Formbook Stealth Campaigns: DLL Sideloading and JavaScript Obfuscation

The cybersecurity landscape has reached a critical inflection point as of April 20, 2026, with the discovery of highly sophisticated Formbook stealth campaigns targeting corporate entities across Europe and South America. These campaigns, meticulously documented by threat intelligence researchers, represent a significant evolution in the delivery of the Formbook (and its successor XLoader) infostealer. By pivoting away from simple executable attachments and toward a dual-track infection strategy involving DLL sideloading and complex JavaScript obfuscation, threat actors are successfully bypassing modern Endpoint Detection and Response (EDR) systems that once held the line against such threats.

The current wave specifically zeroes in on organizations in Greece, Spain, and Slovenia, as well as emerging markets in South America. Security analysts note that the timing of these lures coincides with regional tax cycles and procurement seasons, utilizing business-themed lures such as Requests for Proposals (RFPs) and overdue invoices to manipulate employees into initiating the infection chain. This editorial explores the technical intricacies of these new evasion techniques and the multi-layered defense strategies required to mitigate them.

The Dual-Track Attack Architecture

What distinguishes the 2026 Formbook stealth campaigns from previous iterations is the parallel deployment of two distinct infection vectors. This “A/B testing” of malware delivery allows attackers to maximize their success rate across different IT environments. If a target’s mail gateway flags a suspicious script, the alternative archive-based DLL sideloading attack may still find its way to the endpoint.

• Track One: DLL Sideloading via Trusted Binaries. This variant leverages the inherent trust that Windows places in legitimate executable files. By bundling a signed, legitimate application with a malicious Dynamic Link Library (DLL) in a single RAR or ZIP archive, attackers trick the operating system into executing the malware within a “safe” memory space.
• Track Two: Obfuscated JavaScript & Living-off-the-Land Binaries (LOLBins). The second variant utilizes heavily bloated JavaScript files, often exceeding 10MB in size, to exhaust automated sandbox analysis tools. This track relies on the abuse of legitimate system utilities like MSBuild.exe and PowerShell to load the final payload.

Deep Dive into DLL Sideloading Evasion

The first variant of the current Formbook campaign is a masterclass in exploiting the Windows search order. When a legitimate application requires a specific DLL to function, it often searches its local directory before moving to system-wide folders like C:\Windows\System32. Attackers exploit this by providing a legitimate, often digitally signed, Windows executable alongside a trojanized DLL that shares the name of a library the executable expects to load.

In the April 2026 samples, researchers have identified the use of four-file packages within malicious RAR archives. These packages typically include one legitimate Windows executable and three supporting DLLs. One of these DLLs acts as the primary loader, which, once triggered by the legitimate EXE, performs process hollowing or manual DLL mapping. Because the execution begins with a trusted process, many EDR solutions fail to trigger an alert, as the initial process behavior appears consistent with legitimate software operations.

JavaScript Obfuscation and the 10MB “Bloatware” Tactic

The second variant of these Formbook stealth campaigns utilizes a JavaScript-based infection chain that is remarkably resilient against automated detection. The initial delivery involves a business-themed email containing a RAR archive with a file such as cbmjlzan.JS. This script is not a typical lightweight downloader; instead, it is a massive 10MB file that incorporates thousands of lines of code from legitimate open-source libraries, such as the AsmDB project.

This “size bloating” serves two primary purposes:

1. Gateway Evasion: Many automated email scanners and sandbox environments have file size limits (often 5MB or 10MB) to maintain performance. By exceeding these limits, the malicious script often bypasses deep inspection entirely.
2. Heuristic Camouflage: By interweaving malicious commands with legitimate library code, the attackers confuse heuristic engines that look for specific patterns of malicious script behavior.

The Role of MSBuild.exe in the Infection Chain

Once the obfuscated JavaScript is executed via the Windows Script Host (wscript.exe), it does not immediately drop the Formbook malware. Instead, it initiates a multi-stage loading process designed to “live off the land.” The script establishes persistence by creating a scheduled task that runs every 15 minutes, ensuring the infection survives reboots.

The script then drops several encrypted files disguised as harmless images—specifically Brio.png, Orio.png, and Xrio.png—into the C:\Users\Public\ directory. These are not images but AES-encrypted payloads. A PowerShell command is then invoked to decrypt these files and inject a malicious .NET DLL into MSBuild.exe. MSBuild.exe is a legitimate Microsoft tool used for building software applications; by hijacking its process space, Formbook can perform its data harvesting tasks under the guise of legitimate developer activity, a technique that is notoriously difficult for traditional antivirus to detect.

