Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

Phorpiex

48
Global rank
29 infographic chevron month
Month rank
65 infographic chevron week
Week rank
0
IOCs

Phorpiex is a malicious software that has been a significant threat in the cybersecurity landscape since 2016. It is a modular malware known for its ability to maintain an extensive botnet. Unlike other botnets, Phorpiex does not concentrate on DDoS attacks. Instead, it has been involved in numerous large-scale spam email campaigns and the distribution of other malicious payloads, such as LockBit.

Botnet
Type
Unknown
Origin
1 August, 2016
First seen
11 February, 2025
Last seen
Also known as
Trik

How to analyze Phorpiex with ANY.RUN

Type
Unknown
Origin
1 August, 2016
First seen
11 February, 2025
Last seen

IOCs

IP addresses
199.21.76.81
173.231.184.122
173.231.184.124
72.5.161.12
63.251.126.10
72.26.218.86
37.254.198.8
66.79.104.155
185.68.20.67
5.77.178.216
46.100.181.186
217.12.85.22
217.30.163.6
188.253.34.178
42.248.182.124
42.248.182.188
78.39.229.161
213.230.69.229
5.239.159.10
154.65.129.46
Domains
agsisirfjjdissofjl.in
eeoooeghgosofofjso.biz
oegoafaueoueuueuu.info
aeuignjsosjfhgidil.in
eiiaibegieieieif.ru
rgouusrsuoonenueu.info
nfaiiaeiinbbiviiy.com
ssorgurufsogusruy.com
erosugoshurgurhuso.biz
mamakaeklaegjaeuy.com
addissisifigifidil.in
emamakaeklaegjaeuo.biz
ssorgurufsogusru.ru
eeoppgjrsokoedosho.biz
nfaiiaeiinbbiviiu.info
eoppgjrsokoedosh.ru
effkrrooooorhsorgo.biz
aeogoehoshefheguhl.in
anfaiiaeiinbbiviil.in
aoegoafaueoueuueul.in
URLs
http://185.215.113.66/5
http://185.215.113.66/4
http://185.215.113.66/3
http://185.215.113.66/peinf.exe
http://185.215.113.66/2
http://185.215.113.66/tcoin.exe
http://185.215.113.66/1
http://twizt.net/peinstall.php
http://twizt.net/newtpp.exe
http://185.215.113.66/32.exe
http://185.215.113.66/rvndel.exe
http://91.202.233.141/5
http://91.202.233.141/4
http://91.202.233.141/3
http://91.202.233.141/2
http://91.202.233.141/1
http://rddissisifigifidi.net/tdrpload.exe
http://loeghaiofiehfihf.to/nxmr.exe
http://deauduafzgezzfgm.top/pei.exe
http://185.215.113.66/mindel.exe
Last Seen at

Recent blog posts

post image
I Used a Sandbox to Strengthen Bank’s Securit...
watchers 220
comments 0
post image
Instant URL Analysis: Use Safebrowsing via AN...
watchers 596
comments 0
post image
Cyber Attacks on DeepSeek AI: What Really Hap...
watchers 1488
comments 0

What is Phorpiex malware?

Phorpiex is a botnet malware written in C++ that was first spotted back in 2016. Originally, it relied on brute forcing for infiltrating devices through the use of default login credentials. Once on the system, the malicious software received instructions from its authors to deliver extra payloads, thus, serving as a loader. Another feature of the threat is its worm-like behavior that allows it to spread via USB drives.

The malware has been used to infect thousands of devices and install various malicious programs, including ransomware and cryptojacking software. It was also employed in sextortion campaigns that involved distributing phishing emails to users from a leaked database, requesting them to pay to the attackers.

In August 2021, it was deactivated by its operators. During this time, Phorpiex’s source code was put up for sale on a dark web forum. This, however, did not spell the end to the malware, as it was back in operation by the end of the year. This time, the malware heavily targeted virtual currency users through crypto clipping. In these attacks, the botnet automatically replaced victims’ crypto wallet addresses with those of the operators, duping them into transferring funds to the criminals.

In 2024, the malware made a serious comeback as part of another large-scale phishing campaign, sending thousands of emails to victims containing the LockBit ransomware.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Phorpiex botnet execution process

To see how the latest version of the malware operates on an infected system, let’s upload its sample to ANY.RUN’s cloud malware sandbox .

