A new wave of targeted phishing in the CIS is being attributed to the threat group ComicForm. Active since at least April 2025 and ongoing, the operation blends malware delivery with credential harvesting and exhibits a curious signature: hidden links to superhero GIFs inside malicious attachments. The campaign primarily targets organizations in Russia, Belarus, and Kazakhstan and relies on the FormBook information stealer as its end payload.
Targets and geography: financial services to biotech across Russia, Belarus, and Kazakhstan
Analysis indicates victimology across finance, tourism, biotechnology, scientific research, and trading companies. Messages were sent from domains using the country-code TLDs .ru, .by, and .kz, with some sender accounts likely compromised. A recurring indicator is a forged Reply-To header, Reply-To: rivet_kz@…, pointing at a free Russian email service. Some lures appeared in English, signaling potential expansion beyond the CIS.
Email lures and attachments: business-themed pretexts and double-extension traps
Subject lines mirrored routine business correspondence such as “RE: Reconciliation act,” “Contract and invoice.pdf,” “Awaiting signed document,” and “Confirm password.” A representative sample used a RAR archive named “Акт_сверки pdf 010.rar,” concealing an executable “Акт_сверки pdf 010.exe.” Launching the file initiated the malware chain, exploiting the common double-extension trick to bypass cursory user checks.
Malware delivery chain: obfuscated .NET loader to FormBook stealer
The initial executable functions as an obfuscated .NET loader, responsible for unpacking and reflectively executing a second-stage module, MechMatrix Pro.dll. This component decrypts embedded resources from the parent EXE and launches an in-memory third stage, Montero.dll, classified as a dropper. The dropper handles delivery and execution of FormBook, and may establish persistence and connect to attacker-controlled infrastructure. In-memory execution and resource encryption complicate static detection and favor behavior-based EDR visibility.
Odd fingerprint: embedded superhero GIF links
An unusual hallmark of ComicForm’s tooling is the inclusion of hard-coded links to animated superhero GIFs (e.g., Batman). Current analysis suggests these links do not influence the attack logic; they likely serve as noise, a signature, or informal “branding” to hinder straightforward pattern-matching.
Credential theft via fake document-storage pages
Beyond attachments, the campaign leverages phishing sites impersonating document storage and file-sharing portals. Victims are prompted to authenticate, with entered credentials exfiltrated to ComicForm-controlled servers. This dual-vector approach—malware-based theft plus phishing logins—raises the probability of successful initial access to corporate environments.
Activity timeline and scaling signals
Indicators of compromise were observed in May–June 2025, including traces linked to a Kazakhstan telecommunications company in June. By early September, the adversary began expanding its infrastructure, consistent with an ongoing, adaptable operation. The pattern suggests an iterative campaign rather than a one-off spike.
Why it works: FormBook’s ubiquity and the human factor
FormBook is a widely traded stealer that collects passwords, cookies, autofill data, and clipboard contents and is frequently seen in both mass and targeted operations. According to the Verizon DBIR 2024, the “human element” underpins the majority of breaches, with phishing and use of stolen credentials among leading initial access vectors—dynamics directly exploited by ComicForm.
Defensive guidance: detection, hardening, and user readiness
Technical controls: block execution from archives (RAR/ZIP) and deny attachments with double extensions (e.g., pdf.exe); detonate suspicious attachments in sandboxing solutions; deploy EDR/NGAV tuned to in-memory behaviors (e.g., .NET reflection, RunPE, encrypted resource loading); apply URL rewriting and browser isolation for external links; enforce SPF, DKIM, and DMARC with reject/quarantine policies and monitor anomalous Reply-To use; enable MFA and least privilege; monitor anomalous logins and access patterns.
Processes and visibility: deliver targeted phishing awareness focused on business-themed lures and safe handling of archives; continuously monitor for ComicForm-related IOCs (themes, .ru/.by/.kz domains, the “rivet_kz” reply-to pattern) in mail and SIEM telemetry; run regular phishing simulations and ensure incident response playbooks address stealer infections and credential rotation.
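The following Python routine is an added, defender-side illustration of the mail-gateway checks listed above and of the double-extension trick described in the attachment section; it is not code from the report or from any vendor. It parses a raw message, flags archive and double-extension attachments (including the spaced “pdf 010.rar” / “pdf 010.exe” form, not just “invoice.pdf.exe”), compares the Reply-To domain with the From domain, matches the “rivet_kz” local part, and rates a DMARC TXT record as enforcing or not. The sample message, every address and domain in it, and the ASCII-transliterated attachment name are constructed placeholders, not indicators from the campaign.

```python
"""Mail-triage checks for ComicForm-style lures (added example, not from the report)."""
import email
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the lure described in the report. Addresses and
# domains are placeholders; the filename is an ASCII transliteration of the lure name.
SAMPLE_EML = b"""From: accounting@example-supplier.ru
Reply-To: rivet_kz@free-mail.example
To: finance@example-victim.kz
Subject: RE: Reconciliation act
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please see the attached reconciliation act.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Akt_sverki pdf 010.rar"

UmFyIQ==
--b1--
"""

ARCHIVE_EXT = {"rar", "zip", "7z"}
EXEC_EXT = {"exe", "scr", "js", "vbs", "bat", "cmd", "lnk"}
DOC_WORDS = {"pdf", "doc", "docx", "xls", "xlsx"}
WATCH_TLDS = {"ru", "by", "kz"}          # TLDs named in the report
WATCH_LOCALPARTS = {"rivet_kz"}          # Reply-To local part named in the report


def filename_findings(name):
    """Reasons an attachment name looks like an archive or double-extension lure."""
    findings = []
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in ARCHIVE_EXT:
        findings.append("archive_attachment")
    if ext in EXEC_EXT:
        findings.append("executable_attachment")
    # classic 'invoice.pdf.exe': a document extension directly before an executable one
    if len(parts) >= 3 and ext in EXEC_EXT and parts[-2] in DOC_WORDS:
        findings.append("double_extension")
    # spaced variant from the lure: a document word inside the stem, archive/exe suffix
    stem_words = set(".".join(parts[:-1]).split())
    if ext in EXEC_EXT | ARCHIVE_EXT and stem_words & DOC_WORDS:
        findings.append("document_word_disguise")
    return findings


def addr_domain(header_value):
    """Lower-cased domain of the first address in a header ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def header_findings(msg):
    """Reply-To / From mismatch, watch-listed Reply-To local part, watch-listed sender TLD."""
    findings = []
    from_dom = addr_domain(msg["From"])
    reply_dom = addr_domain(msg["Reply-To"])
    _, reply_addr = parseaddr(msg["Reply-To"] or "")
    if reply_dom and reply_dom != from_dom:
        findings.append("reply_to_domain_mismatch")
    if reply_addr.split("@")[0].lower() in WATCH_LOCALPARTS:
        findings.append("watchlisted_reply_to")
    if from_dom.rpartition(".")[2] in WATCH_TLDS:
        findings.append("sender_tld_watchlist")   # informational; normal for CIS partners
    return findings


def triage(raw):
    """Parse a raw RFC 5322 message; return per-header and per-attachment findings and a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    result = {"headers": header_findings(msg), "attachments": {}}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        result["attachments"][name] = filename_findings(name)
    hard = {"double_extension", "document_word_disguise", "executable_attachment",
            "watchlisted_reply_to"}
    hits = set(result["headers"]) | {f for v in result["attachments"].values() for f in v}
    result["verdict"] = "quarantine" if hits & hard else ("review" if hits else "allow")
    return result


def dmarc_is_enforcing(txt_record):
    """True when a DMARC TXT record requests quarantine or reject for failing mail."""
    tags = dict(kv.strip().split("=", 1) for kv in txt_record.split(";") if "=" in kv)
    return tags.get("v") == "DMARC1" and tags.get("p") in {"quarantine", "reject"}


if __name__ == "__main__":
    print(triage(SAMPLE_EML))
    print(dmarc_is_enforcing("v=DMARC1; p=none; rua=mailto:dmarc@example.com"))
```

The verdict logic treats any executable or disguised document name and the watch-listed Reply-To as hard quarantine triggers, while a bare archive or a .ru/.by/.kz sender only raises the message for review, since those are routine for organizations that trade across the CIS. Archive contents are not inspected here; in a gateway the same filename_findings check would be applied to each member name after the archive is opened in a sandbox.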
ComicForm illustrates a familiar yet effective playbook: credible business emails, a layered .NET loader chain, and a proven stealer. Organizations in Russia, Belarus, and Kazakhstan—and adjacent regions—should tighten mail filtering, validate attachments rigorously, and prioritize behavior-based EDR. Rapid triage of suspicious messages, coupled with strict email authentication and MFA, materially reduces the risk that harvested credentials evolve into deeper compromises.