Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

Phorpiex

63
Global rank
111 infographic chevron month
Month rank
120 infographic chevron week
Week rank
0
IOCs

Phorpiex is a malicious software that has been a significant threat in the cybersecurity landscape since 2016. It is a modular malware known for its ability to maintain an extensive botnet. Unlike other botnets, Phorpiex does not concentrate on DDoS attacks. Instead, it has been involved in numerous large-scale spam email campaigns and the distribution of other malicious payloads, such as LockBit.

Botnet
Type
Unknown
Origin
1 August, 2016
First seen
4 October, 2025
Last seen
Also known as
Trik

How to analyze Phorpiex with ANY.RUN

Type
Unknown
Origin
1 August, 2016
First seen
4 October, 2025
Last seen

IOCs

IP addresses
66.79.104.155
37.254.198.8
185.68.20.67
5.77.178.216
46.100.181.186
217.12.85.22
217.30.163.6
154.65.129.46
42.248.182.124
213.230.69.229
37.255.84.218
42.248.183.92
78.39.229.161
188.253.34.178
42.248.182.188
200.93.73.250
213.230.121.128
37.144.204.226
42.248.183.150
5.239.159.10
Hashes
de9e7b371e27a86701d423606dcb5c4472e49d681fa6f8994464724b3e18aa8c
c753f9c3cee83abc58e9258f066eb9e6d9a44da2a39d01cac87631c9bce1ee2d
582aed06e28871acabfa97c8b713d1e6f265f512d1411cc551686b97b85e3930
d0fcb364a1d37c93740edcb88695de72de8b53fcf29c6bb0fcbc792897fd9b8b
20c7b6f5ce67edaa269fbd51eb731b86a003f36980fc563ae25cba7c758c4bb4
abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922
aa10aecc40005a86cfdabbde721dd61c9b43c4228f153bc8ba9300f8fb65c132
eebf8abed53781eff9290bba7ec213f7163bded1ed93a0bf35a3ac2be0e26d4b
eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675
cc05d8a74e44f660f2488e87383ea09e4d7b692c83b5a24174a067fb3b8fd9e3
14d65314a08424f24cb09ce03e9c46ff3cdca27bf5a50f0f4c83659f21290ddd
7d2da5bbed5b7adb816fdb8d9533daed59cc465d534a5d94b209498bbda5baaa
5f6d4c4b7ddc1666621752413be29d9d91d9e91baa1435e9d4ad69e562bf4175
9224fb7b92585ab7f05b8849fe29d7b065269b1f901f38dc12946354c3e2ab4c
fcd498935217755647d3d65b427b5d65e89a1326636e80a99e500d172aa80ed3
6ef47d12e5942fc573947b873fe63e4d67381e13681ef5e2aceb1fec709487dc
c6ee0c5549619ebf81f7878da18a6e29ff315be7d0fb3d9b79b84717405c87f6
ecf738d98ff2276fe206cb21432420e783328602264c8acc63f188b9a2b07e73
ca4a36212c31444ed2f0c173c0fb9a2ca43a8cfdf2ba7663b3eea52e150a02f3
932342c088921dde1cf7cb16ee9e7171f31b80a41c1a81ba729eae5de3f9c8c6
Domains
zzruuoooshfrohu.su
tsrv3.ru
thaus.ws
fuaiuebndieufeufu.com
ashihsijaediaehf.ru
gaghpaheiafhjefijp.su
egihaehefiejfjz.top
ndbvdamyxfsckitpf.su
tkahbnggslqygvsbo.su
ltmfkirbdviawukpf.su
jtmrfkmvwoxdvhwbe.su
iyyyccyvbgnhkqsrw.su
ypocehqcuxqyiewek.su
nyukvxbjhlhqrlayc.su
esrvqpevrjcffcflq.su
ouhgousgoahutpn.su
lwoekouututeuoo.ws
ktecmmtsxkaungjak.su
isohgohrusurgd.su
gbbdiluthmvysfppj.su
URLs
http://gaghpaheiafhjefijp.co/t.php
http://aeifaeifhutuhuhuso.io/8
http://aeifaeifhutuhuhuso.io/1
http://aeifaeifhutuhuhuso.io/7
http://aeifaeifhutuhuhuso.io/6
http://aeifaeifhutuhuhuso.io/5
http://aeifaeifhutuhuhuso.io/3
http://aeifaeifhutuhuhuso.io/t.php
http://geauhouefheuutiiil.cc/t.php
http://aeifaeifhutuhuhuso.io/2
http://aeifaeifhutuhuhuso.io/4
http://rzhsudhugugfugugsl.cc/t.php
http://aeufuaehfiuehfuhfl.cc/t.php
http://aeifaeifhutuhuhusl.cc/t.php
http://aeifaeifhutuhuhusl.cc/1
http://aaaeieiiiofffla.co/t.php
http://oeeoeuueueuuela.co/1
http://eobbeaubfeuuela.co/1
http://bnioooarubgzdla.co/1
http://aaaeieiiiofffla.co/1
Last Seen at

