{"id":4459,"date":"2026-02-10T17:37:49","date_gmt":"2026-02-10T17:37:49","guid":{"rendered":"http:\/\/ft365.org\/index.php\/2026\/02\/10\/phorpiex-phishing-delivers-low-noise-global-group-ransomware\/"},"modified":"2026-02-10T17:37:49","modified_gmt":"2026-02-10T17:37:49","slug":"phorpiex-phishing-delivers-low-noise-global-group-ransomware","status":"publish","type":"post","link":"https:\/\/ft365.org\/index.php\/2026\/02\/10\/phorpiex-phishing-delivers-low-noise-global-group-ransomware\/","title":{"rendered":"Phorpiex Phishing Delivers Low-Noise Global Group Ransomware"},"content":{"rendered":"<div id=\"cphContent_pnlArticleBody\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>A high-volume phishing campaign delivering the long-running Phorpiex malware has been observed using emails with the subject line &#8220;Your Document,&#8221; a lure widely seen throughout 2024 and 2025.<\/p>\n<p>The messages include an attachment that appears to be a harmless document but is actually a weaponised Windows Shortcut file designed to initiate a multi-stage infection chain.<\/p>\n<p>According to a new advisory by Forcepoint, the campaign relies on the continued effectiveness of Windows shortcut (.lnk) files as an initial access vector and their role in delivering Global Group ransomware, a stealthy, offline-capable ransomware-as-a-service (RaaS) operation.<\/p>\n<h2><strong>Why Windows Shortcut Lures Persist<\/strong><\/h2>\n<p>Windows shortcut files remain a reliable way to convert a single click into code execution. Attackers disguise the files using double extensions such as Document.doc.lnk and take advantage of Windows default settings that hide known file extensions.<\/p>\n<p>Visual cues also play a role, with icons copied from legitimate Windows resources to reinforce the illusion of a trusted document.<\/p>\n<p>Once opened, the shortcut launches cmd.exe, which in turn runs PowerShell to download and execute a second-stage payload. 
No installer is displayed and no obvious warning is shown to the user, allowing the process to run quietly in the background.<\/p>\n<p>The infection chain unfolds in a straightforward but effective sequence:<\/p>\n<ul>\n<li>\n<p>A phishing email presents a document-like attachment<\/p>\n<\/li>\n<li>\n<p>The shortcut executes embedded commands via cmd.exe<\/p>\n<\/li>\n<li>\n<p>PowerShell downloads a remote payload and saves it as windrv.exe<\/p>\n<\/li>\n<li>\n<p>The binary is executed locally without visible user prompts<\/p>\n<\/li>\n<\/ul>\n<p>The payload retrieved in this campaign is associated with Phorpiex, a modular malware-as-a-service (MaaS) botnet active since around 2010 and commonly used to distribute ransomware and other secondary malware.<\/p>\n<h2><strong>Global Group&#8217;s Offline Ransomware Model<\/strong><\/h2>\n<p>In this case, Phorpiex ultimately deployed Global Group ransomware, which differs from many modern families by operating entirely offline.<\/p>\n<p>The malware generated encryption keys locally, did not contact a command-and-control (C2) server and performed no data exfiltration.<\/p>\n<p>This design allowed it to function in isolated or air-gapped environments and reduced reliance on network traffic that might otherwise trigger alerts.<\/p>\n<p>The ransomware encrypted files using the ChaCha20-Poly1305 algorithm and appended the .Reco extension. 
A ransom note titled README.Reco.txt was dropped across the system, while the desktop wallpaper was replaced with a GLOBAL GROUP message.<\/p>\n<p>The malware also deleted itself after execution and removed shadow copies, complicating forensic analysis and recovery.<\/p>\n<p>&#8220;This campaign demonstrates how long-standing malware families like Phorpiex remain highly effective when paired with simple but reliable phishing techniques,&#8221; Forcepoint said.<\/p>\n<p>&#8220;By exploiting familiar file types such as Windows shortcut files, attackers can gain initial access with minimal friction, enabling a smooth transition to high-impact payloads like Global Group ransomware.&#8221;<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A high-volume phishing campaign delivering the long-running Phorpiex malware has been observed using emails with the subject line &#8220;Your Document,&#8221; a lure widely seen throughout 2024 and 2025. The messages include an attachment that appears to be a harmless document but is actually a weaponised Windows Shortcut file designed to initiate a multi-stage infection 
chain.<\/p>\n","protected":false},"author":2,"featured_media":4460,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-4459","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4459-57f41468-44e2-4901-bfbb-52e1cfeb6175.jpg",300,300,false],"thumbnail":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4459-57f41468-44e2-4901-bfbb-52e1cfeb6175-150x150.jpg",150,150,true],"medium":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4459-57f41468-44e2-4901-bfbb-52e1cfeb6175.jpg",300,300,false],"medium_large":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4459-57f41468-44e2-4901-bfbb-52e1cfeb6175.jpg",300,300,false],"large":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4459-57f41468-44e2-4901-bfbb-52e1cfeb6175.jpg",300,300,false],"1536x1536":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4459-57f41468-44e2-4901-bfbb-52e1cfeb6175.jpg",300,300,false],"2048x2048":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4459-57f41468-44e2-4901-bfbb-52e1cfeb6175.jpg",300,300,false],"morenews-featured":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4459-57f41468-44e2-4901-bfbb-52e1cfeb6175.jpg",300,300,false],"morenews-large":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4459-57f41468-44e2-4901-bfbb-52e1cfeb6175.jpg",300,300,false],"morenews-medium":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4459-57f41468-44e2-4901-bfbb-52e1cfeb6175.jpg",300,300,false],"crawlomatic_preview_image":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4459-57f41468-44e2-4901-bfbb-52e1cfeb6175-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"https:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a 
href=\"https:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/4459","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=4459"}],"version-history":[{"count":0,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/4459\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/4460"}],"wp:attachment":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=4459"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=4459"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=4459"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}