Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
India Bans Apps Used to Remotely Disable E-Rickshaws
July 3, 2026
The Future of Encryption: Top Post-Quantum Cryptography Solutions for 2026
July 3, 2026
Alibaba Bans Internal Use of Claude AI Over Backdoor Concerns
July 3, 2026
Home/Threats/Phorpiex Botnet Spreads Ransomware, Sextortion, and Crypto-Clipping Malware
Threats

Phorpiex Botnet Spreads Ransomware, Sextortion, and Crypto-Clipping Malware

Key Takeaways The Phorpiex botnet, also known as Trik, has significantly evolved since 2011, now operating as a sophisticated, multi-threat platform. The latest “Twizt” variant...

Sarah simpson
Sarah simpson
April 3, 2026 2 Min Read
27 0

Key Takeaways

  • The Phorpiex botnet, also known as Trik, has significantly evolved since 2011, now operating as a sophisticated, multi-threat platform.
  • The latest “Twizt” variant incorporates a resilient peer-to-peer (P2P) network alongside traditional command-and-control (C2) servers, making it exceptionally difficult to disrupt.
  • Phorpiex actively spreads ransomware, conducts large-scale sextortion campaigns, and performs cryptocurrency clipping on an estimated 70,000 to 80,000 daily active devices, with over 1.7 million unique IP addresses observed in the last 90 days.
  • Affected regions include Iran, Uzbekistan, China, Kazakhstan, and Pakistan, with recent ransomware campaigns also targeting corporate networks in the US, UK, Germany, and France.
  • No singular fix is available for the botnet itself, but robust defensive measures can mitigate infection and impact.

The Phorpiex botnet, a persistent threat actor since its inception in 2011, has garnered renewed scrutiny from cybersecurity researchers. Its continued relevance stems not from recent emergence, but from a relentless campaign of evolution and adaptation.

Known also as Trik, Phorpiex has transformed from a rudimentary spam tool into a comprehensive criminal infrastructure. It now simultaneously deploys ransomware, orchestrates widespread sextortion email campaigns targeting millions, and surreptitiously steals cryptocurrency from compromised systems. For a detailed analysis, consult the report.

The most recent iteration, dubbed the Twizt variant, presents enhanced resilience. It leverages a hybrid architecture combining traditional command-and-control (C2) servers with a peer-to-peer (P2P) network. This design ensures that even if specific C2 infrastructure is dismantled, the botnet can continue its operations through direct communication between infected nodes.

Currently, the botnet maintains a daily active presence on approximately 70,000 to 80,000 devices. Over the past 90 days, researchers have identified more than 1.7 million unique IP addresses associated with Phorpiex activity. The countries most affected by this persistent threat include Iran, Uzbekistan, China, Kazakhstan, and Pakistan. This data is highlighted in a Bitsight report.

Multi-pronged Attack Strategy

Bitsight researchers have documented Phorpiex’s simultaneous engagement in three primary criminal activities: mass ransomware distribution, large-scale sextortion email campaigns, and real-time cryptocurrency wallet hijacking. Their telemetry indicates approximately 125,000 daily active infections, with roughly 70,000 of these contributing to the botnet’s P2P network.

Ransomware operations have been notably aggressive. In October 2025, Phorpiex was observed deploying LockBit Black ransomware against devices confirmed to be part of corporate networks or Windows domains

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackHackerMalwarePatchransomwareSecurity

Share Article

Sarah simpson

Sarah simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.

Previous Post

Microsoft Forcing Upgrades to Unmanaged Windows 11 24H2

Next Post

Venom Stealer Exploits ClickFix Lures for Full Data Exfiltration

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
AI Poisoning Attack Abuses SEO and Hidden HTML to Trick AI Agents
July 3, 2026
Nebula AI Platform Automates Pen Testing to Find Vulnerabilities
July 3, 2026
PureLog Stealer Uses Blogspot and PowerShell to Deliver Malware
July 3, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us