Formbook Hides in Plain Sight: Three-Stage Dropper Chain Abuses Legitimate Paste Sites to Bypass Domain Blocking
TL;DR: A Formbook infostealer campaign discovered on March 14, 2026, uses legitimate paste services (pastefy.app, dpaste.com) as payload hosting infrastructure, completely bypassing domain-reputation and blocklist-based defenses. The dropper chain spans three stages -- a 61KB JScript file using a novel kbabofnIpkkfgk delimiter obfuscation, a PowerShell loader with UTF-16LE Base64 encoding and character substitution (f# to r), and a reflective .NET assembly that fetches a fully-packed Formbook PE from a live pastefy.app paste and injects it into RegAsm.exe. A Portuguese-language comment in the JScript source (janela oculta -- "hidden window") fingerprints the operator. The Stage 3 payload URL was still serving the Formbook binary at time of publication.
The Problem With Blocking Domains
Domain blocklists are a foundational layer of network defense. They are also increasingly irrelevant against operators who host their payloads on infrastructure that no organization can afford to block. This campaign delivers Formbook -- one of the most prolific infostealers in the commodity malware ecosystem -- entirely through pastefy.app and dpaste.com. Both are legitimate, widely-used paste services. Both sit behind Cloudflare and AWS respectively. Blocking either domain would break legitimate developer workflows across the organization.
The operator knows this. The entire delivery chain is architected around it.
The JScript dropper (79940efa2306d8d62d7ec4b8a30e708682e3fcd198896d508990df2546d6447c, 21/76 on VirusTotal at first submission) was first observed on 2026-03-14 19:17 UTC. Within three hours, all three paste URLs were indexed by threat intelligence platforms. The Stage 3 Formbook binary, hosted at pastefy.app/exuad92p/raw, was still returning HTTP 200 at time of analysis -- over 24 hours after initial detection.
Stage 1: JScript Dropper -- 1,123 Lines of Delimiter Obfuscation
The dropper is a 61,515-byte JScript file, 1,164 lines long. Its obfuscation technique is unusual: the entire PowerShell command is split across 1,123 lines of string concatenation, with a 14-character noise string -- kbabofnIpkkfgk -- inserted between every meaningful token.
var hAmbkheb = "pokbabofnIpkkfgkwekbabofnIpkkfgkrshkbabofnIpkkfgkell..."
// [1,100+ additional concatenation lines]
hAmbkheb = hAmbkheb.split("kbabofnIpkkfgk").join("" + "");
At runtime, the script splits on the delimiter and joins with an empty string, reconstructing a 6,457-character PowerShell command. This is not a sophisticated technique, but it is effective: static analysis tools that tokenize on whitespace or common delimiters will not extract the command, and the sheer volume of concatenation lines inflates the file size enough to exceed some sandbox upload limits.
The reconstructed command is executed via WMI Win32_Process.Create() with ShowWindow = 0:
var cagmIendab = jhafgmdAbIki.Get("Win32_ProcessStartup").SpawnInstance_();
cagmIendab.ShowWindow = 0; // janela oculta
The comment janela oculta is Portuguese for "hidden window." It is the only natural-language string in the entire dropper, and it is an operator fingerprint. The script also includes a dead-code phantom() function with a seeded PRNG -- junk padding designed to waste analyst time.
Stage 2: PowerShell Loader -- Base64 With a Twist
The PowerShell stage introduces an additional anti-detection layer: the Base64-encoded payload has every instance of r replaced with f# before being embedded in the script. This breaks standard Base64 validators and decoders that encounter the payload in transit or at rest.
$OhgjuxD = [system.Text.encoding]::Unicode.GetString(
[system.convert]::Frombase64string($ddsfdfdjhsdfgdgo.replace('f#','r'))
);
iex $OhgjuxD
After substitution reversal and Base64 decoding, the UTF-16LE payload reveals a downloader that:
- Sleeps 3 seconds (minimal sandbox evasion)
- Forces TLS 1.2
- Randomly shuffles two download URLs and tries each in sequence
- Extracts a .NET assembly from between
<<BASE64_START>=and<<BASE64_END>>markers in the downloaded paste content - Reflectively loads the assembly via
[System.Reflection.Assembly]::Load()-- entirely fileless - Invokes
myprogram.Homees.runss()with a reversed, junk-suffixed URL
The download URLs point to two paste services:
| URL | Service | Status |
|---|---|---|
https://dpaste.com/EG9HNFJBP.txt | dpaste.com | Taken down |
https://pastefy.app/CWneGvWS/raw | pastefy.app | Taken down |
The random shuffling provides rudimentary failover. When the primary paste is taken down, the loader falls back to the secondary. Both were removed within hours -- but the Stage 3 URL they point to was not.
