{
	"id": "09541429-8998-4cbb-a580-7bed380b6f3e",
	"created_at": "2026-04-06T00:20:06.800703Z",
	"updated_at": "2026-04-10T03:32:26.635188Z",
	"deleted_at": null,
	"sha1_hash": "f8e6d2202acc1a19188282b5beb8c76b6619cd27",
	"title": "Phorpiex morphs: How a longstanding botnet persists and thrives in the current threat environment | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 460212,
	"plain_text": "Phorpiex morphs: How a longstanding botnet persists and thrives in the\r\ncurrent threat environment | Microsoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2021-05-20 · Archived: 2026-04-05 18:58:21 UTC\r\nPhorpiex, an enduring botnet known for extortion campaigns and for using old-fashioned worms that spread via removable\r\nUSB drives and instant messaging apps, began diversifying its infrastructure in recent years to become more resilient and to\r\ndeliver more dangerous payloads. Today, the Phorpiex botnet continues to maintain a large network of bots and generates\r\nwide-ranging malicious activities.\r\nThese activities, which traditionally included extortion and spamming, have expanded to include cryptocurrency\r\nmining. From 2018, we also observed an increase in data exfiltration activities and ransomware delivery, with the bot\r\ninstaller observed to be distributing Avaddon, Knot, BitRansomware (DSoftCrypt/ReadMe), Nemty, GandCrab, and Pony\r\nransomware, among other malware.\r\nThe botnet’s geographic targeting for bot distribution and installation expanded, too. Previous campaigns focused on targets\r\nin Japan, but more recent activity showed a shift to a more global distribution.\r\nFigure 1. Global distribution of Phorpiex botnet activity\r\nThe Phorpiex botnet has a reputation for being simplistic and lacking robustness, and it has been hijacked by security\r\nresearchers in the past. Its tactics, techniques, and procedures (TTPs) have remained largely static, with common commands,\r\nfilenames, and execution patterns nearly unchanged from early 2020 to 2021. 
To support its expansion, however, Phorpiex\r\nhas shifted some of its previous command-and-control (C2) architecture away from its traditional hosting, favoring domain\r\ngeneration algorithm (DGA) domains over branded and static domains.\r\nThis evolution characterizes the role of botnets in the threat landscape and the motivation of attackers to persist and remain\r\neffective. The threat ecosystem relies on older botnets with large and diverse networks of compromised machines to deliver\r\npayloads at low costs. And while many of the older botnet architectures have been primarily classified as spam delivery\r\nmechanisms, these infrastructures are critical for newer, modular delivery mechanisms.\r\nhttps://www.microsoft.com/security/blog/2021/05/20/phorpiex-morphs-how-a-longstanding-botnet-persists-and-thrives-in-the-current-threat-environment/\r\nPage 1 of 14\n\nPhorpiex also demonstrates that bots, which are some of the oldest types of threats, continue to affect consumer users but\r\nnotably bring increasingly more serious threats to enterprise networks. Despite being traditionally associated with lower-risk activity like extortion and spamming, Phorpiex operators’ decision to move to more impactful malware and actions is\r\nentirely at the whim of the attackers.\r\nUnderstanding botnets and associated infrastructure, botnet malware, their activities and payloads, and how they evolve\r\nprovides insight into attacker motivation and helps ensure durable protection against some of the most prevalent threats\r\ntoday. At Microsoft, we continue to conduct in-depth research into these threats. These expert investigations add to the\r\nmassive threat intelligence that informs Microsoft 365 Defender services and the protections they provide. 
