Phorpiex Botnet Campaign: Detecting LNK-Based Delivery of Global Group Ransomware

Introduction

The Phorpiex botnet (also known as Trik) has resurfaced with a high-volume social engineering campaign delivering a "low-noise" encryption payload targeting global groups. Unlike traditional spray-and-pray ransomware, this campaign leverages malicious Windows Shortcut (.lnk) files to obfuscate the attack chain, making detection challenging for legacy signature-based defenses.

The threat actors are banking on user interaction—clicking a seemingly benign file icon—to trigger a cascade that results in file encryption. For defenders, the urgency lies in the speed of encryption and the difficulty of recovery if the payload executes successfully. We need to shift from signature reliance to behavioral telemetry to stop this at the delivery stage.

Technical Analysis

Affected Platform: Windows endpoints (all supported versions).

Threat Actor/Vector: Phorpiex Botnet utilizing Social Engineering (Malicious .lnk files).

Attack Chain Breakdown:

Initial Access: Victims receive phishing emails containing attachments—often ZIP archives—housing the malicious .lnk file. These shortcuts are icon spoofed to resemble legitimate documents (PDFs, Excel sheets).
Execution: When a user double-clicks the LNK file, it does not open a document. Instead, it executes a command line instruction defined in the shortcut's Target field.
Payload Delivery: The LNK triggers cmd.exe or powershell.exe to retrieve and execute the Phorpiex payload. This "low-noise" approach leverages native Windows binaries (LOLBins) to bypass application allow-listing.
Impact: The final stage is the "Global Group" encryption routine, which locks files on the local system and potentially mapped network drives.

Exploitation Status: Confirmed active exploitation (In-the-wild).

Detection & Response

This campaign relies heavily on the abuse of Windows shortcuts to spawn shell processes. Defenders should focus on identifying explorer.exe (the shell) spawning command-line interpreters immediately after handling a file with the .lnk extension, followed by network activity indicative of payload staging.

Sigma Rules

YAML

---
title: Suspicious LNK File Spawning PowerShell
description: Detects when a Windows Shortcut (.lnk) file spawns a PowerShell process, a common TTP for Phorpiex delivery vectors involving social engineering.
id: 88c345a1-1a2b-4c3d-9e0f-1a2b3c4d5e6f
status: experimental
references:
 - https://attack.mitre.org/techniques/T1566/001/
author: Security Arsenal
date: 2025/04/06
tags:
  - attack.initial_access
  - attack.t1566.001
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\explorer.exe'
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      '-NoP'
      '-W Hidden'
  condition: selection
falsepositives:
  - Legitimate administrative scripts triggered by shortcuts (rare)
level: high
---
title: CMD Spawning PowerShell via LNK
description: Detects cmd.exe spawning PowerShell with encoded commands, typical of Phorpiex LNK execution chains.
id: 99d456b2-2b3c-5d4e-0f1a-2b3c4d5e6f70
status: experimental
references:
 - https://attack.mitre.org/techniques/T1059/003/
author: Security Arsenal
date: 2025/04/06
tags:
  - attack.execution
  - attack.t1059.003
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\cmd.exe'
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      'FromBase64String'
      'DownloadString'
  condition: selection
falsepositives:
  - System administration automation
level: high

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender

// Hunt for LNK files initiating suspicious PowerShell processes
let suspiciousProcesses = DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "explorer.exe"
| where FileName in~ ("powershell.exe", "cmd.exe")
| where ProcessCommandLine has_any ("-NoP", "-W Hidden", "-enc", "DownloadString")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, FolderPath;
// Correlate with file creation events for LNK extensions
let lnkCreation = DeviceFileEvents
| where Timestamp > ago(7d)
| where FileName endswith ".lnk"
| project Timestamp, DeviceName, FileName, FolderPath;
suspiciousProcesses
| join kind=inner (lnkCreation) on DeviceName, Timestamp
| where Timestamp <= ago(1m) // Correlation window

