
"The attack chain involves sending emails bearing subject lines like "Waiting for the signed document," "INvoice for Payment," or "Reconciliation Act for Signature," urging recipients to open a RAR archive, within which there exists a Windows executable that masquerades as a PDF document (e.g., "Акт_сверки pdf 010.exe"). The messages, written in Russian or English, are sent from email addresses registered in the .ru, .by, and .kz top-level domains."
"The executable is an obfuscated .NET loader designed to launch a malicious DLL ("MechMatrix Pro.dll"), which subsequently runs a third-stage payload, another DLL named "Montero.dll" that serves as a dropper for the Formbook malware, but not before creating a scheduled task and configuring Microsoft Defender exclusions to evade detection. Interestingly, the binary has also been found to contain Tumblr links pointing to completely harmless GIFs of comic superheroes like Batman, giving the threat actor its name."
"Analysis of ComicForm's infrastructure has revealed signs that phishing emails have also been directed against an unspecified company operating in Kazakhstan in June 2025 and a Belarusian bank in April 2025. F6 also said it detected and blocked phishing emails sent to Russian manufacturing companies from the email address of a Kazakhstan-based industrial company as recently as July 25, 2025."
ComicForm has engaged in a phishing campaign targeting organizations in Belarus, Kazakhstan, and Russia since at least April 2025. Targets included the industrial, financial, tourism, biotechnology, research, and trade sectors. Phishing emails used subject lines such as "Waiting for the signed document" and "INvoice for Payment," prompting recipients to open RAR archives that contained Windows executables disguised as PDFs. The executable functions as an obfuscated .NET loader that launches MechMatrix Pro.dll, which loads Montero.dll to drop the Formbook malware after creating scheduled tasks and adding Microsoft Defender exclusions. The binary also contains Tumblr links to harmless superhero GIFs, inspiring the ComicForm name.
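A defender-side detection sketch for the behaviour summarized above, added here as an example and not taken from F6's or The Hacker News' reporting: it flags executables whose names are dressed up as PDF documents and correlates a scheduled-task creation with a Defender exclusion change on the same host, the loader's sequence described on this page. The event IDs (Security 4698, Defender/Operational 5007) are real Windows event IDs; the log records, hostnames, task name and the five-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta
import re

# Constructed endpoint telemetry (not real logs). Event IDs are the genuine Windows
# ones: Security 4698 = scheduled task created, Defender/Operational 5007 = config changed.
SAMPLE_EVENTS = [
    {"host": "WS01", "time": "2025-07-25T09:14:02", "id": 4698, "task": "\\Updater"},
    {"host": "WS01", "time": "2025-07-25T09:14:05", "id": 5007,
     "msg": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
            "C:\\Users\\u\\AppData\\Roaming = 0x0"},
    # benign config change on another host: not an exclusion, must not alert
    {"host": "WS02", "time": "2025-07-25T10:00:00", "id": 5007,
     "msg": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Scan\\ScheduleDay = 0x2"},
]

def masquerades_as_document(filename: str) -> bool:
    """Executable whose name carries 'pdf' as a separate token, e.g. 'Акт_сверки pdf 010.exe'."""
    name = filename.lower()
    if not name.endswith(".exe"):
        return False
    return re.search(r"\bpdf\b", name[:-4]) is not None

def correlate_task_then_exclusion(events, window=timedelta(minutes=5)):
    """Alert when a Defender exclusion change follows a scheduled-task creation
    on the same host within `window` (the loader's sequence described above)."""
    alerts = []
    tasks = [e for e in events if e["id"] == 4698]
    for e in events:
        if e["id"] != 5007 or "\\Exclusions\\" not in e.get("msg", ""):
            continue
        t_excl = datetime.fromisoformat(e["time"])
        for task in tasks:
            if task["host"] != e["host"]:
                continue
            delta = t_excl - datetime.fromisoformat(task["time"])
            if timedelta(0) <= delta <= window:
                alerts.append({"host": e["host"], "task": task["task"], "change": e["msg"]})
    return alerts

if __name__ == "__main__":
    for name in ("Акт_сверки pdf 010.exe", "invoice.pdf.exe", "report.pdf", "setup.exe"):
        print(f"{name!r}: masquerade={masquerades_as_document(name)}")
    for a in correlate_task_then_exclusion(SAMPLE_EVENTS):
        print("ALERT", a)
```

Event 4698 only appears when "Audit Other Object Access Events" is enabled, so the correlation needs that audit setting on the monitored hosts.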
Read at The Hacker News