Microsoft 365\r\nDefender delivers coordinated cross-domain defense against the various malware, emails, network connections, and\r\nmalicious activity associated with Phorpiex and other botnets.\r\nDistribution, expansion, and operation\r\nPhorpiex’s sprawling botnet operation can be divided into three main portions:\r\n1. Distribution of the bot loader: The bot loader has been propagated through a variety of means over the years,\r\nincluding being loaded by other malware, freeware, and unwanted programs, or delivered by phishing emails from\r\nalready-infected bots. Phorpiex has also spread via productivity platforms, as well as via instant messaging and USB\r\ndrives.\r\n2. Mailing botnet: In addition to spreading the bot loader via email, the botnet is used to generate currency. It does so\r\nvia extortion and spam campaigns as well as through a variety of other types of financially motivated malware.\r\n3. Malware delivery botnet: In recent years, the botnet has been observed installing ransomware, cryptocurrency miners,\r\nand other malware types, indicating the expansion of the botnet’s activities by the Phorpiex operators or as part of a\r\nmalware-as-a-service scheme.\r\nFrom December 2020 to February 2021, the Phorpiex bot loader was encountered in 160 countries, with Mexico,\r\nKazakhstan, and Uzbekistan registering the most encounters.\r\nFigure 2. Countries with the most encounters of the Phorpiex bot loader\r\nIn December 2020 and January 2021, we observed non-weaponized staging of Knot ransomware on Phorpiex servers. In\r\nFebruary, we also detected commodity malware such as Mondfoxia (also known as DiamondFox) in these servers. 
These\r\nrecent developments indicate new loader and monetization strategies under active development.\r\nThe combination of the wide variety of infection vectors and outcomes makes the Phorpiex botnet appear chaotic at first\r\nglance. However, for many years Phorpiex has maintained a consistent internal infrastructure using similar domains,\r\ncommand-and-control (C2) mechanisms, and source code.\r\nThe wide range of infection vectors used by Phorpiex requires a unified security approach that ensures protection is\r\ndelivered on the endpoint, network, email, and applications. Microsoft 365 Defender’s advanced threat protection\r\ntechnologies detect malicious activity in each of these domains. Moreover, the correlation of these cross-domain threat data\r\nsurfaces additional malicious activity, allowing Microsoft 365 Defender to provide coordinated and comprehensive\r\nprotection against Phorpiex.\r\nBot distribution and installation\r\nPhorpiex maintains and expands its network of bot-infected computers by distributing the Phorpiex bot loader. In 2020 and\r\n2021 we observed the bot loader being spread through Phorpiex bot-delivered emails with .zip or other archive file\r\nattachments, downloaded from fake download sites for software (such as photo editing software, screensaver, or media\r\nplayers), or downloaded by other malware also delivered through email. These multiple entry points demonstrate the\r\nmodular nature of the malware economy.\r\nRegardless of distribution mechanism, however, the bot loader operates in a fairly uniform fashion. 
It uses three distinct\r\ntypes of C2 to fulfil different goals during and after installation:\r\nDownloading the Phorpiex malware implant\r\nDownloading updates to the Phorpiex implant and new exploit modules\r\nChecking in with C2 infrastructure to deliver cryptocurrency or return data\r\nThe malware implant is initially downloaded from sites such as trik[.]ws (historically) or, more recently, a malware hosting\r\nrepository, worm[.]ws. We are also noticing a shift to using more dedicated IP-based C2 and delivery sites, such as\r\n185[.]215[.]113[.]10 and 185[.]215[.]113[.]8. A notable Phorpiex behavior is the downloading of numbered modules,\r\ntypically numbered 1-10, with URL paths such as \u003cdomain\u003e.com/1, \u003cdomain\u003e.com/2, \u003cdomain\u003e.com/3, continuing this\r\npattern for as many additional components as needed. As these downloads do not happen through standard web traffic,\r\nnetwork-level protection is necessary to prevent malicious downloads. In a very recent development, we observed that most\r\nPhorpiex bot loader malware has abandoned branded C2 domains and has completely moved to using IPs or DGA\r\ndomains. However, as in the past, the operators neglected to register all the potential sites that the DGA domains resolve to.\r\nWhen downloaded and run, the implant attempts to connect to legitimate external sites like WIPMANIA.com to get IP\r\ninformation. It does this repeatedly during subsequent check-ins, and then begins connecting to hardcoded C2 servers.\r\nDuring these check-ins, the implant checks the device’s regional settings and exits if it’s operating in a non-desired region,\r\nsuch as Ukraine. Favored regions include countries in East Asia as well as English-speaking countries.\r\nThe loader modules and updates are pulled from a variety of attacker-owned domains. 
