
Introduction
The latest wave of cyberattacks shows once again how quiet the most dangerous threats can be. What begins as a harmless-looking email attachment turns into a deeply layered infection chain built to evade antivirus tools, confuse analysts, and silently plant one of today’s most notorious information stealers. This campaign, aimed at unsuspecting users, illustrates the modern reality of malware delivery: attackers pair a simple entry point with layers of scripting tricks to slip past security controls. The story that follows is not simply about FormBook. It is about the evolving playbook of threat actors who know exactly how to hide in plain sight.
Main Summary
A Simple Attachment Concealing a Complex Threat
The attack starts with something millions of employees see every day: a ZIP file attached to a routine-looking payment confirmation email. Inside the archive sits a VBS script named Payment_confirmation_copy_30K__202512110937495663904650431.vbs. Despite its innocent appearance, only 17 of the 65 antivirus engines on the multi-engine scan flagged it, a reminder of how good attackers have become at masking malicious intent, and of why a low detection count on its own says little about whether a file is safe.
Obfuscation as the First Layer of Defense
Once executed, the script does not behave like typical malware. Instead of calling WScript.Sleep, which sandboxes commonly hook or fast-forward, it spins in a loop until a date function reports that nine seconds have elapsed, so the delay looks like ordinary busy work rather than a recognizable sleep call. Nine seconds is also a cheap way to outlast automated sandboxes that give each sample only a short execution budget. The attackers also fragmented every critical string into scattered pieces that are reassembled only at run time; even the word “PowerShell” is expressed as a series of Chr() calls on ASCII arithmetic.
Transition from VBS to PowerShell
After rebuilding its PowerShell command line, the script launches a new PowerShell instance through a Shell.Application COM object rather than the more common WScript.Shell Run call. This choice is deliberate: it sidesteps the direct invocation pattern that many detection rules key on. The PowerShell payload relies on two heavily obfuscated helper functions, Microcoulomb and Blokbogstavers65. One pulls characters out of encoded container strings to rebuild fragments of the real code; the other hands the rebuilt text to Invoke-Expression. Separating reconstruction from execution hides the final code from static analysis, which sees only string handling and a generic Invoke-Expression call. Script Block Logging, which records code once it has been reassembled and is about to run, is the practical counter: it captures exactly what the static view misses.
Revealing Hidden .NET Abuse
Among the decoded fragments emerges the rebuilt type name nET.wEBClIent, a clear sign that the script fetches remote files with .NET’s built-in web client. The odd capitalization costs the attacker nothing, because PowerShell resolves type names case-insensitively, but it defeats case-sensitive string matches on Net.WebClient; detection content should normalize case before matching. Attackers favor built-in Windows libraries because they generate far less suspicious noise than custom networking tools.
Payload Delivery Through Google Drive
The script reaches out to a payload hosted on Google Drive. The link looks harmless at first glance and rides on a trusted cloud platform that corporate firewalls rarely block. Once downloaded, the payload is written to the user’s roaming profile (%APPDATA%) under the name budene.con. The unusual .con extension is meant to pass for a configuration or data file among ordinary user content.
Second-Stage PowerShell Activation
The saved payload is decoded into yet another PowerShell script, and here the attackers shift from stealth to execution. The script extracts an executable named bin.exe and injects it into msiexec.exe, the legitimate Windows Installer binary. Using msiexec is a strategic move: it is a signed Microsoft system process tied to installation and maintenance, exactly the kind of process security tools tend to trust. An msiexec.exe started by PowerShell with no package to install is, however, a reliable tell.
Arrival of the Final Payload: FormBook
Once injected, the final binary reveals its identity: a variant of FormBook. This well-documented information stealer collects keystrokes, credentials, clipboard content, browser data, and screenshots, and it communicates with a command-and-control server at 216.250.252.227:7719. FormBook’s popularity stems from its efficiency: it is small, adaptable, and heavily obfuscated, which has kept it among the most persistent threats in the cybercriminal ecosystem.
A Campaign Built on Layered Evasion
Every stage of this chain is constructed to minimize detection. Obfuscated VBS functions disguise intentions. PowerShell scripts hide within trusted system components. Payloads arrive from a legitimate cloud service. Injection leverages a sanctioned process. By the time the final malware activates, defenders have lost sight of the many small breadcrumbs that led to the infection.
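Each of the stages listed above leaves a host-level trace, and the useful detection is the one that ties those traces back to a single process tree. The script below is an added example, not part of the original analysis or the campaign: it runs four simple rules over a constructed, Sysmon-style event stream (the field names are my own simplification of process-create, file-create and network-connect records; the pids, the user name alice, the command lines and the benign control events are invented) and groups hits by process ancestry. Only the C2 address and port, the dropped file name budene.con and the attachment name are taken from the write-up.

```python
"""Stage detections for the VBS -> PowerShell -> msiexec -> FormBook chain.

Added example, not from the original analysis. EVENTS is a constructed,
Sysmon-style stream (process/file/network records, field names my own
simplification); only the C2 endpoint and file names come from the article.
"""
import ntpath

POWERSHELL = {"powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
KNOWN_C2 = {("216.250.252.227", 7719)}          # reported FormBook C2
ROAMING_OK_EXT = {".json", ".xml", ".txt", ".log", ".ini", ".dat", ".lnk"}
MSI_PACKAGE_TOKENS = (".msi", "/i", "-i", "/x", "-x", "/a", "/f", "/p")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSIEXEC = r"C:\Windows\System32\msiexec.exe"
WSCRIPT = r"C:\Windows\System32\wscript.exe"

EVENTS = [  # constructed sample stream; pids 900 and 800 are unobserved roots
    {"type": "process", "pid": 1001, "ppid": 900, "image": WSCRIPT,
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\Payment_confirmation_copy_30K__202512110937495663904650431.vbs"'},
    {"type": "process", "pid": 1002, "ppid": 1001, "image": PS, "parent_image": WSCRIPT,
     "cmdline": "powershell.exe -NoP -W Hidden -C <stage-1 body>"},
    {"type": "file", "pid": 1002, "image": PS,
     "path": r"C:\Users\alice\AppData\Roaming\budene.con"},
    {"type": "process", "pid": 1004, "ppid": 1002, "image": MSIEXEC, "parent_image": PS,
     "cmdline": "msiexec.exe"},                  # no package: injection host
    {"type": "network", "pid": 1004, "image": MSIEXEC, "dst": "216.250.252.227", "dport": 7719},
    # benign control: a real install from Explorer; 192.0.2.10 is a TEST-NET address
    {"type": "process", "pid": 2001, "ppid": 800, "image": MSIEXEC,
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\alice\Downloads\tool.msi" /qn'},
    {"type": "network", "pid": 2001, "image": MSIEXEC, "dst": "192.0.2.10", "dport": 443},
]

def image_name(path):
    return ntpath.basename(path).lower()

def script_host_spawns_powershell(ev):
    """Stage 1: wscript/cscript launches powershell.exe (T1059.005 -> T1059.001)."""
    return (ev["type"] == "process" and image_name(ev["image"]) in POWERSHELL
            and image_name(ev["parent_image"]) in SCRIPT_HOSTS)

def powershell_drops_roaming_blob(ev):
    """Stage 2: PowerShell writes an odd extension (.con) under AppData\\Roaming."""
    if ev["type"] != "file" or image_name(ev["image"]) not in POWERSHELL:
        return False
    path = ev["path"].lower()
    return "\\appdata\\roaming\\" in path and ntpath.splitext(path)[1] not in ROAMING_OK_EXT

def msiexec_without_package(ev):
    """Stage 3: a script host starts msiexec.exe with nothing to install (T1218.007)."""
    if ev["type"] != "process" or image_name(ev["image"]) != "msiexec.exe":
        return False
    if image_name(ev["parent_image"]) not in POWERSHELL | SCRIPT_HOSTS:
        return False
    args = ev["cmdline"].split(maxsplit=1)
    rest = args[1].lower() if len(args) > 1 else ""
    return not any(tok in rest for tok in MSI_PACKAGE_TOKENS)

def msiexec_beacons(ev):
    """Stage 4: msiexec.exe reaches the known C2 or any non-HTTP(S) port."""
    if ev["type"] != "network" or image_name(ev["image"]) != "msiexec.exe":
        return False
    return (ev["dst"], ev["dport"]) in KNOWN_C2 or ev["dport"] not in (80, 443)

RULES = {f.__name__: f for f in (script_host_spawns_powershell, powershell_drops_roaming_blob,
                                 msiexec_without_package, msiexec_beacons)}

def detect(events):
    """Every (rule, pid) pair that fires over the stream."""
    return [(name, ev["pid"]) for ev in events for name, rule in RULES.items() if rule(ev)]

def chain_root(parent, pid):
    """Follow ppid links to the oldest ancestor present in the stream."""
    while pid in parent:
        pid = parent[pid]
    return pid

def stages_by_chain(events):
    """Group hits per process tree: four weak signals on one tree make one strong alert."""
    parent = {ev["pid"]: ev["ppid"] for ev in events if ev["type"] == "process"}
    chains = {}
    for name, pid in detect(events):
        chains.setdefault(chain_root(parent, pid), set()).add(name)
    return chains

if __name__ == "__main__":
    for root, stages in stages_by_chain(EVENTS).items():
        print(f"tree rooted at pid {root}: {len(stages)}/{len(RULES)} stages {sorted(stages)}")
```

Each rule on its own is a weak signal: a script host launching PowerShell, an odd file under Roaming, an argument-less msiexec.exe and an outbound connection from msiexec.exe to a non-web port all occur benignly now and then. Scoring them per process tree turns the fragmentation the attackers rely on back against them. The first rule keys on the direct parent process; if a launch method changes the observed parent, the remaining three still fire on the same tree.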
A Reminder for Analysts and Defenders
This incident underscores a critical lesson. Modern malware is no longer just a malicious executable. It is a sequence of scripts, cloud links, trusted processes, and encoded fragments working together to deliver something harmful. Reverse engineering cannot stop at the final EXE. It must start with the very first script and inspect every layer between. Attackers have learned to play the long game, and defenders must match that patience with deep analysis.
What Undercode Says:
Why Multi-Stage Attacks Continue to Dominate
Threat actors choose multi-stage chains because they exploit a universal flaw in cybersecurity ecosystems. Most defense tools analyze single events. But attackers distribute their logic across steps that appear harmless in isolation. A VBS script that sleeps and launches PowerShell does not trigger the same alarms as a standalone malware binary. This fragmentation reduces visibility and increases the chance of a successful breach.
The Role of Legitimate Services in Malware Delivery
Google Drive is not used accidentally. Cloud storage providers offer a level of trust that attackers cannot create on their own. Blocking Google Drive entirely is unrealistic for businesses. This creates a perfect channel for delivering malicious payloads without raising network alarms. The entire threat landscape is slowly shifting toward abusing trusted cloud platforms because they blend perfectly into regular traffic patterns.
PowerShell’s Enduring Abuse
PowerShell remains a favorite among threat actors for a simple reason: it is powerful, preinstalled, scriptable, and deeply trusted. Even where it is heavily monitored, attackers find ways to hide commands through string encoding, reflection, and fragment reconstruction. The Microcoulomb and Blokbogstavers65 functions exemplify this mature approach to evasion, with execution buried behind layers of scripted transformation.
Living Off the Land in Every Stage
The repeated use of native components such as msiexec.exe, .NET WebClient, and Shell.Application fits the tactic known as “living off the land”. By using what already exists in the operating system, attackers dramatically reduce their footprint: they load no libraries of their own, and even the extracted bin.exe never runs as its own process but executes inside a signed Microsoft binary. The infected host becomes an ideal staging ground, where malicious behavior looks like routine Windows activity.
Why FormBook Is Still Relevant in 2025
FormBook has survived for years because cybercriminals understand the economics of malware. It is light enough to inject quickly, powerful enough to steal valuable data, and flexible enough to evade multiple detection methods. Its persistence proves that attackers prefer proven tools rather than reinventing malware every year. The focus shifts instead to crafting more sophisticated delivery chains, which is exactly what this campaign showcases.
Implications for Enterprises
Companies must rethink security monitoring. The real threat is not the malware at the end; it is the unnoticed VBS script at the beginning. Attackers rely on the assumption that no one monitors user-level script execution or outbound cloud downloads. The telemetry exists: PowerShell Script Block Logging (event ID 4104) records commands after the helper functions have reassembled them, Sysmon or EDR process-creation events expose wscript.exe launching powershell.exe and powershell.exe launching an argument-less msiexec.exe, and proxy logs show the Google Drive fetch followed by a connection to an unusual port. Without that visibility, defenders remain blind to the early indicators of compromise.
Why This Campaign Matters
This attack demonstrates the increasing reliance on script-based loaders in the wild. VBS, PowerShell, and legitimate binaries form the backbone of malware campaigns targeting organizations worldwide. By chaining these tools together, threat actors bypass signature-based defenses and overwhelm behavioral systems that are designed to look for larger anomalies.
🔍 Fact Checker Results
The described payload is confirmed to be a FormBook variant based on binary analysis. ✅
The infection used Google Drive as the delivery channel for its next stage. ✅
No evidence suggests the campaign targeted a specific organization or region. ❌
📊 Prediction
Cybercriminals will continue shifting toward multi-stage script-based loaders because they bypass endpoint defenses more effectively than standalone binaries. 🔮
Expect an increase in campaigns abusing trusted cloud platforms such as Google Drive and Dropbox. 📁
FormBook, despite its age, will likely remain a top information-stealing threat due to its low footprint and constant updates. ⚠️
References:
Reported By: cyberpress.org