
CyberSecurity

Operation Masquerade: How US Authorities Neutralized a Massive Russian DNS Hijacking Campaign

In a court-authorized counter-operation, United States law enforcement has dismantled a significant portion of a DNS hijacking network run by Russian military intelligence hackers. The campaign, attributed to the group tracked as APT28, had compromised thousands of internet routers in more than 23 states, turning them into tools for credential theft and espionage.

The Anatomy of a Router Hijack

For months, the threat actors, linked to Russia’s GRU Military Unit 26165, exploited vulnerabilities in common small office and home office (SOHO) routers, among them devices made by TP-Link. Once in control of a router, they changed the DNS settings it uses on behalf of the devices behind it, pointing name resolution at servers under their own control. Because every connection starts with a name lookup, an attacker who answers those lookups can steer a victim’s traffic through malicious servers and intercept login credentials and other sensitive data from targeted organizations without the victims’ knowledge. This technique is known as DNS hijacking.

A Coordinated Transatlantic Response

The discovery of this campaign triggered a coordinated response. On April 7, the US Department of Justice and the FBI announced the operation, dubbed “Operation Masquerade,” alongside detailed advisories from the UK’s National Cyber Security Centre and Microsoft Threat Intelligence. This rare public alignment underscored the scale and seriousness of the threat posed by the DNS hijacking network.

Operation Masquerade: A Surgical Takedown

Authorized by a federal court, the FBI’s operation was both technical and precise. Agents developed and sent a series of commands to the compromised routers located within the United States. The commands served three purposes: to gather forensic evidence of APT28’s activity, to reset the malicious DNS settings, and to close the vulnerability that had given the hackers access in the first place.

The operation was tested beforehand to make sure the commands neither damaged the routers nor collected content from legitimate users, and the remediation itself was designed to be non-destructive. “The court-authorized steps to remediate compromised routers can be reversed by legitimate users at any time through factory resets,” the Justice Department clarified. This approach balanced national security needs with protecting citizens’ property. Note the flip side: a factory reset also reverts the fix, so an owner who resets a remediated router should update its firmware and re-check its DNS settings afterwards.

Why SOHO Routers Are a Prime Target

This incident highlights a weak point in global cyber defenses: the often-overlooked SOHO router. These devices are attractive targets for several reasons. First, they are numerous and frequently lack robust security updates from manufacturers. Second, many users and small businesses set them up and forget them, rarely applying firmware patches. Third, a router sits in the path of every packet leaving the network and usually acts as its DNS resolver, so compromising it provides a vantage point over all traffic flowing through the network, making it an ideal tool for espionage.

Brett Leatherman, Assistant Director of the FBI’s Cyber Division, framed the threat starkly: “GRU actors compromised routers in the US and around the world, hijacking them to conduct espionage. Given the scale of this threat, sounding the alarm wasn’t enough.” This statement explains why an active, technical counter-operation was deemed necessary.

Essential Steps to Secure Your Router

In the wake of this takedown, cybersecurity agencies are urging all router owners to take proactive steps. The goal is to prevent your device from becoming part of the next DNS hijacking network. Here is a critical checklist for remediation and protection:

1. Replace Outdated Hardware: Check if your router model is on the manufacturer’s end-of-support list. Older devices no longer receive security updates, leaving them perpetually vulnerable.

2. Update Firmware Immediately: Always download and install the latest firmware directly from the official manufacturer’s website. Do not ignore update notifications.

3. Verify and Secure DNS Settings: Log into your router’s admin panel and check both the upstream (WAN) DNS servers the router uses and the DNS servers it hands out to your devices over DHCP. They should point to your ISP’s resolvers or a trusted public service such as Cloudflare (1.1.1.1) or Google (8.8.8.8); an address you do not recognize is a red flag. Confirm from a client as well (for example, ipconfig /all on Windows or resolvectl status on Linux) that the resolver actually in use is the one you expect. This is a key defense against hijacking.

4. Disable Remote Management: Unless you have a specific, essential need, turn off features that expose the router’s admin interface to the internet (WAN-side management). An admin panel reachable from outside your network is a common point of entry.

5. Follow Official Hardening Guides: Consult the security documentation from your router’s brand (e.g., TP-Link) for specific instructions on changing default passwords and enabling firewalls.

If you suspect your router was compromised, the DOJ advises contacting your local FBI field office or filing a report with the Internet Crime Complaint Center (IC3). For more general guidance on securing your home network, you can read our internal guide on home cybersecurity basics.

A Persistent Threat and a Firm Response

This operation sends a clear message about the evolving nature of state-sponsored cyber threats. Adversaries are increasingly targeting the soft underbelly of network infrastructure—consumer-grade devices—to launch sophisticated attacks. John A. Eisenberg, Assistant Attorney General for National Security, labeled the Russian campaign “a serious and persistent threat,” vowing to “use every tool at our disposal to detect such intrusions and expel hostile foreign actors from our nation’s networks.”

Ultimately, the dismantling of this DNS hijacking network is a significant victory for defensive cyber operations. However, it also serves as a powerful reminder. Cybersecurity is a shared responsibility. While government agencies can disrupt large-scale campaigns, individual users and businesses must secure their own digital gateways. As the FBI emphasized, defending our collective networks truly requires all of us. For a deeper look at how nation-state actors operate, explore our analysis on advanced persistent threat tactics.

Formbook Malware Campaign Exploits Multiple Obfuscation Techniques to Evade Detection

Cybercriminals have launched two distinct phishing campaigns, each with its own stealthy infection chain, against organizations running Microsoft Windows. The objective in both is to deploy Formbook, an infostealer that has been sold as malware-as-a-service since 2016.

Formbook is designed to harvest sensitive information—login credentials, browser data, and screenshots—while using advanced evasion techniques to slip past security tools. A decade after its debut, this threat remains active across industries, with no signs of slowing down.

How the Formbook Malware Campaign Works

Security researchers at WatchGuard have detailed two new Formbook campaigns in a blog post published on April 20. These attacks target companies in Greece, Spain, Slovenia, Bosnia, Croatia, and several South American countries. The phishing lures are disguised as routine business emails, making them hard to spot.

What sets these campaigns apart is the diversity of evasion methods. One relies on DLL sideloading, while the other uses obfuscated JavaScript. Both aim to deliver the same malicious payload: Formbook.

DLL Sideloading: A Classic Evasion Tactic

The first campaign starts with a phishing email carrying a RAR archive. Inside are four files: three dynamic-link libraries (DLLs) and one Windows executable (EXE). The executable is a legitimate program; one of the DLLs carries the name of a library that program loads by name, and because Windows searches the application’s own directory before the system directories for libraries that are not on its KnownDLLs list, the trusted program loads the attacker’s code. This is DLL sideloading, and it lets the malware run inside a legitimate process without triggering alarms.

The method is effective because the code executes under a trusted, often signed, executable, so application allowlisting and signature checks on the EXE see nothing wrong. Security teams often struggle to flag such behaviour as suspicious, giving attackers a clear path to deploy Formbook.

Obfuscated JavaScript: A Modern Twist

The second campaign takes a different route. It also begins with a phishing email, but this time, the malicious payload hides inside JavaScript and PDF files. The code is heavily obfuscated to evade detection.

When executed, the JavaScript drops two image files. Hidden inside them, within long strings, are obfuscated PowerShell commands. These commands run a Windows executable that deploys a custom malware loader. The same loader has previously distributed other threats, including Remcos, XWorm, AsyncRAT, and SmokeLoader; in this case, it delivers Formbook.

Why This Formbook Malware Campaign Matters

Formbook is not new, but its persistence and adaptability make it a serious concern. By using multiple obfuscation techniques, attackers can bypass traditional security measures. As a result, organizations must stay vigilant.

WatchGuard advises security teams to monitor for suspicious archive-based email attachments, anomalous DLL loading behavior, and PowerShell execution tied to user-opened attachments. They also recommend watching for signs of manual DLL mapping or direct syscall activity in memory.

Defending Against These Evasion Tactics

To counter these threats, companies should focus on behaviour-based detection. Correlating events across the attack chain (an archive attachment opened from mail, a DLL loaded from the extraction directory, a script host spawning PowerShell) can identify Formbook infections before data is compromised.

Additionally, implementing robust email filtering and endpoint protection solutions can reduce the risk. Employee training on phishing awareness is also crucial, as these attacks often rely on human error.

Conclusion: Staying Ahead of Formbook

This Formbook malware campaign highlights the evolving nature of cyber threats. Attackers are constantly refining their methods, using DLL sideloading and obfuscated JavaScript to stay one step ahead. However, with the right security strategies, organizations can detect and stop these attacks.

By understanding how these evasion techniques work, security teams can better protect their networks. The key is to remain proactive, monitor for unusual behavior, and educate users about the risks of phishing.

Hackers Steal Student Data in Major Breach at Education Tech Giant Instructure

The education technology sector has been rocked by a significant security incident. Instructure, the company behind the widely used Canvas learning management system, has confirmed a data breach that exposed sensitive student information. The notorious hacking group ShinyHunters has taken credit for the attack, claiming to have accessed a trove of personal data.

What Was Stolen in the Instructure Data Breach?

According to the company’s official statement, the breach exposed students’ private details: names, personal email addresses, and messages exchanged between teachers and students. The data the hackers claim to hold matches the types Instructure has acknowledged were compromised.

ShinyHunters shared a sample of the stolen information with TechCrunch, including records from two U.S. schools—one in Massachusetts and one in Tennessee. The Massachusetts data contained messages with names, email addresses, and some phone numbers. The Tennessee sample included full names and email addresses. Notably, passwords were not part of the leaked data, and Instructure confirmed that other sensitive data types remained unaffected.

ShinyHunters: The Group Behind the Attack

ShinyHunters has a track record of targeting universities and cloud database companies. This gang is financially motivated and often threatens to publish stolen data unless a ransom is paid. On its leak site, the group claimed the breach impacted nearly 9,000 schools worldwide and exposed data on 275 million individuals, including students, teachers, and staff. In an online chat, a ShinyHunters member told TechCrunch that the stolen data contained 231 million unique email addresses.

However, experts caution that such groups often exaggerate their claims to attract media attention and pressure victims. TechCrunch could not independently verify the full scope of the breach.

Impact on Schools and the Canvas Platform

Instructure’s Canvas platform is a cornerstone for many educational institutions, enabling course management, assignments, and communication. The breach raises serious concerns about the security of student data on such platforms. Schools using Canvas should review their account and integration settings and consider steps for protecting student information.

ShinyHunters also released a list of approximately 8,800 schools allegedly affected. While Instructure claims over 8,000 institutional customers, TechCrunch could not confirm whether all listed schools were affected or were even Instructure clients. The company’s spokesperson, Kate Holmes, declined to answer specific questions and directed inquiries to the company’s official update page.

Restoration Efforts and Ongoing Investigation

As of Tuesday, Instructure reported that some products, including Canvas, were restored for customers after undergoing maintenance. The company is continuing to investigate the breach and update its response. For those seeking more information, Instructure’s cybersecurity best practices for schools guide offers additional guidance.

This incident underscores the growing threat of cyberattacks on educational institutions. Schools must remain vigilant and implement robust security measures to safeguard sensitive data.

ZionSiphon Malware: A New Cyber Threat to Water Treatment and Desalination Plants

Security researchers have uncovered a new strain of malware, dubbed ZionSiphon, that specifically targets water treatment and desalination infrastructure. Discovered by Darktrace, this malicious software combines traditional endpoint hacking techniques with capabilities designed to interfere with industrial control systems (ICS). The discovery signals a worrying trend in cyberattacks aimed at critical infrastructure.

ZionSiphon is not just another piece of code: it is a purpose-built tool that could disrupt essential services. This article breaks down how it works, what it targets, and why it matters for global cybersecurity.

How ZionSiphon Malware Targets Water Systems

The malware includes hardcoded references to specific infrastructure components, such as desalination plants and wastewater systems. It also checks for software linked to reverse osmosis and chlorine control. This targeting logic ensures that the malware only activates under precise geographic and environmental conditions.

For example, the code restricts execution to IP ranges associated with Israel. It also embeds politically charged messages that hint at the motivation behind the campaign; these strings do not affect execution and serve only as context for the attackers’ intent.

Sabotage Functions and ICS Network Scanning

Once deployed in a qualifying environment, ZionSiphon attempts to manipulate local configuration files tied to industrial processes. It appends predefined values related to chlorine dosing and system pressure. If successful, this could disrupt water treatment operations, leading to unsafe water quality or system failures.

In addition, the malware includes a network discovery routine that scans local subnets for ICS devices. It probes common industrial protocols, including Modbus, DNP3, and S7comm. Darktrace observed that the Modbus-related functionality is the most developed, allowing the malware to read and potentially modify register values. The implementations for DNP3 and S7comm appear incomplete, suggesting partial development or testing stages. The focus on Modbus is telling: Modbus/TCP carries no authentication or integrity protection, so any host that can reach a PLC on TCP port 502 can read and write its registers, and the only barrier between a read-only poll and a setpoint change is network reachability.
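What that looks like on the wire, and what a defender can do with it, is shown below. This is an added example, not Darktrace’s code or a ZionSiphon sample: a Modbus/TCP frame parser, a rule that alerts on register or coil writes from hosts not on an allowlist of engineering workstations, and a flow-count heuristic for the subnet sweep the article describes. The addresses, the allowlist, the hypothetical dosing register address and the frames are all constructed.

```python
"""Modbus/TCP parsing plus write-from-unexpected-host and sweep detection."""
import struct
from typing import Optional

WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers",
                   22: "Mask Write Register", 23: "Read/Write Multiple Registers"}

# Assumption: the only hosts permitted to issue writes (HMI / engineering workstation).
WRITE_ALLOWLIST = {"10.20.0.10"}


def build_request(txid: int, unit: int, fc: int, addr: int, value_or_count: int) -> bytes:
    """MBAP header (txid, protocol 0, remaining length, unit id) + 5-byte PDU.
    Covers the single-address function codes (1-6); FC 15/16 carry extra data."""
    pdu = struct.pack("!BHH", fc, addr, value_or_count)
    return struct.pack("!HHHB", txid, 0, len(pdu) + 1, unit) + pdu


def parse_frame(frame: bytes) -> Optional[dict]:
    """Decode MBAP + PDU; returns None for truncated or non-Modbus data."""
    if len(frame) < 8:
        return None
    txid, proto, length, unit = struct.unpack("!HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        return None
    fc, exception = frame[7] & 0x7F, bool(frame[7] & 0x80)
    out = {"txid": txid, "unit": unit, "fc": fc, "exception": exception}
    if not exception and len(frame) >= 12:
        addr, second = struct.unpack("!HH", frame[8:12])
        out["addr"] = addr
        if fc in (5, 6):
            out["value"] = second          # value written to the coil/register
        elif fc in (1, 2, 3, 4, 15, 16):
            out["count"] = second          # number of coils/registers addressed
    return out


def classify(src_ip: str, frame: bytes) -> Optional[str]:
    """Alert string for a write from a non-allowlisted host, else None."""
    req = parse_frame(frame)
    if req is None or req["exception"]:
        return None
    fc = req["fc"]
    if fc in WRITE_FUNCTIONS and src_ip not in WRITE_ALLOWLIST:
        detail = ""
        if "value" in req:
            detail = f" addr={req['addr']} value={req['value']}"
        elif "count" in req:
            detail = f" addr={req['addr']} count={req['count']}"
        return f"{src_ip} -> unit {req['unit']}: {WRITE_FUNCTIONS[fc]}{detail}"
    return None


def scan_signature(flows: list, min_targets: int = 8) -> list:
    """Hosts opening TCP/502 to many distinct peers: the subnet sweep behaviour
    attributed to the malware. flows = [(src, dst, dport), ...]."""
    seen = {}
    for src, dst, dport in flows:
        if dport == 502:
            seen.setdefault(src, set()).add(dst)
    return [src for src, dsts in seen.items() if len(dsts) >= min_targets]


# Constructed traffic: a poll from the HMI, a setpoint write from the HMI, and the
# same write (hypothetical chlorine-dosing register at address 40) from a
# workstation that has no business writing to the PLC.
SAMPLE = [
    ("10.20.0.10", build_request(1, 1, 3, 40, 2)),
    ("10.20.0.10", build_request(2, 1, 6, 40, 350)),
    ("10.20.5.77", build_request(3, 1, 6, 40, 900)),
]

if __name__ == "__main__":
    for src, frame in SAMPLE:
        print(classify(src, frame))
    sweep = [("10.20.5.77", f"10.20.0.{i}", 502) for i in range(1, 20)]
    print(scan_signature(sweep))
```

Fed from a span port or flow logs on the OT segment, classify() gives a high-signal alert precisely because a write from anything other than the HMI should never happen, and scan_signature() catches the discovery phase before any write is attempted. Both depend on the segmentation recommended later in the article: if the PLC subnet is reachable from the corporate network, the allowlist is the only control left.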

Key Capabilities of the Water Infrastructure Malware

ZionSiphon exhibits several notable features designed to compromise water infrastructure:

  • Subnet-wide scanning for ICS devices using common OT protocols
  • Attempts to modify chlorine dosing and pressure parameters
  • Propagation via removable media using disguised executables
  • Persistence through registry modifications and hidden file placement

Despite these capabilities, the analyzed sample contains a flaw in its country validation logic. This error prevents the malware from correctly identifying intended targets. As a result, it may fail to activate its payload and instead trigger a self-deletion routine.

Indicators of Early-Stage OT Malware Development

The incomplete elements within ZionSiphon point to a tool still under development or not fully operational at the time of analysis. Errors in execution logic and partially implemented protocol support limit its immediate effectiveness. Even so, the structure of the malware reflects a growing interest among threat actors in developing tools capable of interacting directly with industrial processes.

Its combination of IT-based infection methods and OT-specific targeting illustrates an evolving approach to critical infrastructure attacks. While this version may not pose an immediate operational threat, it demonstrates how adversaries are experimenting with techniques that could, in more mature forms, disrupt physical systems and essential services.

For more on OT security, check out our article on OT cyber threats and learn how to protect your industrial control systems.

What This Means for Water Sector Cybersecurity

This discovery underscores the urgent need for enhanced cybersecurity measures in the water sector. As malware like ZionSiphon evolves, utilities must prioritize network segmentation, regular patching, and employee training to mitigate risks. Collaboration between government agencies and private companies is also crucial to share threat intelligence and develop robust defenses.

In conclusion, while ZionSiphon may be an early-stage threat, it serves as a stark reminder that critical infrastructure remains a prime target for cyberattacks. Staying vigilant and proactive is the best defense against such emerging dangers.
