{
	"id": "fb106fbf-d551-4f54-8d97-3f2246c01079",
	"created_at": "2026-04-06T00:06:17.511438Z",
	"updated_at": "2026-04-10T03:20:05.632547Z",
	"deleted_at": null,
	"sha1_hash": "e3008f7c644df4fc537e97e782ab47a827c0480b",
	"title": "Phorpiex – A decade of spamming from the shadows | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 887327,
	"plain_text": "Phorpiex – A decade of spamming from the shadows | Proofpoint US\r\nBy Proofpoint Staff, May 24, 2018\r\nPublished: 2018-05-24 · Archived: 2026-04-05 22:04:22 UTC\r\nOverview\r\nProofpoint researchers have recently begun tracking the Phorpiex/Trik botnet (an SDBot fork, referred to\r\nas Trik throughout this post) as several sophisticated actors have been using it to distribute a range of malware.\r\nDespite the recent attention, though, Trik, not to be confused with the TrickBot banking Trojan, is a relatively old\r\nbotnet. It is not especially sophisticated or complex but has been active for almost a decade, flying under the radar\r\nand attracting a solid customer base of threat actors. As we began tracking this botnet more closely, we discovered\r\nthat a number of familiar actors were repeatedly leveraging Trik’s power and distribution capabilities for delivery\r\nof their malware.\r\nAnalysis shows that Trik has been present for a decade and first began spreading via Windows Live Messenger\r\nand removable USB storage. It later added Skype to its worming capabilities, but this appears to have\r\nstopped a few years ago and Trik now propagates via removable storage media and email spam.\r\nDuring the initial investigation of this botnet, we observed the bot version included in the PDB string associated\r\nwith the malware. Pivoting on this data point, we identified several more versions, spanning a timeframe\r\nof over five years. However, there is no real noticeable difference between bot versions; the version is more likely\r\nto increment when there is a change in infrastructure than when a feature is added or a technique is\r\nmodified within the bot itself.\r\nMeet the customers\r\nMalware families associated with recent Trik activity include GandCrab, Pushdo (which in turn\r\ndownloads Cutwail), Pony, Trik updates, and various coin miners. 
Some of these, like coin miners, are not\r\ndistributed by Trik in spam but are, instead, sent to the hosts infected with Trik and\r\nexecuted, likely for improved monetization of the botnet for the operator. Taking a single day as an\r\nexample, on May 9 we observed instructions to download and distribute GandCrab, Pony, Pushdo, and multiple\r\ncoin miners being sent to the botnet.\r\nThe bot, infrastructure, and sinkholing\r\nMost of the bot’s internals were already documented in a blog post from 2016 [1]; little has changed since\r\nthat post with respect to how the bot operates. However, one important difference between the 2016 Trik and the\r\ncurrent version of Trik is that operators have backtracked in sophistication by removing the anti-VM code from most of the samples we detected. They did, however, retain some of these features in other samples,\r\nincluding a version that uses a .NET loader and performs very basic anti-analysis.\r\nhttps://www.proofpoint.com/us/threat-insight/post/phorpiex-decade-spamming-shadows\r\nPage 1 of 16\n\nProofpoint initially observed the aforementioned .NET loader variant several months prior to this investigation\r\nand discovered that it had been attempting to connect to an abuse.ch sinkhole after abuse.ch had registered several\r\nof Trik's C\u0026C domains. We suspect that this version is still in circulation as a result of Trik’s worming\r\ncapabilities. We observed additional sinkholing activity at the end of April 2018 and the beginning\r\nof May 2018. Shortly thereafter, the Trik operators stood up another four C\u0026Cs, some of which are\r\nbeing reused from prior months, dating as far back as 2016. The operators then resumed\r\nsending campaigns -- in this case distributing GandCrab.\r\nTrik nodes communicate with their C\u0026C servers using the IRC protocol and campaign payloads are sent to the\r\nbot in an encrypted state using a custom implementation of RC4. 
