ComicForm Targets Eurasia
A new group, ComicForm, has been attacking organizations in Belarus, Kazakhstan, and Russia with phishing emails since April 2025. Its targets include finance and biotech. The campaign deploys Formbook malware.
The emails mimic official documents and urge recipients to open attached archives. Victims who do so run malicious executables disguised as PDFs.
The executable launches a .NET loader that deploys a malicious DLL, which in turn drops Formbook through a second DLL. The layered chain is designed to evade detection.
Evasion Tactics
The malware creates scheduled tasks and adds antivirus exclusions. It also uses comic-themed links as decoys to hide its true intent.
Phishing pages mimic login services and steal email addresses and phone numbers, giving attackers access to accounts and, through them, to sensitive systems.
JavaScript on the phishing page extracts the email domain and sets a screenshot of the corresponding website as the page background, which makes the page look more realistic and improves phishing success.
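As an added defensive example (not code from the original article or from either campaign), the following Python correlates two kinds of Windows events that the scheduled-task and antivirus-exclusion behaviour described above would produce: a Defender path exclusion being added (event ID 5007) followed on the same host by a scheduled task (event ID 4698) whose program sits inside the newly excluded folder. The sample events are constructed, their message layouts are simplified, and the field names ts, host and event_id are assumptions about the log pipeline.

```python
import re
from datetime import datetime

# Constructed sample Windows events, not real telemetry from the campaign.
# Event IDs 5007 (Defender configuration changed) and 4698 (scheduled task
# created) are real; the message layouts are simplified approximations.
SAMPLE_EVENTS = [
    {"ts": "2025-06-02T09:14:03", "host": "WS-17", "event_id": 5007,
     "message": "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\Public\\Libs = 0x0"},
    {"ts": "2025-06-02T09:14:41", "host": "WS-17", "event_id": 4698,
     "message": "A scheduled task was created. Task Name: \\Updater Command: C:\\Users\\Public\\Libs\\svc.exe"},
    {"ts": "2025-06-02T11:02:10", "host": "WS-22", "event_id": 4698,
     "message": "A scheduled task was created. Task Name: \\Sync Command: C:\\Program Files\\Vendor\\sync.exe"},
]

EXCL_MARKER = "Windows Defender\\Exclusions\\Paths\\"

def excluded_path(message):
    """Folder added to Defender's path exclusions in a 5007 message, lower-cased, or None."""
    i = message.find(EXCL_MARKER)
    if i < 0:
        return None
    return message[i + len(EXCL_MARKER):].split(" = ")[0].rstrip("\\").lower()

def task_command(message):
    """Program a 4698 message says the new task runs, lower-cased, or None."""
    m = re.search(r"Command:\s*(.+?)\s*$", message)
    return m.group(1).lower() if m else None

def correlate(events, window_minutes=30):
    """Alert when a host gains a Defender path exclusion and, within the window,
    a scheduled task is created whose program lives inside that excluded folder."""
    exclusions = []  # (host, time, folder)
    for e in events:
        folder = excluded_path(e["message"]) if e["event_id"] == 5007 else None
        if folder:
            exclusions.append((e["host"], datetime.fromisoformat(e["ts"]), folder))
    alerts = []
    for e in events:
        cmd = task_command(e["message"]) if e["event_id"] == 4698 else None
        if not cmd:
            continue
        t = datetime.fromisoformat(e["ts"])
        for host, t0, folder in exclusions:
            delta = (t - t0).total_seconds()
            if host == e["host"] and 0 <= delta <= window_minutes * 60 and cmd.startswith(folder + "\\"):
                alerts.append({"host": host, "excluded": folder, "task_cmd": cmd})
    return alerts
```

Running correlate(SAMPLE_EVENTS) flags only WS-17, where the task's program lives under the folder excluded 38 seconds earlier; the WS-22 task has no matching exclusion and is ignored.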
SectorJ149’s Attacks
SectorJ149 has targeted South Korean industries with spear-phishing since November 2024, deploying Formbook and other RATs. The pattern of activity indicates a hacktivist motive.
SectorJ149 sends CAB archives containing Visual Basic scripts. The scripts fetch loaders from repositories, and those loaders deliver the final payloads.
In-Memory Execution
The malware runs in memory: it downloads payloads disguised as text files, then decrypts and executes them in memory, which avoids disk-based detection.
The campaigns hit manufacturing and energy companies and focus on executives, aiming for high-value data in critical industries.
Preventing ComicForm Attacks
To stop ComicForm and SectorJ149, verify email attachments and use advanced phishing filters. Real-time threat monitoring can detect the loaders, and cybersecurity training helps staff spot fakes. By staying vigilant, organizations protect their systems.
Sleep well, we got you covered.

