Phorpiex Phishing Campaign Delivers Global Group Ransomware
Summary
A high-volume phishing campaign using the Phorpiex malware has been observed delivering Global Group ransomware. The campaign employs emails with the subject line "Your Document" and weaponized Windows Shortcut (.lnk) files to initiate a multi-stage infection chain. The ransomware operates offline, generating encryption keys locally and avoiding command-and-control (C2) server communication, making it effective in isolated environments. The malware uses the ChaCha20-Poly1305 algorithm, appends the .Reco extension to encrypted files, and deletes itself after execution, complicating forensic analysis and recovery.
Timeline
- 10.02.2026 18:00 · 1 article
  Phorpiex Phishing Campaign Delivers Global Group Ransomware
  A high-volume phishing campaign using Phorpiex malware has been observed delivering Global Group ransomware. The campaign employs weaponized Windows Shortcut (.lnk) files to initiate a multi-stage infection chain. The ransomware operates offline, generating encryption keys locally and avoiding command-and-control (C2) server communication, making it effective in isolated environments. The malware uses the ChaCha20-Poly1305 algorithm, appends the .Reco extension, and deletes itself after execution, complicating forensic analysis and recovery.
  Source: Phorpiex Phishing Delivers Low-Noise Global Group Ransomware — www.infosecurity-magazine.com — 10.02.2026 18:00
Information Snippets
- The phishing campaign uses emails with the subject line "Your Document" and weaponized Windows Shortcut (.lnk) files.
  First reported: 10.02.2026 18:00 · 1 source, 1 article
  Source: Phorpiex Phishing Delivers Low-Noise Global Group Ransomware — www.infosecurity-magazine.com — 10.02.2026 18:00
- The shortcut files execute embedded commands via cmd.exe and PowerShell to download and execute a second-stage payload.
  First reported: 10.02.2026 18:00 · 1 source, 1 article
  Source: Phorpiex Phishing Delivers Low-Noise Global Group Ransomware — www.infosecurity-magazine.com — 10.02.2026 18:00
- The payload is associated with Phorpiex, a modular malware-as-a-service (MaaS) botnet active since around 2010.
  First reported: 10.02.2026 18:00 · 1 source, 1 article
  Source: Phorpiex Phishing Delivers Low-Noise Global Group Ransomware — www.infosecurity-magazine.com — 10.02.2026 18:00
- Phorpiex deploys Global Group ransomware, which operates entirely offline and generates encryption keys locally.
  First reported: 10.02.2026 18:00 · 1 source, 1 article
  Source: Phorpiex Phishing Delivers Low-Noise Global Group Ransomware — www.infosecurity-magazine.com — 10.02.2026 18:00
- The ransomware uses the ChaCha20-Poly1305 algorithm, appends the .Reco extension, and deletes itself after execution.
  First reported: 10.02.2026 18:00 · 1 source, 1 article
  Source: Phorpiex Phishing Delivers Low-Noise Global Group Ransomware — www.infosecurity-magazine.com — 10.02.2026 18:00
- The campaign demonstrates the continued effectiveness of Windows shortcut files as an initial access vector.
  First reported: 10.02.2026 18:00 · 1 source, 1 article
  Source: Phorpiex Phishing Delivers Low-Noise Global Group Ransomware — www.infosecurity-magazine.com — 10.02.2026 18:00
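Because the ransomware makes no C2 connection, detection has to rely on mail and host telemetry. The following triage sketch is an added example, not code from the source article: it correlates the three behaviours listed above (the "Your Document" .lnk lure, the cmd.exe to PowerShell download chain, and a burst of .Reco files). The event schema, host names, the explorer.exe ancestor and the burst threshold are assumptions made for illustration.

```python
import re
from collections import Counter

URL = re.compile(r"https?://", re.I)

def triage(events, burst=3):
    """Return sorted (host, finding) pairs for the behaviours the report names."""
    # Index process-creation events so parent/grandparent can be resolved.
    procs = {(e["host"], e["pid"]): e for e in events if e["kind"] == "proc"}
    reco, hits = Counter(), set()
    for e in events:
        if e["kind"] == "mail":
            lnk = any(a.lower().endswith(".lnk") for a in e["attachments"])
            if lnk and e["subject"].strip().lower() == "your document":
                hits.add((e["host"], "lnk-lure"))
        elif e["kind"] == "proc" and e["image"].lower() == "powershell.exe":
            parent = procs.get((e["host"], e["ppid"]))
            grand = procs.get((e["host"], parent["ppid"])) if parent else None
            # Assumption: a user-opened shortcut runs under explorer.exe.
            if (parent and parent["image"].lower() == "cmd.exe"
                    and grand and grand["image"].lower() == "explorer.exe"
                    and URL.search(e["cmdline"])):
                hits.add((e["host"], "lnk-chain"))
        elif e["kind"] == "file" and e["path"].lower().endswith(".reco"):
            reco[e["host"]] += 1
    # A single .Reco file is weak evidence; require a burst per host.
    hits.update((h, "reco-burst") for h, n in reco.items() if n >= burst)
    return sorted(hits)

# Constructed sample telemetry: hosts, pids, paths and command lines are invented.
SAMPLE = [
    {"kind": "mail", "host": "ws1", "subject": "Your Document", "attachments": ["Document.doc.lnk"]},
    {"kind": "mail", "host": "ws2", "subject": "Your Document", "attachments": ["invoice.pdf"]},
    {"kind": "proc", "host": "ws1", "pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"kind": "proc", "host": "ws1", "pid": 200, "ppid": 100, "image": "cmd.exe", "cmdline": "cmd.exe /c <elided>"},
    {"kind": "proc", "host": "ws1", "pid": 300, "ppid": 200, "image": "powershell.exe",
     "cmdline": "powershell.exe <elided> http://example.invalid/stage2"},
    {"kind": "proc", "host": "ws2", "pid": 10, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"kind": "proc", "host": "ws2", "pid": 20, "ppid": 10, "image": "cmd.exe", "cmdline": "cmd.exe"},
    {"kind": "proc", "host": "ws2", "pid": 30, "ppid": 20, "image": "powershell.exe", "cmdline": "powershell.exe Get-Date"},
    {"kind": "file", "host": "ws1", "path": r"C:\Users\a\Documents\q1.xlsx.Reco"},
    {"kind": "file", "host": "ws1", "path": r"C:\Users\a\Documents\q2.xlsx.Reco"},
    {"kind": "file", "host": "ws1", "path": r"C:\Users\a\Desktop\notes.txt.Reco"},
    {"kind": "file", "host": "ws2", "path": r"C:\Temp\sample.Reco"},
]

if __name__ == "__main__":
    for host, finding in triage(SAMPLE):
        print(host, finding)
```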