These domain names typically begin\r\nwith a second-level domain (2LD) of TLDR, TSRV, or THAUS and end with an assortment of unorthodox TLDs such as\r\n.WS, .TOP, .RU, .CO, .TO, .SU, .CC, and .IO. As has been pointed out by other researchers, TSRV and TLDR are likely\r\nreferences to “Trik Server” or “Trik Loader”, as many of the internals of the malware use Trik as a proprietary name.\r\nRegular connections to these attacker-owned domains continue during infection, such that devices that have been infected\r\nfor months receive new loader versions and capabilities. Modules downloaded from C2 can include additional malware,\r\nransomware, cryptocurrency mining functionality, worming functionality, and the Phorpiex mailing botnet functionality. It is\r\nmost common for a bot to be participating in mailing and crypto mining, as these seem to be driving revenue generation for\r\nthe operators during non-ransomware initiatives.\r\nThe bot also establishes persistence and attempts to disable security controls. This includes modifying registry keys to\r\ndisable firewall and antivirus popups or functionality, overriding proxy and browser settings, setting the loader and\r\nexecutables to run at startup, and adding these executables to the authorized application lists. 
A sample of the keys changed\r\nis below, with minor changes from version to version of the loader:\r\n\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List\r\n\\Microsoft\\Windows\\CurrentVersion\\Run\\Host Process for Windows Services\r\n\\Microsoft\\Security Center\\AntiVirusOverride\r\n\\Microsoft\\Security Center\\AntiVirusDisableNotify\r\n\\Microsoft\\Security Center\\FirewallOverride\r\n\\Microsoft\\Security Center\\FirewallDisableNotify\r\n\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\SavedLegacySettings\r\n\\Microsoft\\Security Center\\UpdatesOverride\r\n\\Microsoft\\Security Center\\UpdatesDisableNotify\r\n\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\r\n\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableBehaviorMonitoring\r\n\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableOnAccessProtection\r\n\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableScanOnRealtimeEnable\r\nEnabling tamper protection in Microsoft Defender for Endpoint prevents the bot from making modifications related to\r\nMicrosoft Defender services. Microsoft Defender for Endpoint automatically cleans up changes made by the bot (if any)\r\nduring threat cleanup and remediation. Security operations teams can use advanced hunting capabilities to locate these and\r\nsimilar modifications. 
Administrators can also disable “Local Policy Merge” to prevent local firewall policies from taking effect\r\nover group policies.\r\nAs the bot loader updates, the key values change to reflect new files, randomized file paths, and masqueraded system files.\r\nThe example below illustrates a change from SVCHOST to LSASS:\r\nKEY NAME: HKEY_CURRENT_USER\\[ID]\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nOLD VALUE: C:\\1446621146296\\svchost.exe\r\nNEW VALUE: C:\\19197205241657\\lsass.exe\r\nAt varying intervals, the bot implant collects lists of files and exfiltrates that data to external IP addresses leased by the\r\nattacker, many of which also serve as C2. When additional malware is installed, the pull is initiated from the implant itself.\r\nThe malware is staged on the Phorpiex operators’ servers prior to new campaigns or on shared sites such as worm[.]ws.\r\nThe bot checks in routinely, often weekly and sometimes even daily. It does this to upload any outcomes from the various\r\nmodules that the bot installs, such as coin mining deposits or spam activity.\r\nIn addition to detecting and blocking the bot malware through its endpoint protection platform (EPP) and endpoint detection\r\nand response (EDR) capabilities, Microsoft Defender for Endpoint’s network protection defends against botnet activities like\r\nconnecting to attacker-controlled servers, mimicking system files, and downloading implants and additional payloads.\r\nSelf-spreading via remote drives\r\nOne of the more unique and easily identifiable Phorpiex behaviors, dating from when it spread primarily via USB, involves a check that\r\noccurs routinely for all connected remote drives. 
