{
	"id": "161454f6-7dcc-4d58-abd3-3dec66ac47b9",
	"created_at": "2026-04-06T00:15:57.871485Z",
	"updated_at": "2026-04-10T03:21:14.593437Z",
	"deleted_at": null,
	"sha1_hash": "8ac77fc9c3d070a4fce2fa92c07377b54887d3df",
	"title": "Phorpiex botnet shuts down, source code goes up for sale",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 115204,
	"plain_text": "Phorpiex botnet shuts down, source code goes up for sale\r\nBy Catalin Cimpanu\r\nPublished: 2022-12-15 · Archived: 2026-04-05 22:35:11 UTC\r\nThe operators of the Phorpiex malware have shut down their botnet and put its source code for sale on a dark web\r\ncybercrime forum, The Record has learned.\r\nThe ad, posted earlier today by an individual previously linked to the botnet's operation, claims that none of the\r\nmalware's two original authors are involved in running the botnet, hence the reason they decided to sell its source\r\ncode.\r\n\"As I no longer work and my friend has left the biz, I'm here to offer Trik (name from coder) / Phorpiex (name\r\nfomr AV firms) source for sell [sic],\" the individual said today in a forum post spotted by British security firm\r\nCyjax.\r\nThe source code for the Phorpiex botnet is being sold on the darknet... pic.twitter.com/GxBsnUacvh\r\n— Cyjax (@Cyjax_Ltd) August 27, 2021\r\nAlexey Bukhteyev, a malware reverse engineer for security firm Check Point, helped The Record today confirm\r\nthe ad's validity.\r\n\"The description of the malware is very similar to what we saw in the code,\" Bukhteyev told us.\r\nThe researcher, who previously analyzed the Phorpiex malware back in 2019, said that the malware's command\r\nand control (C\u0026C) servers have not been active for almost two months.\r\nBukhteyev, who has been running a fake Phorpiex bot in order to spy on its activity, told The Record that the last\r\ncommand the bot received from the Phorpiex C\u0026C servers was on July 6, 2021, and the command was a self-explanatory \"SelfDeletion\" instruction.\r\nSince then, the botnet appears to have disappeared from open-source reporting.\r\n\"As we know, the source code is private and hasn't been sold before. Therefore, this [forum ad] looks really\r\nbelievable,\" Bukhteyev told The Record.\r\n\"However, we can be totally sure if we buy it. 
The binaries are quite straightforward, and we can easily confirm\r\nthat the source code is for this bot indeed, if we get it,\" the researcher added.\r\n\"One thing that points to that the seller is likely a real author is: 'Main bot right now is FUD from windows\r\ndefender', because all the modules I know currently get AV detections on VT even if they are uploaded there for\r\nthe first time.\"\r\nBuyer gets access to all the Phorpiex infected systems too\r\nhttps://therecord.media/phorpiex-botnet-shuts-down-source-code-goes-up-for-sale/\r\nPage 1 of 7\n\nHowever, Bukhteyev also warns that even if the botnet C\u0026C servers are down, once someone buys the code, they\r\ncan set up new ones and hijack all the previously infected systems.\r\n\"There are still a lot of infected machines = active bots. We can't definitely say how many, but we constantly see\r\nmany hits on our gateways,\" the Check Point researcher added.\r\nHowever, it is unclear if the botnet will be bought.\r\nThere's both an upside and a downside to operating the botnet.\r\nThe upside is that the botnet has a tried and tested history of generating profits, primarily through its spam module\r\nand cryptocurrency clipboard hijacking feature.\r\nFor example, the spam module has helped the botnet's authors generate more than $115,000 in profits from a\r\nclassic sextortion scheme back in 2019.\r\nThe malware has also sold access to its infected bots to ransomware gangs, with the now-defunct Avaddon\r\ngang using Phorpiex bots to deploy their ransomware inside corporate networks last year.\r\n\"Also, the bot architecture allows the botmaster to passively earn some money from crypto-clipping (changing\r\ncrypto-currency wallet addresses in the clipboard) even without any active C\u0026C servers,\" Bukhteyev also said.\r\nThe downside is, however, a pretty big one. 
