ComicForm phishing campaign targeting organizations in Belarus, Kazakhstan, and Russia
Campaign
Summary
Hide ▲
Show ▼
ComicForm is running an active phishing campaign against organizations in Belarus, Kazakhstan, and Russia, creating ongoing risk of credential theft and Formbook delivery across multiple sectors. The operation has been active since at least April 2025 and uses lure emails with malicious archives or links. Its tradecraft combines fake document themes, .NET loader stages, and phishing pages built to harvest credentials.
Related Happenings
Ghostwriter geofenced PDF spear-phishing campaign targeting Ukrainian government entities
Campaign
First: 14.05.2026 17:00
Last: 14.05.2026 17:00
Sources 1
About this happening:
The **Ghostwriter / FrostyNeighbor** group is running a **geofenced spear-phishing campaign** against **government entities in Ukraine**, and the operation matters because it deli...
Ghostwriter geofenced PDF spear-phishing campaign targeting Ukrainian government entities
CampaignAbout this happening: The **Ghostwriter / FrostyNeighbor** group is running a **geofenced spear-phishing campaign** against **government entities in Ukraine**, and the operation matters because it deli...
Vercel v0.dev phishing campaign using GenAI-built lure pages
Campaign
First: 07.05.2026 11:30
Last: 07.05.2026 11:30
Sources 1
About this happening:
A campaign using **Vercel v0.dev** to build **highly convincing phishing pages** has lowered the skill and cost needed to run fraudulent sign-in and job-lure attacks. The activity...
Vercel v0.dev phishing campaign using GenAI-built lure pages
CampaignAbout this happening: A campaign using **Vercel v0.dev** to build **highly convincing phishing pages** has lowered the skill and cost needed to run fraudulent sign-in and job-lure attacks. The activity...
Silver Fox tax-themed phishing campaign delivering ABCDoor and ValleyRAT
Campaign
First: 04.05.2026 14:57
Last: 04.05.2026 14:57
Sources 1
About this happening:
**Silver Fox** is running a **tax-themed phishing campaign** that now targets **India** with **Income Tax Department** lures and delivers **ValleyRAT (aka Winos 4.0)**. The campai...
Silver Fox tax-themed phishing campaign delivering ABCDoor and ValleyRAT
CampaignAbout this happening: **Silver Fox** is running a **tax-themed phishing campaign** that now targets **India** with **Income Tax Department** lures and delivers **ValleyRAT (aka Winos 4.0)**. The campai...
FBI-led takedown of W3LL phishing network
Law Enforcement
First: 13.04.2026 13:35
Last: 13.04.2026 13:35
Sources 1
About this happening:
**FBI Atlanta** and **US and Indonesian law enforcement** took down the **W3LL** phishing network, escalating a cross-border cybercrime case tied to **more than $20 million in fra...
FBI-led takedown of W3LL phishing network
Law EnforcementAbout this happening: **FBI Atlanta** and **US and Indonesian law enforcement** took down the **W3LL** phishing network, escalating a cross-border cybercrime case tied to **more than $20 million in fra...
OAuth device-code phishing campaign targeting SaaS accounts
Campaign
First: 04.04.2026 17:17
Last: 04.04.2026 17:17
Sources 1
About this happening:
A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...
OAuth device-code phishing campaign targeting SaaS accounts
CampaignAbout this happening: A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...
Timeline
-
22.09.2025 18:40 2 articles · 8mo ago
ComicForm phishing campaign targeting organizations in Belarus, Kazakhstan, and Russia
Initial DisclosureIn the first observed phase, ComicForm used Russian- and English-language invoice and signature lures to deliver RR archives that unpacked into a fake PDF executable. That opening step established the loader chain that later enabled credential theft and Formbook delivery.
Show sources
- ComicForm and SectorJ149 Hackers Deploy Formbook Malware in Eurasian Cyberattacks — thehackernews.com — 22.09.2025 18:40
- ComicForm and SectorJ149 Hackers Deploy Formbook Malware in Eurasian Cyberattacks — thehackernews.com — 22.09.2025 18:40