The bot then creates a series of hidden folders on those drives with\r\nunderscores (e.g., “__”) and then changes the registry attributes to make these appear invisible to the user. The bot then\r\ncopies all its file configurations and includes a malicious DriveMgr.exe, a copy of the loader, as well as a .lnk file that runs\r\nthe malware when opened. This activity has been largely consistent since 2019. This functionality offers a self-spreading\r\nmechanism that serves as a backup way to expand the bot implant base. Commands consistent with this Phorpiex worming\r\nactivity are:\r\nShEllExECutE=__\\\\DriveMgr.exe\r\n“cmd.exe” /c start __ \u0026 __\\DriveMgr.exe \u0026 exit\r\nMicrosoft Defender for Endpoint offers multiple layers of protection against USB threats. This includes real-time scanning\r\nof removable drives and an attack surface reduction rule to block untrusted and unsigned processes that run from USB.\r\nMicrosoft Defender for Endpoint also enables organizations to monitor and control removable drives, for example allowing or\r\nblocking USB based on granular configurations, and to monitor USB activities.\r\nPhorpiex as a mailing botnet\r\nFor several years, Phorpiex used infected machines to deliver extortion, malware, phishing, and other content through large-scale email campaigns. 
These emails span a large set of lures, subject lines, languages, and recipients, but there are key sets\r\nof characteristics that can identify emails sent from the Phorpiex botnet:\r\nSpoofed sender domain, sender username, and sender display name\r\nSender domain of 4 random digits\r\nSender username using a generic name with a variety of numbers\r\nSubjects or lures referencing singular names, heights and weights, surveillance\r\nBody of the message often referencing dating services or extortion material for ransom\r\nPresence of Bitcoin, DASH, Ethereum, or other cryptocurrency wallets\r\nZIP files or other file types purporting to be images such as JPG files or photo types\r\nThese patterns include language more commonly used in consumer extortion emails, which reference having illicit photos or\r\nvideos of the recipient. These are also the same lures that are used to distribute the bot installer as well as ransomware or\r\nother malware. The messages often include old passwords of individuals gathered from publicly available lists, a method\r\nthat attackers use to add credibility whether the mail is received in a corporate environment or at home.\r\nMicrosoft Defender for Office 365 detects malicious emails sent by the Phorpiex botnet. These include the extortion and\r\nphishing emails, as well as messages carrying malware, whether the Phorpiex loader itself or other malware. Microsoft\r\nDefender for Office 365 uses AI and machine learning to detect user and domain impersonation, informed by its\r\ncomprehensive visibility into email threats as well as through in-depth research like this.\r\nSpam and extortion campaigns\r\nPhorpiex is well known for illicit image or video-based extortion phish and spam campaigns, also known as “sextortion”.\r\nThese campaigns target a large variety of regions and languages, which is a different set of targets from bot distribution\r\nactivities. These generally do not deliver malware directly. 
They are meant to collect revenue for the operator by asserting\r\nthat they have already compromised a device and have access to damaging material regarding the recipient.\r\nSextortion campaigns have been quite popular in recent years and generally require payment from the victim in\r\ncryptocurrency. We observed Phorpiex operators requiring payment primarily through Bitcoin and Dash. An example of the\r\ncryptocurrency profit volume from a campaign in late February 2021 targeting English-speaking users is below, with\r\nthe subject “Payment from your account”.\r\nThere are several public monitors of extortion wallets operated by Phorpiex, which have seen the operators of the botnet\r\nrunning numerous wallets during any given week. We observed the below example in which an operator requested $950\r\nfrom users and accumulated over $13,000 in 10 days.\r\nFigure 3. Cryptocurrency profit volume from a single wallet used in spam extortion campaign in late February 2021. Data\r\nfrom BitInfoCharts.\r\nIn late 2020 and early 2021 we also observed this extortion scheme exploiting fears about security vulnerabilities in\r\nteleconferencing applications such as Zoom. The messages claimed that a vulnerability is what allowed the operators to\r\ncapture their extortion material.\r\nFigure 4. Example of an extortion email lure from late 2020\r\nFigure 5. Example of a Korean language extortion email lure from early 2021\r\nIn addition to the examples above, Phorpiex is often distributed via business email compromise and contains no links or\r\nURLs. 
