Phishing or Malware? Unpacking a Combo 2-in-1 Threat

- Pavlo Prodanchuk
Security researchers at Forcepoint recently uncovered a particularly unusual sample that blurs the lines between a classic phishing scam and a malware attack. At first glance, it looked like an ordinary phishing email — but digging deeper revealed that it also contained a malicious attachment from the X-Worm/Formbook family. This kind of dual-threat delivery, where a phishing message also distributes malware, is rare and noteworthy.
Let’s break down what made this sample so interesting.
The Email: A Classic Phish on the Surface

Fig. 1 - Email view
The subject line read:
- Subject: Your mailbox is almost full [victim.email]@[domain].com
At first, everything about the email screamed “phishing.” The From header was crafted so that the display name mimicked the victim’s own domain while the actual sender address was something else entirely:
- From: “[victim.domain]” [sender.address]
Because most mail clients show only the display name, the message appears to come from a legitimate internal source, when in reality it was sent from a spoofed or hijacked external mailbox.
The body of the message followed standard phishing tactics: a brief warning about a full mailbox and a big, urgent-looking “Clear Storage” button prompting the user to take immediate action.
The Redirect: IPFS-Based Phishing Page
Clicking the button sent the user to a public IPFS gateway via the following URL, with the victim’s address appended after the `#`:
- hxxps://ipfs[.]io/ipfs/bafkreifs2nuxey2rbsqwuv5qt6xwnopg3hhailqnk2bpw52fmqitxmzuni#[victim.email]@[domain].com
The gateway served a phishing page stored on IPFS (InterPlanetary File System), a decentralized content-addressed network that threat actors increasingly abuse because content pinned there is hard to take down and the gateway domains themselves are legitimate and widely trusted. Note that the URL fragment is never sent to the server: the victim’s address rides along for the page’s own JavaScript to read, so it does not show up in gateway request logs. Hosting on such platforms therefore both enhances persistence and increases the likelihood of user interaction. This tactic reflects a broader trend anticipated in the Forcepoint X-Labs 2025 Future Insights report, which predicted that adversaries would increasingly exploit legitimate infrastructure to blend into normal traffic patterns and evade detection.
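The two lure characteristics above, a display name that impersonates the recipient’s domain and a link to an IPFS gateway carrying the victim’s address in the fragment, are both cheap to check at the mail gateway. The following is an added triage example written for this article; it is not Forcepoint’s code and not taken from the original sample. The recipient, the From header, the gateway list and the finding names are assumptions; the CID is the one from the URL above.

```python
import re
from email.utils import parseaddr
from urllib.parse import unquote, urlparse

# Constructed sample inputs modelled on the lure above (not the original
# message): the From display name mimics the victim's domain while the real
# sender address is elsewhere, and the "Clear Storage" link points at a public
# IPFS gateway with the victim's address carried in the URL fragment.
SAMPLE_RECIPIENT = "alice@victim-corp.example"
SAMPLE_FROM = '"victim-corp.example" <billing@unrelated-sender.example>'
SAMPLE_URL = ("hxxps://ipfs[.]io/ipfs/"
              "bafkreifs2nuxey2rbsqwuv5qt6xwnopg3hhailqnk2bpw52fmqitxmzuni"
              "#alice@victim-corp.example")

# Public IPFS HTTP gateways commonly abused for phishing (assumed list; extend
# it from your own telemetry).
IPFS_GATEWAYS = {"ipfs.io", "dweb.link", "cloudflare-ipfs.com",
                 "gateway.pinata.cloud", "w3s.link"}
# CIDv0 (base58, "Qm" + 44 chars) or CIDv1 base32 ("baf" + lowercase base32).
CID_RE = re.compile(r"^(Qm[1-9A-HJ-NP-Za-km-z]{44}|baf[a-z2-7]{50,})$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def refang(s):
    """Undo the hxxp / [.] defanging used in the IOC table."""
    return s.replace("hxxp", "http").replace("[.]", ".")


def display_name_spoof(from_header, recipient):
    """True when the From display name impersonates the recipient's own domain
    while the actual sender address belongs to a different domain."""
    name, addr = parseaddr(from_header)
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    rcpt_domain = recipient.rsplit("@", 1)[-1].lower()
    return rcpt_domain in name.lower() and sender_domain != rcpt_domain


def analyse_ipfs_url(url):
    """Return (is_ipfs_gateway_url, cid, email_in_fragment_or_None).

    Handles the path form https://<gateway>/ipfs/<cid>/... and the subdomain
    form https://<cid>.ipfs.<gateway>/...  The fragment is never sent to the
    server, so an address there is meant for client-side script and will not
    appear in gateway logs.
    """
    u = urlparse(refang(url))
    host = (u.hostname or "").lower()
    parts = u.path.split("/")
    cid = None
    if host in IPFS_GATEWAYS and len(parts) >= 3 and parts[1] == "ipfs":
        cid = parts[2]
    else:
        labels = host.split(".")
        if (len(labels) >= 3 and labels[1] == "ipfs"
                and ".".join(labels[2:]) in IPFS_GATEWAYS):
            cid = labels[0]
    if cid is None or not CID_RE.match(cid):
        return False, None, None
    frag = unquote(u.fragment)
    return True, cid, (frag if EMAIL_RE.match(frag) else None)


def triage(from_header, recipient, url):
    """Combine both checks into a list of findings for an analyst or a SIEM."""
    findings = []
    if display_name_spoof(from_header, recipient):
        findings.append("from_display_name_impersonates_recipient_domain")
    is_ipfs, cid, email = analyse_ipfs_url(url)
    if is_ipfs:
        findings.append(f"link_to_ipfs_gateway:{cid}")
        if email:
            findings.append("victim_email_in_url_fragment")
            if email.lower() == recipient.lower():
                findings.append("fragment_email_matches_recipient")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_FROM, SAMPLE_RECIPIENT, SAMPLE_URL):
        print(finding)
```

The fragment check is the discriminating one: a legitimate IPFS link has no reason to carry the recipient’s own mailbox address, and because the fragment is client-side only, a gateway-side blocklist never sees it.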

Fig. 2 - Phishing page
Interestingly, the phishing page did not just attempt to steal credentials; it also tried to gather context about the victim. By loading an external JavaScript file from geoplugin.net, a geolocation API that maps the visitor’s IP address to country, city and even latitude and longitude, the page quietly collected the user’s geographic region along with system details and the local date and time. These details may seem harmless, but they let the phisher tailor the page so the scam feels more legitimate and the victim is more likely to fall for it.

Fig. 3 - Geolocation JavaScript
Obfuscated Code
The phishing page’s HTML was not served as plain markup; it was generated at runtime by obfuscated JavaScript. A snippet of the code looked like this:

Once decoded, the script’s purpose was clear: it dynamically rendered a login form and, on submission, sent the entered credentials in a POST request to an attacker-controlled endpoint (the newpost.php URL listed in the IOCs below).

Fig. 4 - Code sample with POST request
The Attachment: Malware in Disguise
What set this phishing campaign apart, however, was the malicious attachment that accompanied the email: a RAR archive with no connection to the mailbox-full lure.
Once extracted and executed, the archive’s contents dropped malware Forcepoint attributes to the X-Worm/Formbook family, known for:
- Credential stealing
- Keylogging
- Persistence techniques
- Anti-analysis features
Malware Behavior Summary
Execution begins with a .NET-compiled loader running under the managed runtime. Its job is to deliver and execute a second-stage payload, itself a .NET executable. Using .NET for both stages points to a streamlined delivery chain that relies on embedded resources or in-memory execution so that the final payload is never exposed to on-disk scanning.
In summary, the malware sample exhibited the following suspicious activities:
- Anti-analysis: Used sleep delays, checked for debugging environments, and detected virtualization.
- System modification: Added Windows Defender exclusions and created scheduled tasks for persistence.
- Network communication: Attempted connections to external IPs, possibly for command-and-control (C2) communication or data exfiltration.
- Code injection: Dropped and injected malicious payloads into legitimate system processes.
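Two of the behaviours listed above, adding Windows Defender exclusions and creating scheduled tasks for persistence, leave clean host telemetry. The following is an added detection example written for this article; it is not Forcepoint’s code and is not derived from the sample’s real telemetry. It runs a few rules over constructed Sysmon process-creation (Event ID 1) and Defender Operational (Event ID 5007) records and then correlates hits by parent process, because one freshly extracted executable that both disables scanning on a folder and registers a task inside a few seconds is far more telling than either event alone. The field names, PIDs, paths and timestamps are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the analysed sample): Sysmon Event ID 1
# process-creation records and one Windows Defender Operational log Event ID
# 5007 (configuration changed) record, flattened the way a SIEM stores them.
EVENTS = [
    {"ts": "2025-05-02T09:14:03", "source": "Sysmon", "id": 1, "pid": 4120, "ppid": 3988,
     "image": r"C:\Users\alice\AppData\Local\Temp\Rar$EXa0.123\invoice.exe",
     "cmdline": r'"C:\Users\alice\AppData\Local\Temp\Rar$EXa0.123\invoice.exe"'},
    {"ts": "2025-05-02T09:14:05", "source": "Sysmon", "id": 1, "pid": 4201, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -w hidden Add-MpPreference -ExclusionPath "C:\Users\alice\AppData"'},
    {"ts": "2025-05-02T09:14:05", "source": "Defender", "id": 5007, "pid": None, "ppid": None,
     "image": None, "cmdline": None,
     "message": r"Microsoft Defender Antivirus Configuration has changed. New value: "
                r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\alice\AppData = 0x0"},
    {"ts": "2025-05-02T09:14:09", "source": "Sysmon", "id": 1, "pid": 4233, "ppid": 4120,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /f /sc minute /mo 1 /tn "Updater" /tr "C:\Users\alice\AppData\Roaming\svchost.exe"'},
    {"ts": "2025-05-02T10:02:11", "source": "Sysmon", "id": 1, "pid": 5100, "ppid": 900,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /query /tn "\Microsoft\Windows\Defrag\ScheduledDefrag"'},
]

# Detection rules (assumed patterns; tune to your environment).
EXCLUSION_CMD_RE = re.compile(r"(Add|Set)-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.I)
EXCLUSION_MSG_RE = re.compile(r"\\Exclusions\\(Paths|Processes|Extensions)\\", re.I)
SCHTASKS_CREATE_RE = re.compile(r"schtasks(\.exe)?\b.*\s/create\b", re.I)
PS_TASK_RE = re.compile(r"Register-ScheduledTask\b", re.I)
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Public|ProgramData|Downloads)\\", re.I)


def classify(ev):
    """Return the set of detection tags that apply to one event."""
    tags = set()
    cmd = ev.get("cmdline") or ""
    msg = ev.get("message") or ""
    if ev["source"] == "Sysmon" and ev["id"] == 1:
        if EXCLUSION_CMD_RE.search(cmd):
            tags.add("defender_exclusion_added")
        if SCHTASKS_CREATE_RE.search(cmd) or PS_TASK_RE.search(cmd):
            tags.add("scheduled_task_created")
            if USER_WRITABLE_RE.search(cmd):
                tags.add("task_runs_from_user_writable_path")
    elif ev["source"] == "Defender" and ev["id"] == 5007 and EXCLUSION_MSG_RE.search(msg):
        tags.add("defender_exclusion_added")
    return tags


def find_chains(events, window=timedelta(minutes=5)):
    """Correlate by parent PID: a parent that spawns both an exclusion change
    and a task registration inside `window` matches the dropper pattern.
    Returns [(ppid, parent_image)] sorted by ppid."""
    images = {ev["pid"]: ev["image"] for ev in events if ev["source"] == "Sysmon"}
    by_parent = defaultdict(lambda: defaultdict(list))
    for ev in events:
        if ev["source"] != "Sysmon":
            continue
        for tag in classify(ev):
            by_parent[ev["ppid"]][tag].append(datetime.fromisoformat(ev["ts"]))
    chains = []
    for ppid, tagged in by_parent.items():
        excl = tagged.get("defender_exclusion_added", [])
        task = tagged.get("scheduled_task_created", [])
        if any(abs(t - e) <= window for e in excl for t in task):
            chains.append((ppid, images.get(ppid)))
    return sorted(chains)


def triage(events):
    """Per-event alerts plus correlated parent-process chains."""
    alerts = []
    for ev in events:
        tags = classify(ev)
        if tags:
            alerts.append((ev["ts"], ev["source"], ev["id"], sorted(tags)))
    return {"alerts": alerts, "chains": find_chains(events)}


if __name__ == "__main__":
    result = triage(EVENTS)
    for alert in result["alerts"]:
        print("ALERT", alert)
    for ppid, image in result["chains"]:
        print("CHAIN parent", ppid, image)
```

The Defender 5007 record is kept as an independent signal on purpose: if the attacker edits the exclusion registry keys directly instead of calling Add-MpPreference, the command-line rule misses it but the configuration-change event still fires.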
Conclusion
This hybrid campaign underscores the evolving tactics of threat actors. By bundling phishing with malware delivery, attackers increase their chances of success — if the phishing lure doesn’t get you, the malicious attachment might.
Protection Statement:
Forcepoint customers are protected against this threat at the following stages of attack:
- Stage 1 (Lure) – Emails are blocked by email security analytics.
- Stage 2 (Delivery) – Emails and malicious attachments are identified and blocked by Forcepoint Email Security.
- Stage 3 (Redirect) – The redirect URL within the email is identified and blocked.
- Stage 6 (Command and Control / Call Home) – Communication attempts to C2 servers related to the phishing page and malware attachment are successfully blocked.
IOCs:
| Indicator type | Value |
|---|---|
| From address | |
| Phish URL | hxxps://ipfs[.]io/ipfs/bafkreifs2nuxey2rbsqwuv5qt6xwnopg3hhailqnk2bpw52fmqitxmzuni#email@address |
| POST URL | hxxp://Jezzo[.]sbs/love/newpost[.]php |
| C2 | verism[.]xyz/x0tn/ |
| C2 | rumbtap[.]site/gnwh/ |
| C2 | ff87558[.]vip/582t/ |
| C2 | elementzone[.]shop/w9tj/ |
| C2 | beragame[.]biz/2c8x/ |
| C2 | fun1995[.]net/wfuw/ |
| C2 | instatv[.]shop/wx48/ |
| C2 | top10-casino25[.]buzz/w300/ |
| C2 | eternalethereum[.]xyz/d9jw/ |
| C2 | computetools[.]xyz/1t1d/ |
| C2 | bri[.]co[.]id/cx3e/ |
| C2 | ezdecnight[.]info/ilbf/ |
| C2 | hangten[.]tech/fnmj/ |
| C2 | servisyeni[.]xyz/layp/ |
| C2 | boldcatchpoint[.]shop/e49a/ |
| C2 | nysche[.]tokyo/8q4x/ |
| C2 | empero[.]fun/ccu2/ |
| SHA-1 (exe) | 29bec38ca9f41669986562d69bbfb30c46f09346 |
| SHA-1 (rar) | f99e081031ba68bf5a0e1328df6574590516ec3a |
Pavlo Prodanchuk serves as a Security Researcher with the Forcepoint X-Labs Threat Research team. He focuses on detecting and analyzing web, email, and file-based cyberattacks, and is passionate about identifying emerging threats and developing proactive defenses to enhance security across digital environments.