
ComicForm and SectorJ149 Deploy Formbook Malware in Phishing Campaigns Targeting Eurasian and South Korean Organizations

📰 1 unique source, 1 article

Summary


A new hacking group, ComicForm, has been targeting organizations in Belarus, Kazakhstan, and Russia with a phishing campaign since at least April 2025. The campaign primarily targets industrial, financial, tourism, biotechnology, research, and trade sectors. The attacks involve sending phishing emails with malicious executables disguised as PDF documents, which deploy Formbook malware. Additionally, a pro-Russian group, SectorJ149, has been targeting South Korean manufacturing, energy, and semiconductor sectors with similar tactics. The phishing emails from ComicForm use subject lines like "Waiting for the signed document" and contain malicious executables that evade detection by creating scheduled tasks and configuring Microsoft Defender exclusions. The malware includes Tumblr links to harmless comic superhero GIFs, which gave the group its name. SectorJ149's attacks in South Korea involve spear-phishing emails targeting executives and employees, leading to the execution of commodity malware families like Lumma Stealer, Formbook, and Remcos RAT. The group's recent activities are believed to have a hacktivist nature, conveying political or ideological messages.
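The summary notes that the ComicForm executables persist through scheduled tasks and blind the endpoint by adding Microsoft Defender exclusions. The script below is an added defender-side check, not material from the article or from any vendor report it draws on: it lists the current Defender exclusions, pulls Defender's own configuration-change events (Event ID 5007 in the Defender operational log records exclusion changes), and lists scheduled tasks registered within a lookback window together with the command each task runs. It assumes the built-in Defender and ScheduledTasks PowerShell modules on a supported Windows build and must run from an elevated session; the `$LookbackDays` parameter is this example's own.

```powershell
# Added example (not from the article): audit Defender exclusions and
# recently registered scheduled tasks on one Windows host. Run elevated.
param([int]$LookbackDays = 7)   # assumed parameter, chosen for this example

$since = (Get-Date).AddDays(-$LookbackDays)

# 1. Current Defender exclusions. Entries under user-writable locations such as
#    %APPDATA% or %TEMP% deserve a closer look; legitimate software rarely needs them.
$pref = Get-MpPreference
[pscustomobject]@{
    ExclusionPath      = $pref.ExclusionPath
    ExclusionExtension = $pref.ExclusionExtension
    ExclusionProcess   = $pref.ExclusionProcess
} | Format-List

# 2. Defender operational log. Event ID 5007 ("configuration changed") is written
#    when an exclusion is added or removed, so it survives even if the exclusion
#    was later cleaned up. Restrict to messages that mention exclusions.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5007
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    Select-Object TimeCreated, Message |
    Format-List

# 3. Scheduled tasks registered inside the window. The task's Date property is the
#    registration timestamp from its XML definition; one row per action so the
#    executable and arguments are visible next to the task name.
Get-ScheduledTask |
    Where-Object { $_.Date -and ([datetime]$_.Date) -gt $since } |
    ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            [pscustomobject]@{
                TaskPath   = $task.TaskPath
                TaskName   = $task.TaskName
                Registered = $task.Date
                Execute    = $action.Execute
                Arguments  = $action.Arguments
            }
        }
    } | Format-Table -AutoSize
```

Run it with `.\audit-defender-persistence.ps1 -LookbackDays 30` (or whatever filename you save it under) to widen the window; on a fleet, the same three queries map directly onto endpoint-telemetry hunts for Defender exclusion changes and new task registrations that point at executables in user-writable paths.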

Timeline

  1. 22.09.2025 18:40 📰 1 article · ⏱ 14h ago

    ComicForm targets Eurasian organizations with Formbook malware phishing campaign

    Since April 2025, ComicForm has been targeting organizations in Belarus, Kazakhstan, and Russia with a phishing campaign. The phishing emails use subject lines such as "Waiting for the signed document" and carry malicious executables disguised as PDF documents, which deploy Formbook malware. The malware evades detection by creating scheduled tasks and configuring Microsoft Defender exclusions, and it includes Tumblr links to harmless comic superhero GIFs, which gave the group its name.


Similar Happenings

Subtle Snail APT Targets Global Telcos and Satellite Operators

Subtle Snail (UNC1549) has conducted a series of cyberattacks against 11 global telecommunications, satellite, and aerospace companies in recent weeks. The attacks, which occurred over a short period, targeted key personnel in these industries using highly customized phishing lures and malware. The primary goals appear to be data theft for research and development and call data records (CDRs) for espionage. The group has been active since at least June 2022, focusing on aerospace, defense, and telecommunications sectors. Their tactics include extensive background research on targets and the use of custom malware, particularly the MiniBike backdoor, which employs modular components to evade detection. The attacks have been observed across the Middle East, Europe, and North America, with victims including major companies serving millions of customers. The group is believed to be affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC). Subtle Snail has expanded its operations to target critical infrastructure organizations in Western Europe, specifically in Denmark, Portugal, and Sweden. The group uses new malware variants, MiniJunk and MiniBrowse, to conduct its attacks. MiniJunk is a highly obfuscated backdoor that provides persistent access to infected systems, while MiniBrowse is a lightweight stealer designed to steal credentials from Chrome and Edge browsers.

GPUGate Malware Campaign Targets IT Firms in Western Europe

A new sophisticated malware campaign dubbed GPUGate targets IT and software development companies in Western Europe, as well as macOS users through fake GitHub repositories. The campaign uses Google Ads, SEO poisoning, and fake GitHub commits to deliver malware. The initial infection vector involves a bloated MSI file that evades detection by security sandboxes. The malware employs a GPU-gated decryption routine to avoid analysis in virtual environments. The attack chain includes multiple stages, ultimately leading to information theft and the delivery of secondary payloads. The campaign has been active since at least December 2024 and is attributed to threat actors with native Russian language proficiency.

The malware also serves as a staging ground for Atomic macOS Stealer (AMOS), indicating a cross-platform approach. The AMOS malware-as-a-service operation is available for $1,000 per month and includes a backdoor component for persistent access. The campaign impersonates more than 100 software solutions, including Confluence, Fidelity, Audacity, and Adobe After Effects, and targets a range of companies across the technology and financial sectors, including LastPass. The fake GitHub pages were created on September 16, 2025, and were immediately submitted for takedown. The campaign leverages SEO to ensure the fake repositories are positioned well in search results. The attack relies on a specific line of code being pasted into the Mac terminal, leading to the download and execution of the Atomic infostealer, which has been active since at least April 2023.

The campaign is part of a broader trend of using GitHub repositories to distribute malware, alongside the Shai-Hulud worm, the compromise of prolific NPM developer Qix, and the Salesloft breach. The threat actors behind the campaign may prefer to focus on macOS systems, viewing Mac users as low-hanging fruit due to the perception that Macs face less of a malware threat. The campaign utilizes malvertising to direct users to fraudulent macOS help websites where victims are instructed to execute a malicious one-line installation command. The Cookie Spider threat group attempted to compromise more than 300 customer environments using SHAMOS, a variant of the Atomic infostealer.