We have also observed several C\u0026C servers that\r\nare active and spamming daily, each with a maximum bot count of 1024. Any connection to the botnet servers\r\nwhen the servers are full results in a TCP packet with the RST flag set and, sometimes, an error message\r\nstating that the server has reached its maximum count of 1024 clients. We also noticed that, shortly after a spam\r\ncampaign, the C\u0026Cs would close their C\u0026C port until the following day, at which point it would re-open, ready\r\nfor a new campaign.\r\nWe observed version v5.0 of the bot both during the GandCrab campaigns noted above and being sinkholed in\r\nApril and May. The PDB string for this version of Trik is shown in Figure 1.\r\n \r\nFigure 1: Trik v5.0 PDB\r\nHowever, v6.0 had already appeared prior to this activity with no changes to the codebase or infrastructure.\r\n \r\nFigure 2: Trik v6.0 doc PDB\r\nThe only noticeable difference between these PDBs is the inclusion of ‘doc’. We observed another similar\r\nv6.0 PDB containing ‘js’ which, when analyzed, was associated with spam\r\ncampaigns sending .js attachments. While the PDB should not be relied upon exclusively, it may be an indication\r\nof which file types were distributed in any given campaign, especially considering that these bots last for a single\r\ncampaign before they are recycled.\r\n \r\nFigure 3: Trik v6.0 js PDB\r\nReturn of the .NET loader variant\r\nOn May 23, 2018, we observed the return of a slightly different, older version of Trik (v2.5, see Figure 4). This\r\nversion of Trik uses a .NET loader that has the main bot split into several encrypted pieces saved in the resources\r\nof the .NET loader. Once the main bot is pieced together and decrypted, the differences between the bots are fairly\r\nobvious. 
In particular, the PDB shows a much older version and has a different user compared to the v5.0 and v6.0\r\nbots. Additionally, this version has never been observed outside of the .NET loader version. Based on samples\r\nanalyzed over the past few years, if this bot has this PDB, it appears to be exclusively associated with the .NET\r\nloader, whereas v5.0 and v6.0 have never been paired with the .NET loader. This begins to raise questions in terms\r\nof attribution and, initially, it appeared as though there may be several operators running different versions\r\nof Trik. However, after several days of downtime, the returning .NET loader version is now using the same\r\nC\u0026C server as version v6.0. While the .NET loader itself is not particularly new, this version of Trik being\r\npointed at a live C\u0026C is new because, prior to this activity, we observed all .NET loaders communicating\r\nwith sinkhole servers for several months.\r\n \r\nFigure 4: Trik v2.5 PDB from .NET loader variant\r\nThere are slight differences between versions in the behavior of the bot on the infected host. As noted, the first\r\ndifference is that v2.5 still carries basic anti-analysis techniques that were observed in Trik several years ago,\r\nwhereas v5.0 and v6.0 do not include anti-analysis features.\r\nFigure 5: Execution flow of Trik’s anti-analysis\r\nTrik utilizes several methods to determine whether it is being executed within a lab, but these techniques are\r\ntrivial to bypass. Version v2.5 of Trik performs the following:\r\nSnapshot the currently running processes, query a hardcoded list of common analysis tools, and then try to match\r\none of them to one of the current running process names.\r\nQuery a hardcoded list of executable names that are commonly given to samples when dealing with\r\nmalware. 
\r\nCheck the name of the current folder to determine whether the name implies that Trik is in an analysis\r\nenvironment.\r\nAttempt to establish a handle to each of the tools to determine if they are running.\r\nUtilize the FindWindow API call with its list of hardcoded process names in an attempt to find any of the\r\nanalysis tools listed.\r\nQuery a list of hardcoded users to determine if the current user matches any in the list.\r\nQuery Kernel32.dll and attempt to resolve the address of ‘wine_get_unix_file_name’ to determine whether\r\nWine is present.\r\nDetermine if it is being debugged with IsDebuggerPresent.\r\nFinally, as described in the 2016 blog post [1], Trik will query the properties of storage devices and attempt\r\nto match several strings to what it finds in the STORAGE_DESCRIPTOR_TABLE.\r\nEach of the described techniques has its search strings listed in Appendix 1. If any of these checks returns\r\ntrue, Trik will exit, but only once each of the checks has been completed. If these checks all return false, Trik will\r\ncontinue with execution. The only exception to the above is the final check, which happens after Trik has created\r\nits mutex and generated its IRC NICK.\r\n \r\nFigure 6: Showing the application exit if Trik determines it is being analyzed\r\nEmail templates\r\nTrik’s email templates are straightforward and are hardcoded into the bot; they have not changed\r\nfor several years, with randomly chosen, hardcoded email subjects (Figure 7).\r\n \r\nFigure 7: Trik email subjects\r\nAdditionally, the body of Trik spam emails has not changed in several years and has been observed in several\r\ncampaigns including Andromeda spam campaigns in Q4 2017. 
