Wednesday, February 26, 2025
HomeBotnetPhorpiex Botnet Distributes LockBit Ransomware Through Compromised Websites

Phorpiex Botnet Distributes LockBit Ransomware Through Compromised Websites

Published on

SIEM as a Service

Follow Us on Google News

Cybereason Security Services has published a comprehensive threat analysis highlighting the resurgence of the Phorpiex botnet, which is being leveraged to deploy LockBit Black Ransomware (also known as LockBit 3.0).

This report sheds light on the botnet’s technical evolution and its role in advancing ransomware operations.

Automated Deployment of LockBit Ransomware

Unlike traditional ransomware attacks where human operators are directly involved, the attackers behind this campaign employed Phorpiex to automate the delivery and execution of LockBit ransomware.

This approach underscores the sophistication and efficiency of utilizing botnets for ransomware distribution.

Phorpiex’s variant delivered LockBit ransomware without expanding the infection laterally within the victim’s network, signaling a shift from the typical strategy of maximizing impact by encrypting multiple systems.

Phorpiex Botnet
Phorpiex to LockBit Execution FlowChart

The report reveals that Phorpiex, also known as “Trik,” has maintained its core structure despite being sold in 2021.

The malware still attempts to delete Zone.Identifier metadata files, a tactic consistent across different Phorpiex variants.

This minimal evolution in code design aligns with its sustained role in delivering various malicious payloads over the years.

Technical Connection Between Phorpiex and LockBit

Phorpiex, which has historically been used for spam campaigns and cryptocurrency mining, has now become an effective vector for distributing LockBit ransomware.

LockBit, operational since 2019, is a high-profile Ransomware-as-a-Service (RaaS) group, infamous for its rapid encryption mechanism, double extortion strategies, and targeting of high-value industries ranging from defense to logistics.

Phorpiex’s widespread reach and modular functionality make it an attractive tool for deploying LockBit efficiently. O

perators behind LockBit have strategically incorporated Phorpiex into their ecosystem of tools to maximize profitability while evading detection.

The infection process begins with phishing emails sent from compromised domains such as “gsd[.]com.” These emails contain ZIP files with either a LockBit downloader (.SCR) or TWIZT downloader (.LNK).

Phorpiex Botnet
Code Snippet Of LockBit Download

Upon execution, these files establish connections with command-and-control (C2) servers, download the ransomware payload, and execute additional obfuscation techniques.

For example, the LockBit variant uses anti-analysis mechanisms like library obfuscation and URL cache deletion to ensure stealth.

TWIZT downloader, associated with Phorpiex, relies on unique infection checks such as verifying the presence of specific JPEG files to identify newly infected hosts.

It also employs mutex creation and registry manipulation for persistence.

The resurgence of Phorpiex as a delivery mechanism for LockBit ransomware highlights the evolving tactics employed by cybercriminals.

As the threat landscape intensifies, organizations must adopt proactive measures to defend against such layered and automated attacks.

The Cybereason report emphasizes the urgent need for organizations to fortify their defenses against botnet-driven ransomware campaigns.

Are you from SOC/DFIR Teams? – Analyse Malware Files & Links with ANY.RUN Sandox -> Try for Free

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Researchers Uncover $1.4B in Sensitive Data Tied to ByBit Hack by Lazarus Group

In a significant breakthrough, cybersecurity firm Silent Push has uncovered sensitive infrastructure tied to...

Ransomware Group Data-Leak Sites Increasing as Six New Groups Emerge

The cybersecurity landscape has witnessed a significant uptick in ransomware activity, with six new...

Threat Actors Exploit DeepSeek Craze to Distribute Vidar Stealer Malware

In a concerning new development, cybercriminals are exploiting the widespread popularity of the recently...

MITRE Releases OCCULT Framework to Address AI Security Challenges

MITRE has unveiled the Offensive Cyber Capability Unified LLM Testing (OCCULT) framework, a groundbreaking...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Researchers Uncover $1.4B in Sensitive Data Tied to ByBit Hack by Lazarus Group

In a significant breakthrough, cybersecurity firm Silent Push has uncovered sensitive infrastructure tied to...

Ransomware Group Data-Leak Sites Increasing as Six New Groups Emerge

The cybersecurity landscape has witnessed a significant uptick in ransomware activity, with six new...

Threat Actors Exploit DeepSeek Craze to Distribute Vidar Stealer Malware

In a concerning new development, cybercriminals are exploiting the widespread popularity of the recently...