Recent blog posts

post image
How to Grow SOC Team Expertise for Ultimate T...
watchers 184
comments 0
post image
Phishing, Cloud Abuse, and Evasion: Advanced...
watchers 542
comments 0
post image
Release Notes: Palo Alto Networks, Microsoft,...
watchers 3778
comments 0

What is Phorpiex malware?

Phorpiex is a botnet malware written in C++ that was first spotted back in 2016. Originally, it relied on brute forcing for infiltrating devices through the use of default login credentials. Once on the system, the malicious software received instructions from its authors to deliver extra payloads, thus, serving as a loader. Another feature of the threat is its worm-like behavior that allows it to spread via USB drives.

The malware has been used to infect thousands of devices and install various malicious programs, including ransomware and cryptojacking software. It was also employed in sextortion campaigns that involved distributing phishing emails to users from a leaked database, requesting them to pay to the attackers.

In August 2021, it was deactivated by its operators. During this time, Phorpiex’s source code was put up for sale on a dark web forum. This, however, did not spell the end to the malware, as it was back in operation by the end of the year. This time, the malware heavily targeted virtual currency users through crypto clipping. In these attacks, the botnet automatically replaced victims’ crypto wallet addresses with those of the operators, duping them into transferring funds to the criminals.

In 2024, the malware made a serious comeback as part of another large-scale phishing campaign, sending thousands of emails to victims containing the LockBit ransomware.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Phorpiex botnet execution process

To see how the latest version of the malware operates on an infected system, let’s upload its sample to ANY.RUN’s cloud malware sandbox .

Phorpiex analysis in ANY.RUN Phorpiex sample analysis in ANY.RUN sandbox

After Phorpiex malware is delivered and installed on the machine, it adds a registry key to ensure it runs automatically at startup. It also introduces a mutex to prevent multiple instances from running.

Phorpiex analysis in ANY.RUN Phorpiex process graph in ANY.RUN

Since the malware acts as a worm, it instantly starts infecting removable and shared drives by creating copies of itself on these drives to spread. Phorpiex can compromise system security by disabling security features, allowing it to maintain persistence and continue spreading.

The malware also tries to connect to malicious command and control (C2) servers. If the connection is successful, Phorpiex downloads and executes additional malware, such as cryptominers or ransomware like LockBit Black.

As mentioned, Phorpiex can be used to send spam emails, including those with malicious attachments or links. In the absence of active C2 servers, Phorpiex can operate in P2P mode, enabling it to continue spreading and executing malware without relying on centralized control.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Phorpiex malware technical details

Phorpiex is a modular malware, meaning that it has dedicated modules for different types of malicious activities.

The key function of Phorpiex since its launch has been creating a network of bots, compromised systems, which then can be leveraged to conduct malicious activities. Unlike botnets, such as Mirai or Gafgyt, Phorpiex does not use its infrastructure to carry out DDoS attacks. Instead, it has been observed to orchestrate spam email campaigns. In 2018, the malware’s database of over 40 million target email addresses was exposed, revealing the extent of its campaigns. A typical spam email from Phorpiex involves an attachment containing a malicious payload and a message, accompanying it, that asks the user to open the attachment.

The malware is equipped with a loader module that lets it distribute other malicious payloads on the systems it manages to infiltrate. Over the years, it has been utilized to push different malware families, including Nemty and GandCrab

It also has crypto clipping capabilities, supporting dozens of wallet types and cryptocurrencies. The malware changes the crypto addresses copied by the victim to the clipboard and tricks them into sending their virtual funds to the attacker’s wallets.