Phorpiex analysis in ANY.RUN Phorpiex sample analysis in ANY.RUN sandbox

After Phorpiex malware is delivered and installed on the machine, it adds a registry key to ensure it runs automatically at startup. It also introduces a mutex to prevent multiple instances from running.

Phorpiex analysis in ANY.RUN Phorpiex process graph in ANY.RUN

Since the malware acts as a worm, it instantly starts infecting removable and shared drives by creating copies of itself on these drives to spread. Phorpiex can compromise system security by disabling security features, allowing it to maintain persistence and continue spreading.

The malware also tries to connect to malicious command and control (C2) servers. If the connection is successful, Phorpiex downloads and executes additional malware, such as cryptominers or ransomware like LockBit Black.

As mentioned, Phorpiex can be used to send spam emails, including those with malicious attachments or links. In the absence of active C2 servers, Phorpiex can operate in P2P mode, enabling it to continue spreading and executing malware without relying on centralized control.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Phorpiex malware technical details

Phorpiex is a modular malware, meaning that it has dedicated modules for different types of malicious activities.

The key function of Phorpiex since its launch has been creating a network of bots, compromised systems, which then can be leveraged to conduct malicious activities. Unlike botnets, such as Mirai or Gafgyt, Phorpiex does not use its infrastructure to carry out DDoS attacks. Instead, it has been observed to orchestrate spam email campaigns. In 2018, the malware’s database of over 40 million target email addresses was exposed, revealing the extent of its campaigns. A typical spam email from Phorpiex involves an attachment containing a malicious payload and a message, accompanying it, that asks the user to open the attachment.

The malware is equipped with a loader module that lets it distribute other malicious payloads on the systems it manages to infiltrate. Over the years, it has been utilized to push different malware families, including Nemty and GandCrab

It also has crypto clipping capabilities, supporting dozens of wallet types and cryptocurrencies. The malware changes the crypto addresses copied by the victim to the clipboard and tricks them into sending their virtual funds to the attacker’s wallets.

The latest version of the malware operates in the peer-to-peer mode. This means that devices infected with Phorpiex can not only spread the malware further but also control other machines in the network.

Some of the older variants of the malware also used XMRig to mine the Monero cryptocurrency using the resources of the infected hosts.

The malware possesses anti-vm and anti-debugging capabilities. It ensures persistence by modifying registry entries to run automatically. Some versions of the malware are also capable of disabling common detection systems, such as Windows Defender.

Phorpiex malware distribution methods

According to some estimates, since its release, Phorpiex has been used to infect over a million devices. One of the primary reasons for its extensive reach is its worm module, which allows it to self-propagate across networks and devices. A worm module is a component of malware that enables it to replicate itself and spread to other systems without the need for human interaction.

However, the worm module is not the only method Phorpiex uses for distribution. It has also been known to spread through spam emails. These emails often contain malicious attachments or links to download sites. Additionally, Phorpiex has been observed being dropped by other loader malware.

Conclusion

Phorpiex remains a significant cybersecurity threat to organizations and individuals. To ensure the infection does not occur it is crucial to implement proper security controls. One of the key components of a solid security strategy is the use of a malware analysis sandbox.

ANY.RUN's interactive sandbox offers a number of features that simplify and accelerate the process of malware analysis, as it:

  • Identifies threats in files and URLs in less than 40 seconds.
  • Allows for direct interaction with the samples and the system, similar to a regular computer.
  • Provides customizable Windows and Linux virtual machines to suit your specific needs.
  • Generates detailed reports outlining the nature and extent of the identified threats.
  • Reveals all malicious activities related to the network, registry, and files, as well as the processes involved.

Create your FREE ANY.RUN account today!

HAVE A LOOK AT

Stealc screenshot
Stealc
stealc
Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests.
Read More
WarmCookie screenshot
WarmCookie
badspace
WarmCookie is a backdoor malware that cyber attackers use to gain initial access to targeted systems. It is often distributed through phishing emails, frequently using job recruitment lures to entice victims into downloading and executing the malware.
Read More
PureCrypter screenshot
PureCrypter
purecrypter
First identified in March 2021, PureCrypter is a .NET-based loader that employs obfuscation techniques, such as SmartAssembly, to evade detection. It has been used to distribute malware families including AgentTesla, RedLine Stealer, and SnakeKeylogger. The malware is typically delivered through phishing campaigns and malicious downloads, often masquerading as legitimate files with extensions like .mp4 or .pdf. PureCrypter utilizes encryption and compression to conceal its payloads and can inject malicious code into legitimate processes to maintain persistence on the infected system.
Read More