Velociraptor VQL

VQL — Velociraptor

-- Hunt for recently modified LNK files in user directories
SELECT FullPath, Mtime, Size, Mode
FROM glob(globs="\\Users\\*\\Downloads\\*.lnk")
WHERE Mtime < now() AND Mtime > -2h

-- Hunt for PowerShell processes spawned by Explorer (LNK trigger)
SELECT Pid, Name, CommandLine, Parent.Pid, Parent.Name
FROM pslist()
WHERE Name =~ "powershell.exe"
  AND Parent.Name =~ "explorer.exe"
  AND CommandLine =~ "-NoP|Hidden|DownloadString"

Remediation Script (PowerShell)

PowerShell

# Phorpiex Remediation & LNK Hardening Script
# Requires Administrator Privileges

Write-Host "[*] Initiating Phorpiex/Global Group Threat Hunt and Containment..." -ForegroundColor Cyan

# 1. Kill suspicious PowerShell processes spawned by Explorer
Write-Host "[+] Terminating suspicious PowerShell instances..." -ForegroundColor Yellow
Get-Process | Where-Object { 
    $_.ProcessName -eq "powershell" -and 
    $_.Parent.ProcessName -eq "explorer" -and 
    $_.CommandLine -match "-NoP|-W Hidden|DownloadString"
} | Stop-Process -Force -ErrorAction SilentlyContinue

# 2. Scan User Downloads and Temp for recent LNK files
Write-Host "[+] Scanning for recent malicious LNK files..." -ForegroundColor Yellow
$startTime = (Get-Date).AddHours(-24)
$paths = @("$env:USERPROFILE\Downloads", "$env:TEMP", "$env:APPDATA\Local\Temp")

$maliciousLnks = @()
foreach ($path in $paths) {
    if (Test-Path $path) {
        Get-ChildItem -Path $path -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | 
        Where-Object { $_.LastWriteTime -gt $startTime } | 
        ForEach-Object {
            $maliciousLnks += $_.FullName
            Remove-Item $_.FullName -Force -ErrorAction SilentlyContinue
            Write-Host "[-] Removed suspicious LNK: $($_.FullName)" -ForegroundColor Red
        }
    }
}

if ($maliciousLnks.Count -eq 0) {
    Write-Host "[INFO] No recent LNK files found in standard directories." -ForegroundColor Green
}

# 3. Enable Macro/Powershell Hardening (If not already enforced)
Write-Host "[*] Verifying Script Execution Policy..." -ForegroundColor Yellow
$currentPolicy = Get-ExecutionPolicy
if ($currentPolicy -ne "Restricted" -and $currentPolicy -ne "Undefined") {
    Write-Host "[!] Warning: Execution Policy is currently set to $currentPolicy. Consider tightening for end-users." -ForegroundColor DarkYellow
}

Write-Host "[*] Remediation Complete. Please perform a full AV/EDR scan." -ForegroundColor Green

Remediation

Email Gateway Filtering: Immediately update email content filters to block ZIP archives containing .lnk files or files with double extensions (e.g., .pdf.lnk). n2. User Education: Issue an urgent security advisory to users highlighting the phishing campaign. Instruct users not to open unexpected "shipping" or "invoice" notifications, particularly those requiring them to open a ZIP file.
Endpoint Isolation: If a device is confirmed infected (evidence of Global Group encryption routines), isolate the host from the network immediately to prevent lateral movement to network shares.
PowerShell Constrained Language Mode: For users who do not require full scripting capabilities, enforce PowerShell Constrained Language Mode via Group Policy to prevent the execution of the obfuscated scripts typically used by Phorpiex.
Indicators of Compromise (IOCs): Check your defense telemetry for the specific C2 infrastructure associated with this Phorpiex iteration (refer to vendor intelligence feeds for specific IPs/Hashes).

Related Resources

Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub