
Phorpiex MaaS botnet ransomware-delivery activity

Type: Malware Activity · Happening score: 28 · 1 unique source, 1 article

Summary


The Phorpiex botnet is being delivered through a high-volume phishing chain that can hand off to ransomware, increasing the risk of secondary payload delivery. The lure uses emails titled "Your Document" and weaponised Windows shortcut (.lnk) attachments to start execution. The chain launches cmd.exe and PowerShell to fetch the next-stage payload and install it as windrv.exe.

Related Happenings

ClickFix Windows Terminal Lumma Stealer campaign

Campaign
First: 06.03.2026 08:44 Last: 06.03.2026 08:44 Sources 1

About this happening: A **widespread ClickFix** campaign is abusing **Windows Terminal (wt.exe)** to run malicious commands and deploy **Lumma Stealer**, expanding the risk of credential theft and brow...

SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM multi-stage malware deployment

Malware Activity
First: 05.03.2026 14:01 Last: 05.03.2026 14:01 Sources 1

About this happening: A **Windows malware** set composed of **SPLITDROP**, **TWINTASK**, **TWINTALK**, and **GHOSTFORM** was deployed across **two infection chains**, expanding the operation’s command,...

OAuth-phished ZIP/LNK/PowerShell malware delivery chain

Malware Activity
First: 03.03.2026 11:20 Last: 03.03.2026 11:20 Sources 1

About this happening: **ZIP-delivered malware** now uses a **PowerShell** and **DLL side-loading** chain to infect Windows devices and reach an external **C2 server**, increasing the risk of follow-on...

RESTLEAF malware stack using Zoho WorkDrive C2 and removable media

Malware Activity
First: 27.02.2026 14:43 Last: 27.02.2026 14:43 Sources 1

About this happening: A **ScarCruft** malware stack built around **RESTLEAF** uses **Zoho WorkDrive** for C2 and **removable media** to reach **air-gapped systems**, expanding surveillance and exfiltra...

Latest development: 27.02.2026 21:21

APT37's Ruby Jumper campaign uses a malicious Windows shortcut file (LNK) and PowerShell to load RESTLEAF, then adds a Ruby-based loader, SNAKEDROPPER, plus THUMBSBD, VIRUSTASK, FOOTWINE, and BLUELIGHT to move data between internet-connected and air-gapped systems. The tooling relies on Zoho WorkDrive C2, installs a disguised Ruby 3.3.0 runtime as usbspeed.exe, modifies RubyGems operating_system.rb, and weaponizes removable drives to relay commands, stage files, exfiltrate data, and spread to new air-gapped machines.

ClickFix compromised-site MIMICRAT campaign

Campaign
First: 20.02.2026 13:55 Last: 20.02.2026 13:55 Sources 1

About this happening: The **ClickFix campaign** is abusing **compromised legitimate sites** to deliver the **MIMICRAT** remote access trojan through a **multi-stage infection chain**, widening risk acr...

Timeline

  1. 10.02.2026 18:00 · 2 articles

    Forcepoint details Phorpiex-to-Global Group phishing chain

    Technical Analysis Update

    Forcepoint describes a high-volume phishing campaign that uses emails with the subject line "Your Document" and weaponised Windows shortcut (.lnk) attachments to launch cmd.exe and PowerShell, fetch windrv.exe, and deploy Phorpiex-associated Global Group ransomware. The advisory says Global Group generates encryption keys locally, avoids C2 contact and data exfiltration, encrypts files with ChaCha20-Poly1305, appends .Reco, drops README.Reco.txt, changes the desktop wallpaper to a GLOBAL GROUP message, and deletes shadow copies and itself after execution.
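As an added defensive example (not from Forcepoint's advisory or from this page), the Python below runs two detections over constructed Sysmon-style process and file events: PowerShell launched by cmd.exe under explorer.exe (the shortcut double-click pattern) with windrv.exe on its command line, and a single process writing .Reco files or the README.Reco.txt note. The pids, paths and the redacted `<download stage>` placeholder in the sample events are constructed, not observed values.

```python
import json
from collections import Counter

# Constructed Sysmon-style telemetry; pids, paths and "<download stage>" are made up.
SAMPLE_EVENTS = r"""
{"type":"process","pid":100,"ppid":1,"image":"explorer.exe","cmdline":"explorer.exe"}
{"type":"process","pid":200,"ppid":100,"image":"cmd.exe","cmdline":"cmd.exe /c powershell -w hidden -c \"<download stage> -OutFile $env:TEMP\\windrv.exe\""}
{"type":"process","pid":300,"ppid":200,"image":"powershell.exe","cmdline":"powershell -w hidden -c \"<download stage> -OutFile $env:TEMP\\windrv.exe\""}
{"type":"process","pid":400,"ppid":300,"image":"windrv.exe","cmdline":"C:\\Users\\u\\AppData\\Local\\Temp\\windrv.exe"}
{"type":"file","pid":400,"path":"C:\\Users\\u\\Documents\\budget.xlsx.Reco"}
{"type":"file","pid":400,"path":"C:\\Users\\u\\Documents\\README.Reco.txt"}
{"type":"process","pid":500,"ppid":100,"image":"powershell.exe","cmdline":"powershell -c Get-Date"}
"""

def parse_events(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def ancestry(procs, pid, depth=3):
    """Image names of pid and its ancestors, nearest first, up to `depth` levels."""
    chain = []
    while pid in procs and len(chain) < depth:
        chain.append(procs[pid]["image"].lower())
        pid = procs[pid]["ppid"]
    return chain

def detect(events):
    """Return one finding string per suspicious process; empty list if nothing matches."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    # Rule 1: PowerShell spawned by cmd.exe under explorer.exe (LNK launch pattern)
    # with the reported second-stage name on its command line.
    for p in procs.values():
        if (ancestry(procs, p["pid"]) == ["powershell.exe", "cmd.exe", "explorer.exe"]
                and "windrv.exe" in p["cmdline"].lower()):
            findings.append(f"pid {p['pid']}: explorer>cmd>powershell staging windrv.exe")
    # Rule 2: one process producing .Reco files or the README.Reco.txt ransom note.
    reco_writes = Counter()
    for e in events:
        if e["type"] != "file":
            continue
        path = e["path"].lower()
        if path.endswith(".reco") or path.endswith("readme.reco.txt"):
            reco_writes[e["pid"]] += 1
    for pid, n in reco_writes.items():
        image = procs.get(pid, {}).get("image", "unknown")
        findings.append(f"pid {pid} ({image}): {n} Global Group encryption artefact(s) written")
    return findings
```

Running `detect(parse_events(SAMPLE_EVENTS))` flags pid 300 and pid 400 and leaves the unrelated PowerShell process (pid 500) alone; in production the same two rules would be fed from the EDR or Sysmon export rather than the embedded sample.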