\r\n \r\nFigure 8: Trik email body and signature\r\nThe email closing, however, does change for each message sent by the bot. Trik generates 3 random letters,\r\nconverts them to uppercase, and prepends them to the email signature (the ‘aCustomerSuppor’ string in the above\r\nscreenshot, “Customer Support\\r\\n\\r\\n”). This behavior is shown below.\r\n \r\nFigure 9: Function snippet showing 3-character random generation for the spam email signature\r\nThe resulting email template looks similar to those from a GandCrab campaign on April 23, 2018, with the\r\ncustomer support line varying.\r\nFigure 10: Trik email from the April 23rd 2018 GandCrab campaign\r\nSender names are randomly selected from two lists of first names and surnames, both hardcoded in\r\nevery Trik binary we have observed so far, as opposed to other spam botnets that tend to send lists from\r\nthe C\u0026C at the beginning of a campaign. 
The sender emails in these campaigns follow a very basic and obvious\r\nstructure: \u003chardcoded name in the EXE\u003e[0-9]{2}@[0-9]{4}.com\r\nSome of the sender addresses observed in the April 23 GandCrab campaign include:\r\nHumberto Anderson \u003cHumberto63@8117.com\u003e\r\nGlenn Murphy \u003cGlenn99@3968.com\u003e\r\nBobbie Adams \u003cBobbie57@9223.com\u003e\r\nFigure 11: Hardcoded names used for spam email sender names\r\nTraffic Analysis\r\nTrik’s command and control uses the IRC protocol and, as previously documented, the C\u0026C traffic flow for these\r\nbots is as follows:\r\nInitially join a hardcoded IRC channel on the C\u0026C with a nickname in the format: a pipe-enclosed ISO Alpha-3\r\ncountry code followed by a randomly generated string of [a-z].\r\nIf a bot already exists with the same NICK, the server responds with the code ‘433’, which forces the bot to retry\r\nwith a new, randomly generated NICK.\r\nOnce the bot has joined the server, it immediately receives a list of instructions which are typically used to\r\njoin additional channels or close the connection.\r\nSeveral different channels have been observed and they appear to rotate on a daily basis.\r\nUpon joining these additional channels, the bot is provided several encrypted URLs that contain malicious\r\npayloads. These payloads are then downloaded by the bot and either executed on the host infected\r\nwith Trik or sent in spam email campaigns, depending on the task specified by the botnet.\r\nFigure 12 shows a sample of the traffic from this botnet.\r\n \r\nFigure 12: Pcap snippet highlighting RC4-encrypted URLs (payload locations) sent to the bot for either execution\r\non the system infected by the bot or to be distributed in email spam campaigns. 
\r\nThe encrypted URLs sent from the botnet are the snippets of decimals in the form of pipe-enclosed digits. These\r\nURLs are encrypted with a custom implementation of RC4 and can be decrypted with the following modified RC4\r\nimplementation in Python:\r\nFigure 13: Pseudo-code of the custom RC4 implementation\r\n \r\nFigure 14: Python decryptor output\r\nFigure 15: Custom RC4 decryption Python script\r\nThe tasks mentioned previously refer to the commands that follow ‘332’ and ‘.d’. In this case, ‘.d’ is the\r\ndownload command -- one of many different commands supported by Trik’s bots -- and when followed by ‘x’, the\r\ndownloaded payload will execute on the host infected with Trik. When followed by ‘u’, the infected host will\r\ndownload the payload, execute that payload, and quit the current process. Trik uses this process to handle bot\r\nupdates and prepare for the next campaign. We observed Trik bots downloading updates that contained hardcoded\r\nchannels the bot would have to join to receive the new campaign payloads. Once the campaign ends, the bot\r\nlistens for PINGs, as you would expect with the standard IRC protocol, until a new update is issued and the cycle\r\nrepeats.\r\nIn some cases, we observed several payloads after the initial connection but, for the most part, only 2-3\r\npayloads were downloaded per campaign.\r\n \r\nFigure 16: Another traffic example highlighting 5 encrypted URLs that are hosting various different payloads\r\nTrik uses a layer of SOCKS proxies to hide the real C\u0026C servers. We observed other malware\r\nincluding Ursnif using the same proxies. 