This hampers many automatic detection capabilities an organization might have in place.\r\nPhishing, malware, and ransomware campaigns\r\nPhorpiex-powered phishing campaigns as well as bot implant installations deliver secondary malware as well as standard\r\nextortion and spam. The tactics involving the spread of emails are the same, with the only differences being in the\r\nattachments or links. Malware involving malicious Office documents is interspersed with deliveries of the bot implant or\r\ndirect ransomware deliveries, which are often contained within .ZIP attachments.\r\nSince 2019, many of the malware-carrying emails from Phorpiex use the same lures, subject lines, and attachment file\r\nnames. The emails use a randomly generated feminine name in the subject or reference an embarrassing or improperly\r\nobtained photo, and either contain extortion or deliver ransomware. As part of the social engineering lure, the malware\r\nattachments masquerade as .jpg files or other file types, while actually being .zip or .js files.\r\nFigure 6. Example of an email lure including malicious ZIP attachment masquerading as an image of an actress\r\nIn Summer and Fall 2020 many new Phorpiex infections began to spread using archive files to deliver BitRansomware and\r\nAvaddon. Avaddon only began spreading in mid to late 2020 and its distribution seems to have been tightly coupled with\r\nPhorpiex since its inception.\r\nIn the month of August 2020, there was also an increase in the number of bot implants installed on devices, corresponding\r\nwith the ransomware increase. 
At this time, most instances of ransomware perpetrated by Phorpiex were carried through the\r\nbot implant itself.\r\nPhorpiex as malware delivery botnet\r\nIn addition to operating as a mailing botnet, Phorpiex has evolved to deliver other malware as well, most notably\r\ncryptocurrency mining malware and ransomware.\r\nCryptocurrency mining malware\r\nIn 2019 Phorpiex started utilizing an XMRIG miner to monetize the hosts with Monero. This module is included in almost\r\nall bot installations at the time of infection and communicates primarily over port 5555. This behavior might be coupled\r\nwith other malware, but in this instance, it is associated with the masqueraded system process used by the rest of the\r\nPhorpiex implant (i.e., SVCHOST.exe or LSASS.exe).\r\nThe miner is downloaded as a module masquerading as WINSYSDRV.exe. It stores its configuration locally and checks it\r\nperiodically. The miner does this from additional masqueraded system processes injected into legitimate processes to read its\r\nconfiguration and to mine.\r\nThe WINSYSDRV.exe file routinely kicks off a series of heavily nested processes preceded by a PING with a long wait,\r\nwhich is intended to avoid sandboxes. This command is shown below:\r\ncmd.exe /C ping [INTERNAL IP] -n 8 -w 3000 \u003e Nul \u0026 Del /f /q “C:\\ProgramData\\PnQssBdbSh\\winsysdrv.exe” \u0026\r\n“C:\\Users\\[USER]\\AppData\\Local\\Temp\\winsysdrv.exe”\r\nIn prior versions, this command utilized the legitimate but hijacked WUAPP.exe process. 
Recently we have seen\r\nNOTEPAD.exe used to read the path, which is a variant of C:\\ProgramData\\[RandomString]\\cfg:\r\n“C:\\Windows\\System32\\wuapp.exe” -c “C:\\ProgramData\\ADwXcSSGvY\\cfgi” (2019-2020)\r\n“C:\\Windows\\System32\\wuapp.exe” -c “C:\\ProgramData\\PnQssBdbSh\\cfgi” (2020)\r\n“notepad.exe” -c “C:\\ProgramData\\PnQssBdbSh\\cfgi” (2020-2021)\r\n“notepad.exe” -c “C:\\ProgramData\\PnQssBdbSh\\cfg” (2020-2021)\r\nIn addition to mining Monero, versions of the bot loader also upload to Bitcoin wallets. We were able to scrape those\r\naddresses via downstream executables dropped by the Phorpiex loader masquerading as SVCHOST.exe or LSASS.exe. Below\r\nis an example of the balance in one such wallet address that was active from September to November 2020, embedded in a\r\nspecific sample.\r\nFigure 7. Cryptocurrency profit from a single wallet used in a miner dropped on an infected machine from September to\r\nNovember 2020. Data from BitInfoCharts.\r\nIn February of 2021, infected implants also downloaded additional Ethereum miners. These miners create scheduled tasks\r\nthat are labeled “WindowsUpdate” but run the miner every minute. The miners search for graphics cards as well as other\r\nresources to use for mining with an ethermine.org mining pool. Here’s an example task creation:\r\nschtasks /create /sc minute /mo 1 /tn WindowsUpdate /tr %TEMP%\\System.exe\r\nMicrosoft has also observed Phorpiex variants with cryptocurrency-clipping functionality accompanying the installation of\r\nthe loader. In these instances, the malware checks clipboard values for a valid cryptocurrency wallet ID. If it finds one, it\r\nreplaces it with its own hardcoded value. 
