Formbook Malware Campaign Exploits Multiple Obfuscation Techniques to Evade Detection

Cybercriminals have launched two distinct phishing campaigns, each employing a stealthy infection method, to target organizations running Microsoft Windows. The primary objective? To deploy Formbook, a notorious infostealer malware that has been a staple of malware-as-a-service operations since 2016.

Formbook is designed to harvest sensitive information—login credentials, browser data, and screenshots—while using advanced evasion techniques to slip past security tools. A decade after its debut, this threat remains active across industries, with no signs of slowing down.

How the Formbook Malware Campaign Works

Security researchers at WatchGuard have detailed two new Formbook campaigns in a blog post published on April 20. These attacks target companies in Greece, Spain, Slovenia, Bosnia, Croatia, and several South American countries. The phishing lures are disguised as routine business emails, making them hard to spot.

What sets these campaigns apart is the diversity of evasion methods. One relies on DLL sideloading, while the other uses obfuscated JavaScript. Both aim to deliver the same malicious payload: Formbook.

DLL Sideloading: A Classic Evasion Tactic

The first campaign starts with a phishing email containing an RAR file. Inside, there are four files: three dynamic-link libraries (DLLs) and one Windows executable (EXE). Attackers use DLL sideloading, a technique that tricks a legitimate program into loading a malicious DLL instead of a safe one. This allows the malware to run without triggering alarms.

This method is particularly effective because it abuses trusted system processes. Security teams often struggle to flag such behavior as suspicious, giving attackers a clear path to deploy Formbook.

Obfuscated JavaScript: A Modern Twist

The second campaign takes a different route. It also begins with a phishing email, but this time, the malicious payload hides inside JavaScript and PDF files. The code is heavily obfuscated to evade detection.

When executed, the JavaScript drops two image files. These images contain PowerShell commands, obfuscated within long strings of code. Ultimately, these commands run a Windows executable that deploys a custom malware loader. This loader has previously distributed other threats like Remcos, XWorm, AsyncRAT, and SmokeLoader. In this case, it delivers Formbook.

Why This Formbook Malware Campaign Matters

Formbook is not new, but its persistence and adaptability make it a serious concern. By using multiple obfuscation techniques, attackers can bypass traditional security measures. As a result, organizations must stay vigilant.

WatchGuard advises security teams to monitor for suspicious archive-based email attachments, anomalous DLL loading behavior, and PowerShell execution tied to user-opened attachments. They also recommend watching for signs of manual DLL mapping or direct syscall activity in memory.

Defending Against These Evasion Tactics

To counter these threats, companies should focus on behavior-based detection. Correlating activities across the attack chain—like email attachments, DLL loading, and PowerShell commands—can help identify Formbook infections before data is compromised.

Additionally, implementing robust email filtering and endpoint protection solutions can reduce the risk. Employee training on phishing awareness is also crucial, as these attacks often rely on human error.

Conclusion: Staying Ahead of Formbook

This Formbook malware campaign highlights the evolving nature of cyber threats. Attackers are constantly refining their methods, using DLL sideloading and obfuscated JavaScript to stay one step ahead. However, with the right security strategies, organizations can detect and stop these attacks.

By understanding how these evasion techniques work, security teams can better protect their networks. The key is to remain proactive, monitor for unusual behavior, and educate users about the risks of phishing.

ZionSiphon Malware: A New Cyber Threat to Water Treatment and Desalination Plants

Security researchers have uncovered a new strain of malware, dubbed ZionSiphon, that specifically targets water treatment and desalination infrastructure. Discovered by Darktrace, this malicious software combines traditional endpoint hacking techniques with capabilities designed to interfere with industrial control systems (ICS). The discovery signals a worrying trend in cyberattacks aimed at critical infrastructure.

This ZionSiphon malware water infrastructure threat is not just another piece of code—it’s a sophisticated tool that could potentially disrupt essential services. In this article, we break down how it works, what it targets, and why it matters for global cybersecurity.

How ZionSiphon Malware Targets Water Systems

The malware includes hardcoded references to specific infrastructure components, such as desalination plants and wastewater systems. It also checks for software linked to reverse osmosis and chlorine control. This targeting logic ensures that the malware only activates under precise geographic and environmental conditions.

For example, the code restricts execution to IP ranges associated with Israel. It also embeds politically charged messages, hinting at the motivations behind the campaign. However, these strings do not affect execution—they simply provide context for the attackers’ intent.

Sabotage Functions and ICS Network Scanning

Once deployed in a qualifying environment, ZionSiphon attempts to manipulate local configuration files tied to industrial processes. It appends predefined values related to chlorine dosing and system pressure. If successful, this could disrupt water treatment operations, leading to unsafe water quality or system failures.

In addition, the malware includes a network discovery routine that scans local subnets for ICS devices. It probes common industrial protocols, including Modbus, DNP3, and S7comm. Darktrace observed that the Modbus-related functionality is the most developed, allowing the malware to read and potentially modify register values. However, implementations for DNP3 and S7comm appear incomplete, suggesting partial development or testing stages.