Advanced Evasion: Patching ETW and AMSI

The 2026 Formbook stealth campaigns take evasion a step further by actively tampering with the Windows security subsystem. Before the final Formbook payload is fully unrolled in memory, the PowerShell loader performs two critical “surgical” operations on the running process:

• Patching AMSI (Anti-Malware Scan Interface): By modifying the AmsiScanBuffer function in memory, the malware effectively “blinds” Windows Defender and other integrated security tools, preventing them from scanning the malicious buffers being loaded into the MSBuild.exe process.
• Disabling ETW (Event Tracing for Windows): The malware patches EtwEventWrite to suppress the generation of system logs that would typically alert defenders to suspicious API calls or process injections. This creates a “telemetry black hole” where the malware’s most aggressive actions remain invisible to centralized logging and SIEM (Security Information and Event Management) platforms.

Formbook’s Core Capabilities in 2026

Once Formbook is successfully established within the memory space of a trusted process, it begins its primary mission of information exfiltration. Despite being a decade-old malware family, Formbook remains a “premier” infostealer due to its robust feature set and the Infrastructure-as-a-Service (IaaS) model used by its developers. The current variant is capable of:

• Credential Harvesting: Extracting stored passwords and session cookies from over 25 different web browsers, including Chrome, Firefox, and Edge.
• Form Grabbing: Monitoring HTTP/HTTPS traffic to capture data entered into web forms in real-time.
• Keystroke Logging: Recording every input to capture login credentials for local applications and VPNs.
• Screenshot Capture: Periodically taking snapshots of the victim’s desktop to gather visual intelligence on business operations.
• Browser Data Monitoring: Accessing history and autofill data to map out the victim’s digital footprint.

Regional Targeting: Greece, Spain, and Slovenia

The concentration of these Formbook stealth campaigns in Greece, Spain, and Slovenia suggests a coordinated effort to exploit specific regional business vulnerabilities. In Spain and Greece, the lures often mimic official government communications regarding VAT (Value Added Tax) compliance or maritime shipping invoices—sectors that are vital to these economies. In Slovenia, the attacks have been observed targeting the manufacturing and logistics sectors with fake “Project Specification” documents.

Threat intelligence data from mid-April 2026 shows a massive surge in Command and Control (C2) infrastructure, with over 55 new C2 servers coming online in a single 24-hour period. These servers are often hosted on bulletproof infrastructure with no clear geographic pattern, making it difficult for international law enforcement to dismantle the network. This rapid rotation of infrastructure is a hallmark of the sophisticated affiliate groups now leveraging Formbook for high-volume corporate espionage.

Strategic Defense and Remediation

Combating the latest Formbook stealth campaigns requires a departure from signature-based detection toward a more behavioral and proactive “hunting” posture. Because the malware thrives in the memory of trusted processes, defenders must look for the “shadows” left by its infection chain.

Hunting for Indicators of Compromise (IoCs)

Security teams are advised to monitor for the following “red flag” behaviors:

• Anomalous MSBuild Activity: Any instance of MSBuild.exe or vbc.exe making outbound network connections, especially to uncategorized or newly registered domains.
• Script Host Anomalies: Execution of wscript.exe or cscript.exe that originates from a temporary directory or an email attachment folder.
• Public Directory Artifacts: The presence of non-image files with .png or .jpg extensions in C:\Users\Public\, particularly files named Brio, Orio, or Xrio.
• PowerShell Evasion Flags: PowerShell execution strings containing -Noexit -nop -WindowStyle Hidden combined with Base64 encoded commands.

Recommended Hardening Measures

Beyond hunting, organizations can reduce their attack surface by implementing the following controls:

1. Restrict Script Interpreters: Use AppLocker or Windows Defender Application Control (WDAC) to block the execution of .js, .vbs, and .hta files by default, unless they are digitally signed by a trusted internal source.
2. Disable MSBuild for Non-Developers: Since MSBuild.exe is a primary vehicle for injection, its execution should be restricted to known developer workstations via group policy.
3. Implement Advanced Memory Protection: Ensure that EDR solutions are configured to detect and block AMSI/ETW patching attempts, which are clear indicators of malicious intent.
4. Email Authentication: Enforce strict DMARC, SPF, and DKIM policies to reduce the likelihood of spoofed business emails reaching the inbox.

Conclusion: The Persistence of the Infostealer

The April 2026 Formbook stealth campaigns serve as a stark reminder that even “legacy” malware can remain a Tier-1 threat when paired with modern evasion techniques. The shift toward DLL sideloading and JavaScript-based LOLBin abuse demonstrates that attackers are no longer content with simple “click-to-run” payloads. They are instead building complex, multi-stage delivery platforms that exploit the fundamental trust mechanisms of the Windows operating system.

For organizations in Greece, Spain, and Slovenia, the message is clear: the threat is regional, targeted, and technically advanced. Success in the current threat landscape depends not on the strength of a single antivirus product, but on a holistic defense-in-depth strategy that combines rigorous application control, proactive threat hunting, and a culture of cybersecurity awareness that can spot a “10MB invoice” before the first script is ever executed.