Huntress Acquires Inside Agent: A New Era for Identity Protection
Portal LoginSupportContact
Search
Portal LoginSupportContact
Search
Get a Demo
Free Trial
Home
Threat Library
Malware
FormBook

FormBook Malware

Published: 12/28/2025

Written by: Lizzie Danielson

Glitch effectGlitch effect

What is FormBook malware?

FormBook is a type of spyware known for its data-stealing capabilities. It is designed to collect a range of sensitive information, including login credentials, browser autofill data, and more, often leveraging sophisticated techniques to evade detection. Commonly distributed through phishing emails or exploit kits, FormBook is highly flexible, making it a favored tool for cybercriminals. Notable aliases include XLoader, a closely related variant with overlapping functionalities.

When was FormBook first discovered?

FormBook was first identified in 2016 and has garnered attention from security researchers for its persistence and consistent updates. Despite its origins several years ago, it remains a persistent threat as cybercriminals adapt it to bypass evolving security measures.

Who created FormBook?

While the exact individuals or group behind FormBook remain unknown, its widespread availability on underground forums and its appeal to entry-level cybercriminals suggest it is a commodity malware-as-a-service.

What does FormBook target?

FormBook primarily targets Windows operating systems, with a focus on exfiltrating data from small to medium businesses and large organizations across various industries. It has been detected in phishing campaigns globally, with specific industries such as healthcare, finance, and manufacturing frequently affected.

FormBook distribution method

FormBook malware is commonly delivered via phishing emails containing malicious attachments, such as PDFs, Microsoft Office files, or ZIP archives. Additional distribution channels include exploit kits hosted on compromised websites that take advantage of software vulnerabilities.

Technical analysis of FormBook malware

FormBook operates through a multi-stage infection chain that includes downloading and executing a malicious payload. After initial execution, it proceeds to establish persistence mechanisms, such as modifying the Windows registry. Its payload enables keylogging, clipboard monitoring, and data exfiltration. Advanced obfuscation techniques, including packers and encrypted communication with command-and-control (C2) servers, make the malware difficult to detect.

Tactics, Techniques & Procedures (TTPs)

  • MITRE ATT&CK Techniques:

    • T1059 – Command and Scripting Interpreter

    • T1071 – Application Layer Protocol

    • T1056 – Input Capture (keylogging)

  • Behavioral Traits:

    • Hijacks clipboard to capture sensitive data

    • Encrypts outbound traffic to C2 servers

    • Utilizes persistence mechanisms like autorun registry keys

Indicators of Compromise (IoCs)

  • IP addresses:

    • 192.0.xxx.xxx

  • Domains:

    • malwarecommand[.]com

  • File hashes:

    • e4b9d8dxxxxxxxxxxxxxxxxxxxxxx9433

How to know if you’re infected with FormBook?

Potential indicators of FormBook infection include unexplained system slowdowns, high outbound network activity to unknown IPs, and unexpected credential thefts. Users may also detect unexplained clipboard activities or background processes running without proper context.

FormBook removal instructions

To manually remove FormBook, isolate the infected machine from the network immediately. Use tools like Task Manager to identify suspicious processes, and delete related files and registry entries. For streamlined and more effective removal, use advanced EDR solutions, such as Huntress, capable of detecting FormBook’s sophisticated tactics and ensuring complete remediation.

Is FormBook still active?

Yes, FormBook continues to be an active threat, with frequent updates making it resilient against detection. Variants like XLoader highlight that its developers are committed to evolving the malware to stay effective against modern defenses.

Mitigation & prevention strategies

To prevent FormBook infections, implement layered security measures such as enabling multi-factor authentication (MFA), restricting macro execution in Office files, and deploying EDR solutions like Huntress. Prioritize user security awareness training to recognize phishing attempts and ensure all software is patched and up-to-date. Huntress’s 24/7 monitoring can help organizations spot and mitigate threats like FormBook before they result in significant damage.

Related educational articles & videos

FormBook Malware FAQs

FormBook is a spyware designed to steal sensitive information, such as login credentials and keystrokes. It achieves this by monitoring clipboard data, logging user input, and exfiltrating data to its command-and-control servers.

FormBook commonly spreads through phishing emails containing malicious attachments, such as Office documents or ZIP files. It can also be distributed via exploit kits that take advantage of unpatched vulnerabilities.

Yes, FormBook and its variants like XLoader continue to pose threats due to frequent updates that enhance their evasion techniques. It remains active in phishing campaigns worldwide.

Organizations can protect against FormBook by training employees to recognize phishing attempts, enabling multifactor authentication, and deploying advanced technologies such asHuntress EDR for continuous monitoring and remediation.

Glitch effectBlurry glitch effect

Protect What Matters

Secure endpoints, email, and employees with the power of our 24/7 SOC. Try Huntress for free and deploy in minutes to start fighting threats.
Try Huntress for Free