Eurasian Cyberattacks: ComicForm and SectorJ149 Hackers Leverage Formbook Malware

Organizations in Belarus, Kazakhstan, and Russia are currently facing a phishing campaign orchestrated by a previously unknown hacking group named ComicForm, which has been active since at least April 2025. This group has primarily targeted various sectors, including industrial, financial, biotechnology, tourism, trade, and research, according to an analysis by cybersecurity company F6.

The phishing attacks employ deceptive email subject lines like "Waiting for the signed document," "Invoice for Payment," and "Reconciliation Act for Signature." Recipients are prompted to open an archive file containing a Windows executable that is disguised as a PDF document (e.g., "Акт_сверки pdf 010.exe"). The emails are sent from domains associated with Russia, Belarus, and Kazakhstan, and are written in either Russian or English.

The malicious executable functions as an obfuscated .NET loader that activates a harmful DLL referred to as "MechMatrix Pro.dll." This DLL subsequently triggers another DLL, "Montero.dll," which acts as a dropper for Formbook malware. The malware’s infection process includes creating scheduled tasks and configuring exclusions in Microsoft Defender to avoid detection.
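The chain above gives a defender two cheap signals: an attachment whose name borrows a document hint but ends in an executable extension, followed shortly by a Defender exclusion change and a scheduled-task creation. The following Python is an added illustration, not F6's tooling; the event records are constructed, with Windows Security 4688/4698 and Defender operational 5007 used as the event IDs and the message formats approximated.

```python
import re
import ntpath
from datetime import datetime, timedelta

# Executable extensions that should never arrive disguised as a document.
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Document-type words the lure filenames borrow (the page's sample uses "pdf").
DOC_HINTS = re.compile(r"\b(pdf|docx?|xlsx?)\b", re.IGNORECASE)

def is_disguised_executable(path: str) -> bool:
    """True for names like 'Акт_сверки pdf 010.exe': a document hint in the
    stem while the real (last) extension is executable."""
    stem, dot, ext = ntpath.basename(path).rpartition(".")
    if not dot or f".{ext.lower()}" not in EXEC_EXT:
        return False
    return DOC_HINTS.search(stem) is not None

# Constructed sample events (not real telemetry). 4688 = process creation,
# 5007 = Defender configuration change, 4698 = scheduled task created.
SAMPLE_EVENTS = [
    {"time": "2025-07-25T09:14:03", "id": 4688,
     "msg": "New Process Name: C:\\Users\\Public\\Акт_сверки pdf 010.exe"},
    {"time": "2025-07-25T09:14:09", "id": 5007,
     "msg": "Configuration has changed. New value: HKLM\\SOFTWARE\\Microsoft\\"
            "Windows Defender\\Exclusions\\Paths\\C:\\Users\\Public\\svc = 0x0"},
    {"time": "2025-07-25T09:14:12", "id": 4698,
     "msg": "A scheduled task was created. Task Name: \\UpdateSvc"},
    {"time": "2025-07-25T11:40:00", "id": 4698,
     "msg": "A scheduled task was created. Task Name: \\Microsoft\\Windows\\Backup"},
]

def find_defense_evasion(events, window_seconds=300):
    """For each disguised-executable launch, collect Defender exclusion changes
    (5007 mentioning Exclusions) and scheduled-task creations (4698) that follow
    within window_seconds. Returns a list of (process_path, [events])."""
    findings = []
    for ev in events:
        if ev["id"] != 4688:
            continue
        path = ev["msg"].split("New Process Name:", 1)[-1].strip()
        if not is_disguised_executable(path):
            continue
        t0 = datetime.fromisoformat(ev["time"])
        deadline = t0 + timedelta(seconds=window_seconds)
        hits = [e for e in events
                if e["id"] in (5007, 4698)
                and t0 <= datetime.fromisoformat(e["time"]) <= deadline
                and (e["id"] != 5007 or "Exclusions" in e["msg"])]
        if hits:
            findings.append((path, hits))
    return findings
```

The unrelated task created two hours later falls outside the window and is not reported, which keeps the check from firing on routine scheduled-task activity.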

Interestingly, some malware binaries also feature links to innocent GIFs of comic superheroes, which seemingly serve no purpose in the attacks but contribute to the group’s name. F6 researcher Vladislav Kugan noted that these images were not involved in any attacks, merely existing within the malware code.

Further investigation revealed that ComicForm also targeted an unidentified company in Kazakhstan in June 2025 and a bank in Belarus in April 2025. On July 25, 2025, F6 blocked phishing emails aimed at Russian manufacturing firms, which used a Kazakhstan-based industrial company’s email address. These messages encouraged recipients to click on links to confirm accounts and avoid blocking.

Victims clicking these links are redirected to a fake login page mimicking a domestic document management service, which is designed to harvest user credentials through HTTP POST requests to an attacker-controlled domain.

Although the group has so far targeted organizations in Russia, Belarus, and Kazakhstan, its use of English in phishing attempts suggests an intention to extend its reach internationally. F6 reported that the group relies both on emails distributing Formbook malware and on phishing sites that imitate legitimate web services to collect login credentials.

In another related development, the NSHC ThreatRecon Team disclosed information regarding a pro-Russian cybercrime organization that has been targeting South Korea’s manufacturing, energy, and semiconductor industries. This group’s activity, identified as SectorJ149, was tied to spear-phishing campaigns that began in November 2024. The emails contained lures regarding production facility purchases or quotation requests and ultimately deployed various malware types, including Lumma Stealer and Remcos RAT.

SectorJ149’s methods involve distributing Visual Basic Scripts through Microsoft cabinet (CAB) archives, which contain PowerShell commands that connect to Bitbucket or GitHub repositories to fetch hidden loader executables that install further malware.

Initially focused on financial gain, the group’s recent activities suggest a shift towards hacktivism, utilizing hacking techniques to advance political or ideological motives against South Korean targets.
