Fortinet researchers have identified a sophisticated new variant of the FormBook malware that grants cybercriminals complete remote control over Windows systems through an elaborate multi-stage attack process.
The latest analysis, published on May 27, 2025, reveals that this information-stealing malware has evolved significantly, incorporating advanced anti-analysis techniques and leveraging legitimate Windows processes to evade detection.
Fortinet reports that the new FormBook campaign initiates through carefully crafted phishing emails containing malicious Word documents that exploit the CVE-2017-11882 vulnerability in Microsoft Office’s Equation Editor.
Upon successful exploitation, the malware downloads and decrypts a hidden FormBook payload disguised as a fake PNG file, demonstrating the attackers’ commitment to stealth operations.
The malware employs process hollowing techniques, initially targeting the “ImagingDevices.exe” process before systematically injecting itself into randomly selected child processes of explorer.exe.
Security analyst Xiaopeng Zhang’s research revealed that the malware maintains a list of twelve encrypted process names, including “PATHPING.EXE,” “fontview.exe,” and “MuiUnattend.exe,” all residing in the “C:\Windows\SysWOW64” folder.
The malware repeatedly attempts to launch these processes until one successfully executes, then performs process hollowing to inject the FormBook payload.
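The launch-and-hollow behaviour described above leaves a process-creation trail that endpoint telemetry can catch: explorer.exe spawning rarely used SysWOW64 binaries, several of them within seconds. The following detection sketch is an added example (not Fortinet's or the malware's code) run over constructed Sysmon-style event lines; the watch list holds only the three names quoted in the write-up, since the page does not give the full list of twelve, and the explorer.exe parent and ten-second burst window are assumptions.

```python
"""Flag explorer.exe launching watched SysWOW64 binaries (constructed telemetry)."""
from collections import defaultdict
from datetime import datetime
import ntpath

# Names quoted in the write-up; the page says the real list has twelve entries,
# so treat this as a partial watch list (assumption: extend from your own telemetry).
WATCHED = {"pathping.exe", "fontview.exe", "muiunattend.exe"}
SYSWOW64 = "c:\\windows\\syswow64\\"
BURST_WINDOW_S = 10   # assumption: retries "until one succeeds" land within seconds

def parse_event(line):
    """Parse 'key=value' pairs separated by '|' into a dict (constructed format)."""
    fields = dict(kv.split("=", 1) for kv in line.split("|"))
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields

def is_suspicious_launch(ev):
    """explorer.exe spawning a watch-listed binary from the SysWOW64 folder."""
    image = ev["Image"].lower()
    parent = ntpath.basename(ev["ParentImage"]).lower()
    return (parent == "explorer.exe"
            and image.startswith(SYSWOW64)
            and ntpath.basename(image) in WATCHED)

def detect(lines):
    """Return per-event hits plus the parent PIDs that launched several watched
    binaries inside BURST_WINDOW_S seconds (the retry loop the article describes)."""
    hits, by_parent = [], defaultdict(list)
    for ev in map(parse_event, lines):
        if is_suspicious_launch(ev):
            hits.append((ev["ts"], ev["ParentProcessId"], ev["Image"]))
            by_parent[ev["ParentProcessId"]].append(ev["ts"])
    bursts = [pid for pid, ts in by_parent.items()
              if len(ts) > 1 and (max(ts) - min(ts)).total_seconds() <= BURST_WINDOW_S]
    return hits, bursts

SAMPLE = [  # constructed sample events, not real indicators
    "ts=2025-05-27T10:00:01|ParentProcessId=4120|ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\SysWOW64\\PATHPING.EXE",
    "ts=2025-05-27T10:00:02|ParentProcessId=4120|ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\SysWOW64\\fontview.exe",
    "ts=2025-05-27T10:00:03|ParentProcessId=4120|ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\SysWOW64\\MuiUnattend.exe",
    "ts=2025-05-27T10:05:00|ParentProcessId=4120|ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\notepad.exe",
    "ts=2025-05-27T10:06:00|ParentProcessId=9001|ParentImage=C:\\Windows\\System32\\cmd.exe|Image=C:\\Windows\\SysWOW64\\PATHPING.EXE",
]

if __name__ == "__main__":
    found, burst_parents = detect(SAMPLE)
    for hit in found:
        print("watched launch:", hit)
    print("burst from parent PIDs:", burst_parents)
```

Three watched launches from parent 4120 inside two seconds produce one burst alert; the notepad.exe and cmd.exe-spawned events are ignored.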
This FormBook variant demonstrates remarkable sophistication through its implementation of the Heaven’s Gate technique, which allows 32-bit processes to execute 64-bit code on Windows x64 systems.
The malware switches execution modes by modifying the CS (Code Segment) register, transitioning from 32-bit mode (0x23) to 64-bit mode (0x33) through instructions like “jmp far 0x33:{address}”.
The malware deploys multiple anti-analysis mechanisms to frustrate security researchers. It loads a duplicated ntdll.dll in memory, calling APIs from this copy rather than the original, making analysis significantly more complex.
Additionally, FormBook encrypts over 100 key functions that are only decrypted during execution and immediately re-encrypted afterward, presenting substantial challenges for static analysis.
The malware actively detects virtualized environments by checking for blacklisted process names including “vmwareuser.exe,” “sandboxiedcomlaunch.exe,” “procmon.exe,” and “wireshark.exe”.
It also examines usernames and execution paths for indicators of sandbox environments, such as directories containing “\cuckoo,” “\sandbox,” or “\aswsnx”.
Once established, FormBook demonstrates extensive data harvesting capabilities, targeting credentials from major web browsers including Chrome, Firefox, Internet Explorer, and Edge.
The malware executes SQL queries such as “SELECT origin_url, username_value, password_value FROM logins” against Chrome’s SQLite databases to extract stored credentials.
The malware maintains communication with 64 Command and Control (C2) domains that undergo multi-layered obfuscation, being encrypted, Base64-encoded, and encrypted again.
Through these C2 servers, FormBook can execute nine distinct control commands ranging from file execution and system updates to complete system shutdown.
Security firm Fortinet has confirmed that customers using FortiGuard’s Anti-Botnet Service, Web Filtering, IPS, and AntiVirus services are protected against this campaign.
Organizations should implement comprehensive endpoint protection and keep security solutions updated to defend against this evolving threat, which continues to demonstrate the persistent danger of commodity malware services.