This method allows attackers to profit from existing mining installations or prior malware\r\nwithout having to bring in new software or remove old instances.\r\nMicrosoft Defender for Endpoint detects and blocks cryptocurrency mining malware and coin mining activity in general. To\r\ncontinue enhancing this detection capability, Microsoft recently integrated Intel Threat Detection Technology (TDT) into\r\nMicrosoft Defender for Endpoint, allowing our endpoint detection and response capabilities to use silicon-based threat\r\ndetection to better protect against coin mining malware.\r\nRansomware\r\nPhorpiex has been associated with multiple ransomware families through the years. Phorpiex either delivers ransomware on\r\nbehalf of other groups using those operators’ infrastructure or hosts the ransomware itself. The latter is more common\r\nin the case of commodity kits like Avaddon and Knot.\r\nAs recently as February 2021, Avaddon was under active development. Like the Phorpiex loader itself, Avaddon performs\r\nlanguage and regional checks for Russia or Ukraine before running to ensure only favored regions are targeted.\r\nThe initial Avaddon executable is located in the TEMP folder, and it generally uses a series of random characters as the file\r\nextension for encrypted files. 
Before deleting backups and encrypting the drive, it validates that UAC is disabled by\r\nchecking if certain registry keys are set to “0”, modifying the value if not:\r\n\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA = “0”\r\n\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmi\r\n= “0”\r\n\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLinkedConnections\r\n= “1”\r\nAfter achieving the privilege level needed, encryption usually occurs on the individual machine without lateral movement,\r\nthough that is subject to change based on the operator’s monetization strategy. The procedure for deleting backups, like most\r\nransomware, is performed with the following commands:\r\ncmd /c wmic.exe SHADOWCOPY /nointeractive\r\ncmd /c wbadmin DELETE SYSTEMSTATEBACKUP\r\ncmd /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest\r\ncmd /c bcdedit.exe /set {default} recoveryenabled No\r\ncmd /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\r\ncmd /c vssadmin.exe Delete Shadows /All /Quiet\r\nMicrosoft Defender for Endpoint detects and blocks the ransomware. It also detects and raises the following alerts for the\r\nencryption and backup deletion behaviors, enabling security operations teams to be notified and immediately respond to\r\nransomware activity in their environment:\r\nRansomware behavior detected in the file system\r\nFile backups were deleted\r\nWe have observed that the external commands and behaviors of the Avaddon ransomware have largely remained the same\r\nsince its introduction in June-July 2020. This includes the tendency to masquerade as the system file Taskhost.exe. 
Avaddon,\r\nwhich demands a ransom in Bitcoin equivalent to $700, is still active today and being actively distributed by Phorpiex using\r\nnew bot loaders that are not substantially different in behavior. Microsoft Defender for Endpoint continues to provide\r\ndurable protection against these new campaigns.\r\nOther ransomware is slightly less common lately, but in December 2020, a non-weaponized version of Knot ransomware\r\nwas staged on Phorpiex-operated servers. It did not seem to have had any infections yet, as this may have been a test version.\r\nThis ransomware shares a high degree of similarity with the Phorpiex loader itself, and improved versions have not yet been\r\nseen. Like Avaddon, Knot typically demands relatively smaller sums of money in Bitcoin, equivalent to $350. The ransom\r\nnotes generally require Bitcoin payment to a wallet, though no payments seem to have been made that month.\r\nFigure 8. Cryptocurrency profit volume from a single wallet attached to a Knot ransomware sample in early 2021, showing\r\nno payments of the asking price. Data from BitInfoCharts.\r\nDefending against botnets and associated activity\r\nBotnets drive a huge portion of the malware economy, and as the resilience of Phorpiex shows, they evolve to adapt to the\r\never-changing threat environment. Our many years of experience analyzing, monitoring, and even working with law\r\nenforcement and other partners to take down botnets tells us that alternative infrastructures rise as attackers try to fill in the\r\nvoid left by disrupted botnets. 
Typically, new infrastructures are born as a result of these movements, but in the case of\r\nPhorpiex, an established botnet adapts and takes over.\r\nThe wide range of malicious activities associated with botnets, as we detailed in this in-depth research into Phorpiex,\r\nrepresents the spectrum of threats that organizations face today: various attack vectors, multiple spreading mechanisms, and\r\na diverse set of payloads that attackers can change at will. To combat these threats, organizations need security solutions that\r\ndeliver cross-domain visibility and coordinated defense.\r\nMicrosoft 365 Defender leverages the capabilities and signals from the Microsoft 365 security portfolio to correlate threat\r\ndata from endpoints, email and data, identities, and cloud apps to provide comprehensive protection against threats.\r\nMicrosoft Defender for Endpoint detects and blocks malware, other malicious artifacts, and malicious behavior associated\r\nwith botnet activity, as well as the deployment of secondary payloads like cryptocurrency miners and ransomware. Features\r\nlike attack surface reduction, tamper protection, and security controls for removable media further help prevent these attacks\r\nand harden networks against threats in general. Microsoft Defender for Office 365 detects the malicious attachments and\r\nURLs in emails generated by the mailing operations of the Phorpiex botnet.\r\nOur industry-leading visibility informs AI and machine learning technologies that power the automatic prevention,\r\ndetection, and remediation of threats, as well as the rich set of investigation tools available to defenders for hunting,\r\nanalyzing, and resolving attacks. 
The unified Microsoft 365 Defender security center, which recently became generally available, integrates\r\ncapabilities so defenders can manage all endpoint, email, and cross-product investigations, configuration, and remediation\r\nwith a single portal.\r\nOur understanding of how botnets operate and evolve, through in-depth research like this, further enriches our ability to\r\ncontinue delivering defenses against the threats of today and the future. Learn how Microsoft 365 Defender stops attacks\r\nwith automated, cross-domain security and built-in AI.\r\nMicrosoft 365 Defender Threat Intelligence Team\r\nAdvanced hunting\r\nThe Phorpiex botnet used highly varied payloads and delivery methods after email distribution. You can use the provided\r\nadvanced hunting queries to surface activities associated with Phorpiex and similar threats.\r\nPhorpiex variable command-and-control connections\r\nLooks for a series of registered and unregistered delivery and installation domains that have been used by Phorpiex upon\r\ninstallation of the bot implant and at regular intervals for updates of the bot implant. These network connections are often\r\ninitiated by the DriveMgr process or one of the later faked system processes. Regex was included to limit scope and for use\r\nin other queries based on all of the currently known URL paths associated with Phorpiex component downloads, such as\r\ncc11, cc22, and others. Regex and RemoteUrl statements can be removed if the query is slow in a particular environment or to\r\ngather more results from broad DriveMgr.exe network connections. 
Run query.\r\nDeviceNetworkEvents\r\n| where InitiatingProcessFileName == \"DriveMgr.exe\"\r\n| where RemoteUrl has \"api.wipmania.com\" or RemoteUrl matches regex \"\\\\/(([a-z]{2}[0-6]{2})|([0-6]{2}[a-z]{2})|([0-6]{1,2})|(pepwn|t|m|r|s|p|consensus.z))(\\\\.exe)?\"\r\nPhorpiex bot implant DriveMgr strings\r\nLooks for a series of persistent strings used in the Phorpiex bot implant for self-replication via removable drives.\r\nThis implant will often search for any removable drives and create hidden empty folders to copy the loader to. This\r\noffers Phorpiex a way of self-propagation via the removable drives or attached storage and appears invisible to the user of\r\nthe drive. This has occasionally been reused in other named worms but is most common in Phorpiex, especially if\r\naccompanied by C2 activity. Run query.\r\nDeviceProcessEvents\r\n| where InitiatingProcessFileName == \"cmd.exe\"\r\n| where InitiatingProcessCommandLine has \"\\\\DriveMgr.exe \u0026 exit\"\r\nPhorpiex masqueraded system process network activity\r\nLooks for a pattern of a system process executable name that is not legitimate and is running from a folder whose name is a\r\nrandomly generated string of 13 to 15 digits. This pattern has changed slightly over time, but this is the current iteration as of\r\nMay 2021. The portions that are most likely to change are the service names, the length of the random pattern, and the\r\nexplicit faked process name. 