Stage 2b: .NET Assembly -- Process Hollowing Engine
The reflectively-loaded .NET assembly (bd6b60ce34d8fa3f2b9d032b49aac5b47f868b09ab24ccbd9c7168e5bfc8e963, 50/76 on VT) is a complete RunPE / process hollowing toolkit. It is a Debug build -- not Release -- with a PDB path that leaks the developer's environment:
C:\Users\Administrator\source\repos\testpowershell\testpowershell\obj\Debug\myprogram.pdb
The project name testpowershell mirrors the delivery mechanism. The Administrator username and Debug configuration suggest an operator who is functional but not disciplined -- a MaaS customer, not an APT developer. The assembly's copyright field reads Copyright (c) 2027, a future date used as a weak anti-attribution measure.
The loader's runss() method takes a reversed URL string with six junk characters appended:
war/p29dauxe/ppa.yfetsap//:sgsffsf
Strip the last six characters and reverse: https://pastefy.app/exuad92p/raw. This URL serves the final Formbook payload as 402,990 characters of reversed Base64, which decodes to a 302,241-byte PE32+ executable.
The assembly injects this PE into RegAsm.exe (the legitimate .NET Assembly Registration Utility) via process hollowing -- CreateProcessA in suspended state, ZwUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, SetThreadContext, ResumeThread. It also deploys a persistence mechanism: a .bat watchdog (wrffite.bat) that monitors the injected process every 60 seconds and relaunches it via a .vbs script if terminated.
Stage 3: Formbook Payload
The final payload is a single-section PE with entropy 7.99/8.0 -- a fully packed binary with zero imports, consistent with Formbook's custom packer. ESET identifies it as Win32/Formbook_AGen.AE. The compile timestamp (2021-06-23) is spoofed.
Formbook's capabilities are well-documented: credential harvesting from browsers, email clients, and FTP applications; keylogging via SetWindowsHookEx; clipboard monitoring; screenshot capture; and C2 communication over HTTP. The C2 panel URL is encrypted within the packed PE and was not recoverable without dynamic execution.
What matters here is not what Formbook does -- it is how it arrived. Every stage of this chain uses infrastructure that defenders cannot preemptively block.
Infrastructure
| Component | Host | Status | Notes |
|---|---|---|---|
| Stage 2 loader (primary) | dpaste.com/EG9HNFJBP.txt | Taken down | AWS/PythonAnywhere (35.173.69.207) |
| Stage 2 loader (backup) | pastefy.app/CWneGvWS/raw | Taken down | Cloudflare CDN |
| Stage 3 Formbook PE | pastefy.app/exuad92p/raw | Live at publication | Cloudflare CDN (172.67.188.196, 104.21.49.12) |
| Alternate loader staging | pastefy.app/sLC7Jpkp/raw | Live at publication | Contains .NET loader with BASE64 markers |
The operator used the same pastefy.app account for both the .NET loader (CWneGvWS) and the Formbook payload (exuad92p). This clustering is an OPSEC failure -- once one URL is identified, the account's other pastes become investigable. VirusTotal's communicating_files for pastefy.app reveals additional malicious payloads from other operators: NEW ORDER.zip (32 detections), Output.exe (49 detections), ServiceHub.exe (52 detections). The platform is actively abused as a distribution channel.