Key Capabilities of the Water Infrastructure Malware

ZionSiphon exhibits several notable features designed to compromise water infrastructure:

• Subnet-wide scanning for ICS devices using common OT protocols
• Attempts to modify chlorine dosing and pressure parameters
• Propagation via removable media using disguised executables
• Persistence through registry modifications and hidden file placement

Despite these capabilities, the analyzed sample contains a flaw in its country validation logic. This error prevents the malware from correctly identifying intended targets. As a result, it may fail to activate its payload and instead trigger a self-deletion routine.

Indicators of Early-Stage OT Malware Development

The incomplete elements within ZionSiphon point to a tool still under development or not fully operational at the time of analysis. Errors in execution logic and partially implemented protocol support limit its immediate effectiveness. Even so, the structure of the malware reflects a growing interest among threat actors in developing tools capable of interacting directly with industrial processes.

Its combination of IT-based infection methods and OT-specific targeting illustrates an evolving approach to critical infrastructure attacks. While this version may not pose an immediate operational threat, it demonstrates how adversaries are experimenting with techniques that could, in more mature forms, disrupt physical systems and essential services.

For more on OT security, check out our article on OT cyber threats and learn how to protect your industrial control systems.

What This Means for Water Sector Cybersecurity

This discovery underscores the urgent need for enhanced cybersecurity measures in the water sector. As malware like ZionSiphon evolves, utilities must prioritize network segmentation, regular patching, and employee training to mitigate risks. Collaboration between government agencies and private companies is also crucial to share threat intelligence and develop robust defenses.

In conclusion, while ZionSiphon may be an early-stage threat, it serves as a stark reminder that critical infrastructure remains a prime target for cyberattacks. Staying vigilant and proactive is the best defense against such emerging dangers.

Kaspersky Uncovers Chinese Hackers’ Backdoor in Daemon Tools: A Widespread Supply Chain Attack

Security researchers at Kaspersky have identified a malicious backdoor embedded in the popular Windows disc imaging software, Daemon Tools. This discovery marks a significant supply chain attack that compromises thousands of computers globally.

According to a Tuesday report from the Russian cybersecurity firm, data collected from systems running Kaspersky’s antivirus software reveals a “widespread” campaign targeting Windows machines that use Daemon Tools. The hackers, linked to a Chinese-language speaking group based on malware analysis, exploited this backdoor to infiltrate a dozen high-value targets.

How the Chinese Hackers Backdoor Daemon Tools Works

Kaspersky’s investigation shows that the backdoor was first detected on April 8. The attackers used it to deploy additional malware on computers in the retail, scientific, and manufacturing sectors, as well as government systems. This selective targeting suggests a “targeted” effort, with victims located in Russia, Belarus, and Thailand.

The company noted that the supply chain attack remains “still active,” meaning the hackers can continue to plant malware on any system running the compromised software. This is a classic example of a supply chain attack, where malicious code is injected into legitimate software updates, affecting all users who download them.

The Mechanics of the Daemon Tools Backdoor

When TechCrunch downloaded the Windows installer from Daemon Tools’ official website, a check with the online malware scanner VirusTotal confirmed the presence of the backdoor. It remains unclear whether the macOS version of Daemon Tools or other Disc Soft applications are affected.

Kaspersky contacted Disc Soft, the company behind Daemon Tools, but did not disclose whether the developer responded or took immediate action. The ongoing nature of the attack raises concerns about the security of software supply chains.

Why This Supply Chain Attack Matters

This incident is part of a growing trend of supply chain attacks targeting popular software. Earlier this year, Chinese government-associated hackers hijacked the text editing software Notepad++ to deliver malware. Similarly, security researchers warned of an attack on CPUID, maker of HWMonitor and CPU-Z tools.

Supply chain attacks are particularly dangerous because they allow hackers to compromise a large number of systems at once by inserting malicious code into trusted software updates. This approach exploits the trust users place in legitimate applications, making it harder to detect.

For more insights on protecting your systems, read our guide on how to prevent supply chain attacks.

Response from Daemon Tools Developer Disc Soft

When contacted for comment, a Disc Soft representative stated they are “aware of the report and are currently investigating the situation.” The representative added, “Our team is treating this matter with the highest priority and is actively working to assess and address the issue. At this stage, we are not in a position to confirm specific details referenced in the report. However, we are taking all necessary steps to remediate any potential risks and to ensure the security of our users.”

This response indicates that Disc Soft is taking the threat seriously, but users should remain cautious. As the investigation unfolds, it is crucial for organizations using Daemon Tools to monitor for unusual activity and apply any security patches promptly.

What Users Should Do Now

If you use Daemon Tools on Windows, consider temporarily uninstalling the software until Disc Soft releases a clean update. Run a full antivirus scan with a reputable solution like Kaspersky or Malwarebytes to check for infections. Additionally, review your system for any signs of compromise, such as unexpected network traffic or new processes.

Building on this, organizations in the affected sectors should conduct a thorough security audit. Implementing strict software update policies and using endpoint detection tools can help mitigate risks. For further reading, check our article on best practices for software supply chain security.

Finally, stay informed about the latest cybersecurity threats. Following trusted security blogs and subscribing to threat intelligence feeds can provide early warnings. As this story develops, we will update with more details from Kaspersky and Disc Soft.