Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

ComicForm and SectorJ149 Hackers Deploy Formbook Malware in Eurasian Cyberattacks

The Hacker News by The Hacker News
September 22, 2025
Home Cybersecurity
Share on FacebookShare on Twitter


Organizations in Belarus, Kazakhstan, and Russia have emerged as the target of a phishing campaign undertaken by a previously undocumented hacking group called ComicForm since at least April 2025.

The activity primarily targeted industrial, financial, tourism, biotechnology, research, and trade sectors, cybersecurity company F6 said in an analysis published last week.

The attack chain involves sending emails bearing subject lines like “Waiting for the signed document,” “INvoice for Payment,” or “Reconciliation Act for Signature,” urging recipients to open an RR archive, within which there exists a Windows executable that masquerades as a PDF document (e.g., “Акт_сверки pdf 010.exe”). The messages, written in Russian or English, are sent from email addresses registered in the .ru, .by, and .kz top-level domains.

The executable is an obfuscated .NET loader designed to launch a malicious DLL (“MechMatrix Pro.dll”), which subsequently runs a third-stage payload, another DLL named “Montero.dll” that serves as a dropper for the Formbook malware, but not before creating a scheduled task and configuring Microsoft Defender exclusions to evade detection.

DFIR Retainer Services

Interestingly, the binary has also been found to contain Tumblr links pointing to completely harmless GIFs of comic superheroes like Batman, giving the threat actor its name. “These images were not used in any attack, but were merely part of the malware code,” F6 researcher Vladislav Kugan said.

Analysis of ComicForm’s infrastructure has revealed signs that phishing emails have also been directed against an unspecified company operating in Kazakhstan in June 2025 and a Belarusian bank in April 2025.

F6 also said it detected and blocked phishing emails sent to Russian manufacturing companies from the email address of a Kazakhstan-based industrial company as recently as July 25, 2025. These digital missives prompt prospective targets to click on an embedded link to confirm their account and avoid a potential block.

Users who click on the link are redirected to a bogus landing page mimicking the login page of a domestic document management service to facilitate credential theft by transmitting the entered information to an attacker-controlled domain in the form of an HTTP POST request.

“Additionally, JavaScript code was found in the page body that extracts the email address from URL parameters, populates the input field with id=”email” , extracts the domain from the email address, and sets a screenshot of that domain’s website (via the screenshotapi[.]net API) as the background of the phishing page,” Kugan explained.

The attack aimed at the Belarusian bank involved sending a phishing email with an invoice-themed lure to trick users into entering their email addresses and phone numbers in a form, which are then captured and sent to an external domain.

“The group attacks Russian, Belarusian, and Kazakh companies from various sectors, and the use of English-language emails suggests that the attackers are also targeting organizations in other countries,” F6 said. “The attackers employ both phishing emails distributing FormBook malware and phishing resources disguised as web services to harvest access credentials.”

Pro-Russian Group Targets South Korea with Formbook

The disclosure comes as the NSHC ThreatRecon Team disclosed details of a pro-Russian cybercrime group that has targeted manufacturing, energy, and semiconductor sectors in South Korea. The activity has been attributed to a cluster called SectorJ149 (aka UAC-0050).

The attacks, observed in November 2024, commenced with spear-phishing emails targeting executives and employees using lures related to production facility purchases or quotation requests, leading to the execution of commodity malware families like Lumma Stealer, Formbook, and Remcos RAT by means of a Visual Basic Script distributed as a Microsoft cabinet (CAB) archive.

CIS Build Kits

The Visual Basic Script is engineered to run a PowerShell command that reaches out to a Bitbucket or GitHub repository to fetch a JPG image file, which conceals a loader executable responsible for launching the final stealer and RAT payloads.

“The PE Malware executed directly in the memory area is a loader-type Malware that downloads additional malicious data disguised as a text file (.txt) through a URL included in the provided parameter values, decrypts it, and then generates and executes the PE Malware,” the Singaporean cybersecurity company said.

“In the past, the SectorJ149 group primarily operated for financial gain, but the recent hacking activities targeting Korean companies are believed to have a strong hacktivist nature, using hacking techniques to convey political, social, or ideological messages.”



Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
The Hacker News

The Hacker News

Next Post
Watch new Fed Governor Stephen Miran speak live on the economy and interest rates

Watch new Fed Governor Stephen Miran speak live on the economy and interest rates

Recommended.

Eforthink Displays the Future of UWB Technologies and Intelligent Living with Groundbreaking Products and Solutions at CES 2026

Eforthink Displays the Future of UWB Technologies and Intelligent Living with Groundbreaking Products and Solutions at CES 2026

January 15, 2026
STL assure une connectivité ultra-rapide avec Mynet pour un centre de données au « cœur des montagnes »

STL assure une connectivité ultra-rapide avec Mynet pour un centre de données au « cœur des montagnes »

February 26, 2026

Trending.

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

May 4, 2026
AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

May 1, 2026
Google’s 0 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

Google’s $750 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

April 24, 2026
AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

April 30, 2026
This Scammer Used an AI-Generated MAGA Girl to Grift ‘Super Dumb’ Men

This Scammer Used an AI-Generated MAGA Girl to Grift ‘Super Dumb’ Men

April 21, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio