Phorpiex botnet: Spreads new ransomware campaign via phishing email!

An infamous botnet returned last month, and hackers are using it to distribute a ransomware campaign along with other malware. Researchers at Check Point analyzed the most common cyber threats targeting organizations and observed a huge increase in attacks carried out through the Phorpiex botnet. Phorpiex distributes a number of malware and spam campaigns, including sextortion email campaigns. The volume increased significantly in June compared to May: Phorpiex became the 2nd most frequently detected malware campaign in June, up from 13th place in May. The number of attack attempts was so high that 2% of organizations were targeted by the botnet. The botnet sends spam email in an attempt to deliver a malicious payload to potential victims, and in the last month it has been used in the Avaddon ransomware campaign.

This particular ransomware family appeared only in June. Phorpiex tries to lure potential victims into opening a Zip attachment in a phishing email that uses a wink-emoji theme. While this may sound like a common form of cyber attack, the hackers behind the campaign would not be using it if it were not effective.


Phorpiex, also known as "Trick", has been used in the past to distribute spam campaigns for other forms of ransomware, including GandCrab and Pony, as well as for mining cryptocurrencies on infected devices.

Check Point researchers point out that organizations need to educate their employees on how to identify the types of malspam that carry these threats, such as the most recent wink-emoji email campaign targeting users, while also ensuring they deploy security measures that effectively prevent infection of their networks.

While Phorpiex attacks have increased significantly, the most common malware detected in June was Agent Tesla, an advanced remote access trojan that targeted about 3% of organizations.


Agent Tesla is an information stealer and keylogger that allows attackers to see everything on an infected computer, including usernames, passwords, browser history, system information and more. In other words, intruders gain access to everything they need to compromise a network.

The third most commonly detected malware in June was XMRig, open source cryptocurrency mining software that uses the CPU power of infected devices to mine Monero. This malware appears to have been active since May 2017.

Other malware in June's top ten most frequently detected families includes Dridex, Trickbot, Ramnit and Emotet, which have long been active in cybercrime, either stealing information themselves or serving as a "stepping stone" to far more destructive campaigns. For example, Trickbot and Emotet are often used as the first stage of large-scale ransomware attacks.

Finally, it is worth noting that many of the common forms of malware rely on exploits and vulnerabilities that have been known for a long time. It is therefore possible to protect against this malware by applying security updates.
