Your IP: Unknown · Your Status: ProtectedUnprotectedUnknown

Skip to main content



Also known as: xLoader

Category: Malware

Type: Spyware

Platform: macOS, Windows

Variants: As a MaaS, FormBook can have many variants

Damage potential: Malware infection, file corruption and loss, stolen keystrokes, system performance issues, network connectivity problems, unauthorized access, data theft


FormBook is a piece of malware, specifically spyware, that can extract files and data from the user’s device, their apps, and even keystroke and clipboard data. It can also grab data users enter such as web forms and login pages before the data is encrypted.

FormBook is often sold as malware as a service (MaaS). In other words, anyone can cheaply buy custom-made FormBook malware and use it to target whoever they want.

Possible symptoms

As FormBook is malware that steals the user’s files and sends them to the attacker, its most common symptoms include unusual network traffic. The malware needs to take many screenshots and infiltrate various apps, so often you can notice significant spikes in traffic.

Other FormBook symptoms include:

  • Your computer may start misbehaving, change settings, slow the system down, and even crash.
  • You may notice high CPU memory usage when you’re not doing anything on your computer.
  • The malware continuously communicates with the attacker, so you may experience much higher internet usage, especially outbound traffic.
  • Security software or updates may be disabled.

Sources of the infection

FormBook often infects a computer after the user clicks on a malicious link or a file. The most common way to spread this type of malware is by sending it via email as an attachment. Malicious links can also be embedded in emails as well as instant messages and even compromised websites.


Removing FormBook can prove to be a challenge not only because it uses advanced evasion techniques such as process injection and anti-analysis measures, but also because it can disable security tools and install new strings of malware. If this is the case on your device, enable your antivirus and anti-malware software, check for updates, and then run a deep scan of your system.

Other protection measures include:

  • Double checking with the sender before you click on any files and attachments in an email, especially if you were not expecting them.

  • NordVPN’s Threat Protection scans programs and files for malware before they’re downloaded. If a file contains FormBook, Threat Protection would likely catch it and alert the user.

Ultimate digital security