Executive Summary
In April 2025, a previously unknown threat group known as ComicForm, in tandem with the SectorJ149 collective, launched a sophisticated phishing campaign against organizations in Belarus, Kazakhstan, and Russia. Using spear-phishing emails, the attackers delivered Formbook malware, an advanced infostealer, to infiltrate sectors including industrial, financial, biotechnology, research, tourism, and trade. The campaign's attack chain leveraged malicious email attachments and deceptive lures aimed at harvesting sensitive credentials, exfiltrating business information, and enabling internal lateral movement, causing operational disruptions and exposing confidential data.
This incident exemplifies the rise of regionally targeted malware campaigns by emerging threat actors who combine phishing, credential theft, and infostealer malware. Current threat intelligence points to increased infostealer usage, especially in sectors with valuable intellectual property, necessitating enhanced vigilance and stronger defense-in-depth strategies.
Why This Matters Now
This breach underscores an urgent trend: new and agile threat actors are rapidly targeting Eurasian organizations using highly effective infostealer malware via phishing campaigns. With critical sectors increasingly under attack, organizations must accelerate investments in email security, network segmentation, and real-time anomaly detection to address this evolving threat landscape.
Attack Path Analysis
Attackers initiated the breach via phishing emails delivering Formbook infostealer malware to targets across Eurasian sectors. Upon execution, the malware gained unauthorized access and likely escalated privileges to maintain persistence. The adversaries then attempted to move laterally within cloud and internal networks to access further sensitive resources and services. Command and control channels were established using encrypted outbound communications to receive commands and exfiltrate stolen data. Sensitive information was exfiltrated via network egress to attacker-controlled infrastructure. The overall impact included theft of confidential documents, credentials, and potential business disruption.
Kill Chain Progression
Initial Compromise
Description
Attackers delivered spear-phishing emails containing Formbook malware, leading to user endpoint and initial cloud foothold compromise.
Related CVEs
CVE-2017-11882
CVSS 7.8. A memory corruption vulnerability in Microsoft Office's Equation Editor allows remote code execution when a user opens a specially crafted file.
Affected Products:
Microsoft Office – 2007 SP3, 2010 SP2, 2013 SP1, 2016
Exploit Status:
exploited in the wild
CVE-2017-0199
CVSS 7.8. A vulnerability in Microsoft Office allows remote attackers to execute arbitrary code via a crafted document that triggers automatic execution of embedded OLE2 objects.
Affected Products:
Microsoft Office – 2007 SP3, 2010 SP2, 2013 SP1, 2016
Exploit Status:
exploited in the wild
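As an added defender-side example (not from the report or the product it promotes), the following Python triage check flags an attachment that carries the known markers of the two CVEs above. The Equation Editor ProgID/CLSID and the RTF \objupdate control word are assumed, well-known indicators that the page itself does not list, and the sample inputs are constructed.

```python
"""Attachment triage for the two Office CVEs listed above (added example, not
from the report or any product). Indicators are assumed, well-known markers:
CVE-2017-11882 -> Equation Editor ProgID "Equation.3" / CLSID
{0002CE02-0000-0000-C000-000000000046}; CVE-2017-0199 -> RTF \\objupdate,
which refreshes an embedded OLE link (fetching its payload) as the file opens."""
import re
import uuid

EQUATION_CLSID = uuid.UUID("0002ce02-0000-0000-c000-000000000046")
_CLSID_RAW = EQUATION_CLSID.bytes_le      # as stored in an OLE directory entry
_CLSID_HEX = _CLSID_RAW.hex().encode()    # as it appears in an RTF \objdata blob

# (view, needle, reason): "binary" needles match the raw bytes, "text" needles
# a lower-cased view with whitespace and NUL bytes removed.
_INDICATORS = {
    "CVE-2017-11882": [
        ("text", b"equation.3", "Equation Editor ProgID present"),
        ("binary", _CLSID_RAW, "Equation Editor CLSID (binary, OLE directory)"),
        ("text", _CLSID_HEX, "Equation Editor CLSID (hex, RTF \\objdata)"),
    ],
    "CVE-2017-0199": [
        ("text", b"\\objupdate", "\\objupdate forces OLE link refresh on open"),
    ],
}


def triage_attachment(data: bytes) -> dict[str, list[str]]:
    """Return {cve: [reasons]} found in attachment bytes. Heuristic only (no
    CFB/RTF parsing); hand anything flagged to oletools' rtfobj or oleobj."""
    # RTF hex blobs wrap across lines and OLE CompObj streams hold UTF-16LE
    # strings, so strip whitespace and NULs before text matching.
    text_view = re.sub(rb"[\s\x00]+", b"", data.lower())
    hits: dict[str, list[str]] = {}
    for cve, indicators in _INDICATORS.items():
        for view, needle, reason in indicators:
            if needle in (data if view == "binary" else text_view):
                hits.setdefault(cve, []).append(reason)
    return hits


# Constructed samples (not real malware): an RTF carrying both indicators, a
# benign RTF with an ordinary embedded object, and a CFB-like byte fragment.
SUSPICIOUS_RTF = (
    b"{\\rtf1{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
    b"{\\*\\objdata 0105000002000000\n" + _CLSID_HEX[:16] + b"\n"
    + _CLSID_HEX[16:] + b"}}}"
)
BENIGN_RTF = b"{\\rtf1{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata 0105}}}"
OLE_FRAGMENT = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8 + _CLSID_RAW
```

A hit is a reason to quarantine and hand the file to a full parser, not proof of exploitation; a benign Equation.3 object also carries the ProgID.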
MITRE ATT&CK® Techniques
Phishing
Malicious File
Command and Scripting Interpreter
Credentials from Password Stores
Web Protocols
Exfiltration Over Web Service
Screen Capture
System Information Discovery
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Detect and Identify Malicious Software
Control ID: 5.1.2
NYDFS 23 NYCRR 500 – Cybersecurity Program
Control ID: 500.02
DORA (Digital Operational Resilience Act) – ICT Risk Management Requirements
Control ID: Art. 9(2)
CISA Zero Trust Maturity Model 2.0 – Implement robust phishing-resistant authentication
Control ID: Identity Pillar: Phishing-Resistant MFA
NIS2 Directive – Technical and Organizational Measures
Control ID: Art. 21(2)(a)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
The Formbook infostealer targets financial institutions in Belarus, Kazakhstan, and Russia, requiring enhanced egress security, encrypted traffic protection, and zero trust segmentation.
Biotechnology/Greentech
The biotechnology sector faces targeted phishing campaigns deploying Formbook malware, necessitating threat detection, anomaly response capabilities, and multicloud visibility controls.
Leisure/Travel
The tourism industry, targeted by the ComicForm group, requires comprehensive east-west traffic security, inline IPS protection, and a cloud native security fabric implementation.
Research Industry
Research organizations vulnerable to Eurasian cyberattacks need Kubernetes security, secure hybrid connectivity, and enhanced policy enforcement against data exfiltration threats.
Sources
- ComicForm and SectorJ149 Hackers Deploy Formbook Malware in Eurasian Cyberattacks – https://thehackernews.com/2025/09/comicform-and-sectorj149-hackers-deploy.html
- FormBook Malware Phishing Campaigns – https://www.hhs.gov/sites/default/files/formbook-malware-phishing-campaigns.pdf
- FormBook Returns: Exploiting CVE-2017-0199 via Malicious Excel Attachments in New Phishing Campaign – https://securityonline.info/formbook-returns-exploiting-cve-2017-0199-via-malicious-excel-attachments-in-new-phishing-campaign/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, egress controls, inline threat detection, and cloud-focused visibility would have detected anomalous activity, blocked lateral movement, prevented unauthorized exfiltration, and contained the Formbook campaign before major data loss could occur.
Control: Threat Detection & Anomaly Response
Mitigation: Suspicious initial access and malware behaviors detected in real time.
Control: Zero Trust Segmentation
Mitigation: Unauthorized privilege escalation attempts are blocked based on identity and least privilege policies.
Control: East-West Traffic Security
Mitigation: Lateral movement traffic is segmented and monitored, stopping spread to other workloads.
Control: Cloud Firewall (ACF)
Mitigation: Outbound C2 channels are detected and blocked by URL and FQDN filtering.
Control: Egress Security & Policy Enforcement
Mitigation: Unauthorized data transfers are prevented or flagged for incident response.
Comprehensive visibility ensures rapid detection and incident response to minimize harm.
Impact at a Glance
Affected Business Functions
- Financial Transactions
- Research and Development
- Customer Data Management
Estimated downtime: 5 days
Estimated loss: $500,000
Potential exposure of sensitive financial data, intellectual property, and personal customer information due to FormBook malware's data-stealing capabilities.
Recommended Actions
Key Takeaways & Next Steps
- Enforce zero trust microsegmentation policies to ensure only authorized identities and workloads can communicate.
- Deploy inline anomaly detection and threat intelligence feeds for rapid identification of malware and suspicious user behaviors.
- Implement granular egress filtering and FQDN controls to prevent unauthorized data exfiltration and C2 communications.
- Leverage centralized cloud network visibility for continuous monitoring and rapid containment of anomalous activity.
- Regularly assess and update east-west traffic security to reduce lateral movement opportunities within and across cloud regions.