---
title: Threat Intelligence Center - Capstone Technologies Group
description: Obfuscated JavaScript malware uses MSBuild.exe and PowerShell to deliver Formbook and AsmDB. Technical analysis and detection methods.
canonical_url: https://captechgroup.com/threat-intelligence-center?start=203
language: en-GB
date: 2025-08-13T00:46:48Z
---

  [ ![Conceptual image illustrating cybersecurity threats from obfuscated JavaScript malware targeting data protection and digital security.](https://images.captechgroup.com/cdn-cgi/image/width=515,format=webp,quality=85/threat-intel/ef7bc3c885.jpg) ](https://captechgroup.com/threat-intelligence-center/obfuscated-javascript-malware-deploys-formbook-and-e82ce8 "Obfuscated JavaScript Malware Deploys Formbook and AsmDB via MSBuild.exe")  A malware campaign is distributing obfuscated JavaScript code that abuses MSBuild.exe and PowerShell to execute Formbook and AsmDB payloads on compromised systems. This attack chain exploits legitimate Windows build tools to evade detection while delivering credential-stealing malware. Organizations should monitor for suspicious MSBuild.

  [ ![Visual representation of cybersecurity threats, highlighting data protection and crypto fraud victims in a global crackdown.](https://images.captechgroup.com/cdn-cgi/image/width=515,format=webp,quality=85/threat-intel/89aaf3d8f3.jpg) ](https://captechgroup.com/threat-intelligence-center/international-crackdown-identifies-over-20000-cryp-8919e2 "International Crackdown Identifies Over 20,000 Crypto Fraud Victims")  Law enforcement agencies across multiple countries have coordinated a significant crackdown on cryptocurrency fraud operations, identifying over 20,000 victims caught in various scams. The investigation reveals how fraudsters exploit cryptocurrency's pseudonymous nature to conduct large-scale theft and money laundering.

  [ ![Conceptual cybersecurity image illustrating threat vectors in phishing attacks and data protection strategies.](https://images.captechgroup.com/cdn-cgi/image/width=515,format=webp,quality=85/threat-intel/66c399fb45.jpg) ](https://captechgroup.com/threat-intelligence-center/redirects-compromise-34-of-phishing-attacks-in-202-379d2c "Redirects Compromise 34% of Phishing Attacks in 2026 Report")  Phishing attackers are increasingly relying on redirect chains to bypass email security controls and reach target inboxes. According to April 2026 threat intelligence, redirects appear in 34% of phishing campaigns, making them one of the most prevalent evasion techniques. These multi-hop redirects obscure malicious intent from automated scanners and delay detection.

  [ ![Conceptual image illustrating Formbook malware, obfuscated JavaScript attacks, and cybersecurity threat vectors for data protection.](https://images.captechgroup.com/cdn-cgi/image/width=515,format=webp,quality=85/threat-intel/8e6235e344.jpg) ](https://captechgroup.com/threat-intelligence-center/formbook-malware-delivered-via-obfuscated-javascri-bddcd3 "Formbook Malware Delivered via Obfuscated JavaScript Attacks")  Security researchers have documented active Formbook malware campaigns utilizing obfuscated JavaScript as a primary delivery mechanism. Formbook, a credential-stealing malware family, continues to evolve its obfuscation techniques to evade detection and analysis.

  [ ![Conceptual cybersecurity image illustrating threat vectors from Formbook malware using obfuscated JavaScript and MSBuild.](https://images.captechgroup.com/cdn-cgi/image/width=515,format=webp,quality=85/threat-intel/e441261e5b.jpg) ](https://captechgroup.com/threat-intelligence-center/formbook-malware-spreads-via-obfuscated-javascript-8ab84e "Formbook Malware Spreads via Obfuscated JavaScript and MSBuild Abuse")  Formbook, a persistent information-stealing malware, continues to evolve its delivery mechanisms by combining obfuscated JavaScript with legitimate Windows tools including MSBuild and PowerShell. This multi-stage attack chain uses script obfuscation to bypass initial detection, then transitions to native Windows binaries to execute malicious payloads and maintain system access.

  [ ![Conceptual image illustrating cybersecurity threats, data protection, and ongoing cyberattacks despite ceasefires.](https://images.captechgroup.com/cdn-cgi/image/width=515,format=webp,quality=85/threat-intel/9845939e03.jpg) ](https://captechgroup.com/threat-intelligence-center/ceasefires-dont-stop-cyberattacks-313-team-and-cyb-b8f805 "Ceasefires Don't Stop Cyberattacks, 313 Team and Cyber Toufan Prove")  Conventional wisdom suggests that military ceasefires reduce overall conflict activity. Cyberattacks, however, follow different patterns. Analysis of threat actor behavior from 313 Team, Conquerors Electronic Army, Cyber Toufan, and Handala reveals that ceasefires have minimal impact on offensive cyber operations.

  [ ![Conceptual image illustrating cybersecurity threats from fake Apple pages targeting Mac users for data protection.](https://images.captechgroup.com/cdn-cgi/image/width=515,format=webp,quality=85/threat-intel/e14f7732f8.jpg) ](https://captechgroup.com/threat-intelligence-center/clickfix-campaign-delivers-mac-malware-via-fake-ap-a2bfe1 "ClickFix Campaign Delivers Mac Malware via Fake Apple Page")  Security researchers have identified the ClickFix campaign, a sophisticated social engineering attack targeting macOS users through counterfeit Apple support pages. The campaign delivers AMOS and Atomic Stealer malware, which can steal credentials and sensitive data from compromised systems. The attack leverages Script Editor and Terminal to execute malicious payloads after initial infection.
