Essential Insights
- A new hacking group called ComicForm has targeted organizations in Belarus, Kazakhstan, and Russia since April 2025 with a sophisticated phishing campaign involving malicious executables masquerading as PDFs, aimed at sectors like industry, finance, and biotech.
- The attack chain includes Microsoft DLL loaders and droppers that deploy Formbook malware, while also using benign Tumblr links within malware code for obfuscation, and establishing persistence by creating scheduled tasks and disabling defenses.
- Phishing emails redirect victims to fake login pages that mimic real document management services, extracting credentials and using JavaScript for dynamic data collection, with recent attacks targeting banks and industrial firms to steal sensitive info.
- At the same time, a pro-Russian cybercriminal group has been launching spear-phishing and malware attacks on South Korean manufacturing and energy sectors since late 2024, employing Visual Basic scripts and loaders to deploy Formbook, indicating a mix of financial and hacktivist motives.
The Core Issue
Since April 2025, a clandestine hacking entity called ComicForm has launched a sophisticated phishing campaign targeting organizations across Belarus, Kazakhstan, and Russia, with attempts also extending to other countries. The group primarily focuses on sectors like industry, finance, biotech, and tourism, deploying cunning email schemes that mimic legitimate correspondence—such as invoices or signed documents—to lure recipients into opening malicious archives. These archives conceal Windows executables that pose as PDFs but are, in fact, complex loaders designed to stealthily deploy malware like Formbook, which is used for credential theft and further infiltration. ComicForm’s tactics include creating scheduled tasks, modifying security settings to avoid detection, and embedding seemingly innocuous images—like superhero GIFs—to obscure their true intentions, with data collected from these attacks revealing ongoing operations, including targeting a Belarusian bank and a Kazakh industrial firm.
In tandem, an associated cybercrime activity targeting South Korea has been uncovered, this time attributed to a pro-Russian cluster known as SectorJ149. Starting in late 2024, this group has employed spear-phishing emails related to corporate procurement, delivering malware such as Lumma Stealer, Formbook, and Remcos RAT through cunning scripts that download hidden loaders from repositories like GitHub. These operations seem to serve dual purposes: financial gain and the dissemination of political or ideological messages, reflecting a broader trend of both commercially motivated cybercrime and politically motivated hacking. The reports are issued by cybersecurity firms, notably F6 and NSHC ThreatRecon, who analyze and document these campaigns, indicating an increasingly complex landscape of digital espionage and cyber threats aimed at national and corporate security.
Risk Summary
Cyber risks today encompass sophisticated cyberattacks that threaten organizational security, financial stability, and national infrastructure, often executed via clandestine phishing campaigns, malware deployment, and credential theft. Groups like ComicForm, targeting Belarus, Kazakhstan, and Russia since April 2025, utilize elaborate attack chains involving malicious email attachments, obfuscated loaders, and backdoor DLLs to infiltrate sectors like industry and finance, evading detection through tactics such as scheduled tasks and Defender exclusions. Similarly, state-linked threats, such as the SectorJ149 group targeting South Korea’s manufacturing and energy sectors from late 2024, employ spear-phishing coupled with advanced malware like Formbook and Remcos RATs to exfiltrate data or advance political agendas. These evolving tactics not only jeopardize sensitive data and operational continuity but also amplify risks of economic disruption, national security breaches, and geopolitical destabilization, underscoring the urgent need for comprehensive cybersecurity strategies and proactive threat intelligence.
Fix & Mitigation
Prompt management
Addressing issues like the deployment of Formbook malware by hackers in the Eurasian cyberattack demands swift action, as delays can amplify damage, undermine cybersecurity defenses, and lead to widespread data breaches or system compromise. Immediate and effective remediation ensures the containment of malicious activities, preserves data integrity, and restores normal operations.
Mitigation Strategies
- Threat Detection: Utilize advanced antivirus and intrusion detection systems to identify malware early.
- System Isolation: Disconnect affected devices from networks to prevent malware spread.
- Patch Management: Apply the latest security updates and patches to vulnerable software.
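The campaign above delivers Windows executables that pose as PDFs inside email archives. As an added detection example (not code from the reports or the vendors named here), the script below inspects every member of a ZIP attachment and flags document-named files whose bytes begin with a PE header, and double-extension names such as invoice.pdf.exe. The archive contents are constructed samples, not real ComicForm artifacts.

```python
import io
import zipfile

PE_MAGIC = b"MZ"                                   # DOS/PE header prefix
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx")
EXEC_EXTS = (".exe", ".scr", ".com", ".pif", ".dll")


def classify_member(name: str, head: bytes) -> list[str]:
    """Return the reasons an archive member looks like a disguised executable."""
    reasons = []
    lower = name.lower()
    parts = lower.rsplit("/", 1)[-1].split(".")
    # invoice.pdf.exe style: document extension immediately before an executable one
    if len(parts) >= 3 and "." + parts[-2] in DOC_EXTS and "." + parts[-1] in EXEC_EXTS:
        reasons.append("double extension")
    # Name claims a document but the content carries a PE image
    if lower.endswith(DOC_EXTS) and head.startswith(PE_MAGIC):
        reasons.append("PE magic under document extension")
    # Any executable inside a mail attachment deserves a look on its own
    if lower.endswith(EXEC_EXTS):
        reasons.append("executable member")
    return reasons


def scan_archive(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name to the reasons it was flagged."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)          # magic bytes only, never run the file
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed test archive: one benign PDF and two disguised PE stubs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_2025.pdf", b"%PDF-1.7\n% constructed benign sample")
        zf.writestr("signed_contract.pdf.exe", b"MZ\x90\x00constructed PE stub")
        zf.writestr("scan.pdf", b"MZ\x90\x00constructed PE stub under pdf name")
    return buf.getvalue()


if __name__ == "__main__":
    for name, why in scan_archive(build_sample_archive()).items():
        print(f"{name}: {', '.join(why)}")
```

A mail gateway or sandbox hook would call scan_archive on each attachment and quarantine anything returned, rather than trusting the file extension the sender chose.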
Remediation Measures
- Malware Removal: Conduct thorough scans and clean infected systems with specialized tools.
- Data Backup & Recovery: Restore affected data from secure backups to minimize loss.
- Security Audit: Perform comprehensive vulnerability assessments to identify and address security gaps.
Preventive Actions
- User Training: Educate staff about phishing and suspicious activity to reduce risk.
- Network Segmentation: Divide networks into segments to contain potential breaches effectively.
- Monitoring and Reporting: Implement continuous monitoring and prompt reporting mechanisms for suspicious events.