ComicForm and SectorJ149 Hackers Ramp Up Eurasian Cyberattacks with Formbook Malware Deployment


In a series of escalating cyber threats, two distinct hacking groups— the newly identified ComicForm and the pro-Russian SectorJ149—have been deploying the notorious Formbook malware in targeted phishing campaigns across Eurasia and beyond. These attacks, which began as early as April 2025 for ComicForm and November 2024 for SectorJ149, are hitting critical sectors including finance, manufacturing, and energy, raising alarms about potential data breaches and geopolitical motivations.

The campaigns highlight a sophisticated blend of social engineering and technical evasion tactics. ComicForm, a previously undocumented group, has focused on organizations in Belarus, Kazakhstan, and Russia since April 2025, targeting industries such as industrial operations, finance, tourism, biotechnology, research, and trade. Meanwhile, SectorJ149—also tracked as UAC-0050—has shifted from financial cybercrime to hacktivist-style operations against South Korean entities in manufacturing, energy, and semiconductors. Both groups leverage Formbook, an infostealer malware capable of harvesting credentials, sensitive data, and system information, often alongside tools like Lumma Stealer and Remcos RAT.

Security researchers from F6 and NSHC’s ThreatRecon Team have uncovered these operations, noting the groups’ use of obfuscated loaders, scheduled tasks, and phishing lures to bypass defenses like Microsoft Defender.

ComicForm’s Phishing Onslaught

ComicForm’s attacks kick off with tailored phishing emails in Russian or English, using innocuous subject lines such as “Waiting for the signed document,” “INvoice for Payment,” or “Reconciliation Act for Signature.” These messages originate from domains in .ru, .by, and .kz, containing RAR archives disguised as PDFs—files like “Акт_сверки pdf 010.exe.”

Once executed, the .NET-based loader deploys a chain of malicious DLLs (“MechMatrix Pro.dll” and “Montero.dll”), ultimately installing Formbook. The malware sets up persistence via scheduled tasks and adds exclusions in antivirus software to avoid detection. A quirky hallmark: embedded Tumblr links to superhero comic GIFs (e.g., Batman), which inspired the group’s name but play no active role in attacks. As F6 researcher Vladislav Kugan explained, “These images were not used in any attack, but were merely part of the malware code.”
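The persistence and evasion steps above (a scheduled task plus an antivirus exclusion) leave host telemetry a defender can correlate. The following is an added example, not code from the article or from F6's research: it pairs a Microsoft Defender exclusion written under the Exclusions registry key (Sysmon event 13, registry value set) with a task definition dropped under the System32 Tasks folder (Sysmon event 11, file create) by the same image within a short window. The pipe-separated line format, the image paths and the task name are constructed for the example; the Sysmon event IDs are the real ones.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Lower-cased markers for the two locations of interest (Sysmon reports
# registry targets as HKLM\SOFTWARE\... and task files under System32\Tasks).
EXCLUSION_KEY = "\\windows defender\\exclusions\\"
TASK_DIR = "c:\\windows\\system32\\tasks\\"

def parse(line):
    """Constructed pipe-separated line: time|sysmon event id|image|target."""
    ts, eid, image, target = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "eid": int(eid),
            "image": image.lower(), "target": target.lower()}

def correlate(lines, window=timedelta(minutes=10)):
    """Return images that both added a Defender exclusion and dropped a task file."""
    by_image = defaultdict(list)
    for e in map(parse, lines):
        by_image[e["image"]].append(e)
    hits = []
    for image, evs in by_image.items():
        excl = [e["ts"] for e in evs if e["eid"] == 13 and EXCLUSION_KEY in e["target"]]
        tasks = [e["ts"] for e in evs if e["eid"] == 11 and e["target"].startswith(TASK_DIR)]
        if any(abs(a - b) <= window for a in excl for b in tasks):
            hits.append(image)
    return sorted(hits)

# Constructed sample: a disguised loader touching both locations, plus benign noise.
SAMPLE_LOG = [
    "2025-07-14T09:01:10|13|C:\\Users\\u\\Downloads\\Акт_сверки pdf 010.exe|"
    "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\Public",
    "2025-07-14T09:01:12|11|C:\\Users\\u\\Downloads\\Акт_сверки pdf 010.exe|"
    "C:\\Windows\\System32\\Tasks\\Update_Check",
    "2025-07-14T09:30:00|11|C:\\Windows\\System32\\svchost.exe|"
    "C:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
    "2025-07-14T10:02:00|13|C:\\Program Files\\Vendor\\setup.exe|"
    "HKLM\\SOFTWARE\\Vendor\\Config\\Installed",
]

if __name__ == "__main__":
    print(correlate(SAMPLE_LOG))  # only the disguised loader is reported
```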

Recent escalations include fake login pages mimicking document management services. In July 2025, emails from a Kazakhstan industrial firm redirected victims to credential-harvesting sites. JavaScript on these pages auto-fills email fields from URL parameters, pulls domain screenshots via screenshotapi.net for realism, and sends stolen data via HTTP POST. Earlier hits targeted a Belarusian bank in April and a Kazakhstan company in June, with lures like invoice-themed forms capturing emails and phone numbers.

The use of English emails signals ComicForm’s potential expansion beyond Russian-speaking regions, per F6 analysis: “The group attacks Russian, Belarusian, and Kazakh companies from various sectors, and the use of English-language emails suggests that the attackers are also targeting organizations in other countries.”

SectorJ149’s Spear-Phishing Shift

Operating since November 2024, SectorJ149 employs spear-phishing against South Korean executives, baiting them with emails about production facility purchases or quotation requests. Attachments come as Microsoft CAB archives containing Visual Basic Scripts that trigger PowerShell commands to download disguised JPG files from Bitbucket or GitHub repositories.

These files unpack loaders that fetch, decrypt, and execute additional payloads from remote URLs—disguised as .txt files—leading to in-memory deployment of Formbook, Lumma Stealer, and Remcos RAT. NSHC’s ThreatRecon Team detailed the process: “The PE Malware executed directly in the memory area is a loader-type Malware that downloads additional malicious data disguised as a text file (.txt) through a URL included in the provided parameter values, decrypts it, and then generates and executes the PE Malware.”
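Both chains rely on files that are not what their names claim: ComicForm's RAR-packed executable named like a PDF (the "Акт_сверки pdf 010.exe" lure above) and SectorJ149's PE payloads served as .jpg and .txt. The check below is an added example, not code from the article, F6 or NSHC: it flags a decoy document word ahead of a real executable extension, and content whose leading bytes contradict the claimed extension. The sample file names and byte strings are constructed.

```python
import re

# Words a victim is meant to read as the file type (decoy) and extensions
# that actually execute when double-clicked.
DECOY_WORDS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
EXEC_EXTS = {"exe", "scr", "dll", "vbs", "js", "cab", "ps1", "bat", "cmd"}

# Leading bytes a file with this extension should start with.
MAGIC = {"pdf": b"%PDF", "jpg": b"\xff\xd8\xff", "png": b"\x89PNG",
         "rar": b"Rar!", "cab": b"MSCF", "exe": b"MZ", "dll": b"MZ"}

def name_findings(filename: str) -> list[str]:
    """Flag naming tricks: a decoy document word ahead of a real executable extension."""
    parts = re.split(r"[.\s_-]+", filename.lower())
    ext = parts[-1] if parts else ""
    findings = []
    if ext in EXEC_EXTS:
        if any(p in DECOY_WORDS for p in parts[:-1]):
            findings.append(f"decoy document word before .{ext}")
        findings.append(f"executable extension .{ext}")
    return findings

def content_findings(filename: str, head: bytes) -> list[str]:
    """Flag content that contradicts the extension (PE served as .jpg, binary .txt)."""
    ext = filename.lower().rsplit(".", 1)[-1]
    findings = []
    if head.startswith(b"MZ") and ext not in ("exe", "dll", "scr"):
        findings.append(f"PE header in .{ext} file")
    expected = MAGIC.get(ext)
    if expected and not head.startswith(expected):
        findings.append(f"content does not match .{ext} signature")
    if ext == "txt" and any(b > 0x7E or (b < 0x20 and b not in b"\t\r\n") for b in head):
        findings.append("binary bytes in .txt payload")
    return findings

def triage(filename: str, head: bytes) -> list[str]:
    """Combine both checks; an empty list means nothing suspicious was seen."""
    return name_findings(filename) + content_findings(filename, head)

if __name__ == "__main__":
    # Constructed samples modelled on the lures and payload disguises described above.
    for name, head in [("Акт_сверки pdf 010.exe", b"MZ\x90\x00"),
                       ("photo.jpg", b"MZ\x90\x00"),
                       ("stage2.txt", b"\x00\x8a\x1fQ"),
                       ("report.pdf", b"%PDF-1.7\n")]:
        print(name, "->", triage(name, head) or "clean")
```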

What sets SectorJ149 apart is its evolving motive. Previously profit-driven, recent activities carry a “strong hacktivist nature,” using hacks to push political, social, or ideological messages against Korean targets.

Broader Impact and Implications

These campaigns underscore the risks to Eurasian infrastructure, with Formbook’s credential theft enabling further espionage or ransomware. No specific victim disclosures beyond general sectors have surfaced, but the attacks’ precision suggests insider knowledge or reconnaissance.

Experts warn of rising state-affiliated threats in the region, exacerbated by geopolitical tensions. While ComicForm appears opportunistic, SectorJ149’s hacktivist leanings could signal broader hybrid warfare tactics.

By FirstHackersNews | September 23rd, 2025 | cyberattack, Cybersecurity, Data Breach, phishing, Threat Intelligence