Resurgence of Phorpiex Twizt botnet with hybrid P2P-C2 model and cryptocurrency clipper payloads
Summary
A new variant of the Phorpiex (Trik) botnet, identified as Twizt, has evolved into a hybrid peer-to-peer (P2P) and HTTP polling command-and-control (C2) architecture using both TCP and UDP protocols, enabling resilience against takedowns. The malware primarily functions as a cryptocurrency clipper to reroute financial transactions, while also distributing sextortion spam, facilitating ransomware deployment (LockBit Black, Global), and exfiltrating sensitive data such as mnemonic phrases. Worm-like propagation occurs via removable and remote drives, alongside scanning for Local File Inclusion (LFI) vulnerabilities. The botnet maintains an average of 125,000 active infections daily, with the highest concentration of compromised hosts in Iran, Uzbekistan, China, Kazakhstan, and Pakistan.
Timeline
- 09.04.2026 15:57 · 1 article
Phorpiex Twizt variant deploys hybrid P2P-C2 model with cryptocurrency clipper payloads
A new Phorpiex (Trik) botnet variant, designated Twizt, has been observed utilizing a hybrid command-and-control architecture combining traditional HTTP polling with peer-to-peer (P2P) protocols over TCP and UDP. The malware serves as a conduit for encrypted payloads, cryptocurrency clipper functionality to reroute transactions, sextortion spam distribution, and ransomware deployment. Propagation occurs via removable and remote drives, with additional modules scanning for Local File Inclusion (LFI) vulnerabilities and exfiltrating sensitive data such as mnemonic phrases. The botnet maintains approximately 125,000 active infections daily, with geographic concentrations in Iran, Uzbekistan, China, Kazakhstan, and Pakistan.
Sources:
- ThreatsDay Bulletin: Hybrid P2P Botnet, 13-Year-Old Apache RCE and 18 More Stories — thehackernews.com — 09.04.2026 15:57
Information Snippets
- Phorpiex Twizt uses a hybrid C2 model combining HTTP polling with P2P protocols over TCP/UDP to ensure operational continuity despite server takedowns.
First reported: 09.04.2026 15:57 · 1 source, 1 article. Sources:
- ThreatsDay Bulletin: Hybrid P2P Botnet, 13-Year-Old Apache RCE and 18 More Stories — thehackernews.com — 09.04.2026 15:57
- The malware drops a cryptocurrency clipper that modifies wallet addresses copied to the clipboard, high-volume sextortion spam modules, and ransomware payloads such as LockBit Black and Global.
First reported: 09.04.2026 15:57 · 1 source, 1 article. Sources:
- ThreatsDay Bulletin: Hybrid P2P Botnet, 13-Year-Old Apache RCE and 18 More Stories — thehackernews.com — 09.04.2026 15:57
- Twizt exhibits worm-like behavior by spreading through removable and remote drives, and includes modules for exfiltrating mnemonic phrases and scanning for Local File Inclusion (LFI) vulnerabilities.
First reported: 09.04.2026 15:57 · 1 source, 1 article. Sources:
- ThreatsDay Bulletin: Hybrid P2P Botnet, 13-Year-Old Apache RCE and 18 More Stories — thehackernews.com — 09.04.2026 15:57
- The botnet averages 125,000 infections per day globally, with Iran, Uzbekistan, China, Kazakhstan, and Pakistan accounting for the highest infection rates.
First reported: 09.04.2026 15:57 · 1 source, 1 article. Sources:
- ThreatsDay Bulletin: Hybrid P2P Botnet, 13-Year-Old Apache RCE and 18 More Stories — thehackernews.com — 09.04.2026 15:57
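The clipper snippet above describes the core trick of this payload: a wallet address the user has just copied is silently replaced in the clipboard with a different one. As an added defender-side illustration, not taken from the bulletin or from any published Phorpiex analysis, the following Python sketches a detection heuristic over recorded clipboard writes: a write that swaps a just-copied wallet address for a different address of the same family, within a short window and from a process other than the one that copied it, is flagged. The `ClipboardEvent` record shape, the simplified address regexes (no checksum validation), the process IDs and the sample events are all constructed assumptions for the example; a real monitor would feed it events from a clipboard hook or an EDR clipboard telemetry source.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Simplified wallet-address patterns. Assumption: illustrative only, not
# exhaustive, and without checksum validation.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth":        re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


@dataclass
class ClipboardEvent:
    """One clipboard write as a monitor might record it (hypothetical shape)."""
    t: float    # seconds since monitoring started
    text: str   # clipboard content after the write
    pid: int    # process that performed the write


def address_kind(text: str) -> Optional[str]:
    """Return the address family `text` looks like, or None if it is not an address."""
    s = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return name
    return None


def detect_clipper(events: List[ClipboardEvent], window: float = 2.0) -> List[dict]:
    """Flag writes that replace a just-copied wallet address with a different
    address of the same family, within `window` seconds, from a process other
    than the one that copied it. A user re-copying a new address from the same
    application is deliberately not flagged; ordinary text resets the state."""
    alerts = []
    last: Optional[ClipboardEvent] = None
    last_kind: Optional[str] = None
    for ev in sorted(events, key=lambda e: e.t):
        kind = address_kind(ev.text)
        if (last is not None and kind is not None and kind == last_kind
                and ev.text.strip() != last.text.strip()
                and ev.t - last.t <= window
                and ev.pid != last.pid):
            alerts.append({
                "kind": kind,
                "original": last.text.strip(),
                "replacement": ev.text.strip(),
                "writer_pid": ev.pid,
                "delay": round(ev.t - last.t, 3),
            })
        # Remember only address writes; a non-address write clears the state.
        last, last_kind = (ev, kind) if kind else (None, None)
    return alerts


# Constructed sample clipboard history (addresses are made-up, not real wallets).
SAMPLE_EVENTS = [
    ClipboardEvent(0.00, "bc1qexampleuser00000000000000000000", pid=4242),   # user copies from a wallet app
    ClipboardEvent(0.25, "bc1qexampleattacker000000000000000", pid=9001),   # unknown process rewrites it
    ClipboardEvent(30.0, "meeting notes for thursday", pid=4242),           # ordinary text, resets state
    ClipboardEvent(45.0, "0x" + "11" * 20, pid=4242),                       # user copies an ETH address
    ClipboardEvent(45.4, "0x" + "22" * 20, pid=4242),                       # same app re-copies: not flagged
    ClipboardEvent(60.0, "0x" + "33" * 20, pid=9001),                       # other process, but outside window
]

if __name__ == "__main__":
    for alert in detect_clipper(SAMPLE_EVENTS):
        print(alert)
```

On the sample history only the second event is flagged: a different process overwrote a bech32 address with another bech32 address a quarter of a second after it was copied. The same-process and out-of-window cases are left alone on purpose; tune `window` and the process check to the telemetry you actually have, since a clipper that injects into the copying process itself would need a different signal, such as the write originating from a thread the application did not create.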