{
	"id": "13e920aa-d8ce-4c18-b5fe-89e345c1691d",
	"created_at": "2026-04-06T01:30:38.973146Z",
	"updated_at": "2026-04-10T13:11:33.572001Z",
	"deleted_at": null,
	"sha1_hash": "b4ac7f5425f73cc33c968108460493f32deb0f80",
	"title": "‘FormBook Tracker’ unveiled on the Dark Web",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1526824,
	"plain_text": "‘FormBook Tracker’ unveiled on the Dark Web\r\nBy S2W\r\nPublished: 2021-01-29 · Archived: 2026-04-06 00:55:00 UTC\r\nExecutive Summary\r\nS2W LAB has found ‘FormBook Tracker’ — the operation site of the malicious code ‘FormBook’ — on the dark web. The site contains information about 9,173 infected machines (as of 07/19) worldwide, including the affected machines’ OS, IP, date of infection, last activity date, etc. Based on the information from the site, China, the USA, and Turkey are the top 3 countries with the most infected machines. All command and control (C\u0026C, hereafter C2) servers use hosting services from the USA and the Netherlands.\r\nFigure 1: ‘FormBook Tracker’ site capture on the dark web\r\nPDF Download: https://drive.google.com/file/d/1oxINyIJfMtv_upJqRK9vLSchIBaU8wiU\r\nAbout FormBook\r\nFormBook is a data stealer and form grabber that has been advertised in various hacking forums since early 2016. The malware injects itself into various processes and installs function hooks to log keystrokes, steal clipboard contents, and extract data from HTTP sessions. The malware can also execute commands from a command and control (C2) server. The commands include instructing the malware to download and execute files, start processes, shut down and reboot the system, and steal cookies and local passwords.\r\nKey Statistics for FormBook Infection in 2020\r\nhttps://link.medium.com/uaBiIXgUU8\r\nPage 1 of 8\r\nFigure 2: Geographical mapping of infected machines\r\nGeolocation of the infected machines was identified based on IP address. China (1,976), Turkey (647), USA (566), India (480), and Vietnam (344) are the top 5 countries by number of infected machines.\r\nFigure 3: # of infected machines (unique IP address) by infection date (2020/01/01 to 2020/07/19)\r\nThe number of infected machines increased dramatically in July 2020. Not only the number of infected machines but also their geographical spread grew mostly in the June to July period.\r\nFigure 4: 2020 FormBook infection status for Top 4 countries\r\nKey Statistics for FormBook Infection in 2020 — South Korea\r\nFigure 5: Geographical mapping of infected machines for South Korea\r\n311 machines have been identified in South Korea. Most infections are concentrated in the metropolitan area.\r\nFigure 6: # of infected machines (unique IP address) by infection date for South Korea (2020/04/27 to 2020/07/19)\r\nInfections in South Korea started on April 27th. The infection rate dropped in mid-July; however, on July 14th the number of daily infections suddenly hit its peak, and many infected machines were still alive after that.\r\nIn-depth analysis of infected machines from South Korea\r\nBot Lifetime analysis (Total = 311)\r\nIn general, bot lifetimes are comparatively long. 57.2% of infected machines have a bot lifetime longer than 1 day. Only 20 out of 311 machines have a lifetime of less than an hour, which can be assumed to be sandboxes.\r\nVictim operating system (Total = 311)\r\nAmong the victims, Windows 10 is the most common operating system. FormBook seems to target Windows OS and affects all versions, including the most recent one.\r\nBot version (Total = 311)\r\nFormBook version 4.1, known to be the latest version, dominates the victim population; this might be the first report of its successful debut.\r\nKey Findings\r\n1. Operation FormBook is an ongoing threat campaign.\r\n2. The operator behind the campaign has leveraged the dark web to monitor the compromised PCs and servers.\r\n3. The operation has compromised at least 9,000 PCs/servers worldwide, and at least 44 C2 servers have been operational.\r\n4. A quick analysis of the operation site indicates that secondary damage is possible, as the lifetime of communication between the C2 and the compromised machines lasts more than a week.\r\n5. Possible cases of malware communication:\r\n5–1. The beacon lifetime between the C2 and the target node is long, which eventually compromises the node.\r\n5–2. FormBook malware is preserved on purpose in a sandbox or in the same virtual machine image (identical SID) by a security team to monitor live C2 servers and counteract the malware.\r\n5–3. Some of the victims appear to be honeypots or security devices owned by businesses and public institutions.\r\nSecurity advisory\r\nIt is recommended that response teams update their C2 domain lists and shorten the analysis period, since this type of operational page encourages attackers to advertise and capitalize on their system to potential hackers/buyers by luring them with such live information.\r\nWe will continue tracking ‘FormBook Tracker’ and report new findings at www.s2wlab.com. Should you have any information that you think might be valuable to our research, please contact us at info@s2wlab.com.\r\nAppendix — Identified C2 server list (updated on 2020–09–18)\r\nAbout S2W LAB\r\nS2W LAB is a big data intelligence company specializing in the dark web and cryptocurrencies. The company captures a massive amount of data from various channels and conducts analysis with a unique AI-based multi-domain analytic engine. S2W LAB offers a threat intelligence solution, ‘S2-XARVIS’, and a cryptocurrency anti-money laundering solution, ‘S2-EYEZ’.\r\nSource: https://link.medium.com/uaBiIXgUU8",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://link.medium.com/uaBiIXgUU8"
	],
	"report_names": [
		"uaBiIXgUU8"
	],
	"threat_actors": [],
	"ts_created_at": 1775439038,
	"ts_updated_at": 1775826693,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b4ac7f5425f73cc33c968108460493f32deb0f80.pdf",
		"text": "https://archive.orkl.eu/b4ac7f5425f73cc33c968108460493f32deb0f80.txt",
		"img": "https://archive.orkl.eu/b4ac7f5425f73cc33c968108460493f32deb0f80.jpg"
	}
}