The botnet isn't as secure as other malware botnets and has often\r\nbeen hijacked by third parties to deploy their own payloads or issue rogue \"uninstall\" commands, something that\r\nmay deter buyers.\r\nAdditional details on the Phorpiex malware are available on this Malpedia page. Some reports refer to the botnet\r\nas Phorpiex, the name given to it by antivirus companies, while others refer to it as Trik, the name used by the\r\nbotnet's authors.\r\nThe full text of the Phorpiex ad is below:\r\nHello,\r\nas I no longer work and my friend has left the biz, I'm here to offer Trik\r\n(name from coder) / Phorpiex (name fomr AV firms,) source for sell.\r\nThe Trik / Phorpiex botnet is no longer active.\r\nInformation about phorpiex:\r\nhttps://www.microsoft.com/security/blog/2021/05/20/phorpiex-morphs-how-a-longstanding-botnet-persists-and-thrives-in-the-current-threat-environment/\r\nhttps://research.checkpoint.com/2020/phorpiex-arsenal-part-i/\r\nThe main bot and all modules are coded in C++\r\nVisual studio 2008 express projects, only PE infector is vs 2010\r\nEverything is compiled with ignoring default libs and linking of msvcrt.lib\r\nfrom w2k sdk, to reduce size and make it work on all WINOS\r\n30kb\r\nThe bot nor modules trigger any firewall / UAC prompts\r\nBot works fine on 32 and 64 bit\r\nMain bot right now is FUD from windows defender runtime, its easy to keep it\r\nFUD runtime from windef, I can explain how\r\nTries to copy to %systemdrive% and create regkey @ HKLM, if this fails it\r\nmoves to %userprofile% and create regkey @ HKCU\r\nThe main core of bot (one project) has the following\r\nInstaller\r\nUSB / rem drive spreader\r\nLoader\r\nClipper\r\nUSB / Remote drive spreader works with creating directory on drive, move all exisiting files from drive\r\nin the hidden folder, create shortcut with the name of the drive and drive icon when open the 
shortcut it\r\nwill open the hidden folder with all files and the bot, so the user doesnt really notice something is\r\nwrong\r\nClipper support those addresses\r\nLISK\r\nPOLKADOT\r\nBITCOIN\r\nWAVES\r\nDASH\r\nDOGECOIN\r\nETHEREUM\r\nLITECOIN\r\nRIPPLE\r\nBITTORRENT\r\nZCASH\r\nTEZOS\r\nICON\r\nQTUM\r\nRAVENCOIN\r\nNEM\r\nNEO\r\nSMARTCASH\r\nZILLIQA\r\nZCASH PRIVATE\r\nYCASH\r\nBITCOIN CASH\r\nCOSMOS\r\nMONERO\r\nCARDANO\r\nGROESTLCOIN\r\nSTELLAR\r\nBITCOIN GOLD\r\nBAND PROTOCOL\r\nPERFECT MONEY $ € BTC\r\nPERFECT MONEY €\r\nPERFECT MONEY BTC\r\nThe bot has no panel and checks for files every 30 minutes (can be changed), files 1 - 5\r\nIt comes with a signing tool for files, with your private key, bots execute\r\nthe files only if the key is right and they can decrypt the file, else it\r\nsimple is removed\r\nBot ddownload and execute the file only if its a new file and doesn't download\r\nexecute the same file multiple times\r\nSo the logic behind this is simply, you just need to sign the files with your\r\nkey and upload them to your websever, bot automatically download, decrypt and execute them\r\nThe signing tool has those options\r\n-genkey, generate new keys\r\n-sign, to sign file\r\n-verify, to make sure the file is decrypted fine with current key\r\nModules:\r\nSpambot\r\nPossible to spam attachment or normal mail\r\nComes with a PHP script wich simple gives emails or emails with pass each request, the amount can be\r\nconfigured in the script\r\nAll you need is to upload the php script and your list to your server\r\nBot checks for connection on port 25, if connection is ok, it start download the mails in %temp%, read\r\nthe list, split the mail, connect to MX server directly of the provider else [0.0.0.0] is used\r\nAfter the list is spammed, the script will 
rename the list, and output \"0\" to\r\nstops mailing\r\nVNC Spreader and autoinfector\r\nAll you need todo is change direct link to exe in the source, everything else is automatically\r\nSpreader gnerate random IPs, checks for port 5900, if port is open it start\r\nbruteforce and if logged in, it downloads your file with powershell and bitsadmin\r\nPE Infector\r\nAll you need to make your botnet bigger is to download it on whole botnet, it will scans all drives\r\nincluding USB and remote drives for .exe files and infect them with ddownload and exec shellcode\r\nInfection works with 32 and 64 bit files\r\nSo those modules can be used to make botnet bigger\r\nPE Infector\r\nVNC spreader\r\nSpambot\r\nAnd it has the .LNK spreader in it\r\nVNC spreader is also good for ransomware, as example alot of firms, schools are affected\r\nThe mailer can be used for sextortion and more\r\nhttps://www.zdnet.com/article/phorpiex-botnet-made-115000-in-five-months-just-from-mass-spamming-sextortion-emails/\r\nWith Trik you only can be richer and your botnet will never shrink\r\nThe price for everything with source is 9k$\r\nGarant is no problem, proofs are no problem!\r\nI will fund my account here today too\r\nKids, timewaster, stay away from me kthx.\r\nFirst contact - PM.\r\nCatalin Cimpanu\r\nis a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement\r\nactions against hackers.\r\nSource: 
https://therecord.media/phorpiex-botnet-shuts-down-source-code-goes-up-for-sale/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://therecord.media/phorpiex-botnet-shuts-down-source-code-goes-up-for-sale/"
	],
	"report_names": [
		"phorpiex-botnet-shuts-down-source-code-goes-up-for-sale"
	],
	"threat_actors": [],
	"ts_created_at": 1775434557,
	"ts_updated_at": 1775791274,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8ac77fc9c3d070a4fce2fa92c07377b54887d3df.pdf",
		"text": "https://archive.orkl.eu/8ac77fc9c3d070a4fce2fa92c07377b54887d3df.txt",
		"img": "https://archive.orkl.eu/8ac77fc9c3d070a4fce2fa92c07377b54887d3df.jpg"
	}
}