Phorpiex
Phorpiex, also known as Trik and in newer variants as Twizt, is a long-running Windows botnet/malware platform active since 2011 that has evolved from a spam bot into a multi-purpose criminal service. The provided reporting describes it as a malware-as-a-service ecosystem capable of ransomware delivery, sextortion spam, cryptocurrency wallet hijacking, downloader/loader activity, USB worm propagation, and peer-to-peer botnet operations. Recent reporting links Phorpiex to delivery of LockBit Black ransomware, Global Group ransomware, and infrastructure associated with the Needle crimeware platform, private Monero mining, and wallet-drainer activity.
The malware is described as using both centralized command-and-control and a peer-to-peer architecture, with the Twizt variant specifically noted as combining standard web communication with a P2P layer. Reported capabilities include clipboard hijacking for more than 100 attacker-controlled wallet addresses across over 30 blockchain families; USB/removable-drive worm propagation using shortcut files; spreading via shared folders; downloader behavior; spam delivery including sextortion campaigns; and persistence via autorun registry keys. One analyzed Twizt build used six persistence mechanisms, installed itself under %APPDATA% as sysdvrnshost.exe, created the mutex h7g6f5d6h, deleted Zone.Identifier data, modified Explorer NoDrives settings, stored peer data in %USERPROFILE%\tbtnds.dat and command data in %USERPROFILE%\tbtcmds.dat, and used UPnP NAT traversal plus RC4/RSA-protected P2P communications. Reporting also states Phorpiex adds itself to the Windows Firewall allow-list under the name "Microsoft Corporation," uses API hashing, and wraps commands in a 256-byte RSA-encrypted header.
Observed infection and delivery vectors include phishing emails, especially campaigns using ZIP attachments containing double-extension Windows shortcut files such as Document.doc.lnk; cmd.exe and PowerShell living-off-the-land execution chains; fake video player/plugin update prompts on illicit movie and TV streaming sites; and worm-style propagation through removable media. Forcepoint-linked reporting states Phorpiex malware was used to deliver Global Group ransomware in campaigns active through 2024 and 2025, with emails using the subject "Your Document." The ransomware chain used LNK files, cmd.exe, and PowerShell to fetch a Phorpiex dropper and then deploy Global Group. Separate incident-response reporting tied Twizt-related delivery to fake plugin updates on streaming sites and identified twizt.net and 193.233.132.177 as indicators.
The malware primarily targets Windows systems. Reporting notes broad victim geography, with heavily affected countries including Iran, Uzbekistan, China, Kazakhstan, and Pakistan, and campaigns spanning at least 21 countries in some ransomware operations. It has been observed on Syrian Telecom infrastructure and on OMEGATECH LTD-hosted infrastructure. Associated infrastructure and indicators directly mentioned in the content include twizt.net, 193.233.132.177, 94.252.245.193, 178.16.54.109, and 158.94.211.162. The IP 178.16.54.109 is repeatedly described as a Phorpiex/Twizt C2 and payload host, including serving /newtpp.exe and endpoints such as /new.php, /peinstall.php, /1, /2, /32.exe, and /64.exe; it was also linked to a live Needle panel on port 3000 and a private XMRig mining pool on port 6060. A related Twizt sample compiled on 2026-03-05 had SHA-256 98e5fdce85ab8e17472f95eecb4c22f08a28933828e0afd0b5db831fe222e373. Another Phorpiex worm dropper first seen on 2026-04-20 had SHA-256 d55ec8ebbf308993bbb517f0281fe4296c8e9864e43ff51ba5e0b639b840b085.
The content associates Phorpiex with financially motivated cybercrime rather than a named state actor. It is linked to the TWIZT operator handle in one payload string (TWIZTPEINF), to the Needle MaaS ecosystem, and to bulletproof hosting providers including OMEGATECH LTD. Reporting also notes adjacent infrastructure overlap with Fuery C2 infrastructure on the same /24 subnet. High-confidence IOCs explicitly mentioned in the content include the domain twizt.net (including historical references to Phorpiex hosting on it); the IPs 193.233.132.177, 94.252.245.193, 178.16.54.109, and 158.94.211.162; the mutex h7g6f5d6h; dropped/installed filenames such as sysdvrnshost.exe, DrvMgr.exe, and DrvSvcsrMgr.exe; the storage files tbtnds.dat and tbtcmds.dat; and sample hashes including 98e5fdce85ab8e17472f95eecb4c22f08a28933828e0afd0b5db831fe222e373 and d55ec8ebbf308993bbb517f0281fe4296c8e9864e43ff51ba5e0b639b840b085.
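As an added example (not part of this profile or any vendor's detection content), a small Python matcher that runs the host and network indicators listed above over a constructed telemetry stream. The normalised event schema, and the assumption that the firewall allow-list entry surfaces as a rule-creation event carrying the rule name and program path, are assumptions of this example.

```python
import re
from urllib.parse import urlparse
# Indicators quoted in the profile above (C2 IPs, payload paths, dropped files, mutex).
IOC_IPS = {"193.233.132.177", "94.252.245.193", "178.16.54.109", "158.94.211.162"}
IOC_URL_PATHS = {"/newtpp.exe", "/new.php", "/peinstall.php", "/1", "/2", "/32.exe", "/64.exe"}
IOC_FILES = {"sysdvrnshost.exe", "drvmgr.exe", "drvsvcsrmgr.exe", "tbtnds.dat", "tbtcmds.dat"}
IOC_MUTEX = "h7g6f5d6h"
FIREWALL_RULE_NAME = "microsoft corporation"   # allow-list entry name reported for Phorpiex
DOUBLE_EXT_LNK = re.compile(r"\.[a-z0-9]{2,4}\.lnk\b", re.IGNORECASE)  # e.g. Document.doc.lnk

def check_event(ev: dict) -> list[tuple[str, str]]:
    """Return (rule, detail) pairs for one event. The event schema (a 'type' key plus
    path/cmdline/dst_ip/url/name/program) is an assumption of this example, not a vendor format."""
    hits = []
    kind = ev.get("type")
    if kind == "file_create":
        path = ev["path"]
        if path.replace("\\", "/").rsplit("/", 1)[-1].lower() in IOC_FILES:
            hits.append(("phorpiex_dropped_file", path))
        if DOUBLE_EXT_LNK.search(path):
            hits.append(("double_extension_lnk", path))
    elif kind == "process_create" and DOUBLE_EXT_LNK.search(ev.get("cmdline", "")):
        hits.append(("double_extension_lnk", ev["cmdline"]))
    elif kind == "network":
        if ev.get("dst_ip") in IOC_IPS:
            hits.append(("phorpiex_c2_ip", ev["dst_ip"]))
        if urlparse(ev.get("url", "")).path in IOC_URL_PATHS:
            hits.append(("phorpiex_c2_path", ev["url"]))
    elif kind == "mutex_create" and ev.get("name") == IOC_MUTEX:
        hits.append(("phorpiex_mutex", ev["name"]))
    elif kind == "firewall_rule_add" and ev.get("name", "").lower() == FIREWALL_RULE_NAME:
        # A "Microsoft" rule whose program lives under a user profile is the tell.
        if "\\appdata\\" in ev.get("program", "").lower():
            hits.append(("phorpiex_firewall_allowlist", ev["program"]))
    return hits

def scan(events: list[dict]) -> list[tuple[str, str]]:
    """Flatten the matches for a whole event stream, in event order."""
    return [hit for ev in events for hit in check_event(ev)]

# Constructed sample telemetry (not from a real host): one event per rule plus a benign one.
SAMPLE_EVENTS = [
    {"type": "process_create", "cmdline": 'cmd.exe /c "C:\\Users\\u\\Downloads\\Document.doc.lnk"'},
    {"type": "network", "dst_ip": "178.16.54.109", "url": "http://178.16.54.109/newtpp.exe"},
    {"type": "file_create", "path": "C:\\Users\\u\\AppData\\Roaming\\sysdvrnshost.exe"},
    {"type": "mutex_create", "name": "h7g6f5d6h"},
    {"type": "firewall_rule_add", "name": "Microsoft Corporation",
     "program": "C:\\Users\\u\\AppData\\Roaming\\sysdvrnshost.exe"},
    {"type": "network", "dst_ip": "10.0.0.5", "url": "http://intranet.example/index.html"},
]
```

Calling `scan(SAMPLE_EVENTS)` yields one match per malicious event and none for the benign intranet request; a single hit is a lead, while the combination of dropped file, mutex and C2 contact is what makes the host worth isolating.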
Groups observed using it
1 distinct threat actor attributed by public researchers.
A single 11KB Phorpiex worm dropper hit MalwareBazaar at 02:10 UTC on April 20, 2026.
Techniques & procedures
24 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniques
Each spam campaign is estimated to target between 2 million and 6 million email addresses. Alongside ransomware, the same botnet infrastructure delivers sextortion emails that falsely claim hackers recorded victims through their webcams while visiting explicit websites, demanding $1,800 in Bitcoin to keep the footage private.
MITRE ATT&CK Mapping
Tactic | Technique | ID | Implementation
Initial Access | Phishing: Spearphishing Attachment | T1566.001 | Phorpiex worm delivery
Execution
5 techniques
"...it hijacks your computer's 'healthy' programs, like PowerShell and Command Prompt... These commands download the actual virus..."
"...LNK attachments to run PowerShell code that fetches a Phorpiex dropper..."
“…using CMD and PowerShell to execute the payload.”
"Once clicked, the shortcut quietly tells your computer to run background commands..."
MITRE ATT&CK Mapping (excerpt): Execution | User Execution: Malicious File | T1204.002 | Dropper execution
Persistence
1 technique
Privilege Escalation
1 technique
Stealth
4 techniques
It also uses API Hashing to conceal the Windows functions it calls at runtime, and builds suspicious strings in memory byte by byte to bypass static security scanners.
To avoid detection, the malware silently adds itself to the Windows Firewall’s list of allowed programs under the name “Microsoft Corporation,” making it appear as a trusted system component.
In October 2025, Phorpiex was used to deliver LockBit Black ransomware to devices confirmed to be inside corporate networks or Windows domains. Verification that a device is inside a domain... Then in January 2026, a strain resembling the Global ransomware family was deployed against devices in China, using a public IP-lookup API to verify the target’s location before dropping the payload.
Discovery
2 techniques
Lateral Movement
2 techniques
MITRE ATT&CK Mapping (excerpt): Lateral Movement | Replication Through Removable Media | T1091 | Phorpiex USB spreading
The malware also spreads to removable USB drives and shared network folders by dropping a hidden executable named DrvMgr.exe alongside a disguised shortcut file (.lnk) that launches Phorpiex on any machine where the infected drive is connected.
Collection
2 techniques
Each batch file contained approximately 8,000 plaintext email:password credential pairs.
The spam coordination server ... had served 120,000+ credential batches containing plaintext email:password pairs from victims across 15+ countries
Command and Control
4 techniques
"...more than 1,350 active command-and-control (C2) servers were identified across 98 infrastructure providers in the region within just three months."
The Phorpiex (Twizt) botnet was found running on Syrian Telecom infrastructure, using a hybrid setup combining standard web communication with a peer-to-peer layer to deliver encrypted payloads.
MITRE ATT&CK Mapping (excerpt): Command and Control | Application Layer Protocol: Web | T1071.001 | HTTP C2 to port 80/3000
The .rdata section contains 7 hardcoded download URLs ... The dropper calls URLDownloadToFileW for each URL, saves to %TEMP%, then executes via ShellExecuteW.
Exfiltration
1 technique
Credentials, wallets, and browser cookies exfiltrated from victims will be processed on whichever panel belongs to the customer who ran the worm — not only on the one panel we originally documented.
Impact
2 techniques
"...including a cryptocurrency miner that has previously distributed LockBit Black ransomware."
The bundles do not contain the Phorpiex worm, the wallet-drainer stage, or the Monero miner — those are server-issued payloads documented in the original April 20 report.
Other
1 technique
IOCs tracked for this family
52 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
21 sources tracked across advisories, community write-ups, and news.
The content only explicitly references Phorpiex as a downloader in the cited reference. No additional behavioral details are provided in the content itself.
A botnet using hybrid HTTP and peer-to-peer C2 to deliver encrypted payloads, including a cryptocurrency miner, and previously associated with distribution of LockBit Black ransomware.
Phorpiex/Trik is described as the delivery worm used to distribute or deliver the Needle platform to victims.
Phorpiex is used here as the initial worm/dropper, downloading and executing seven payloads from actor-controlled infrastructure, including mining, file-harvesting, propagation, and spam modules.