#formbook


🚨 0-day vibes from 2017? Yup, it’s still happening.

A malicious Excel file using CVE-2017-0199 is out here in 2025 dropping FormBook like it's a fresh mixtape.

The attack chain?

  • Macro-free Excel
  • Weaponized with remote .hta
  • Payload: Info-stealer FormBook

Despite being 7+ years old, this vuln still slaps in phishing campaigns — because patching is apparently a myth.

Full technical breakdown by @FortiGuardLabs: fortinet.com/blog/threat-resea

TL;DR for blue teamers:

  • Watch your egress traffic
  • Harden Office apps
  • Monitor LOLBins (Living Off the Land Binaries)
  • Block outbound to shady IPs faster than your memes go viral

Don’t let your org get dunked on by a 2017 CVE in 2025. That’s not a good look.

Found this user on the @internetarchive hosting images with embedded base64 encoded #malware between <<BASE64_START>> and <<BASE64_END>> flags. The malware is used to download and inject the next stage payload into another process. The campaign I observed involved #RemcosRAT

User page: archive.org/details/@nodetecto
Remcos: hxxps://petshopsirena[.]mk/a.txt
#c2 : 45.95.169[.]135:2404

I found samples dropping others such as #agenttesla and #formbook as well.
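A triage check for the marker technique described in the post above, added here as an example and not taken from any of the posts: it scans a file's bytes for data between `<<BASE64_START>>` and `<<BASE64_END>>`, decodes it, and reports a hash for lookup. The function name, the result fields, the `MZ` header check and the sample bytes are assumptions constructed for illustration.

```python
import base64
import binascii
import hashlib

# Marker strings as quoted in the post.
START, END = b"<<BASE64_START>>", b"<<BASE64_END>>"

def scan_image(data: bytes) -> list:
    """Return one finding per marker pair found anywhere in the file bytes."""
    findings, pos = [], 0
    while (start := data.find(START, pos)) != -1:
        body = start + len(START)
        end = data.find(END, body)
        if end == -1:
            # Start marker without an end marker: truncated download or carved file.
            findings.append({"offset": start, "kind": "unterminated", "sha256": None})
            break
        text = b"".join(data[body:end].split())  # tolerate line-wrapped base64
        try:
            blob = base64.b64decode(text, validate=True)
        except binascii.Error:
            findings.append({"offset": start, "kind": "undecodable", "sha256": None})
        else:
            # Assumption: a decoded blob starting with "MZ" is treated as a PE file.
            kind = "pe" if blob[:2] == b"MZ" else "other"
            findings.append({"offset": start, "kind": kind, "size": len(blob),
                             "sha256": hashlib.sha256(blob).hexdigest()})
        pos = end + len(END)
    return findings

# Constructed sample: a minimal JPEG-like byte string with harmless bytes
# appended between the markers. Not taken from any real file.
SAMPLE_PAYLOAD = b"MZ\x90\x00" + b"constructed test bytes, not malware"
SAMPLE_IMAGE = (b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9"
                + START + base64.b64encode(SAMPLE_PAYLOAD) + END)

if __name__ == "__main__":
    for finding in scan_image(SAMPLE_IMAGE):
        print(finding)
```
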


Hey there! I stumbled upon a fresh sample of Formbook info-stealer malware. During analysis I found this malware hides its payload in a vulnerable WordPress website.
Read the article to know more.
#FormBook #Stealer #MalwareAnalysis #MalwareResearch #CTI #ThreatIntel #InfoSec ashishranax.github.io/posts/Fo

Ashish Rana · FormBook Malware - The Uninvited Guest of WordPress

From a post I wrote for my employer at linkedin.com/posts/unit42_jinx and twitter.com/Unit42_Intel/statu

2023-11-29 (Wednesday): Email --> #JinxLoader --> #Formbook/#XLoader

IOCs available at github.com/PaloAltoNetworks/Un

Of note, #JinxLoader is a relatively new malware service first posted to hackforums[.]net on 2023-04-30.

A #pcap of the infection traffic, copy of the email, and the associated malware/artifacts are available at malware-traffic-analysis.net/2

2023-07-04 (Tuesday) - 30 Days of #Formbook: Day 30, version 4.1 "MF6W" - #pcap of the infection, associated malware sample, and IOCs available at malware-traffic-analysis.net/2

And that's it! I've finished what I set out to do: generate 30 consecutive days of Formbook infections.

As mentioned before, 30 days of Formbook is really too many days of Formbook. But it's still out there, and new samples still appear in the wild on a near-daily basis.