FormBook Malware Analysis: Phishing Campaigns Use DLL Side-Loading and Obfuscated JavaScript to Target Businesses
ID: 4658980c-3d17-5197-8a86-8ae2272e4670
STIX ID: report--4658980c-3d17-5197-8a86-8ae2272e4670
Feed Name: WatchGuard Secplicity Blog
WatchGuard telemetry identified two phishing campaigns targeting organizations across Greece, Spain, Slovenia, Bosnia and Latin/Central America that deliver the FormBook infostealer. One campaign uses RAR attachments and DLL side-loading to abuse legitimate executables; the other uses heavily obfuscated JavaScript that drops encrypted payloads, which are decoded by PowerShell and a .NET 'Mandark' loader. The report provides a deep technical analysis of the loaders and of FormBook itself (notably its manual mapping of ntdll.dll and use of direct syscalls to evade monitoring) and lists file hashes and filename-based IOCs to aid detection and response.
