Info Stealer
Formbook
First seen: 2016-01 • Status: active
Formbook is a widely used password-stealing malware family that has been active since 2016. It captures everything typed into website forms, including login pages and checkout pages. It rebranded as 'XLoader' and now runs on both Windows and macOS. Because it is cheap and easy to use, many criminals rely on it.
Overview
Formbook is a commodity infostealer malware that has been sold on hacking forums since 2016. It is known for its form-grabbing capabilities, keylogging, and ability to steal data from web browsers. The malware rebranded as XLoader in 2020 and expanded to target macOS systems.
Also Known As
FormBook, XLoader
How It Spreads
- Phishing emails with malicious attachments
- Fake software installers
- Malicious Office documents
- Compressed archives (ZIP, RAR, ISO)
- PDF files with embedded links
What It Does
- Captures data from web forms (form grabbing)
- Logs all keystrokes
- Takes screenshots
- Steals clipboard contents
- Harvests credentials from browsers
- Downloads additional payloads
Target Platforms
Windows 7, Windows 10, Windows 11, macOS
Detection Tips
- Monitor for code injection into web browser processes
- Detect form-grabbing hooks installed in web browser processes
- Alert on unusual HTTP POST traffic patterns, such as periodic POSTs to recently registered or uncategorised domains
- Watch for process hollowing techniques
- Monitor for processes that repeatedly read the clipboard
MITRE ATT&CK Techniques
T1056.001, T1056.002, T1113, T1555, T1105
If You're Infected
1. Isolate the infected system from the network
2. Reset all passwords entered on the infected system
3. Cancel and replace any credit cards used on the infected machine
4. Enable 2FA on all important accounts
5. Run a full system scan with updated antivirus
6. Mac users: check for the XLoader variant specifically