The long-running Phorpiex botnet, also known as Trik, has resurfaced as a powerful cybercrime platform. Although it first appeared in 2011, it continues to evolve, making it more dangerous and difficult to dismantle. Today, it operates as a multi-functional threat capable of delivering ransomware, running sextortion campaigns, and stealing cryptocurrency, all at the same time.

Most recently, researchers have identified a new variant called Twizt, which significantly enhances the botnet’s resilience. Unlike traditional botnets that rely solely on centralized command-and-control (C2) servers, this version combines C2 infrastructure with a peer-to-peer (P2P) network. As a result, even if authorities shut down one server, the botnet continues functioning because infected devices communicate directly with each other.

Currently, Phorpiex infects between 70,000 and 80,000 devices daily, while over 1.7 million unique IP addresses have been observed within the past 90 days. The most impacted regions include Iran, Uzbekistan, China, Kazakhstan, and Pakistan. According to Bitsight researchers, the botnet runs three major operations simultaneously: ransomware distribution, large-scale sextortion emails, and cryptocurrency wallet hijacking.

In particular, ransomware campaigns have intensified. For instance, in October 2025, attackers used Phorpiex to deploy LockBit Black into corporate environments and Windows domains. Later, in January 2026, they launched another campaign using a strain linked to the Global ransomware family. This version even used a public IP lookup API to verify a victim’s location before executing the attack.

Subsequently, attackers expanded their reach, targeting systems across 21 countries, including the United States, United Kingdom, Germany, and France. Each spam campaign typically targets between 2 million and 6 million email addresses, highlighting the massive scale of operations.

In addition to ransomware, the botnet drives sextortion scams. Victims receive threatening emails claiming hackers recorded them through webcams while visiting adult websites. The attackers demand approximately $1,800 in Bitcoin to avoid releasing the alleged footage. These campaigns have circulated since 2023, with ransom demands steadily increasing.

How the Botnet Maintains Persistence

Once it infects a device, Phorpiex quickly establishes persistence. It copies itself into system directories and creates autorun registry entries to restart after every reboot. Furthermore, it spreads through USB drives and shared networks using disguised files such as “DrvMgr.exe” and malicious shortcut files.

To remain undetected, the malware adds itself to the Windows Firewall as a trusted program labeled “Microsoft Corporation.” Additionally, it uses API hashing and assembles its code in memory at runtime to bypass traditional detection systems.

Importantly, every command sent within the botnet is secured using a 256-byte RSA-encrypted header. This ensures that only attackers can issue valid instructions, preventing takeover attempts by external parties.

Mitigation Measures

To reduce risk, organizations should block known C2 IP addresses, monitor unusual registry changes, and restrict USB device usage. Moreover, disabling UPnP, applying regular system patches, and implementing advanced email filtering can significantly enhance protection.
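The persistence and evasion traits described above (autorun registry entries, a firewall rule labeled “Microsoft Corporation,” and USB lures such as DrvMgr.exe and shortcut files) can be checked for on a Windows host with a read-only audit. The script below is an added example written for this article; it is not code from the article, from Bitsight, or from the botnet analysis. It assumes the autorun entries live in the standard Run/RunOnce keys, that the firewall rule's display name is exactly “Microsoft Corporation,” and that the USB lures sit in the root of a removable drive; the function name Invoke-PhorpiexTraitAudit and the finding categories are the example's own. Run it from an elevated PowerShell session so firewall rules and HKLM keys are readable.

```powershell
# Added example (not from the article): audit a Windows host for the three
# Phorpiex traits the article describes. Read-only; it reports, it does not remediate.
function Invoke-PhorpiexTraitAudit {
    $findings = New-Object System.Collections.Generic.List[object]

    # --- 1. Autorun entries whose target is not a validly Microsoft-signed binary ---
    # Assumption: the standard Run/RunOnce keys are the autorun locations of interest.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # provider metadata, not a value
            $cmd = [string]$p.Value
            # Pull the executable out of the command line (quoted or unquoted form).
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $suspicious = $true
            if (Test-Path -LiteralPath $exe) {
                $sig = Get-AuthenticodeSignature -LiteralPath $exe
                if ($sig.Status -eq 'Valid' -and
                    $sig.SignerCertificate.Subject -match 'O=Microsoft Corporation') {
                    $suspicious = $false
                }
            }
            if ($suspicious) {
                $findings.Add([pscustomobject]@{
                    Category = 'Autorun'; Location = "$key\$($p.Name)"; Detail = $cmd })
            }
        }
    }

    # --- 2. Firewall rules carrying the vendor-style label the malware uses ---
    # Assumption: the display name is exactly "Microsoft Corporation". Legitimate
    # Microsoft rules name the feature (e.g. "Core Networking"), not the company.
    $rules = Get-NetFirewallRule -DisplayName 'Microsoft Corporation' -ErrorAction SilentlyContinue
    foreach ($r in $rules) {
        $app = $r | Get-NetFirewallApplicationFilter
        $findings.Add([pscustomobject]@{
            Category = 'FirewallRule'; Location = $r.Name; Detail = $app.Program })
    }

    # --- 3. Removable drives: the DrvMgr.exe lure and any shortcut files in the root ---
    $shell = New-Object -ComObject WScript.Shell
    $removable = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2'
    foreach ($d in $removable) {
        $root = $d.DeviceID + '\'
        Get-ChildItem -LiteralPath $root -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -eq 'DrvMgr.exe' -or $_.Extension -eq '.lnk' } |
            ForEach-Object {
                $detail = $_.FullName
                if ($_.Extension -eq '.lnk') {
                    # Resolve where the shortcut actually points; lures typically chain to the dropper.
                    $target = $shell.CreateShortcut($_.FullName).TargetPath
                    $detail = "$($_.FullName) -> $target"
                }
                $findings.Add([pscustomobject]@{
                    Category = 'RemovableMedia'; Location = $root; Detail = $detail })
            }
    }

    return $findings
}

# Usage: run elevated, review the table, and treat any hit as a lead, not a verdict.
Invoke-PhorpiexTraitAudit | Format-Table -AutoSize
```

Each category is a heuristic rather than a signature: an unsigned autorun entry or a root-level .lnk on a USB stick is common on ordinary machines, so pair the output with the hashes and C2 addresses published under the Malware Bazaar tag the article cites before declaring an infection.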

Indicators of compromise (IOCs) and related wallet addresses are publicly available on Malware Bazaar under the tag dropped-by-phorpiex, enabling security teams to proactively defend against this evolving threat.