\r\nConclusion\r\nDespite being a decade old and using IRC as a command and control protocol, Trik remains an active and\r\npowerful botnet based on the types of malware that it is distributing. Many different malware families have\r\nbeen distributed by Trik and this activity appears to be ramping up with multiple daily campaigns. We will\r\ncontinue to monitor Trik activity as actors increasingly rely on this infrastructure.\r\nReferences\r\n[1] https://www.johannesbader.ch/2016/02/phorpiex/\r\nET and ETPRO Suricata/Snort Signatures\r\n2008124 - ET TROJAN Likely Bot Nick in IRC (USA +..)\r\n2017319 - ET CURRENT_EVENTS SUSPICIOUS IRC - NICK and 3 Letter Country Code\r\n2801390 - ETPRO TROJAN Malware Worm.Win32.Phorpiex.A Activity\r\n2826005 - ETPRO TROJAN MSIL/Trik Backdoor IRC Checkin\r\n2821422 - ETPRO TROJAN Win32.Phorpiex.A EXE Download\r\nIndicators of Compromise (IOCs)\r\nIOC  IOC Type  Description\r\n92.63.197.106:5050  IP Address  Trik/Pony C\u0026C\r\n112.126.94.107:5050  IP Address  Trik C\u0026C\r\n123.56.228.49:5050  IP Address  Trik C\u0026C\r\n220.181.87.80:5050  IP Address  Trik C\u0026C\r\n185.189.58.222:5050  IP Address  Trik C\u0026C\r\nauoegfiaefuageudn.ru:5050  Domain  Trik/Pony C\u0026C\r\n7ba150c8808edf187a1ccf8d0532d0732fff2bbe28f76d6e2f02f8196669dd06  SHA256  Pony sample from May 15th 2018\r\n0b4996c03b059d1a10349f715b6b21ad9926912faae834581f0c96b24ff1b33f  SHA256  Pushdo sample from May 9th 2018\r\n9f3f80167c5d39efb9e81507efec6d9bdc5e31323f9d6d89630374c7fe490f33  SHA256  GandCrab sample from May 9th 2018\r\nef1563a962d2d86ceb1dd09056f87fcab4c32e3ca6481c51950d3b6db49d1087  SHA256  Trik sample from May 9th 2018 
\r\n5bf79a111467a85abe57f1f3e92f2279b277cccae53ed28c584267717ba372f8  SHA256  Trik sample from May 12th 2018\r\n2035ef02a014f9ae2a21d39c98604ca4863d77c47dcc12d31bb9b7b2d3e5fc98  SHA256  Trik sample from May 18th 2018\r\n3df16261b28f30683dce6a66331452f4ddc1d3472fb194ff5b505270a8f64311  SHA256  Trik sample from May 19th 2018\r\nAppendix 1 – Anti-analysis strings\r\nRunning processes\r\nMsseces.exe\r\nMrt.exe\r\nMsascui.exe\r\nRstrui.exe\r\nWuauclt.exe\r\nWireshark.exe\r\nNetstat.exe\r\nNetmon.exe\r\nNetworkminer.exe\r\nTnm.exe\r\nSbiectrl.exe\r\nSbiesvc.exe\r\nJoeboxserver.exe\r\nJoeboxcontrol.exe\r\nVirtualbox.exe\r\nWpePro.exe\r\nTcpview.exe\r\nModules\r\nSbiedll.dll\r\nSbiedllx.dll\r\nVboxhook.dll\r\nWpespy.dll\r\nVmcheck.dll\r\nWindow titles\r\nOllydbg\r\nPortmonclass\r\nProcexplr\r\nGdkwindowtoplevel\r\nCurrent users\r\nTest\r\nHoney\r\nVmware\r\nMalware\r\nLab\r\nSandbox\r\nTestuser\r\nCurrentuser\r\nPotentially renamed malware names\r\nSample.exe\r\nMalware.exe\r\nTest.exe\r\nCurrent folder\r\n\\LAB\r\n\\MALWARE\r\n\\VIRUS\r\n\\SAMPLE\r\n\\TEST\r\nSource: https://www.proofpoint.com/us/threat-insight/post/phorpiex-decade-spamming-shadows",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/phorpiex-decade-spamming-shadows"
	],
	"report_names": [
		"phorpiex-decade-spamming-shadows"
	],
	"threat_actors": [],
	"ts_created_at": 1775433977,
	"ts_updated_at": 1775791205,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e3008f7c644df4fc537e97e782ab47a827c0480b.pdf",
		"text": "https://archive.orkl.eu/e3008f7c644df4fc537e97e782ab47a827c0480b.txt",
		"img": "https://archive.orkl.eu/e3008f7c644df4fc537e97e782ab47a827c0480b.jpg"
	}
}