
Formbook Spreads Across Eurasia in New Cyberattacks

A new hacking group called ComicForm has been targeting organizations in Belarus, Kazakhstan, and Russia since at least April 2025. The group has primarily focused on the industrial, financial, tourism, biotechnology, research, and trade sectors. 

The attack begins with phishing emails that have subject lines like "Waiting for the signed document" or "Invoice for Payment." These emails, written in either Russian or English, are sent from addresses in the .ru, .by, and .kz domains. The messages prompt recipients to open a RAR archive that contains a Windows executable file disguised as a PDF document. 

The executable is an obfuscated .NET loader that installs a malicious DLL called "Montero.dll." This DLL then acts as a dropper for the Formbook malware. To avoid detection, it also creates a scheduled task and adds exclusions to Microsoft Defender. 
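The two persistence and evasion steps described above (a scheduled task plus Microsoft Defender exclusions) both leave traces in Windows event logs: Defender writes event 5007 when its configuration changes, and the Security log records event 4698 when a scheduled task is created (if task auditing is enabled). The following is an added example, not code from the article or from F6, that runs simple detection rules over constructed sample event records shaped like those messages; the event texts, paths and task names are assumptions built for the demo, and only the "Montero.dll" name comes from the article.

```python
import re

# Constructed sample events (not real telemetry). The message text loosely
# follows the layout of Defender event 5007 and Security event 4698.
SAMPLE_EVENTS = [
    {"source": "Microsoft-Windows-Windows Defender/Operational", "id": 5007,
     "message": "Microsoft Defender Antivirus Configuration has changed. "
                "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
                "C:\\Users\\Public\\Montero.dll = 0x0"},
    {"source": "Microsoft-Windows-Windows Defender/Operational", "id": 5007,
     "message": "Microsoft Defender Antivirus Configuration has changed. "
                "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Scan\\ScanParameters = 0x2"},
    {"source": "Security", "id": 4698,
     "message": "A scheduled task was created. Task Name: \\Updater Task Content: "
                "<Actions><Exec><Command>C:\\Users\\Public\\loader.exe</Command></Exec></Actions>"},
    {"source": "Security", "id": 4698,
     "message": "A scheduled task was created. Task Name: \\Microsoft\\Windows\\Defrag\\ScheduledDefrag "
                "Task Content: <Actions><Exec><Command>%windir%\\system32\\defrag.exe</Command></Exec></Actions>"},
]

# Matches the registry value written when an exclusion (Paths, Processes,
# Extensions) is added; group 1 is the exclusion kind, group 2 the excluded value.
EXCLUSION_RE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\(\w+)\\(.+?)\s*=\s*0x",
    re.IGNORECASE,
)
TASK_CMD_RE = re.compile(r"<Command>(.*?)</Command>", re.IGNORECASE)
TASK_NAME_RE = re.compile(r"Task Name:\s*(\S+)")

# Directories a normal user can write to; a task launching from here is
# far more suspicious than one launching from %windir% or Program Files.
SUSPICIOUS_DIRS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")


def triage_events(events):
    """Return a list of alerts for Defender exclusion additions and
    scheduled tasks that execute from user-writable locations."""
    alerts = []
    for ev in events:
        msg = ev["message"]
        if ev["id"] == 5007:
            m = EXCLUSION_RE.search(msg)
            if m:
                alerts.append({"rule": "defender_exclusion_added",
                               "kind": m.group(1), "value": m.group(2)})
        elif ev["id"] == 4698:
            cmd = TASK_CMD_RE.search(msg)
            name = TASK_NAME_RE.search(msg)
            if cmd and any(d in cmd.group(1).lower() for d in SUSPICIOUS_DIRS):
                alerts.append({"rule": "task_from_user_writable_path",
                               "task": name.group(1) if name else "?",
                               "command": cmd.group(1)})
    return alerts


if __name__ == "__main__":
    for alert in triage_events(SAMPLE_EVENTS):
        print(alert)
```

The ScanParameters change and the built-in defrag task are included as benign controls: the rules only fire on the exclusion addition and on the task whose command lives under `C:\Users`, which is the combination the article attributes to the Montero.dll dropper.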

Interestingly, the malware's code contains links to harmless GIFs of comic superheroes like Batman. According to F6 researcher Vladislav Kugan, these images are embedded in the code but play no role in the attack; they are what gave the group the name ComicForm. 

Expanding Phishing Tactics 

In addition to using malware, ComicForm has also been seen using phishing links to steal credentials. In July 2025, they sent emails to Russian manufacturing companies from the email address of a company in Kazakhstan. The emails urged recipients to click a link to confirm their account to avoid a potential block. 

When a user clicks the link, they are taken to a fake login page that mimics a domestic document management service. The page steals any information the user enters and sends it to a server controlled by the attacker. It also extracts the user's email address from the URL to customize the phishing page's background with a screenshot of the user's domain. 

Another attack aimed at a Belarusian bank used a fake invoice to trick users into entering their email addresses and phone numbers. 

According to F6, the group’s use of English emails suggests they may also be targeting organizations in other countries. 

Pro-Russian Hacktivists Target South Korea 

A separate report from the NSHC ThreatRecon Team revealed details about a pro-Russian cybercrime group called SectorJ149 that has been targeting South Korea’s manufacturing, energy, and semiconductor industries. 

These attacks, which were observed in November 2024, began with spear-phishing emails related to production or quotation requests. The emails led to the installation of various types of malware, including Lumma Stealer, Formbook, and Remcos RAT. The malware was hidden in a JPG image file and was used to download and execute additional payloads. 
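Both campaigns rely on a file whose content does not match what its name claims: the ComicForm lure is a Windows executable passed off as a PDF, and the SectorJ149 chain hides malware inside a JPG image. A mail gateway or sandbox can catch both with two cheap checks: compare the file's magic bytes against its extension, and for JPEGs walk the segment structure to see whether anything follows the End-Of-Image marker. The code below is an added example, not from the article or either research team; the file names, the minimal JPEG it builds, the double-extension heuristic and the trailing-data threshold are all assumptions constructed for the demo.

```python
import os
import struct

# Signatures at offset 0 and the file kinds they identify.
MAGIC = {
    b"MZ": "pe",
    b"%PDF": "pdf",
    b"\xff\xd8\xff": "jpeg",
    b"Rar!\x1a\x07": "rar",
}

EXTENSION_TYPE = {".exe": "pe", ".dll": "pe", ".scr": "pe", ".pdf": "pdf",
                  ".jpg": "jpeg", ".jpeg": "jpeg", ".rar": "rar"}


def detect_type(data):
    """Classify content by leading magic bytes, ignoring the file name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def jpeg_payload_offset(data):
    """Minimal JPEG walker: return the offset just past the EOI marker
    (FF D9), or None if the structure is malformed. Uses the segment
    lengths rather than searching for FF D9, so a payload that happens to
    contain those two bytes cannot hide the real end of the image."""
    if not data.startswith(b"\xff\xd8"):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        pos += 2
        if marker == 0xD9:                                  # EOI
            return pos
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:  # standalone markers
            continue
        if pos + 2 > len(data):
            return None
        seg_len = struct.unpack(">H", data[pos:pos + 2])[0]  # length includes itself
        pos += seg_len
        if marker == 0xDA:  # SOS: skip entropy-coded data until the next real marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    return None


def triage_file(name, data):
    """Return a list of findings for a file given its claimed name and content."""
    findings = []
    lower = name.lower()
    base, ext = os.path.splitext(lower)
    # Heuristic: "invoice.pdf.exe" style double extension (assumption, not from the article).
    if ext in (".exe", ".scr", ".dll") and os.path.splitext(base)[1] in EXTENSION_TYPE:
        findings.append("double_extension")
    claimed = EXTENSION_TYPE.get(ext, "unknown")
    actual = detect_type(data)
    if claimed != "unknown" and actual != "unknown" and claimed != actual:
        findings.append(f"content_is_{actual}_not_{claimed}")
    if actual == "jpeg":
        end = jpeg_payload_offset(data)
        if end is None:
            findings.append("malformed_jpeg")
        elif end < len(data):
            findings.append(f"trailing_data_{len(data) - end}_bytes")
    return findings


def build_sample_jpeg(trailing=b""):
    """Constructed minimal JPEG (SOI, APP0, SOS, a few scan bytes, EOI)
    with optional bytes appended after EOI to simulate a hidden payload."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"   # includes a stuffed FF00 and an RST0 marker
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9" + trailing


if __name__ == "__main__":
    print(triage_file("Invoice.pdf", b"MZ\x90\x00" + b"\x00" * 60))
    print(triage_file("Invoice.pdf.exe", b"MZ\x90\x00"))
    print(triage_file("photo.jpg", build_sample_jpeg()))
    print(triage_file("photo.jpg", build_sample_jpeg(b"MZ" + b"\x00" * 30)))
```

The JPEG check deliberately does not use `rfind(b"\xff\xd9")`: an appended payload can contain that byte pair, so only following the declared segment lengths gives a trustworthy end-of-image offset. Trailing bytes alone are not proof of malice (some cameras and editors append metadata), so in practice the finding should raise the file's score rather than block it outright.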

The NSHC ThreatRecon Team noted that while the SectorJ149 group previously focused on financial gain, their recent attacks on Korean companies seem to have a strong "hacktivist" nature, suggesting a shift to promoting political or social messages. 
