Phorpiex Botnet Spreads Ransomware, Sextortion, and Crypto-Clipping Malware
Key Takeaways The Phorpiex botnet, also known as Trik, has significantly evolved since 2011, now operating as a sophisticated, multi-threat platform. The latest “Twizt” variant...
Key Takeaways
- The Phorpiex botnet, also known as Trik, has significantly evolved since 2011, now operating as a sophisticated, multi-threat platform.
- The latest “Twizt” variant incorporates a resilient peer-to-peer (P2P) network alongside traditional command-and-control (C2) servers, making it exceptionally difficult to disrupt.
- Phorpiex actively spreads ransomware, conducts large-scale sextortion campaigns, and performs cryptocurrency clipping on an estimated 70,000 to 80,000 daily active devices, with over 1.7 million unique IP addresses observed in the last 90 days.
- Affected regions include Iran, Uzbekistan, China, Kazakhstan, and Pakistan, with recent ransomware campaigns also targeting corporate networks in the US, UK, Germany, and France.
- No singular fix is available for the botnet itself, but robust defensive measures can mitigate infection and impact.
The Phorpiex botnet, a persistent threat actor since its inception in 2011, has garnered renewed scrutiny from cybersecurity researchers. Its continued relevance stems not from recent emergence, but from a relentless campaign of evolution and adaptation.
Known also as Trik, Phorpiex has transformed from a rudimentary spam tool into a comprehensive criminal infrastructure. It now simultaneously deploys ransomware, orchestrates widespread sextortion email campaigns targeting millions, and surreptitiously steals cryptocurrency from compromised systems. For a detailed analysis, consult the report.
The most recent iteration, dubbed the Twizt variant, presents enhanced resilience. It leverages a hybrid architecture combining traditional command-and-control (C2) servers with a peer-to-peer (P2P) network. This design ensures that even if specific C2 infrastructure is dismantled, the botnet can continue its operations through direct communication between infected nodes.
Currently, the botnet maintains a daily active presence on approximately 70,000 to 80,000 devices. Over the past 90 days, researchers have identified more than 1.7 million unique IP addresses associated with Phorpiex activity. The countries most affected by this persistent threat include Iran, Uzbekistan, China, Kazakhstan, and Pakistan. This data is highlighted in a Bitsight report.
Multi-pronged Attack Strategy
Bitsight researchers have documented Phorpiex’s simultaneous engagement in three primary criminal activities: mass ransomware distribution, large-scale sextortion email campaigns, and real-time cryptocurrency wallet hijacking. Their telemetry indicates approximately 125,000 daily active infections, with roughly 70,000 of these contributing to the botnet’s P2P network.
Ransomware operations have been notably aggressive. In October 2025, Phorpiex was observed deploying LockBit Black ransomware against devices confirmed to be part of corporate networks or Windows domains
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.