Phorpiex "Your Document" phishing campaign
Campaign
Summary
Phorpiex is driving a high-volume phishing campaign that uses the lure "Your Document" and weaponised .lnk attachments to start a multi-stage infection chain. The operation matters because it converts a single click into initial access and can culminate in Global Group ransomware deployment across 2024 and 2025.
Related Happenings
Formbook phishing campaign using DLL sideloading and obfuscated JavaScript
Campaign
First: 20.04.2026 18:01
Last: 20.04.2026 18:01
Sources 1
About this happening:
The **Formbook** phishing operation is targeting **Windows** organizations across **Greece, Spain, Slovenia, Bosnia, Croatia** and **South America**, using **DLL sideloading** and...
Medusa ransomware post-compromise deployment
Malware Activity
First: 07.04.2026 09:35
Last: 07.04.2026 09:35
Sources 1
About this happening:
**Medusa ransomware** is being deployed rapidly after initial access, turning intrusions into fast-moving extortion events and shrinking defenders' response time. The malware acti...
Storm-1175 high-velocity zero-day and N-day intrusion campaign
Campaign
First: 07.04.2026 09:35
Last: 07.04.2026 09:35
Sources 1
About this happening:
**Storm-1175** is running a **high-velocity intrusion campaign** that chains **zero-day** and **N-day vulnerabilities** to gain initial access to exposed systems, raising the risk...
Hive0163 extortion and ransomware campaign using ClickFix and malvertising
Campaign
First: 12.03.2026 19:02
Last: 12.03.2026 19:02
Sources 1
About this happening:
Hive0163 is running an **active extortion and ransomware campaign** that expands access and raises the risk of **large-scale data exfiltration**. The operation uses **ClickFix**,...
InstallFix Claude Code malvertising campaign
Campaign
First: 06.03.2026 17:00
Last: 06.03.2026 17:00
Sources 1
About this happening:
**InstallFix** is being used in an active **malvertising** operation that pushes cloned **Claude Code** install pages and malicious CLI instructions, putting users who search for...
Timeline
10.02.2026 18:00 2 articles · 3mo ago
Forcepoint discloses Phorpiex "Your Document" phishing campaign
Initial Disclosure
Forcepoint identified a high-volume phishing campaign using emails with the subject line "Your Document" to deliver Phorpiex through weaponised Windows shortcut (.lnk) attachments, launch cmd.exe and PowerShell, fetch windrv.exe, and deploy Global Group ransomware. The campaign relied on double-extension shortcut files and disguised icons to help a single click trigger a multi-stage infection chain.
Sources:
- Phorpiex Phishing Delivers Low-Noise Global Group Ransomware — www.infosecurity-magazine.com — 10.02.2026 18:00