The latest version of the malware operates in the peer-to-peer mode. This means that devices infected with Phorpiex can not only spread the malware further but also control other machines in the network.

Some of the older variants of the malware also used XMRig to mine the Monero cryptocurrency using the resources of the infected hosts.

The malware possesses anti-vm and anti-debugging capabilities. It ensures persistence by modifying registry entries to run automatically. Some versions of the malware are also capable of disabling common detection systems, such as Windows Defender.

Phorpiex malware distribution methods

According to some estimates, since its release, Phorpiex has been used to infect over a million devices. One of the primary reasons for its extensive reach is its worm module, which allows it to self-propagate across networks and devices. A worm module is a component of malware that enables it to replicate itself and spread to other systems without the need for human interaction.

However, the worm module is not the only method Phorpiex uses for distribution. It has also been known to spread through spam emails. These emails often contain malicious attachments or links to download sites. Additionally, Phorpiex has been observed being dropped by other loader malware.

Conclusion

Phorpiex remains a significant cybersecurity threat to organizations and individuals. To ensure the infection does not occur it is crucial to implement proper security controls. One of the key components of a solid security strategy is the use of a malware analysis sandbox.

ANY.RUN's interactive sandbox offers a number of features that simplify and accelerate the process of malware analysis, as it:

  • Identifies threats in files and URLs in less than 40 seconds.
  • Allows for direct interaction with the samples and the system, similar to a regular computer.
  • Provides customizable Windows and Linux virtual machines to suit your specific needs.
  • Generates detailed reports outlining the nature and extent of the identified threats.
  • Reveals all malicious activities related to the network, registry, and files, as well as the processes involved.

Create your FREE ANY.RUN account today!

HAVE A LOOK AT

Latrodectus screenshot
Latrodectus
latrodectus
Latrodectus is a malicious loader that is used by threat actors to gain a foothold on compromised devices and deploy additional malware. It has been associated with the IcedID trojan and has been used by APT groups in targeted attacks. The malware can gather system information, launch executables, and detect sandbox environments. It uses encryption and obfuscation to evade detection and can establish persistence on the infected device.
Read More
Ramnit screenshot
Ramnit
ramnit
Ramnit is a highly modular banking trojan and worm that evolved from a file-infecting virus into a powerful cybercrime tool. It specializes in financial fraud, credential theft, remote access, and malware delivery, being a serious threat to businesses and individuals. First spotted in 2010, Ramnit became popular after the 2014 takedown of the GameOver Zeus botnet, as cybercriminals sought alternatives for banking fraud.
Read More
StrelaStealer screenshot
StrelaStealer
strela
StrelaStealer is a malware that targets email clients to steal login credentials, sending them back to the attacker’s command-and-control server. Since its emergence in 2022, it has been involved in numerous large-scale email campaigns, primarily affecting organizations in the EU and U.S. The malware’s tactics continue to evolve, with attackers frequently changing attachment file formats and updating the DLL payload to evade detection.
Read More
X-Files screenshot
X-Files
xfiles
X-FILES Stealer is a sophisticated malware designed to infiltrate systems and steal sensitive information, targeting login credentials for email, social media, and other personal accounts. It captures data and transmits it back to the attacker’s command-and-control server. X-FILES Stealer employs advanced evasion techniques to avoid detection, making it a persistent threat in the cyber landscape.
Read More
Play Ransomware screenshot
Play aka PlayCrypt ransomware group has been successfully targeting corporations, municipal entities, and infrastruction all over the world for about three years. It infiltrates networks via software vulnerabilities, phishing links and compromised websites. The ransomware abuses Windows system services to evade detection and maintain persistence. Play encrypts user files and steals sensitive data while demanding a ransom.
Read More
Godfather screenshot
Godfather
godfather
The Godfather malware is an Android banking Trojan capable of bypassing MFA that targets mobile banking and cryptocurrency applications. Known for its ability to evade detection and mimic legitimate software, it poses a significant threat to individuals and organizations by stealing sensitive data and enabling financial fraud.
Read More