Phorpiex, a botnet operational since 2011, remains a significant cybersecurity threat through its continuous evolution. Known also as Trik, this botnet has expanded from a simple spam network into a comprehensive criminal operation. It now facilitates ransomware attacks, sextortion scams, and crypto-clipping malware, affecting numerous users globally.
The recent iteration of Phorpiex, named the Twizt variant, presents a formidable challenge for cybersecurity experts. By integrating traditional command-and-control (C2) servers with a peer-to-peer (P2P) network, it ensures its operations persist even if some servers are taken down. This decentralized approach enables infected devices to communicate directly, making the botnet more resilient.
Global Impact and Reach
Phorpiex has been detected on an estimated 70,000 to 80,000 devices daily, with over 1.7 million unique IP addresses identified in the past three months. The most impacted regions include Iran, Uzbekistan, China, Kazakhstan, and Pakistan, according to reports by Bitsight.
Bitsight researchers highlight Phorpiex’s engagement in three primary criminal activities: ransomware distribution, sextortion email campaigns, and real-time crypto wallet theft. Their data shows approximately 125,000 active infections daily, with a significant portion linked to the botnet’s P2P network.
Ransomware Campaigns and Sextortion Tactics
Phorpiex’s ransomware operations have intensified. In October 2025, it was used to deploy LockBit Black ransomware inside corporate networks running Windows domains. In January 2026, a new ransomware strain similar to the Global ransomware family targeted devices in China, verifying locations via a public IP-lookup API before executing attacks.
Moreover, Phorpiex conducts large-scale sextortion scams. These fraudulent emails threaten recipients with fabricated evidence of webcam recordings on adult sites, demanding $1,800 in Bitcoin to suppress the supposed footage. These intimidating messages have been circulating since at least 2023, with ransom amounts increasing over time.
Persistent Infections and Evasion Techniques
Once a device is compromised, Phorpiex secures its presence by embedding itself into system directories and creating autorun entries for persistence. Additionally, it propagates through USB drives and shared network folders by deploying a hidden executable, DrvMgr.exe, and a disguised .lnk file.
To evade detection, Phorpiex masquerades as a legitimate program by adding itself to the Windows Firewall’s permitted list under “Microsoft Corporation.” It employs API hashing and builds suspicious strings in memory at runtime to bypass static security tools. Commands are encrypted with a 256-byte RSA header, ensuring only the botnet operator can issue instructions.
Organizations are urged to take precautions against Phorpiex. This includes blocking known C2 IP addresses, monitoring for unauthorized autorun changes, and restricting USB device use. Disabling UPnP on routers and maintaining updated systems can further mitigate risks. Indicators of compromise and associated cryptocurrency wallet addresses are available on Malware Bazaar under the tag dropped-by-phorpiex.
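The following triage script is an added example written for this article, not code from Bitsight or the article itself; it checks a Windows host for the three artifacts described above (autorun entries, a firewall allow rule labelled “Microsoft Corporation”, and a hidden DrvMgr.exe beside a .lnk on removable media). The registry paths, the signature check, and the assumption that the firewall rule’s display name is the label are the author’s assumptions; only DrvMgr.exe and the “Microsoft Corporation” label come from the article.

```powershell
# Added triage script (not from the article or Bitsight). Run elevated.
$findings = @()

# 1. Autorun persistence: flag Run/RunOnce values whose target is not validly signed.
#    (Assumed key list; a baseline diff against a known-good host is stronger.)
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        # Rough extraction of the executable path: quoted path, or first token ending in .exe
        $exe = ($p.Value -replace '^"([^"]+)".*$', '$1') -replace '^([^" ]+\.exe).*$', '$1'
        if (-not (Test-Path $exe)) { continue }
        $sig = Get-AuthenticodeSignature -FilePath $exe
        if ($sig.Status -ne 'Valid') {
            $findings += [pscustomobject]@{ Type='Autorun'; Where="$key\$($p.Name)"; Detail="$exe ($($sig.Status))" }
        }
    }
}

# 2. Firewall allow rules whose display name is "Microsoft Corporation" (assumed to be where the label appears).
Get-NetFirewallRule -Action Allow -Enabled True -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -eq 'Microsoft Corporation' } |
    ForEach-Object {
        $prog = ($_ | Get-NetFirewallApplicationFilter).Program
        $findings += [pscustomobject]@{ Type='FirewallRule'; Where=$_.Name; Detail=$prog }
    }

# 3. Removable drives (DriveType 2): hidden DrvMgr.exe next to a .lnk in the root.
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
    $root = $_.DeviceID + '\'
    $exe  = Get-ChildItem -Path $root -Filter 'DrvMgr.exe' -Force -File -ErrorAction SilentlyContinue
    $lnks = Get-ChildItem -Path $root -Filter '*.lnk'      -Force -File -ErrorAction SilentlyContinue
    if ($exe -and $lnks) {
        $findings += [pscustomobject]@{ Type='RemovableMedia'; Where=$root; Detail=($lnks.Name -join ', ') }
    }
}

$findings | Format-Table -AutoSize
```

Each finding is a lead for manual review, not a verdict; unsigned autorun entries in particular are common on workstations with legacy software.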
