "http://www.manicure-nano.sbs/xkx8/" or url like "http://www.manicure-nano.sbs/xkx8/" or siteurl like "http://www.manicure-nano.sbs/xkx8/" or domainname like "http://www.laohuc58.net/zyjq/" or url like "http://www.laohuc58.net/zyjq/" or siteurl like "http://www.laohuc58.net/zyjq/" or domainname like "http://www.arwintarim.xyz/shoy/" or url like "http://www.arwintarim.xyz/shoy/" or siteurl like "http://www.arwintarim.xyz/shoy/" or domainname like "http://www.kdjsswzx.club/h3ut/" or url like "http://www.kdjsswzx.club/h3ut/" or siteurl like "http://www.kdjsswzx.club/h3ut/" or domainname like "http://www.sigaque.today/u2nq/" or url like "http://www.sigaque.today/u2nq/" or siteurl like "http://www.sigaque.today/u2nq/" or domainname like "http://www.dilgxp.info/7qht/" or url like "http://www.dilgxp.info/7qht/" or siteurl like "http://www.dilgxp.info/7qht/" or domainname like "http://www.meritking.cloud/gakd/" or url like "http://www.meritking.cloud/gakd/" or 
siteurl like "http://www.meritking.cloud/gakd/" or domainname like "http://www.zhuanphysical.shop/zcro/" or url like "http://www.zhuanphysical.shop/zcro/" or siteurl like "http://www.zhuanphysical.shop/zcro/" or domainname like "http://www.vivamente.shop/xr41/" or url like "http://www.vivamente.shop/xr41/" or siteurl like "http://www.vivamente.shop/xr41/" or domainname like "http://www.szty13.vip/abhi/" or url like "http://www.szty13.vip/abhi/" or siteurl like "http://www.szty13.vip/abhi/" or domainname like "http://www.nhc7tdkp6.live/d9kr/" or url like "http://www.nhc7tdkp6.live/d9kr/" or siteurl like "http://www.nhc7tdkp6.live/d9kr/" or domainname like "http://www.extremedoge.xyz/372c/" or url like "http://www.extremedoge.xyz/372c/" or siteurl like "http://www.extremedoge.xyz/372c/" or domainname like "http://www.ef4refef.sbs/f88b/" or url like "http://www.ef4refef.sbs/f88b/" or siteurl like "http://www.ef4refef.sbs/f88b/" or domainname like "http://www.seasay.xyz/xwy3/" or url like "http://www.seasay.xyz/xwy3/" or siteurl like "http://www.seasay.xyz/xwy3/" or domainname like "http://www.arryongro-nambe.live/h108/" or url like "http://www.arryongro-nambe.live/h108/" or siteurl like "http://www.arryongro-nambe.live/h108/" or domainname like "http://www.nullus.xyz/pf7y/" or url like "http://www.nullus.xyz/pf7y/" or siteurl like "http://www.nullus.xyz/pf7y/" or domainname like "http://www.grcgrg.net/jxyu/" or url like "http://www.grcgrg.net/jxyu/" or siteurl like "http://www.grcgrg.net/jxyu/" or domainname like "http://www.dqvcbn.info/iby8/" or url like "http://www.dqvcbn.info/iby8/" or siteurl like "http://www.dqvcbn.info/iby8/" or domainname like "http://www.kpilal.info/9o26/" or url like "http://www.kpilal.info/9o26/" or siteurl like "http://www.kpilal.info/9o26/" or domainname like "http://www.iighpb.bid/jfhd/" or url like "http://www.iighpb.bid/jfhd/" or siteurl like "http://www.iighpb.bid/jfhd/" or domainname like "http://www.08081.pink/2wr9/" or url like 
"http://www.08081.pink/2wr9/" or siteurl like "http://www.08081.pink/2wr9/" or domainname like "http://www.lucynoel6465.shop/1i64/" or url like "http://www.lucynoel6465.shop/1i64/" or siteurl like "http://www.lucynoel6465.shop/1i64/" or domainname like "http://www.tumbetgirislinki.fit/i8hk/" or url like "http://www.tumbetgirislinki.fit/i8hk/" or siteurl like "http://www.tumbetgirislinki.fit/i8hk/" or domainname like "http://www.dogeeditor.xyz/x5dz/" or url like "http://www.dogeeditor.xyz/x5dz/" or siteurl like "http://www.dogeeditor.xyz/x5dz/" or domainname like "http://www.shibfestival.xyz/8538/" or url like "http://www.shibfestival.xyz/8538/" or siteurl like "http://www.shibfestival.xyz/8538/" or domainname like "http://www.gluconolmx.shop/8370/" or url like "http://www.gluconolmx.shop/8370/" or siteurl like "http://www.gluconolmx.shop/8370/" or domainname like "http://www.promutuus.xyz/bpae/" or url like "http://www.promutuus.xyz/bpae/" or siteurl like "http://www.promutuus.xyz/bpae/" or domainname like "http://www.ciptaan.xyz/fjwa/" or url like "http://www.ciptaan.xyz/fjwa/" or siteurl like "http://www.ciptaan.xyz/fjwa/" or domainname like "http://www.caral.tokyo/plub/" or url like "http://www.caral.tokyo/plub/" or siteurl like "http://www.caral.tokyo/plub/" or domainname like "http://www.leveledge.sbs/asbs/" or url like "http://www.leveledge.sbs/asbs/" or siteurl like "http://www.leveledge.sbs/asbs/" or domainname like "http://www.xrrkkv.info/eg97/" or url like "http://www.xrrkkv.info/eg97/" or siteurl like "http://www.xrrkkv.info/eg97/" or domainname like "http://www.jyc11.top/xz2s/" or url like "http://www.jyc11.top/xz2s/" or siteurl like "http://www.jyc11.top/xz2s/" or domainname like "http://www.prepaidbitcoin.xyz/rcx4/" or url like "http://www.prepaidbitcoin.xyz/rcx4/" or siteurl like "http://www.prepaidbitcoin.xyz/rcx4/" or domainname like "http://www.promoconfortbaby.store/1pxl/" or url like "http://www.promoconfortbaby.store/1pxl/" or siteurl like 
"http://www.promoconfortbaby.store/1pxl/" or domainname like "http://www.218735.bid/3f5o/" or url like "http://www.218735.bid/3f5o/" or siteurl like "http://www.218735.bid/3f5o/"

    Domains\URLs 2:

    domainname like "http://www.segurooshop.shop/wcz8/" or url like "http://www.segurooshop.shop/wcz8/" or siteurl like "http://www.segurooshop.shop/wcz8/" or domainname like "http://www.hugeblockchain.xyz/1dpy/" or url like "http://www.hugeblockchain.xyz/1dpy/" or siteurl like "http://www.hugeblockchain.xyz/1dpy/" or domainname like "http://www.crazymeme.xyz/78bm/" or url like "http://www.crazymeme.xyz/78bm/" or siteurl like "http://www.crazymeme.xyz/78bm/" or domainname like "http://www.balivegasbaru2.xyz/cfze/" or url like "http://www.balivegasbaru2.xyz/cfze/" or siteurl like "http://www.balivegasbaru2.xyz/cfze/" or domainname like "http://www.themutznuts.xyz/ks15/" or url like "http://www.themutznuts.xyz/ks15/" or siteurl like "http://www.themutznuts.xyz/ks15/" or domainname like "http://www.031235246.xyz/ml07/" or url like "http://www.031235246.xyz/ml07/" or siteurl like "http://www.031235246.xyz/ml07/" or domainname like "http://www.theweb.services/fb40/" or url like "http://www.theweb.services/fb40/" or siteurl like "http://www.theweb.services/fb40/" or domainname like "http://www.sdwd.wang/sfv4/" or url like "http://www.sdwd.wang/sfv4/" or siteurl like "http://www.sdwd.wang/sfv4/" or domainname like "http://www.shlomi.app/5nwk/" or url like "http://www.shlomi.app/5nwk/" or siteurl like "http://www.shlomi.app/5nwk/" or domainname like "http://www.garfo.xyz/35rt/" or url like "http://www.garfo.xyz/35rt/" or siteurl like "http://www.garfo.xyz/35rt/" or domainname like "http://www.actionlow.live/0a0g/" or url like "http://www.actionlow.live/0a0g/" or siteurl like "http://www.actionlow.live/0a0g/" or domainname like "http://www.svapo-discount.net/s956/" or url like "http://www.svapo-discount.net/s956/" or siteurl like "http://www.svapo-discount.net/s956/" or domainname like "http://www.yueolt.shop/je6k/" or url like "http://www.yueolt.shop/je6k/" or siteurl like "http://www.yueolt.shop/je6k/" or domainname like "http://www.fjlgyc.info/txra/" or url like 
"http://www.fjlgyc.info/txra/" or siteurl like "http://www.fjlgyc.info/txra/" or domainname like "http://www.sbualdwhryi.info/dbdy/" or url like "http://www.sbualdwhryi.info/dbdy/" or siteurl like "http://www.sbualdwhryi.info/dbdy/" or domainname like "http://www.gnlokn.info/lmor/" or url like "http://www.gnlokn.info/lmor/" or siteurl like "http://www.gnlokn.info/lmor/" or domainname like "http://www.ethereumpartner.xyz/xou3/" or url like "http://www.ethereumpartner.xyz/xou3/" or siteurl like "http://www.ethereumpartner.xyz/xou3/" or domainname like "http://www.choujiezhibo.net/pu7t/" or url like "http://www.choujiezhibo.net/pu7t/" or siteurl like "http://www.choujiezhibo.net/pu7t/" or domainname like "http://www.domuss.asia/yf4f/" or url like "http://www.domuss.asia/yf4f/" or siteurl like "http://www.domuss.asia/yf4f/" or domainname like "http://www.aicycling.pro/4m7q/" or url like "http://www.aicycling.pro/4m7q/" or siteurl like "http://www.aicycling.pro/4m7q/" or domainname like "http://www.autonomousrich.xyz/iej0/" or url like "http://www.autonomousrich.xyz/iej0/" or siteurl like "http://www.autonomousrich.xyz/iej0/" or domainname like "http://www.intention.digital/h6z3/" or url like "http://www.intention.digital/h6z3/" or siteurl like "http://www.intention.digital/h6z3/"
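    As an added example (not Gurucul's or Fortinet's code), the following Python applies a subset of this advisory's C2 URL indicators to constructed proxy log lines. It matches on host plus path prefix rather than on the exact indicator string, so a request that appends a file name or query string to the C2 directory still produces a hit; the log format and client IP addresses are constructed for the example.

```python
from urllib.parse import urlparse

# Subset of the C2 URLs from this advisory's indicator list (the full list is
# in the Indicators of Compromise section above).
IOC_URLS = [
    "http://www.arwintarim.xyz/shoy/",
    "http://www.promutuus.xyz/bpae/",
    "http://www.218735.bid/3f5o/",
    "http://www.vivamente.shop/xr41/",
]

def _norm_host(host):
    """Lowercase and drop a leading 'www.' so host comparisons are stable."""
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host

def build_index(ioc_urls=IOC_URLS):
    """Turn each IOC URL into (normalised host, path prefix, original URL)."""
    index = []
    for u in ioc_urls:
        p = urlparse(u)
        index.append((_norm_host(p.hostname), p.path, u))
    return index

def match_url(url, index):
    """Return the IOC URL that covers `url`, or None.

    The host must match and the logged path must start with the IOC path, so
    /shoy/?id=... or /shoy/index.php is still caught, which an exact string
    comparison against 'http://www.arwintarim.xyz/shoy/' would miss.
    """
    p = urlparse(url)
    host, path = _norm_host(p.hostname), p.path or "/"
    for ioc_host, ioc_path, ioc_url in index:
        if host == ioc_host and path.startswith(ioc_path):
            return ioc_url
    return None

# Constructed proxy log lines: timestamp, client IP, method, URL, status.
SAMPLE_LOG = """\
2025-05-28T10:01:02Z 10.0.0.5 GET http://www.arwintarim.xyz/shoy/?id=Jx8 200
2025-05-28T10:01:09Z 10.0.0.5 GET http://www.example.com/ 200
2025-05-28T10:02:15Z 10.0.0.7 POST http://WWW.218735.bid/3f5o/ 404
2025-05-28T10:03:00Z 10.0.0.9 GET http://www.vivamente.shop/other/ 200
"""

def scan_log(log_text, index=None):
    """Return (client_ip, url, ioc_url) for every line hitting a C2 indicator."""
    index = index or build_index()
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip it rather than abort the scan
        ioc = match_url(fields[3], index)
        if ioc:
            hits.append((fields[1], fields[3], ioc))
    return hits
```

    The fourth sample line hits a listed C2 host but a different path and is deliberately not flagged; treat host-only matches as a separate, lower-confidence rule if you want them.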

    Reference:

    https://www.fortinet.com/blog/threat-research/infostealer-malware-formbook-spread-via-phishing-campaign


    Tags

    Malware, Vulnerability, FormBook, Infostealer, Phishing, Exfiltration, CVE-2017