Run query.\r\nlet FakeProcesses = pack_array(\"lsass.exe\", \"svchost.exe\", \"audiodg.exe\", \"wininet.exe\", \"winmanager.exe\", \"smss.exe\", \"sedsvc.exe\", \"csrss.exe\", \"winmanager.exe\", \"dllhost.exe\", \"drivemgr.exe\", \"winsysdrv.exe\", \"winsvcs.exe\", \"notepad.exe\");\r\nDeviceNetworkEvents\r\n| where InitiatingProcessFileName in (FakeProcesses)\r\n| where InitiatingProcessFolderPath matches regex \"\\\\\\\\[\\\\d]{13,15}\"\r\nIndicators\r\nNon-DGA domains\r\ntsrv1[.]com tsrv1[.]ws tsrv2[.]top\r\ntsrv3[.]ru tsrv4[.]ws tsrv5[.]top\r\ntldrbox[.]com tldrbox[.]top tldrbox[.]ws\r\ntldrhaus[.]top tldrnet[.]top tldrzone[.]com\r\ntldrzone[.]top tsrv2[.]ws tsrv3[.]ws\r\nthaus[.]ws worm[.]ws thaus[.]to\r\ngotsomefile[.]top feedmefile[.]top gotsomefile[.]top\r\nxmrupdtemall[.]top vitamind[.]top w4tw4tw4tw4t4[.]jo\r\nDGA domain samples
IP addresses\r\n185[.]215[.]113[.]10 185[.]215[.]113[.]8 45[.]182[.]189[.]251\r\n185[.]215[.]113[.]93 45[.]66[.]156[.]175 45[.]66[.]156[.]176\r\n154[.]35[.]175[.]225 62[.]210[.]177[.]189 130[.]185[.]250[.]214\r\n213[.]32[.]71[.]116 51[.]15[.]42[.]19\r\nSource: 
https://www.microsoft.com/security/blog/2021/05/20/phorpiex-morphs-how-a-longstanding-botnet-persists-and-thrives-in-the-current-threat-environment/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2021/05/20/phorpiex-morphs-how-a-longstanding-botnet-persists-and-thrives-in-the-current-threat-environment/"
	],
	"report_names": [
		"phorpiex-morphs-how-a-longstanding-botnet-persists-and-thrives-in-the-current-threat-environment"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cfdd35af-bd12-4c03-8737-08fca638346d",
			"created_at": "2022-10-25T16:07:24.165595Z",
			"updated_at": "2026-04-10T02:00:04.887031Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Cosmic Wolf",
				"Marbled Dust",
				"Silicon",
				"Teal Kurma",
				"UNC1326"
			],
			"source_name": "ETDA:Sea Turtle",
			"tools": [
				"Drupalgeddon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "33ae2a40-02cd-4dba-8461-d0a50e75578b",
			"created_at": "2023-01-06T13:46:38.947314Z",
			"updated_at": "2026-04-10T02:00:03.155091Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"UNC1326",
				"COSMIC WOLF",
				"Marbled Dust",
				"SILICON",
				"Teal Kurma"
			],
			"source_name": "MISPGALAXY:Sea Turtle",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "62b1b01f-168d-42db-afa1-29d794abc25f",
			"created_at": "2025-04-23T02:00:55.22426Z",
			"updated_at": "2026-04-10T02:00:05.358041Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Sea Turtle",
				"Teal Kurma",
				"Marbled Dust",
				"Cosmic Wolf",
				"SILICON"
			],
			"source_name": "MITRE:Sea Turtle",
			"tools": [
				"SnappyTCP"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434806,
	"ts_updated_at": 1775791946,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f8e6d2202acc1a19188282b5beb8c76b6619cd27.pdf",
		"text": "https://archive.orkl.eu/f8e6d2202acc1a19188282b5beb8c76b6619cd27.txt",
		"img": "https://archive.orkl.eu/f8e6d2202acc1a19188282b5beb8c76b6619cd27.jpg"
	}
}