September 15, 2022 (updated 16 Sep 2022 4:32am)

Info-stealing FormBook surpasses Emotet as most popular malware with cybercriminals

Targeting Windows machines, FormBook steals credentials and has been used in attacks on a variety of sectors.

By Claudia Glover

FormBook was the malware most used in online criminal activity last month, according to new research, knocking Emotet off the top spot for the first time in nine months. The info-stealing software is sold off the shelf as malware-as-a-service to cybercriminals of any skill level, and is known for its strong evasion techniques and relatively low price.

FormBook was the most popular malware used last month. (Photo by Tero Vesalainen/Shutterstock)

The malware targets Windows machines and, once deployed, “can harvest credentials, collect screenshots, monitor and log keystrokes as well as download and execute files according to its command and control (C&C) orders,” according to research from security vendor Check Point. FormBook has been growing in popularity since 2016. 

Other prevalent malware popular on dark web forums includes GuLoader, which saw a sharp rise in activity that made it the fourth most widespread malware in August, according to Check Point. Initially only used to download one remote access trojan (RAT), it is now used in conjunction with infostealers like FormBook, Netwire, and Agent Tesla.

Agent Tesla was the malware most commonly used in cyberattacks on UK targets last month, the research says. It is similar to FormBook in that it steals and transmits credentials, keyboard input and screenshots from a variety of apps installed on a victim’s machine, including the Google Chrome and Mozilla Firefox browsers and the Microsoft Outlook email client.

These malware strains are used to attack companies primarily in the education and research, government and military, and healthcare sectors, utilising widespread vulnerabilities like Log4J as their point of entry. “Apache Log4J remote code execution returns to first place as the most exploited vulnerability,” says the Check Point report. Log4J was used in 44% of attacks on organisations worldwide in August.

Use of mobile malware on the rise

In addition to remote access trojans and infostealers, the use of mobile malware is also growing, says Check Point. This month a mobile malware called AlienBot was most popular among online criminals, followed by Anubis and Joker.

AlienBot is a banking Trojan for Google’s Android operating system. Sold as malware-as-a-service, it has many of the same capabilities as RATs, such as credential stealing and keystroke logging. However, since it was detected it has also developed audio recording and SMS harvesting capabilities.

Joker also has SMS harvesting capabilities. This malware can sign the victim up for paid premium services without the victim’s knowledge and is a signifier of how rapidly the malware landscape is changing, says Maya Horowitz, VP research at Check Point.

“The shifts that we see in this month’s index, from Emotet dropping from first to fifth place to Joker becoming the third most prevalent mobile malware, is reflective of how fast the threat landscape can change,” she says.

Horowitz adds that this should act as a reminder to individuals and companies alike “of the importance of keeping up to date with the most recent threats as knowing how to protect yourself.”

She says: “Threat actors are constantly evolving and the emergence of FormBook shows that we can never be complacent about security and must adopt a holistic, prevent-first approach across networks, endpoints and the cloud.”
