{ "name": "FormBook Malware Distributed via Horus Protector Using Word Docs", "slug": "formbook-malware-distributed-via-horus-protector-using-word-docs", "description": "Forcepoint X-Labs researchers have identified a phishing campaign where attackers distribute the FormBook information-stealing malware using Horus Protector, a malware distribution service designed to evade detection. The campaign employs malicious Microsoft Word documents that exploit the CVE-2017-11882 vulnerability in the Equation Editor.", "published": "2025-04-29T06:41:49+00:00", "created_at": "2025-04-29T06:41:49+00:00", "modified_at": "2025-04-29T07:00:36+00:00", "created_at_opencti": "2025-04-29T06:41:49+00:00", "author": "", "confidence": null, "report_types": [], "labels": [], "tags": [ "2025-04-29", "CVE-2017-11882", "formbook", "horus", "maldoc", "phishing" ], "related_entities": { "observables": [ { "id": "", "name": "www.xxxvideosbox.xyz" }, { "id": "", "name": "www.smfrityhvde.info" }, { "id": "", "name": "www.shroom-topia.shop" }, { "id": "", "name": "www.shibsocial.xyz" }, { "id": "", "name": "www.natividade.tech" }, { "id": "", "name": "www.praxis-it.nrw" }, { "id": "", "name": "www.mm018.xyz" }, { "id": "", "name": "www.keys4health.net" }, { "id": "", "name": "www.link6-tesla-nd6.xyz" }, { "id": "", "name": "www.hellosweetie.net" }, { "id": "", "name": "www.enore.xyz" }, { "id": "", "name": "www.coreost.site" }, { "id": "", "name": "www.auctionringer.online" }, { "id": "", "name": "www.atepl.info" }, { "id": "", "name": "http://yenigercek.xyz/" }, { "id": "", "name": "http://xploitation.net/" }, { "id": "", "name": "http://www.xxxvideosbox.xyz/n8ev/" }, { "id": "", "name": "http://www.shibsocial.xyz/ib5p/" }, { "id": "", "name": "http://www.smfrityhvde.info/eck1/" }, { "id": "", "name": "http://www.shroom-topia.shop/ty2t" }, { "id": "", "name": "http://www.praxis-it.nrw/rw7d/" }, { "id": "", "name": "http://www.natividade.tech/xuyo/" }, { "id": "", "name": "http://www.mm018.xyz/d686/" }, { "id": "", "name": "http://www.hellosweetie.net/x21a/" }, { "id": "", "name": "http://www.link6-tesla-nd6.xyz/l25i/" }, { "id": "", "name": "http://www.keys4health.net/5jal/" }, { "id": "", "name": "http://www.auctionringer.online/4aby/" }, { "id": "", "name": "http://www.enore.xyz/sdi5/" }, { "id": "", "name": "http://www.coreost.site/r8ob/" }, { "id": "", "name": "http://www.atepl.info/lxq6/" }, { "id": "", "name": "http://sterlingproperties.net/" }, { "id": "", "name": "http://tipobetgirislinki.fit/" }, { "id": "", "name": "http://soportemx-findmy.click/" }, { "id": "", "name": "http://smfrityhvde.info/" }, { "id": "", "name": "http://siik18.boats/" }, { "id": "", "name": "http://qdkinv.casino/" }, { "id": "", "name": "http://pembiayaan.xyz/" }, { "id": "", "name": "http://ppostealeone.shop/" }, { "id": "", "name": "http://optimuminvestment.net/" }, { "id": "", "name": "http://mrguider.pics/" }, { "id": "", "name": "http://myhandyplanner.courses/" }, { "id": "", "name": "http://networkcomputing.tech/" }, { "id": "", "name": "http://mayaheonline.shop/" }, { "id": "", "name": "http://lawrax.ltd/" }, { "id": "", "name": "http://lamorenadiving.net/" }, { "id": "", "name": "http://kekisi.xyz/" }, { "id": "", "name": "http://hlkjhu.online/" }, { "id": "", "name": "http://jicode.xyz/" }, { "id": "", "name": "http://hasan94tanriverdi.xyz/" }, { "id": "", "name": "http://gunchenko.tech/" }, { "id": "", "name": "http://glorifyer.store/" }, { "id": "", "name": "http://fhm500166i.vip/" }, { "id": "", "name": "http://giadungtot04.online/" }, { "id": "", "name": "http://eja-online.org/" }, { "id": "", "name": "http://eioo.org/" }, { "id": "", "name": "http://desktitle.homes/" }, { "id": "", "name": "http://eferakiglobal.xyz/" }, { "id": "", "name": "http://5s5zz.icu/" }, { "id": "", "name": "http://conmoro.xyz/" }, { "id": "", "name": "http://vsilmhxj.tokyo/" }, { "id": "", "name": "http://southpaw.info/" }, { "id": "", "name": "http://mulher777.info/" }, { "id": "", "name": "http://astrologerritesh.click/" }, { "id": "", "name": "http://headset2.online/" }, { "id": "", "name": "yenigercek.xyz" }, { "id": "", "name": "xploitation.net" }, { "id": "", "name": "vsilmhxj.tokyo" }, { "id": "", "name": "tipobetgirislinki.fit" }, { "id": "", "name": "sterlingproperties.net" }, { "id": "", "name": "southpaw.info" }, { "id": "", "name": "soportemx-findmy.click" }, { "id": "", "name": "smfrityhvde.info" }, { "id": "", "name": "siik18.boats" }, { "id": "", "name": "qdkinv.casino" }, { "id": "", "name": "ppostealeone.shop" }, { "id": "", "name": "pembiayaan.xyz" }, { "id": "", "name": "optimuminvestment.net" }, { "id": "", "name": "networkcomputing.tech" }, { "id": "", "name": "mulher777.info" }, { "id": "", "name": "mrguider.pics" }, { "id": "", "name": "lawrax.ltd" }, { "id": "", "name": "mayaheonline.shop" }, { "id": "", "name": "lamorenadiving.net" }, { "id": "", "name": "kekisi.xyz" }, { "id": "", "name": "jicode.xyz" }, { "id": "", "name": "hlkjhu.online" }, { "id": "", "name": "headset2.online" }, { "id": "", "name": "hasan94tanriverdi.xyz" }, { "id": "", "name": "glorifyer.store" }, { "id": "", "name": "gunchenko.tech" }, { "id": "", "name": "giadungtot04.online" }, { "id": "", "name": "fhm500166i.vip" }, { "id": "", "name": "eja-online.org" }, { "id": "", "name": "eioo.org" }, { "id": "", "name": "eferakiglobal.xyz" }, { "id": "", "name": "desktitle.homes" }, { "id": "", "name": "astrologerritesh.click" }, { "id": "", "name": "5s5zz.icu" }, { "id": "", "name": "conmoro.xyz" }, { "id": "", "name": "cd3ce650f757c4414a70ab9a0b34153d94740ce72884089c152415b70362c4c2" }, { "id": "", "name": "76e1dcf43d423b12bb11b59f25ba62e0597a9fd4a6e5464a882373169fd934b2" } ], "malware": [ { "id": "legacy:malware:a81818615b7705ec", "name": "FormBook", "slug": "formbook" } ], "attack_patterns": [ { "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f", "name": "T1071.001" }, { "id": "dc410646-9cdd-427b-92e7-179a54f78f90", "name": "T1566.001" }, { "id": "c3af9fd7-d307-4df4-9220-cc627938fb85", "name": "T1055" }, { "id": "0c836307-129e-4ff7-a532-180c633cacba", "name": "T1027" }, { "id": "09124a92-c11f-4571-b35b-ab0bce6dd081", "name": "T1112" } ], "others": [ { "id": "", "name": "myhandyplanner.courses" } ] }, "external_refs": [ "https://otx.alienvault.com/pulse/681090cd8ad1f16f204a4b43" ] }