Phorpiex Botnet Spreads Ransomware, Hackers Sextortion

The Phorpiex botnet, operational since 2011, has once again drawn attention. Its renewed prominence isn’t due to recent emergence, but rather its consistent evolution and adaptation.

Phorpiex, also known as Trik, has grown from a basic spam tool into a full-scale criminal platform capable of delivering ransomware, sending sextortion emails to millions of victims, and silently stealing cryptocurrency from infected computers, all at the same time.

The latest version, known as the Twizt variant, has become harder to stop than ever.

It combines traditional command-and-control (C2) servers with a peer-to-peer (P2P) network, meaning that even if one server is taken down, the botnet continues to operate because infected machines talk directly to each other.

The botnet currently runs on between 70,000 and 80,000 active devices each day, and over 1.7 million unique IP addresses have been tracked over the past 90 days. The most affected countries are Iran, Uzbekistan, China, Kazakhstan, and Pakistan.

Bitsight researchers noted that Phorpiex simultaneously carries out three major criminal operations — mass ransomware delivery, large-scale sextortion email campaigns, and real-time cryptocurrency wallet hijacking.

Their telemetry shows approximately 125,000 active infections each day, with around 70,000 of those belonging to the P2P network.

The ransomware campaigns have been particularly aggressive. In October 2025, Phorpiex was used to deliver LockBit Black ransomware to devices confirmed to be inside corporate networks or Windows domains.

Then in January 2026, a strain resembling the Global ransomware family was deployed against devices in China, using a public IP-lookup API to verify the target’s location before dropping the payload.

A follow-up campaign shortly after hit machines across 21 countries, including the United States, the United Kingdom, Germany, France, and several others. Each spam campaign is estimated to target between 2 million and 6 million email addresses.

Alongside ransomware, the same botnet infrastructure delivers sextortion emails that falsely claim hackers recorded victims through their webcams while visiting explicit websites, demanding $1,800 in Bitcoin to keep the footage private.

These messages are crafted to frighten recipients into paying quickly, and they have been circulating since at least 2023 with the demanded amount steadily climbing over time.

How the Botnet Persists and Hides

Once a device is infected, Phorpiex quickly establishes a strong foothold and begins working to stay invisible. It copies itself into system directories and writes an autorun registry key to ensure it restarts after every reboot.

The malware also spreads to removable USB drives and shared network folders by dropping a hidden executable named DrvMgr.exe alongside a disguised shortcut file (.lnk) that launches Phorpiex on any machine where the infected drive is connected.

To avoid detection, the malware silently adds itself to the Windows Firewall’s list of allowed programs under the name “Microsoft Corporation,” making it appear as a trusted system component.

It also uses API Hashing to conceal the Windows functions it calls at runtime, and builds suspicious strings in memory byte by byte to bypass static security scanners.

Every command pushed to the botnet is wrapped in a 256-byte RSA-encrypted header, meaning only the attacker holds the key to issue valid instructions, preventing external parties from taking over the network.

Organizations are strongly advised to block known Phorpiex C2 IP addresses, monitor for unexpected autorun registry changes, and restrict USB device access on corporate machines.

Disabling UPnP on network routers, keeping operating systems fully patched, and deploying layered email filtering solutions can significantly reduce the risk of infection.

All indicators of compromise (IOCs) and related cryptocurrency wallet addresses are publicly available on Malware Bazaar under the tag dropped-by-phorpiex.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.