Back to Intelligence

Defending Against Phorpiex: Mitigating Malicious Shortcut Attacks and Global Group Encryption

SA
Security Arsenal Team
April 1, 2026
5 min read

Introduction

A recent resurgence of the Phorpiex botnet has been observed leveraging high-volume social engineering campaigns to deliver malicious payloads. This campaign specifically targets organizations using malicious Windows Shortcut (.lnk) files to initiate a "Low-Noise Global Group" encryption-based cyber incident.

For security defenders, this highlights a critical blind spot: the exploitation of trivial file types to bypass initial email filters and user vigilance. Understanding the mechanics of this attack is essential for configuring defenses to detect the execution chain rather than just the initial delivery vector.

Technical Analysis

Threat Overview: The Phorpiex botnet (also known as Trik) is a long-standing modular malware known for distributing ransomware and crypto-miners. In this recent campaign, threat actors are spamming victims with emails containing attachments disguised as documents (e.g., invoices, orders). However, these files are actually malicious .lnk (Windows Shortcut) files.

Attack Vector: When a user interacts with the malicious LNK file, it executes a command line instruction embedded within the shortcut's properties. This typically invokes Windows PowerShell or CMD to download and execute the Phorpiex payload. The use of LNK files is particularly effective because it bypasses many email filtering mechanisms that block executable extensions (like .exe or .js) but often allow .lnk files.

Payload and Encryption: Once executed, Phorpiex establishes a foothold, often communicating with Command and Control (C2) servers to receive instructions. The "Global Group" encryption referenced in the threat intelligence suggests a ransomware module designed to encrypt files on local and mapped network drives, using low-noise techniques to evade detection during the encryption phase.

Affected Systems:

  • Microsoft Windows operating systems.
  • Environments where users have permissions to launch PowerShell or CMD.

Patch/Fix Details: Since this is a social engineering attack vector exploiting a legitimate OS feature (shortcuts), there is no specific "patch." Defense relies on configuration hardening, application control, and detection.

Defensive Monitoring

Detection requires identifying the suspicious process execution chains initiated by the interaction with shortcut files.

SIGMA Rules

YAML
---
title: Suspicious PowerShell Execution via LNK File
id: 8a1b2c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects PowerShell execution triggered by explorer.exe or outlook.exe, typical of malicious LNK file execution.
references:
  - https://attack.mitre.org/techniques/T1566/001/
  - https://attack.mitre.org/techniques/T1059/001/
author: Security Arsenal
date: 2024/05/22
tags:
  - attack.initial_access
  - attack.t1566.001
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\explorer.exe'
      - '\outlook.exe'
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
    CommandLine|contains:
      - 'DownloadString'
      - 'IEX'
      - 'Invoke-Expression'
      - 'FromBase64String'
  condition: selection
falsepositives:
  - Legitimate administrative scripts run by IT staff
level: high
---
title: Phorpiex Service Manipulation via Net1
id: b2c3d4e5-5f6a-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects Phorpiex botnet behavior using net1.exe to stop or start services, often used to disable security software.
references:
  - https://attack.mitre.org/techniques/T1562/001/
author: Security Arsenal
date: 2024/05/22
tags:
  - attack.defense_evasion
  - attack.t1562.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\net1.exe'
    CommandLine|contains:
      - ' stop '
      - ' start '
  condition: selection
falsepositives:
  - Legitimate system administration
level: medium

KQL (Microsoft Sentinel/Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for suspicious processes spawned by Explorer or Outlook (LNK execution)
DeviceProcessEvents
| where InitiatingProcessFileName in~ ("explorer.exe", "outlook.exe")
| where FileName in~ ("powershell.exe", "cmd.exe", "mshta.exe")
| where ProcessCommandLine has_any ("DownloadString", "IEX", "Invoke-Expression", "-enc", "FromBase64String")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, FolderPath
| order by Timestamp desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for recently created or modified LNK files in user directories
SELECT FullPath, Mtime, Atime, Size, Mode
FROM glob(globs="C:/Users/*/AppData/Local/**/*.lnk")
WHERE Mtime < now() - 24h // Created or modified in last 24 hours

-- Hunt for PowerShell processes with encoded commands (common in Phorpiex)
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE Name =~ "powershell"
  AND CommandLine =~ "-enc|DownloadString|IEX"

PowerShell (Verification)

PowerShell
# Scan for suspicious LNK files in user downloads
$UserDirs = Get-ChildItem "C:\Users" -Directory
foreach ($User in $UserDirs) {
    $DownloadPath = Join-Path -Path $User.FullName -ChildPath "Downloads"
    if (Test-Path $DownloadPath) {
        Write-Host "Scanning $DownloadPath for LNK files..."
        Get-ChildItem -Path $DownloadPath -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | 
        Select-Object FullName, LastWriteTime, Length
    }
}

Remediation

  1. Email Filtering: Immediately update email security gateways to quarantine or block emails containing .lnk attachments or nested archives containing them.
  2. User Awareness: Issue a security advisory to end-users warning against opening unexpected invoices or documents, specifically those that appear as shortcuts or icons that look like files but are actually links.
  3. Application Control: Configure AppLocker or Windows Defender Application Control (WDAC) to prevent PowerShell and CMD from executing from standard user directories (e.g., Downloads, AppData\Local\Temp) or when spawned directly by Explorer/Outlook without code signing verification.
  4. Attack Surface Reduction (ASR): Enable the ASR rule "Block Office applications from creating child processes" and "Block Win32 API calls from Office macros" to impede similar macro-based and script-based execution vectors.
  5. Indicators of Compromise (IOC) Scanning: Scan endpoints for IOCs associated with this Phorpiex campaign, specifically looking for the presence of unusual LNK files in temp folders or recent downloads.

Related Resources

Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub

incident-responseransomwareforensicsphorpiexsocial-engineeringwindowsthreat-hunting

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action