Hacker Group ComicForm Spreads FormBook Stealer Alongside Superhero Images

Analysts at F6 have analyzed phishing attacks carried out by a new hacker group known as ComicForm, which has targeted Russian companies in finance, tourism, biotechnology, research, and trade sectors, as well as organizations in Belarus and Kazakhstan. In their emails, attackers distributed the FormBook stealer—sometimes alongside animated GIFs of comic book superheroes.

Phishing Campaign Details

The ComicForm campaign ran in May and June 2025, primarily against Russian organizations. Malicious emails carried subject lines such as “RE: Reconciliation Statement,” “Contract and Invoice.pdf,” “Awaiting Signed Document,” and “Confirm Password”—all designed to entice recipients into opening the attachments.

One attachment, “Akt_sverki pdf 010.rar”, contained an executable file, “Akt_sverki pdf 010.exe.” Launching it initiated the infection chain.

Infection Chain

The executable was an obfuscated .NET loader that unpacked and ran a second-stage module (MechMatrix Pro.dll). This module accessed resources from the initial file, decrypted them, and executed a third-stage dropper (Montero.dll) in memory.
During execution, the malware:
- Copied itself to %AppData%\sLanZcuuAqw.exe.
- Established persistence via the Task Scheduler.
- Checked privileges and, if run as administrator, added itself to Windows Defender exclusions.
- Extracted its payload from internal resources.
- Launched %WINDIR%\SysWOW64\whoami.exe and injected the decrypted FormBook stealer into it.
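The behaviours in the list above are a good fit for a simple correlation rule set on endpoint telemetry. The following is an added example, not F6's code or anything from the campaign: it runs four detection rules over constructed Sysmon-style event dictionaries (Event ID 1 = process creation, Event ID 13 = registry value set) and counts how many distinct rules fire for each offending process image. The schtasks command line used for the Task Scheduler step and the Defender exclusion registry path are assumptions about how those actions appear in telemetry; the article only states that persistence and the exclusion were set up.

```python
"""Toy detection pass for the ComicForm infection chain.
Added example with constructed events; field names follow Sysmon
(Image, ParentImage, CommandLine, TargetObject) but the data is made up."""
import re
from collections import defaultdict

# Constructed sample telemetry: one benign whoami from an admin's cmd.exe,
# followed by the behaviours the article describes. The schtasks command
# line is an assumption about how the Task Scheduler persistence looks.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\whoami.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "whoami /groups"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Roaming\sLanZcuuAqw.exe",
     "ParentImage": r"C:\Users\alice\Downloads\Akt_sverki pdf 010.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Roaming\sLanZcuuAqw.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Users\alice\AppData\Roaming\sLanZcuuAqw.exe",
     "CommandLine": r'schtasks /create /tn Updater /tr "C:\Users\alice\AppData\Roaming\sLanZcuuAqw.exe" /sc onlogon'},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Roaming\sLanZcuuAqw.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\alice\AppData\Roaming",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\whoami.exe",
     "ParentImage": r"C:\Users\alice\AppData\Roaming\sLanZcuuAqw.exe",
     "CommandLine": r"C:\Windows\SysWOW64\whoami.exe"},
]

APPDATA_EXE = re.compile(r"\\AppData\\(Roaming|Local)\\[^\\]+\.exe$", re.I)
WHOAMI = re.compile(r"\\whoami\.exe$", re.I)
SCHTASKS = re.compile(r"\\schtasks\.exe$", re.I)
# Assumed registry location of Defender path/process exclusions.
DEFENDER_EXCLUSIONS = "\\microsoft\\windows defender\\exclusions\\"


def rule_appdata_exec(ev):
    # An executable sitting directly in %AppData% was launched (self-copy).
    if ev["EventID"] == 1 and APPDATA_EXE.search(ev["Image"]):
        return ev["Image"]


def rule_schtasks_to_appdata(ev):
    # schtasks /create whose task action points into AppData: persistence.
    if ev["EventID"] == 1 and SCHTASKS.search(ev["Image"]):
        cmd = ev.get("CommandLine", "").lower()
        if "/create" in cmd and "\\appdata\\" in cmd:
            return ev["ParentImage"]


def rule_defender_exclusion(ev):
    # Registry write under the Defender exclusion keys (needs admin rights).
    if ev["EventID"] == 13 and DEFENDER_EXCLUSIONS in ev.get("TargetObject", "").lower():
        return ev["Image"]


def rule_whoami_from_user_dir(ev):
    # whoami.exe is normally started from an admin shell; a parent living
    # under C:\Users (here the AppData copy) matches the injection-host pattern.
    if (ev["EventID"] == 1 and WHOAMI.search(ev["Image"])
            and "\\users\\" in ev["ParentImage"].lower()):
        return ev["ParentImage"]


RULES = [rule_appdata_exec, rule_schtasks_to_appdata,
         rule_defender_exclusion, rule_whoami_from_user_dir]


def run_rules(events):
    """Return (rule_name, event_index, offender_image) for every hit."""
    hits = []
    for i, ev in enumerate(events):
        for rule in RULES:
            offender = rule(ev)
            if offender:
                hits.append((rule.__name__, i, offender.lower()))
    return hits


def chain_score(events):
    """Distinct rules fired per offending process image. The full chain lights
    up all four on the AppData copy; any one rule alone is a weak signal."""
    fired = defaultdict(set)
    for name, _, offender in run_rules(events):
        fired[offender].add(name)
    return {img: len(names) for img, names in fired.items()}


if __name__ == "__main__":
    for hit in run_rules(SAMPLE_EVENTS):
        print(hit)
    print(chain_score(SAMPLE_EVENTS))
```

Scoring per offender rather than alerting on each rule is the point: the benign whoami from cmd.exe scores nothing, while the dropped copy accumulates the AppData launch, the scheduled task, the exclusion write and the whoami child, which together describe the chain the article lays out.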

Unusual Use of Superhero GIFs

A distinctive feature of this campaign was hidden links within attachments pointing to animated superhero GIFs (for example, Batman). These images were not used directly in the attacks but were embedded within the malware’s code.


Infrastructure and Distribution

ComicForm used sender addresses registered on the .ru, .by, and .kz top-level domains, with some likely belonging to compromised accounts. A notable trait was the use of the rivet_kz@… address (registered with a free Russian email service) as the reply-to field.
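Two of the lure traits described on this page, the Reply-To pointing at a free mail account rather than the sending domain and the "Akt_sverki pdf 010.rar" attachment whose name mimics a PDF, can both be checked at the mail gateway. The following triage script is an added example, not F6's or the campaign's code: the message is constructed, the addresses use .example placeholders (the real senders were on .ru/.by/.kz, and the Reply-To local part is not reproduced), and the base64 body is a four-byte stub rather than a real archive.

```python
"""Mail-gateway triage for the ComicForm lure traits: Reply-To domain that
differs from the From domain, and archive or executable attachments whose
names carry a document token such as "pdf". Added example with a
constructed message; all addresses are placeholders."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed phishing message. The attachment body decodes to the bytes
# b"Rar!" and is only a stub; nothing here is a real sample.
RAW_EMAIL = """\
From: "Accounting" <accounting@partner-firm.example>
Reply-To: <collector@free-webmail.example>
To: victim@target-company.example
Subject: RE: Reconciliation Statement
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please find the reconciliation statement attached.
--b1
Content-Type: application/octet-stream; name="Akt_sverki pdf 010.rar"
Content-Disposition: attachment; filename="Akt_sverki pdf 010.rar"
Content-Transfer-Encoding: base64

UmFyIQ==
--b1--
"""

ARCHIVE_EXT = {"rar", "zip", "7z", "iso", "img"}
EXEC_EXT = {"exe", "scr", "com", "pif", "js", "vbs", "bat"}
# A document-type word standing on its own inside the file stem
# ("Akt_sverki pdf 010", "invoice_pdf"), not inside another word ("pdfreader").
DOC_TOKEN = re.compile(r"(?<![a-z0-9])(pdf|docx?|xlsx?|txt)(?![a-z0-9])", re.I)


def domain_of(header_value):
    """Lower-cased domain part of an RFC 5322 address header, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()


def classify_filename(name):
    """Label a document-lookalike archive or executable name, else None."""
    stem, _, ext = name.rpartition(".")
    ext = ext.lower()
    if not DOC_TOKEN.search(stem):
        return None
    if ext in ARCHIVE_EXT:
        return "doc_lookalike_archive"
    if ext in EXEC_EXT:
        return "doc_lookalike_executable"
    return None


def triage(raw_message):
    """Return a list of finding strings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    # Reply-To on a different domain: replies (and any credentials or
    # documents sent back) go somewhere other than the apparent sender.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply_to_mismatch:{from_dom}->{reply_dom}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        label = classify_filename(name)
        if label:
            findings.append(f"{label}:{name}")
    return findings


if __name__ == "__main__":
    for finding in triage(RAW_EMAIL):
        print(finding)
```

The filename rule deliberately covers the executable inside the archive as well as the archive itself, so the same check can run again after the gateway has extracted "Akt_sverki pdf 010.exe" from the RAR. A Reply-To mismatch on its own is common in legitimate mail (ticketing systems, mailing lists), so it is best treated as a score contribution alongside the attachment finding rather than a block on its own.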

In addition to malicious attachments, ComicForm also set up fake document storage pages. Victims who clicked embedded links were redirected to phishing login forms, where stolen credentials were sent to remote servers.

Regional and International Reach

While most campaigns targeted Russian companies, the group also struck Belarusian and Kazakh organizations. The use of English in some phishing messages suggests potential expansion to foreign firms. In June, researchers identified evidence of an attack against an unnamed Kazakh telecommunications company.
“The ComicForm group has been operating since at least April 2025 and remains active to this day. In early September, we noticed that the attackers are expanding their infrastructure,” said Vladislav Kugan, analyst at the F6 Threat Intelligence division.