Red Hot Cyber, The cybersecurity news


Phishing with style! Cybercriminals attach superhero GIFs to malware.

Redazione RHC : 18 September 2025 09:47

F6 analysts have published a study on a new phishing campaign active from spring 2025. The group, dubbed ComicForm, sent emails containing malicious attachments to Russian, Belarusian, and Kazakh companies in the industrial, financial, tourism, biotechnology, and other sectors.

The first recorded email with the subject “Signature Verification Report” was sent on June 3, 2025. The attachment contained an archive containing an executable file that started a multi-stage infection chain.

When the executable ran, it downloaded an obfuscated .NET loader, the MechMatrix Pro.dll module, and the Montero.dll dropper. The dropper persisted on the system, added itself to the Windows Defender exclusions, injected the payload into running processes, and launched the FormBook spyware.

A curious discovery was the presence of superhero GIF animations from Tumblr and Giphy embedded in the malware code. These were not used in the attack, but it is precisely this “aesthetic” that earned the attackers the nickname ComicForm.

The main feature of the emails was the return address rivet_kz@…, registered with a free email service. The emails came from the .ru, .by, and .kz domains, contained subjects related to invoices, contracts, and banking documents, and were accompanied by archives with infected files. In some cases, they came from the IP addresses 185.130.251[.]14, 185.246.210[.]198, and 37.22.64[.]155. One of the emails was sent to a corporate email address from Beeline Kazakhstan.
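The indicators in the paragraph above (a fixed sender local-part, three origin IP addresses, archives carrying executables) are the kind of thing a mail gateway can match mechanically. The script below is an added example written for this article, not code from F6 or from Red Hot Cyber: it refangs the IPs exactly as published, then triages a handful of constructed mail-gateway log lines. The log format, the `attach=outer.zip:inner.exe` convention for archive members, and the sender domain `example.test` (the article elides the real domain after `rivet_kz@`) are all assumptions made for the example.

```python
"""IOC triage over mail-gateway log lines, modelled on the indicators F6
attributes to the ComicForm campaign: sender local-part rivet_kz, origin IPs
185.130.251[.]14, 185.246.210[.]198, 37.22.64[.]155, and archive attachments
that contain an executable. Log lines and format are constructed for this
example (assumption), not any vendor's real format."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# Defanged indicators exactly as published in the article; refang() makes them usable.
PUBLISHED_IPS = ["185.130.251[.]14", "185.246.210[.]198", "37.22.64[.]155"]
SUSPICIOUS_SENDER_LOCALPART = "rivet_kz"   # domain is elided in the article (rivet_kz@…)
ARCHIVE_EXT = {".zip", ".rar", ".7z"}
EXECUTABLE_EXT = {".exe", ".scr", ".dll", ".bat", ".cmd"}


def refang(ioc: str) -> str:
    """Turn '185.130.251[.]14' into '185.130.251.14' and reject anything that is not IPv4."""
    clean = ioc.replace("[.]", ".")
    ipaddress.IPv4Address(clean)  # raises ValueError on malformed input
    return clean


KNOWN_BAD_IPS = {refang(ip) for ip in PUBLISHED_IPS}

# Assumed gateway line: '<ts> from=<addr> ip=<ipv4> subject="..." attach=<outer[:inner]|->'
LOG_RE = re.compile(
    r'^(?P<ts>\S+) from=<(?P<sender>[^>]+)> ip=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) '
    r'subject="(?P<subject>[^"]*)" attach=(?P<attach>\S*)$'
)


@dataclass
class Verdict:
    sender: str
    ip: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def _ext(name: str) -> str:
    return name[name.rfind("."):].lower() if "." in name else ""


def archive_with_executable(attach_field: str) -> bool:
    """True when an archive attachment lists an executable member (outer:inner form, assumed)."""
    if not attach_field or attach_field == "-":
        return False
    outer, _, inner = attach_field.partition(":")
    return _ext(outer) in ARCHIVE_EXT and _ext(inner) in EXECUTABLE_EXT


def triage_line(line: str) -> Optional[Verdict]:
    """Parse one log line and collect every published indicator it matches."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    v = Verdict(sender=m["sender"], ip=m["ip"])
    if v.sender.split("@", 1)[0].lower() == SUSPICIOUS_SENDER_LOCALPART:
        v.reasons.append("sender local-part matches published indicator")
    if v.ip in KNOWN_BAD_IPS:
        v.reasons.append("origin IP matches published indicator")
    if archive_with_executable(m["attach"]):
        v.reasons.append("archive attachment contains an executable")
    return v


def triage(lines) -> list:
    """Triage many lines; unparseable lines are skipped rather than silently flagged clean."""
    return [v for v in (triage_line(line) for line in lines) if v is not None]


# Constructed sample log lines (not real traffic); subjects echo the ones the article cites.
SAMPLE_LOG = [
    '2025-06-03T08:12:44Z from=<rivet_kz@example.test> ip=185.130.251.14 '
    'subject="Signature Verification Report" attach=report.zip:report.exe',
    '2025-06-03T09:01:10Z from=<accounts@partner.test> ip=203.0.113.7 '
    'subject="Invoice 4471" attach=invoice.pdf',
    '2025-07-25T11:30:02Z from=<noreply@partner.test> ip=37.22.64.155 '
    'subject="Confirm Password" attach=-',
]

if __name__ == "__main__":
    for v in triage(SAMPLE_LOG):
        flag = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"{flag:10} {v.sender:28} {v.ip:16} {'; '.join(v.reasons)}")
```

Each reason is recorded separately rather than collapsed into a single boolean, so an analyst can see that the first sample line trips all three indicators while the third matches only on origin IP, which matters once the sender address rotates, as the article notes it later did.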

Subsequently, on July 25, F6 detected a new wave of emails sent on behalf of a Kazakh company. The emails contained a “Confirm Password” link that led to a fake login page. The victim’s login information was sent to a third-party resource, and the page’s code automatically inserted the user’s email address and added a screenshot of the company website to enhance credibility.

An analysis of the infrastructure revealed the use of a wide range of domains in the .ru, .kz, .vn, .id, .ng, .glitch.me, and other zones. Some of these resources were compromised legitimate sites. Experts found similarities with an April 2025 attack on a Belarusian bank, which used similar techniques and services to steal data via the Formspark platform.

ComicForm remains active as of September 2025, using both the old infrastructure and new domains. However, the address rivet_kz@….ru no longer appears in recent mailings. Graph analysis revealed an expanding network of resources used by the attackers.

F6 concluded that ComicForm has been active since at least April 2025, targeting organizations from various countries and industries. The group combines emails that deliver FormBook with phishing pages impersonating corporate services.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
