
Phorpiex malware delivers Global Group ransomware via phishing


A new phishing campaign is leveraging the Phorpiex malware to distribute Global Group ransomware, targeting unsuspecting users with deceptive shortcut files. This sophisticated attack utilizes a unique offline encryption mode to evade detection and lock sensitive data, according to a recent report by HackRead.

The campaign, active throughout 2024 and 2025, begins with emails carrying attachments disguised as documents, often with double extensions such as Document.doc.lnk. These are actually Windows shortcut files (.lnk) that, when clicked, use Living off the Land techniques to run malicious commands through legitimate system tools such as PowerShell. The final payload is Global Group ransomware, a successor to Mamona, which features a "mute" mode: it generates encryption keys locally and operates without an internet connection, so it can infect offline computers. It uses the ChaCha20-Poly1305 encryption algorithm and attempts to delete volume shadow copies to prevent data recovery. The malware also includes a three-second timer, implemented with a ping command to 127.0.0.7, before self-deleting, leaving minimal evidence.
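Three of the behaviours described above (double-extension .lnk attachments, shadow-copy deletion, and a loopback ping used as a sleep timer before self-deletion) translate directly into triage rules. The following is an added detection example, not code from the report or from HackRead; the process-creation events are constructed, and the ping rule accepts any 127.0.0.0/8 address rather than only the 127.0.0.7 cited in the article (an assumption that generalizes the reported indicator).

```python
import re

# Rule 1: document-looking name with a trailing .lnk (the report's example is Document.doc.lnk).
DOUBLE_EXT_LNK = re.compile(r"\.(doc|docx|pdf|xls|xlsx|txt|rtf)\.lnk$", re.IGNORECASE)

# Rule 2: volume shadow copy deletion, the backup-destruction step the report describes.
SHADOW_DELETE = re.compile(
    r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b",
    re.IGNORECASE,
)

# Rule 3: ping to a loopback address used as a timer, chained (& or |) into a delete.
# Assumption: any 127.x.x.x address is treated like the 127.0.0.7 in the report.
PING_DELETE = re.compile(
    r"\bping(\.exe)?\b[^&|]*\b127\.\d{1,3}\.\d{1,3}\.\d{1,3}\b.*?(&|\|)\s*del\b",
    re.IGNORECASE | re.DOTALL,
)


def is_double_extension_lnk(filename: str) -> bool:
    """Flag attachment names like Document.doc.lnk; plain .lnk or real documents pass."""
    return DOUBLE_EXT_LNK.search(filename) is not None


def classify_process_event(event: dict) -> list[str]:
    """Return the rule names a single process-creation event matches."""
    hits = []
    cmd = event.get("cmdline", "")
    # Low-fidelity on its own (users open PowerShell from Explorer too); correlate with
    # the attachment name and the other rules before alerting.
    if event.get("parent", "").lower() == "explorer.exe" and event.get("image", "").lower() == "powershell.exe":
        hits.append("powershell_spawned_by_explorer")
    if SHADOW_DELETE.search(cmd):
        hits.append("shadow_copy_deletion")
    if PING_DELETE.search(cmd):
        hits.append("loopback_ping_self_delete")
    return hits


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map event id -> matched rules, keeping only events that matched something."""
    return {e["id"]: h for e in events if (h := classify_process_event(e))}


# Constructed sample events (not taken from the report); paths and names are placeholders.
SAMPLE_EVENTS = [
    {"id": 1, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -File C:\\Users\\Public\\stage1.ps1"},
    {"id": 2, "parent": "cmd.exe", "image": "vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"id": 3, "parent": "loader.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c ping -n 3 127.0.0.7 > nul & del /f /q C:\\Users\\Public\\loader.exe"},
    {"id": 4, "parent": "services.exe", "image": "svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```

Run as-is, the scan reports events 1, 2 and 3 and stays silent on the benign svchost event; feed it your own EDR process-creation export by mapping its fields onto parent, image and cmdline.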

This campaign highlights the effectiveness of simple social engineering tactics combined with advanced malware capabilities. The ability of Global Group ransomware to operate offline and actively target backups poses a significant threat to data security across various industries. Users are urged to exercise caution with unsolicited emails and attachments.

Source: HackRead