MITRE ATT&CK
| Technique | ID | Usage |
|---|---|---|
| Command and Scripting Interpreter: JavaScript | T1059.007 | JScript dropper via WScript.exe |
| Command and Scripting Interpreter: PowerShell | T1059.001 | Hidden PowerShell spawned via WMI |
| Obfuscated Files or Information | T1027 | Delimiter obfuscation, reversed URLs, Base64 character substitution |
| Deobfuscate/Decode Files or Information | T1140 | Runtime string splitting, f#-to-r substitution, URL reversal |
| Reflective Code Loading | T1620 | In-memory .NET assembly load |
| Process Injection | T1055 | Formbook injected into RegAsm.exe via process hollowing |
| Ingress Tool Transfer | T1105 | Payload fetched from paste sites |
| Web Service: Dead Drop Resolver | T1102.001 | Paste sites as payload hosting |
| Hide Artifacts: Hidden Window | T1564.003 | WMI ShowWindow=0 |
| Time-Based Evasion | T1497.003 | 3-second sleep before download |
| Masquerading | T1036.004 | Injection into legitimate RegAsm.exe |
| Credentials from Password Stores | T1555 | Browser/email credential harvesting |
| Input Capture: Keylogging | T1056.001 | Global keyboard hook |
| Screen Capture | T1113 | Screenshot capability |
| Clipboard Data | T1115 | Clipboard monitoring |
IOCs
Network Indicators
| Type | Indicator | Context |
|---|---|---|
| URL | https://pastefy.app/exuad92p/raw | Stage 3 Formbook PE delivery (LIVE) |
| URL | https://pastefy.app/sLC7Jpkp/raw | Alternate .NET loader staging (LIVE) |
| URL | https://pastefy.app/CWneGvWS/raw | Stage 2 .NET loader (taken down) |
| URL | https://dpaste.com/EG9HNFJBP.txt | Stage 2 .NET loader (taken down) |
| IP | 35.173.69.207 | dpaste.com origin (AWS) |
| IP | 172.67.188.196 | pastefy.app Cloudflare CDN |
| IP | 104.21.49.12 | pastefy.app Cloudflare CDN |
Host Indicators
| Type | Indicator | Context |
|---|---|---|
| Process | RegAsm.exe with network connections | Formbook injection target |
| String | kbabofnIpkkfgk | JScript delimiter (unique to this campaign) |
| String | myprogram.Homees | .NET loader type name |
| String | janela oculta | Portuguese comment in dropper |
| String | <<BASE64_START>= / <<BASE64_END>> | Paste content payload markers |
| File | wrffite.bat | Persistence watchdog script |
| Registry | SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Persistence key |
File Indicators
| Hash | Stage | Detection |
|---|---|---|
79940efa2306d8d62d7ec4b8a30e708682e3fcd198896d508990df2546d6447c (SHA256) | Stage 1: JScript dropper | 21/76 |
197164fb0a7b96aaaca092760f3ec419 (MD5) | Stage 1: JScript dropper | -- |
bd6b60ce34d8fa3f2b9d032b49aac5b47f868b09ab24ccbd9c7168e5bfc8e963 (SHA256) | Stage 2b: .NET loader | 50/76 |
f0fe3a122f2729c607f781d21fdd8b770339eb67717bee54718a191ee1043a9b (SHA256) | Stage 3: Formbook PE | 23/76 |
a38c94f6d13d552ce1757a88f7e8e420 (MD5) | Stage 3: Formbook PE | -- |
IOCs are provided for defensive use. Handle responsibly.
Detection Recommendations
Network-level:
- Alert on HTTPS connections to
pastefy.appordpaste.comoriginating frompowershell.exeorwscript.exe. Legitimate developer use of these services does not involve script host processes. - Deploy Suricata signatures for HTTP responses containing
<<BASE64_START>=markers, which are not a feature of any legitimate paste site API.
Endpoint-level:
- Hunt for
RegAsm.exeprocesses with network connections to external hosts. LegitimateRegAsm.exedoes not make outbound connections. - Alert on WMI process creation (
wmiprvse.exeparent) spawningpowershell.exewith-WindowStyle HiddenorShowWindow = 0. - Search endpoint telemetry for the string
kbabofnIpkkfgk-- it is unique to this campaign and has no legitimate use. - Monitor for
[System.Reflection.Assembly]::Load()in PowerShell script block logs combined with outbound HTTPS activity.
Email gateway:
- Block or quarantine
.jsattachments exceeding 50KB that contain high-entropy string concatenation patterns. The 61KB size of this dropper is atypical for legitimate JScript files.
Conclusion
This campaign is not technically novel in its choice of final payload -- Formbook is commodity malware available to any MaaS customer with cryptocurrency. What is notable is the delivery architecture. By hosting every stage on legitimate paste services behind CDN infrastructure, the operator has built a chain that is invisible to domain-reputation defenses and resistant to takedown. The Stage 2 loader pastes were removed within hours, but the Stage 3 payload paste remained live for over 24 hours after initial detection. In a commodity malware economy, that window is more than sufficient.
The operator's OPSEC is inconsistent. They use multi-layer encoding, reversed URLs, and junk-suffixed strings -- but they leave a Portuguese comment in the source, compile in Debug mode, and cluster their infrastructure under a single pastefy.app account. This is the profile of a MaaS customer: sophisticated enough to assemble a working delivery chain, not disciplined enough to sanitize it.
Organizations that rely on domain blocking as a primary network defense should treat this as a case study in its limitations. The detection surface for this campaign is behavioral -- script host processes making HTTPS connections to paste sites, reflective assembly loading in PowerShell, and RegAsm.exe with anomalous network activity. Hunt for the behavior, not the domain.
Published 2026-03-15 | BGI Autonomous Threat Hunting | Breakglass Intelligence