{
	"id": "d21978c8-cf26-48e9-b5c4-7dc61a9e34c3",
	"created_at": "2026-04-06T00:10:09.916058Z",
	"updated_at": "2026-04-10T03:22:08.662217Z",
	"deleted_at": null,
	"sha1_hash": "c036a21a9b26318d0611f28de9f8768951e97cb1",
	"title": "Someone is uninstalling the Phorpiex malware from infected PCs and telling users to install an antivirus",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 38026,
	"plain_text": "Someone is uninstalling the Phorpiex malware from infected PCs and telling users to install an antivirus\r\nWritten by Catalin Cimpanu, Contributor, Jan. 23, 2020 at 9:57 a.m. PT\r\nArchived: 2026-04-05 20:14:59 UTC\r\nA mysterious entity appears to have hijacked the backend infrastructure of the Phorpiex (Trik) botnet and is uninstalling the spam-bot malware from infected hosts, while also showing a popup telling users to install an antivirus and update their computers, ZDNet has learned.\r\nThe popups have started appearing on users' screens today, early morning, US Eastern time, and have been spotted by the research team at antivirus vendor Check Point.\r\nInitially, ZDNet and others thought this was a prank coded inside the malware by the Phorpiex team for the purpose of trolling security researchers analyzing the malware.\r\nHowever, as the hours passed, it became clear that this was actually taking place on customer systems, in the real world, and was not just a popup that was appearing in virtual machines used as malware analysis sandboxes.\r\n\"This is truly happening,\" Yaniv Balmas, Head of Cyber Research at Check Point, told ZDNet. \"We are closely monitoring this malware family and have noticed this behavior started just a few hours ago.\"\r\nBalmas listed several theories as to what could have happened -- such as the malware operators deciding to quit and shut down the botnet on their own terms, a law enforcement action, a vigilante security researcher taking matters into his own hands, or a rival malware gang sabotaging the Phorpiex crew by destroying their botnet.\r\nMost likely a hijack\r\n\"Hijack seems likely based on the track record for the Phorpiex developer,\" said a second malware analyst, who declined to have his name used in this article because he was not authorized to speak in his company's name -- another antivirus vendor.\r\n\"The Phorpiex developer has some pretty nasty rivals in the botnet game so it wouldn't surprise me if this is an attack motivated by jealousy or something along those lines,\" he added.\r\n\"The developer for the Phorpiex botnet is extremely lazy and careless,\" the malware analyst said, claiming that he could have also hijacked the botnet in the past due to its simplistic IRC-based command and control mechanism.\r\nSame botnet suffered a data breach in 2018\r\nThe Phorpiex malware, which has been active for more than a decade, has suffered security breaches in the past, also due to the malware developer's carelessness.\r\nIn 2018, the Phorpiex developer left one of the botnet's command and control backend servers exposed online, and security researchers were able to retrieve a list of 43.5 million email addresses that the Phorpiex crew was targeting with spam campaigns.\r\nPhorpiex is one of today's most active spam botnets. The Phorpiex team operates by infecting Windows computers and using these systems as spam bots to send out massive spam campaigns.\r\nThese spam campaigns keep the spam botnet alive, by infecting new PCs with Phorpiex, but they also send out custom spam campaigns on behalf of other cybercrime groups -- the method through which the Phorpiex crew makes its money.\r\nWhoever hijacked the botnet today and instructed bots to uninstall themselves has put a serious dent in the Phorpiex gang's future profits and operations. To give an idea about the size of the profits the Phorpiex crew lost, Check Point previously reported that the same botnet made $115,000 in five months just from mass-spamming sextortion emails.\r\nSource: https://www.zdnet.com/article/someone-is-uninstalling-the-phorpiex-malware-from-infected-pcs-and-telling-users-to-install-an-antivirus/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zdnet.com/article/someone-is-uninstalling-the-phorpiex-malware-from-infected-pcs-and-telling-users-to-install-an-antivirus/"
	],
	"report_names": [
		"someone-is-uninstalling-the-phorpiex-malware-from-infected-pcs-and-telling-users-to-install-an-antivirus"
	],
	"threat_actors": [],
	"ts_created_at": 1775434209,
	"ts_updated_at": 1775791328,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c036a21a9b26318d0611f28de9f8768951e97cb1.pdf",
		"text": "https://archive.orkl.eu/c036a21a9b26318d0611f28de9f8768951e97cb1.txt",
		"img": "https://archive.orkl.eu/c036a21a9b26318d0611f28de9f8768951e97cb1.jpg"
	}
}