InsighthubNews
© 2024 All Rights Reserved | Powered by Insighthub News
Technology

ComicForm and SectorJ149 Hackers Deploy Formbook Malware in Eurasian Cyberattacks

September 22, 2025 5 Min Read

Organizations in Belarus, Kazakhstan and Russia have emerged as targets of phishing campaigns run by a previously undocumented hacking group tracked as ComicForm, active since at least April 2025.

According to cybersecurity company F6, the activity primarily targets the industrial, finance, tourism, biotechnology, research and trade sectors.

The attack chain begins with emails bearing subjects such as "Waiting for Signed Document", "Payment Invoice" and "Signing Settlement Act" that urge recipients to open a RAR archive containing an executable. The messages, written in Russian or English, are sent from addresses registered under the .ru, .by and .kz top-level domains.

The executable is an obfuscated .NET loader that launches a malicious DLL ("mechmatrix pro.dll"), which in turn runs a second DLL named "Montero.dll". Montero.dll acts as the dropper for the Formbook malware, but first creates a scheduled task for persistence and adds Microsoft Defender exclusions so the dropped payload is not scanned.
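The scheduled-task-plus-Defender-exclusion pairing is the part of this chain a blue team can catch on the endpoint, because both actions leave Windows events behind (Security 4698 for task creation, Microsoft-Windows-Windows Defender/Operational 5007 for a configuration change). The triage helper below is an added example, not F6's code and not the malware's: it pairs the two events on the same host inside a short window and checks whether the new exclusion actually covers the task's executable. The event records are constructed for illustration and simplified; the message text follows the wording of those two events, but real exports differ in layout, so the regular expressions are a starting point rather than a signature.

```python
"""
Pair scheduled-task creation (Security 4698) with Microsoft Defender exclusion
additions (Defender Operational 5007) on the same host within a time window.
Added example; events below are constructed, not real telemetry.
"""
import re
from datetime import datetime, timedelta

# Constructed sample events (simplified: host, ISO timestamp, event ID, message).
SAMPLE_EVENTS = [
    {"host": "WS-ACCT-07", "time": "2025-07-25T09:14:02", "id": 4698,
     "message": "A scheduled task was created. Task Name: \\Updater "
                "Task Content: <Exec><Command>C:\\Users\\Public\\svc.exe</Command></Exec>"},
    {"host": "WS-ACCT-07", "time": "2025-07-25T09:14:05", "id": 5007,
     "message": "Microsoft Defender Antivirus Configuration has changed. New value: "
                "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\Public = 0x0"},
    {"host": "WS-HR-02", "time": "2025-07-25T11:00:00", "id": 4698,
     "message": "A scheduled task was created. Task Name: \\Microsoft\\Windows\\Backup\\Nightly "
                "Task Content: <Exec><Command>C:\\Program Files\\Backup\\bk.exe</Command></Exec>"},
    {"host": "WS-ACCT-07", "time": "2025-07-25T14:20:00", "id": 5007,
     "message": "Microsoft Defender Antivirus Configuration has changed. New value: "
                "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Scan\\ScanParameters = 0x2"},
]

# Exclusions are written under ...\Windows Defender\Exclusions\{Paths,Processes,Extensions}\<value> = 0x0
EXCLUSION_RE = re.compile(r"\\Exclusions\\(Paths|Processes|Extensions)\\(.+?)\s*=\s*0x0", re.I)
# 4698 carries the task name and the task XML, which holds the command to run.
TASK_RE = re.compile(r"Task Name:\s*(\S+).*?<Command>(.*?)</Command>", re.S)


def parse_exclusion(message):
    """Return (kind, value) if a 5007 message records a new exclusion, else None."""
    m = EXCLUSION_RE.search(message)
    return (m.group(1).lower(), m.group(2).strip()) if m else None


def parse_task(message):
    """Return (task_name, command) from a 4698 message, else None."""
    m = TASK_RE.search(message)
    return (m.group(1), m.group(2).strip()) if m else None


def exclusion_covers(kind, value, command):
    """True when the exclusion would shield the task's executable from scanning."""
    cmd, value = command.lower(), value.lower()
    if kind == "paths":
        return cmd == value or cmd.startswith(value.rstrip("\\") + "\\")
    if kind == "processes":
        return cmd == value or cmd.endswith("\\" + value)
    if kind == "extensions":
        return cmd.endswith("." + value.lstrip("."))
    return False


def find_persistence_evasion_pairs(events, window_minutes=10):
    """One finding per (task creation, exclusion) pair on the same host inside the window."""
    tasks, exclusions = [], []
    for ev in events:
        when = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4698 and (parsed := parse_task(ev["message"])):
            tasks.append((ev["host"], when, parsed))
        elif ev["id"] == 5007 and (parsed := parse_exclusion(ev["message"])):
            exclusions.append((ev["host"], when, parsed))
    window = timedelta(minutes=window_minutes)
    findings = []
    for host, t_task, (name, command) in tasks:
        for ex_host, t_ex, (kind, value) in exclusions:
            if host == ex_host and abs(t_task - t_ex) <= window:
                findings.append({
                    "host": host, "task": name, "command": command,
                    "exclusion": value, "kind": kind,
                    "covers_task": exclusion_covers(kind, value, command),
                })
    return findings


if __name__ == "__main__":
    for finding in find_persistence_evasion_pairs(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, only WS-ACCT-07 is flagged: the exclusion for C:\Users\Public lands three seconds after a task that runs C:\Users\Public\svc.exe, and `covers_task` is true. The 5007 event that merely changes a scan parameter is ignored, and the WS-HR-02 task has no exclusion near it. On a live host the same two signals are available without log shipping via `Get-MpPreference` (ExclusionPath, ExclusionProcess) and `Get-ScheduledTask`.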

Interestingly, the binary also contains Tumblr links pointing to entirely harmless GIFs of comic book superheroes such as Batman, which gave the threat actor its name. "These images were not used in the attacks; they were just part of the malware code," said F6 researcher Vladislav Kugan.

An analysis of ComicForm's infrastructure revealed signs that phishing emails were also directed at unspecified companies operating in Kazakhstan in June 2025 and at a Belarusian bank in April 2025.

F6 also said it detected and blocked phishing emails sent to Russian manufacturers on July 25, 2025 from the email address of a Kazakhstan-based industrial company. These messages urged the targets to click an embedded link to verify their accounts and avoid being blocked.


Users who click the link are redirected to a fake landing page that mimics the login page of a domestic electronic document management service and prompts them for their credentials; whatever is entered is sent to an attacker-controlled domain in an HTTP POST request.

"In addition, JavaScript code was found in the body of the page that extracts the email address from a URL parameter, enters it into the input field with ID 'Email', extracts the domain from the email address, and sets a screenshot of that domain's website (obtained via the screenshotapi[.]net API)," Kugan explained.
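The three behaviours just described (the victim's address carried in a URL parameter, a screenshot of the victim's own domain fetched through screenshotapi.net, and a POST back to the phishing host) are visible in web proxy logs even when the page itself is never captured. The triage script below is an added example, not F6's code and not the phishing kit's: it groups requests by client, flags a GET whose query string carries an email address to a host outside the organisation's own domains, then raises the score when the same client subsequently fetches a screenshot of that email's domain and POSTs to the flagged host. The log lines are constructed, the export format (timestamp, client IP, method, URL) is an assumption about the proxy, and every hostname is a placeholder.

```python
"""
Proxy-log triage for personalised credential-phishing pages that take the
victim's e-mail from the URL and fetch a screenshot of the victim's domain.
Added example; log lines and hostnames below are constructed placeholders.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed proxy export: "<timestamp> <client> <method> <url>" per line (assumed format).
SAMPLE_LOG = """\
2025-07-25T10:01:12 10.0.4.21 GET https://mail.example-corp.kz/owa/
2025-07-25T10:03:40 10.0.4.21 GET https://docs-verify.example-bad.net/login?email=ivan.petrov%40example-corp.kz
2025-07-25T10:03:41 10.0.4.21 GET https://api.screenshotapi.net/screenshot?url=https%3A%2F%2Fexample-corp.kz&token=REDACTED
2025-07-25T10:03:58 10.0.4.21 POST https://docs-verify.example-bad.net/login
2025-07-25T10:05:00 10.0.4.22 GET https://docs.example-corp.kz/home?email=anna%40example-corp.kz
2025-07-25T10:06:10 10.0.4.23 GET https://news.example.org/?ref=newsletter
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)$")
EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+\.[^@\s]+)$")


def parse_line(line):
    """Parse one log line into a record, or None when it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url = m.groups()
    return {"time": ts, "client": client, "method": method, "url": url,
            "host": (urlsplit(url).hostname or "").lower()}


def is_under(host, domain):
    """True when host equals domain or is a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def email_in_query(url):
    """Return (email, domain) for the first query parameter value that is an e-mail address."""
    for values in parse_qs(urlsplit(url).query).values():
        for v in values:
            m = EMAIL_RE.match(v)
            if m:
                return v, m.group(1).lower()
    return None


def triage(log_text, internal_domains):
    """Score each external GET that carries an e-mail in its query string.

    score 1: e-mail in URL to a non-internal host (the kit prefills the form)
    +1     : same client later fetches a screenshotapi.net shot of the e-mail's domain
    +1     : same client later POSTs to the flagged host (credentials leaving)
    """
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_client[rec["client"]].append(rec)

    findings = []
    for client, recs in by_client.items():
        for i, rec in enumerate(recs):
            if rec["method"] != "GET":
                continue
            hit = email_in_query(rec["url"])
            # Internal services legitimately pass the user's own address around.
            if not hit or any(is_under(rec["host"], d) for d in internal_domains):
                continue
            email, email_domain = hit
            later = recs[i + 1:]
            screenshot_of_own_domain = any(
                is_under(r["host"], "screenshotapi.net") and email_domain in unquote(r["url"]).lower()
                for r in later)
            posted_back = any(r["method"] == "POST" and r["host"] == rec["host"] for r in later)
            findings.append({
                "client": client, "host": rec["host"], "email": email, "time": rec["time"],
                "screenshot_of_own_domain": screenshot_of_own_domain,
                "posted_back": posted_back,
                "score": 1 + int(screenshot_of_own_domain) + int(posted_back),
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, ["example-corp.kz"]):
        print(finding)
```

On the constructed log only 10.0.4.21 is reported, with the maximum score of 3: the email-bearing GET to docs-verify.example-bad.net, the screenshot request for example-corp.kz one second later, and the POST back to the same host. The request from 10.0.4.22 also carries an address in its query string but goes to the organisation's own document portal, so it is suppressed by the internal-domain allowlist; keep that list tight, because a kit hosted on a look-alike of an internal domain would otherwise slip through.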

The attacks targeting Belarusian banks involved phishing emails with invoice-themed lures leading to a form on which users are asked to enter their email address and phone number; the captured data is sent to an external domain.

"The group has attacked companies in Russia, Belarus and Kazakhstan in various fields, and the use of English-language emails suggests that the attackers are also targeting organizations from other countries," F6 said. "The attackers employ both phishing emails that distribute the Formbook malware and phishing resources disguised as web services to harvest credentials."

Pro-Russian Group Targets South Korea with Formbook

The disclosure comes as NSHC's ThreatRecon team revealed details of a pro-Russian cybercriminal group targeting South Korea's manufacturing, energy and semiconductor sectors. The activity is attributed to a cluster tracked as SectorJ149 (aka UAC-0050).

The attacks observed in November 2024 began with spear-phishing emails aimed at executives and employees, using lures related to purchasing or requesting quotations for production equipment, and led to the execution of commodity malware families such as Lumma Stealer, Formbook and Remcos RAT by way of Visual Basic Scripts distributed inside Microsoft Cabinet (CAB) archives.

The Visual Basic Script is designed to run PowerShell commands that reach out to a Bitbucket or GitHub repository to retrieve JPG image files. The images conceal the loader executable responsible for launching the final stealer and RAT payloads.
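Pulling an "image" from a code-hosting site works because proxies and mail filters rarely look past a valid JPEG header, so the first job for an analyst is to separate the picture from whatever rides inside it. The carver below is an added example, not NSHC's or the actor's code. The report does not say how the loader is embedded, so it handles the two placements checked first in practice: a PE appended after the JPEG end-of-image marker, and a base64 blob between text markers. It walks the JPEG segment structure instead of searching for the first FF D9, because EXIF thumbnails carry their own end-of-image marker inside an APP1 segment and a naive search would cut the file short. The marker strings, the sample image and the header-only stand-in PE are all constructed for this example.

```python
"""
Carve a payload concealed in a JPG: either a PE appended after the true
end-of-image marker or a base64 blob between text markers.
Added example; the markers, sample image and stand-in PE are constructed.
"""
import base64
import re
import struct

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
# Assumed marker strings for the base64 variant; a real sample defines its own.
B64_START, B64_END = b"<<PAYLOAD>>", b"<</PAYLOAD>>"


def looks_like_pe(data):
    """MZ header whose e_lfanew (offset 0x3C) points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_jpeg_end(data):
    """Walk the segment chain and return the offset just past the real EOI, or None."""
    if not data.startswith(JPEG_SOI):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xD9:                                   # EOI: done
            return pos + 2
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:  # standalone markers, no length
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        length = struct.unpack_from(">H", data, pos + 2)[0]   # length includes its own 2 bytes
        pos += 2 + length
        if marker == 0xDA:
            # SOS: entropy-coded data follows. FF 00 is a stuffed byte and FF D0..D7
            # are restart markers; any other byte after FF is the next real marker.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    return None


def carve_payload(data):
    """Return (method, payload) with method in {'appended_pe', 'base64_marked', 'unknown_trailer', None}."""
    end = find_jpeg_end(data)
    trailer = data[end:] if end is not None else b""
    if looks_like_pe(trailer):
        return "appended_pe", trailer
    m = re.search(re.escape(B64_START) + rb"(.*?)" + re.escape(B64_END), data, re.S)
    if m:
        try:
            blob = base64.b64decode(m.group(1), validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            blob = b""
        if looks_like_pe(blob):
            return "base64_marked", blob
    if trailer:
        return "unknown_trailer", trailer   # something after EOI, but not a recognised format
    return None, b""


def build_sample_jpeg():
    """Minimal constructed JPEG: SOI, APP0, an APP1 that contains a decoy FF D9, SOS, EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app1 = b"\xff\xe1" + struct.pack(">H", 8) + b"Ex\xff\xd9ab"   # decoy EOI, like an EXIF thumbnail
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\x78"                           # includes a stuffed FF 00
    return JPEG_SOI + app0 + app1 + sos + scan + JPEG_EOI


def build_fake_pe():
    """Header-only stand-in for a PE (not executable): MZ stub with e_lfanew -> 'PE\\0\\0'."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


if __name__ == "__main__":
    jpg, pe = build_sample_jpeg(), build_fake_pe()
    print(carve_payload(jpg + pe)[0])
    print(carve_payload(jpg + B64_START + base64.b64encode(pe) + B64_END)[0])
```

The decoy FF D9 inside the APP1 segment is the reason for the segment walk: `data.find(b"\xff\xd9")` returns offset 26 on the sample, while the real end of image is at offset 48, and a carver that trusted the first hit would hand back a "payload" that begins in the middle of the JPEG. Whatever is carved should be treated as hostile and inspected statically; the in-memory PE stage described next never touches disk, so the carved loader is often the only file-based artefact of the chain.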

"The PE malware that runs directly in memory is a loader-type malware that downloads additional malicious data disguised as a text file (.txt) from the URL contained in the supplied parameter values, then decrypts it before generating and running the PE malware."


"In the past, the SectorJ149 group operated primarily for financial gain, but its recent hacking activities targeting Korean companies are believed to have a strong hacktivist nature, using hacking techniques to convey political, social or ideological messages."
