Weaponized Zip Files and Several Scripts Used to Distribute Formbook Malware


A fresh wave of Formbook malware attacks has emerged, circumventing security measures with numerous script layers and weaponized ZIP packages.

The attacks begin with phishing emails carrying ZIP files that contain VBS scripts masquerading as payment confirmation documents.

These scripts set off a chain of actions that download and install the malware on victims' systems. The multi-stage approach makes the campaign harder to identify for both security tools and analysts.


The attack begins when victims receive emails with ZIP archives attached. These archives contain a VBS file with a name such as "Payment_confirmation_copy_30K__20251211093749.vbs" that looks like a business document.

When opened, this VBS script initiates a carefully designed infection procedure. The loader installs Formbook on the target computer by passing through several languages and formats in turn: VBS, then PowerShell, and finally executable files.

Only 17 out of 65 antivirus programs were able to identify the original VBS file, according to Internet Storm Center security researchers who discovered this operation.

The low detection rate demonstrates the effectiveness of the obfuscation tactics. The malware authors built each layer to evade standard security checks and to complicate analysis by security teams.

Multi-Stage Infection Mechanism

To conceal its true intent, the VBS script employs a number of techniques. Before doing anything malicious, it first enters a delay loop that waits nine seconds.

This simple trick helps evade sandbox systems that look for suspicious activity immediately after launch:

```vbscript
' Straight quotes restored; Frozen was used without a declaration in the original.
Dim Hump
Dim Frozen

' Target time: nine seconds from now.
Hump = DateAdd("s", 9, Now())

' Busy-wait in 100 ms steps until the target time has passed.
Do Until (Now() > Hump)
    Wscript.Sleep 100
    Frozen = Frozen + 1
Loop
```

The script then concatenates numerous short text segments to build a PowerShell command. Instead of writing it in plain text, the script conceals the word "PowerShell" as a sequence of numeric character codes. Once the command has been assembled, the VBS file launches it through a Shell.Application object.
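The two loader traits just described, the timed sleep loop and the character-code-built "powershell" string handed to Shell.Application, can be checked for statically. The following Python triage script is an added example written for this page, not code from the article or from the Internet Storm Center analysis; the embedded VBS sample is constructed to mimic those traits and is not the real loader. It rebuilds every string assembled from `Chr()` codes and scores the file against the three behaviours.

```python
import re

# Constructed sample VBS loader (not the real script), written here to
# exercise the triage rules: timed sleep loop, Chr()-built "powershell"
# string, and Shell.Application as the launcher.
SAMPLE_VBS = r'''
Dim Hump
Hump = DateAdd("s", 9, Now())
Do Until (Now() > Hump)
    Wscript.Sleep 100
    Frozen = Frozen + 1
Loop
Dim Cmd
Cmd = Chr(112) & Chr(111) & Chr(119) & Chr(101) & Chr(114) & Chr(115) & Chr(104) & Chr(101) & Chr(108) & Chr(108)
Set App = CreateObject("Shell.Application")
App.ShellExecute Cmd, "-NoP -W Hidden -c <stage2 placeholder>", "", "", 0
'''

# A run of Chr(n) calls glued together with "&" (VBScript string concatenation).
CHR_RUN_RE = re.compile(r'(?:Chr\(\s*\d+\s*\)\s*(?:&\s*)?)+', re.IGNORECASE)
CHR_NUM_RE = re.compile(r'Chr\(\s*(\d+)\s*\)', re.IGNORECASE)


def decode_chr_runs(script: str) -> list:
    """Rebuild every string the script assembles from two or more Chr() codes."""
    decoded = []
    for m in CHR_RUN_RE.finditer(script):
        codes = [int(n) for n in CHR_NUM_RE.findall(m.group(0))]
        if len(codes) >= 2:
            decoded.append("".join(chr(c) for c in codes if 0 <= c < 0x110000))
    return decoded


def triage_vbs(script: str) -> dict:
    """Score a VBS file against the loader behaviours the article describes."""
    decoded = decode_chr_runs(script)
    findings = {
        # Timed busy-wait: DateAdd("s", N, Now()) paired with a Do Until ... Wscript.Sleep ... Loop.
        "timed_sleep_loop": bool(
            re.search(r'DateAdd\s*\(\s*"s"', script, re.I)
            and re.search(r'Do\s+Until.*?Wscript\.Sleep.*?\bLoop\b', script, re.I | re.S)
        ),
        # "powershell" never appears literally; it is rebuilt from Chr() codes.
        "chr_encoded_powershell": any("powershell" in s.lower() for s in decoded),
        # Shell.Application used as the launcher for the rebuilt command.
        "shell_application": bool(
            re.search(r'CreateObject\s*\(\s*"Shell\.Application"', script, re.I)
        ),
        "decoded_strings": decoded,
    }
    findings["score"] = sum(
        findings[k] for k in ("timed_sleep_loop", "chr_encoded_powershell", "shell_application")
    )
    return findings


if __name__ == "__main__":
    for key, value in triage_vbs(SAMPLE_VBS).items():
        print(f"{key}: {value}")
```

A score of 3 on the constructed sample means all three traits were found; a benign script such as a single `MsgBox` call scores 0. The decoded strings are worth surfacing in their own right, since the reassembled command line (interpreter name, hidden-window switches, download stage) is what an analyst wants to see without running the file.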

This PowerShell script downloads another payload from Google Drive and saves it to the user's AppData folder. In the final stage, the Formbook malware is injected into msiexec.exe.

The malware then connects to its command-and-control server at 216.250.252.227 on port 7719 to obtain instructions.
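The final stage leaves two network-visible signs: traffic to the command server named above, and msiexec.exe, a Windows installer host, opening outbound connections of its own. The following Python detector is an added example for this page (not code from the article); it runs the two checks over a constructed CSV of egress events in the shape of Sysmon-style network-connection records. The log lines, host names and the 203.0.113.9 address are constructed; only the 216.250.252.227:7719 indicator comes from the article.

```python
import csv
import io
import ipaddress

# Indicator taken from the article: Formbook C2 at 216.250.252.227:7719.
C2_INDICATORS = {("216.250.252.227", 7719)}

# RFC 1918 ranges treated as internal; anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample egress log (not real telemetry): Sysmon-style
# network-connection events flattened to CSV.
SAMPLE_LOG = """\
ts,host,image,dst_ip,dst_port
2025-12-11T09:40:01Z,WS-042,C:\\Windows\\System32\\msiexec.exe,216.250.252.227,7719
2025-12-11T09:40:05Z,WS-042,C:\\Program Files\\Mozilla Firefox\\firefox.exe,142.250.72.14,443
2025-12-11T09:41:12Z,WS-017,C:\\Windows\\System32\\msiexec.exe,203.0.113.9,443
2025-12-11T09:42:00Z,WS-017,C:\\Windows\\System32\\svchost.exe,10.0.0.5,445
"""


def is_external(ip: str) -> bool:
    """True unless the address falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def alert_on_record(rec: dict):
    """Return the reason a record is suspicious, or None if it looks benign."""
    ip, port = rec["dst_ip"], int(rec["dst_port"])
    image = rec["image"].rsplit("\\", 1)[-1].lower()
    if (ip, port) in C2_INDICATORS:
        return "known Formbook C2 indicator"
    # msiexec.exe is the injection host the article names; it has no
    # ordinary reason to open sockets to external addresses on its own.
    if image == "msiexec.exe" and is_external(ip):
        return "msiexec.exe outbound to external address"
    return None


def scan_log(text: str) -> list:
    """Run every record through alert_on_record and collect the hits."""
    alerts = []
    for rec in csv.DictReader(io.StringIO(text)):
        reason = alert_on_record(rec)
        if reason:
            alerts.append((rec["host"], rec["image"], rec["dst_ip"], int(rec["dst_port"]), reason))
    return alerts


if __name__ == "__main__":
    for host, image, ip, port, reason in scan_log(SAMPLE_LOG):
        print(f"{host}: {image} -> {ip}:{port}  [{reason}]")
```

The indicator match is the high-confidence rule and will age as the infrastructure changes; the msiexec.exe rule is the behavioural one and keeps working after the address moves, at the cost of needing an allow-list for any legitimate installer traffic in a given environment.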

About The Author:

Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blogs, he also writes for brands including Craw Security, Bytecode Security, and NASSCOM.
