Cyber Web Spider Blog – News
ComicForm and SectorJ149 Hackers Deploy Formbook Malware in Eurasian Cyberattacks

Posted on September 22, 2025 by CWS

Organizations in Belarus, Kazakhstan, and Russia have emerged as the targets of a phishing campaign run by a previously undocumented hacking group tracked as ComicForm since at least April 2025.
The activity primarily targeted the industrial, financial, tourism, biotechnology, research, and trade sectors, cybersecurity company F6 said in an analysis published last week.
The attack chain involves sending emails with subject lines such as "Ready for the signed document," "Invoice for Payment," or "Reconciliation Act for Signature," urging recipients to open a RAR archive containing a Windows executable that masquerades as a PDF document (e.g., "Акт_сверки pdf 010.exe"). The messages, written in Russian or English, are sent from email addresses registered in the .ru, .by, and .kz top-level domains.
The executable is an obfuscated .NET loader that launches a malicious DLL ("MechMatrix Pro.dll"), which in turn runs a third-stage payload, another DLL named "Montero.dll" that acts as a dropper for the Formbook malware, but not before creating a scheduled task and configuring Microsoft Defender exclusions to evade detection.

Interestingly, the binary has also been found to contain Tumblr links pointing to entirely harmless GIFs of comic superheroes such as Batman, which gave the threat actor its name. "These images were not used in any attack, but were simply a part of the malware code," F6 researcher Vladislav Kugan said.
Analysis of ComicForm's infrastructure has revealed indications that phishing emails were also directed at an unspecified company operating in Kazakhstan in June 2025 and at a Belarusian bank in April 2025.
F6 also said it detected and blocked phishing emails sent to Russian manufacturing companies from the email address of a Kazakhstan-based industrial company as recently as July 25, 2025. These messages prompt potential targets to click an embedded link to confirm their account and avoid a possible block.
Users who click the link are redirected to a bogus landing page mimicking the login page of a domestic document management service; it facilitates credential theft by transmitting the entered information to an attacker-controlled domain in an HTTP POST request.

"Additionally, JavaScript code was found in the page body that extracts the email address from URL parameters, populates the input field with id="email", extracts the domain from the email address, and sets a screenshot of that domain's website (via the screenshotapi[.]net API) as the background of the phishing page," Kugan explained.
The attack aimed at the Belarusian bank involved sending a phishing email with an invoice-themed lure to trick users into entering their email addresses and phone numbers in a form, which are then captured and sent to an external domain.
"The group attacks Russian, Belarusian, and Kazakh companies from various sectors, and the use of English-language emails suggests that the attackers are also targeting organizations in other countries," F6 said. "The attackers employ both phishing emails distributing FormBook malware and phishing resources disguised as web services to harvest access credentials."
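The phishing page behaviour Kugan describes (reading the victim's address from a URL parameter, pre-filling the id="email" input, taking the domain after "@" and loading a screenshot of that domain's site as the background before POSTing the form) leaves recognisable traces in the page source. The following Python scanner is an added example for defenders triaging captured landing pages; it is not F6's tooling, and the regexes and sample HTML are my own constructions, not published signatures.

```python
import re

# Each indicator approximates one behaviour of the ComicForm-style page as
# described in the F6 write-up. Assumed patterns, not signatures from F6.
INDICATORS = {
    "reads_url_param": re.compile(r"URLSearchParams|location\.search", re.I),
    "fills_email_field": re.compile(r"getElementById\(\s*['\"]email['\"]\s*\)", re.I),
    "derives_domain": re.compile(r"\.split\(\s*['\"]@['\"]\s*\)", re.I),
    "screenshot_background": re.compile(r"screenshotapi\.net", re.I),
    "posts_form": re.compile(r"<form[^>]*method\s*=\s*['\"]post['\"]", re.I),
}


def fingerprint_page(html: str) -> dict:
    """Map each indicator name to whether it appears in the HTML document."""
    return {name: bool(rx.search(html)) for name, rx in INDICATORS.items()}


def is_comicform_style(html: str, min_hits: int = 3) -> bool:
    """Flag a page that uses the screenshot-background trick together with at
    least two other behaviours; the threshold stops a lone mention of the
    screenshot API on an unrelated page from firing."""
    hits = fingerprint_page(html)
    return hits["screenshot_background"] and sum(hits.values()) >= min_hits


# Constructed samples for demonstration only (not real captures).
SAMPLE_PHISH = """
<form action="/login" method="post"><input id="email"><input type="password" name="p"></form>
<script>
  var email = new URLSearchParams(location.search).get("email");
  document.getElementById("email").value = email;
  var domain = email.split("@")[1];
  document.body.style.backgroundImage =
    "url(https://shot.screenshotapi.net/screenshot?url=https://" + domain + ")";
</script>
"""

SAMPLE_BENIGN = """
<form action="/login" method="post"><input id="email"><input type="password"></form>
<script>document.getElementById("email").focus();</script>
"""

if __name__ == "__main__":
    for label, page in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(label, is_comicform_style(page), fingerprint_page(page))
```

A benign login form also pre-fills or focuses an email field and POSTs credentials, so only the combination with the screenshot-background trick is treated as a match.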
Pro-Russian Group Targets South Korea with Formbook
The disclosure comes as the NSHC ThreatRecon Team published details of a pro-Russian cybercrime group that has targeted the manufacturing, energy, and semiconductor sectors in South Korea. The activity has been attributed to a cluster tracked as SectorJ149 (aka UAC-0050).
The attacks, observed in November 2024, began with spear-phishing emails targeting executives and employees using lures related to factory purchases or quotation requests, leading to the execution of commodity malware families such as Lumma Stealer, Formbook, and Remcos RAT by means of a Visual Basic Script distributed inside a Microsoft cabinet (CAB) archive.

The Visual Basic Script is designed to run a PowerShell command that reaches out to a Bitbucket or GitHub repository to fetch a JPG image file, which conceals a loader executable responsible for launching the final stealer and RAT payloads.

"The PE malware executed directly in the memory area is a loader-type malware that downloads additional malicious files disguised as a text file (.txt) through a URL included in the supplied parameter values, decrypts it, and then generates and executes the PE malware," the Singaporean cybersecurity company said.
"In the past, the SectorJ149 group primarily operated for financial gain, but the recent hacking activities targeting Korean companies are believed to have a strong hacktivist nature, using hacking techniques to convey political, social, or ideological messages."

Source: The Hacker News. Tags: ComicForm, Cyberattacks, Deploy, Eurasian, Formbook, Hackers, Malware, SectorJ149
