Imagine you work at a mid-sized company. It's a Tuesday morning. You open your email and see a message with the subject line "PO-000806758" — a purchase order. Maybe it's from a supplier you've been waiting on. The attachment is an .exe file, but it looks like a standard document. You double-click.
Nothing dramatic happens. No skull-and-crossbones, no ransom note. Your screen doesn't even flicker. But from that moment on, every password you type, every form you fill out, every credit card number you enter into a browser — all of it is being silently copied and sent to someone you've never met.
That's Formbook. And this is a real sample spotted in the wild this April.
What Is Formbook, Exactly?
Formbook is one of the most popular and long-running information stealers in the world. Think of it as a silent spy that moves into your computer and watches everything you do — especially in your web browser.
Its specialty is form grabbing: intercepting data you type into web forms before it gets encrypted and sent to a website. That means even if you're on an HTTPS site (the kind with the little padlock icon), Formbook can still see your login credentials, payment details, and personal information. It captures the data at the source — your keyboard and your browser — not in transit.
It can also:
- Log keystrokes (record every key you press)
- Take screenshots of your desktop
- Steal saved passwords from browsers and email clients
- Download and run additional malware — opening the door for even worse attacks
- Send everything back to the attacker's remote server (security folks call this a "command-and-control" or C2 server — think of it as the attacker's remote control for your compromised machine)
Formbook has been around since at least 2016, and for a while it was literally sold as a service on underground forums for as little as $30 a week. That low barrier to entry means it's not just used by sophisticated criminal gangs — anyone with a little money and bad intentions can deploy it.
This Specific Sample: What We Know
Our platform flagged this file on April 7, 2026. Here's a snapshot:
| Detail | Value |
|---|---|
| File name | PO-000806758.exe |
| File type | Windows executable (.exe), built with .NET |
| File size | ~1.2 MB |
| Origin | Germany (DE) |
| Family | Formbook |
| Detection rate | 27 out of 76 antivirus engines flagged it on VirusTotal |
That detection rate is worth pausing on. 27 out of 76 means roughly a third of antivirus products caught it — which also means about two-thirds didn't. If your antivirus wasn't one of the 27, this file would have sailed right past your defenses.
Multiple respected analysis platforms — CAPE, VMRay, Kaspersky, and vxCube — independently confirmed it as Formbook or flagged it as malware. Interestingly, one sandbox (ANY.RUN) initially reported "No threats detected," which tells you something important: Formbook is good at hiding.
The file also has some known aliases: Bfdf.exe, aqoni.exe, and some scanners associated it with AgentTesla, a related info-stealer family. This kind of overlap is common — these malware families share techniques and sometimes even code.
How the Attack Works (Without the Jargon)
Here's the chain of events, step by step:
Step 1: The bait. The attacker sends a convincing email — often disguised as a purchase order, invoice, or shipping notification. The file name PO-000806758.exe is textbook. It looks like a routine business document. In some cases, the .exe extension is hidden by Windows, or the file is wrapped inside a .zip or .rar archive to seem less suspicious.
Step 2: The Trojan horse. When you run the file, it doesn't immediately do anything obviously malicious. This sample is built using .NET (Microsoft's programming framework), but here's the clever part: it has no standard import table. In plain English, that means it doesn't openly declare what system functions it plans to use — like a burglar who brings their own tools instead of borrowing the homeowner's. This makes it harder for security tools to predict what it's about to do.
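Step 2's "no standard import table" is a property you can check yourself from the file's PE header, without running anything. The following is an added Python example, not code from ThreatChain or from any of the analysis services named in the post: it parses the data-directory table of a PE file and flags an image that carries a CLR (.NET) runtime header but no import directory. The header-only PE images it builds for itself are constructed for the example and are not runnable programs; the directory indices (1 for imports, 14 for the CLR header) are the standard PE layout.

```python
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1           # import table
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # CLR runtime header, present in .NET images


def pe_data_directories(data):
    """Return the optional header's data directories as (rva, size) tuples.

    Raises ValueError when the bytes are not a PE file at all.
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # optional header follows the signature and the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:       # PE32: NumberOfRvaAndSizes at +92, directories at +96
        n_off, dir_off = opt + 92, opt + 96
    elif magic == 0x20B:     # PE32+: NumberOfRvaAndSizes at +108, directories at +112
        n_off, dir_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    count = struct.unpack_from("<I", data, n_off)[0]
    return [struct.unpack_from("<II", data, dir_off + 8 * i) for i in range(count)]


def triage(data):
    """Summarise whether the image declares imports and whether it is a .NET image."""
    dirs = pe_data_directories(data)

    def present(index):
        return index < len(dirs) and dirs[index][1] != 0

    has_imports = present(IMAGE_DIRECTORY_ENTRY_IMPORT)
    is_dotnet = present(IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    if is_dotnet and not has_imports:
        # An ordinary compiled .NET executable still imports mscoree.dll (_CorExeMain);
        # a .NET image with no import directory at all is the oddity the post describes.
        verdict = "suspicious: .NET image with no import table"
    elif not has_imports:
        verdict = "suspicious: image with no import table"
    else:
        verdict = "normal"
    return {"has_import_table": has_imports, "is_dotnet": is_dotnet, "verdict": verdict}


def build_minimal_pe(import_size, clr_size):
    """Constructed header-only PE32 image for this example (no sections; it cannot run)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)               # e_lfanew: PE signature right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)  # i386, 0 sections, 224-byte opt header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                 # NumberOfRvaAndSizes
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_IMPORT] = (0x2000 if import_size else 0, import_size)
    dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR] = (0x2008 if clr_size else 0, clr_size)
    for i, (rva, size) in enumerate(dirs):
        struct.pack_into("<II", opt, 96 + 8 * i, rva, size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for label, image in (("typical .NET", build_minimal_pe(40, 72)),
                         ("no imports", build_minimal_pe(0, 72)),
                         ("native", build_minimal_pe(40, 0))):
        print(label, triage(image))
```

To run it against a real file, replace the constructed image with `open(path, "rb").read()`; the parser only reads header fields, so it is safe to point at a quarantined sample. A missing import table alone is not proof of malice (packers and some toolchains produce it too), which is why the verdict is "suspicious" rather than "malicious".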
Step 3: The shell game. Formbook is famous for a technique called process injection — it essentially disguises itself inside a legitimate Windows program that's already running. Imagine a criminal putting on a police uniform. The operating system sees a trusted process and doesn't intervene. This is how it evades antivirus software that only checks files on disk.
Step 4: Silent surveillance. Once embedded, Formbook hooks into your browsers and starts capturing form data, keystrokes, and screenshots. It phones home to its C2 server with everything it collects. It also installs persistence mechanisms — ways to survive a reboot, like adding itself to your startup programs. Think of it as the malware hiding a spare key under your doormat so it can always get back in.
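Of the four steps, the persistence in Step 4 is the one a defender can watch for most directly, because registering a program to start at logon leaves a registry write behind. As an added example (constructed for this post, not ThreatChain's detection logic), the Python below runs one rule over Sysmon-style "RegistryEvent (Value Set)" records: any write under a `...\CurrentVersion\Run` or `RunOnce` key is noted, and the finding is escalated when the program being registered, or the process doing the registering, lives in a user-writable directory such as Downloads or AppData. The log lines are constructed; only the file name `PO-000806758.exe` comes from the post, and the user name, paths and vendor names are made up.

```python
import json
import re

# Constructed Sysmon-style records (Event ID 13 = registry value set). The field names
# (EventID, Image, TargetObject, Details) follow Sysmon's schema; every value is made up.
SAMPLE_LOG = r'''
{"EventID": 13, "Image": "C:\\Windows\\System32\\msiexec.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent", "Details": "C:\\Program Files\\Vendor\\agent.exe"}
{"EventID": 13, "Image": "C:\\Windows\\explorer.exe", "TargetObject": "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt", "Details": "DWORD (0x00000000)"}
{"EventID": 13, "Image": "C:\\Users\\alice\\Downloads\\PO-000806758.exe", "TargetObject": "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\PO-000806758", "Details": "C:\\Users\\alice\\Downloads\\PO-000806758.exe"}
{"EventID": 1, "Image": "C:\\Users\\alice\\Downloads\\PO-000806758.exe", "CommandLine": "PO-000806758.exe"}
'''

# Autostart keys consulted at logon: the "startup programs" the post refers to.
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Locations an ordinary user can write to without administrator rights.
USER_WRITABLE = re.compile(r"\\(AppData|Downloads|Temp|Users\\Public)\\", re.IGNORECASE)


def score_autorun_event(event):
    """Return a finding for an autostart registry write, or None if the record is not one."""
    if event.get("EventID") != 13 or not AUTORUN_KEY.search(event.get("TargetObject", "")):
        return None
    reasons = ["sets a Run/RunOnce autostart value"]
    if USER_WRITABLE.search(event.get("Details", "")):
        reasons.append("registered program lives in a user-writable directory")
    if USER_WRITABLE.search(event.get("Image", "")):
        reasons.append("writing process runs from a user-writable directory")
    return {
        "key": event["TargetObject"],
        "image": event["Image"],
        "severity": "high" if len(reasons) > 1 else "low",
        "reasons": reasons,
    }


def scan_log(text):
    """Parse one JSON record per line and return the findings in log order."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        finding = score_autorun_event(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["severity"].upper(), finding["key"], "<-", finding["image"])
        for reason in finding["reasons"]:
            print("   ", reason)
```

The installer writing a Run value for a program under `Program Files` is scored low because that is what legitimate software does; the same key written by, and pointing at, an executable in a Downloads folder is scored high. The rule deliberately ignores the `HideFileExt` write, which is the very setting the protection tips below tell you to change.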
Who Should Care?
If you're thinking "I'm not a target," think again. Formbook isn't a precision weapon aimed at governments or giant corporations. It's a dragnet. Attackers spray it out to thousands of email addresses and see what sticks. That means:
- Small business owners who handle invoices and purchase orders daily — you're the primary target for these social engineering lures
- Remote workers who may not have corporate-grade security on their home machines
- Developers who download tools and libraries from the internet and may encounter repackaged malicious executables
- Anyone who uses a web browser to log into banking, email, or shopping sites
The real-world damage looks like this: stolen banking credentials drained overnight. Client databases exfiltrated and sold on dark web forums. Email accounts hijacked to send more phishing emails to your contacts. Company credentials used to breach your employer's network. And because Formbook can download additional malware, a single infection can be the first domino in a much larger attack — including ransomware (digital kidnapping of your files for payment).
How to Protect Yourself
You don't need a six-figure security budget. Here are concrete things you can do right now:
- Never open `.exe` attachments from email. Period. Legitimate purchase orders come as PDFs. If someone sends you an executable — or a compressed archive containing one — treat it as suspicious, even if you recognize the sender's name. (Attackers routinely spoof email addresses.)
- Turn on "Show file extensions" in Windows. By default, Windows hides file extensions, so `PO-000806758.exe` might just look like `PO-000806758`. Go to File Explorer → View → check "File name extensions." This one setting removes a huge category of deception.
- Keep Windows and your antivirus updated. Yes, only 27/76 engines caught this sample at the time of analysis. But detection improves quickly once a sample is flagged. Keeping definitions current means you benefit from the community's collective response.
- Use a password manager instead of letting your browser save passwords. Formbook specifically targets browser-stored credentials. A dedicated password manager stores credentials in an encrypted vault that's much harder for malware to raid.
- Enable multi-factor authentication (MFA) everywhere you can. Even if Formbook steals your password, a second factor — like a code from your phone — means the attacker still can't get in. This single step neutralizes a huge portion of stolen-credential attacks.
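The first two tips, and the bait described in Step 1, can be turned into a check that a mail gateway or mailbox rule runs before anyone has to decide whether to click. The following is an added Python example, not ThreatChain's code and not part of the original post: it screens attachment names for executable extensions and for "document.pdf.exe" style double extensions, looks one level inside ZIP archives, and checks whether a file that claims to be a document actually starts with the `MZ` header of a Windows executable. The attachments are constructed for the example (only the name `PO-000806758.exe` comes from the post), and the extension lists are an assumed policy, not an exhaustive one; `.rar` archives would need a third-party library, which is why only ZIP is opened here.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows will run directly on a double-click (assumed policy list, not exhaustive).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".msi", ".hta"}
# Document extensions an attacker hides behind in a double-extension name.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def suffixes(name):
    """Lower-cased extension chain of a file name: 'a.pdf.exe' -> ['.pdf', '.exe']."""
    return [s.lower() for s in PurePosixPath(name).suffixes]


def classify(name, data):
    """Return the reasons an attachment is suspicious (an empty list means it passed)."""
    reasons = []
    sfx = suffixes(name)
    last = sfx[-1] if sfx else ""
    if last in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {last}")
        if len(sfx) >= 2 and sfx[-2] in DOCUMENT_EXTENSIONS:
            reasons.append(f"double extension {sfx[-2]}{last}")
    elif data[:2] == b"MZ":
        # Content says "Windows executable" even though the name does not.
        reasons.append("content starts with MZ (Windows executable) despite a non-executable name")
    return reasons


def screen_attachment(name, data):
    """Screen one attachment; ZIP archives are opened one level deep.

    Returns {entry: [reasons]} for every flagged entry, with archive members
    written as 'archive.zip!member'.
    """
    flagged = {}
    reasons = classify(name, data)
    if reasons:
        flagged[name] = reasons
    if suffixes(name) and suffixes(name)[-1] == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for info in archive.infolist():
                    if info.is_dir():
                        continue
                    inner = classify(info.filename, archive.read(info))
                    if inner:
                        flagged[f"{name}!{info.filename}"] = inner
        except zipfile.BadZipFile:
            flagged[name] = reasons + ["named .zip but is not a valid ZIP archive"]
    return flagged


def screen_mailbox(attachments):
    """Screen a list of (name, bytes) pairs and merge the findings."""
    findings = {}
    for name, data in attachments:
        findings.update(screen_attachment(name, data))
    return findings


def build_sample_attachments():
    """Constructed attachments for this example; the byte contents are placeholders, not real files."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("PO-000806758.pdf.exe", b"MZ placeholder bytes")
    return [
        ("PO-000806758.exe", b"MZ placeholder bytes"),      # the lure from the post
        ("Terms.pdf", b"%PDF-1.4 placeholder"),             # a genuine-looking document
        ("PO-000806758.zip", archive.getvalue()),           # the archive-wrapped variant
        ("Shipping-notice.pdf", b"MZ placeholder bytes"),   # executable content behind a .pdf name
    ]


if __name__ == "__main__":
    for entry, reasons in screen_mailbox(build_sample_attachments()).items():
        print(entry, "->", "; ".join(reasons))
```

The name checks catch what a user with extensions hidden cannot see, and the `MZ` content check catches the case where the name is entirely innocent. Neither replaces antivirus; they are the cheap, deterministic filters that stop the common lures before the 27-out-of-76 question ever arises.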
The Bottom Line
Formbook isn't flashy. It doesn't lock your screen or make demands. It just quietly watches and copies, like someone reading over your shoulder — except they're reading everything, and they never leave.
This sample, PO-000806758.exe (SHA-256: af3f5610187dd9fadeffd7148fce068c920c10a824bc7e139550e06dd4cca882), is one of thousands of Formbook variants circulating right now. The social engineering is simple. The malware is well-engineered. And the consequences — stolen credentials, financial loss, deeper network compromise — are very real.
The best defense isn't expensive software. It's a moment of pause before you click.
This analysis is based on data collected by ThreatChain and corroborated by multiple public malware analysis services including CAPE, VMRay, Kaspersky, and VirusTotal. Sample first observed April 7, 2026.
This sample is available as a password-protected ZIP (password: infected) for security researchers.