CHAMELEON_NET spreads FormBook via DarkTortilla

Intel Name: CHAMELEON_NET spreads FormBook via DarkTortilla

Date of Scan: November 10, 2025

Impact: High

Summary:
CHAMELEON_NET is a targeted malspam campaign delivering the DarkTortilla .NET loader to distribute FormBook. Infection starts with a phishing email and a .bz2 archive that drops an obfuscated JavaScript file. The JS launches a VB.NET loader that decrypts an embedded DLL via an index-based XOR and reflectively loads it in memory. FormBook then disables defenses, creates persistence (registry/startup), and gives attackers full remote access.
