type: entity | family: phorpiex | confidence: medium | created: 2026-06-02 | updated: 2026-06-07 | tags: malware-family, loader, malware-bazaar, attribution

Phorpiex

A crimeware botnet/dropper family active since at least 2016. Known to distribute ransomware, cryptocurrency miners, and other commodity payloads via spam campaigns. The label originates from MalwareBazaar/OpenCTI where multiple samples are tagged dropped-by-phorpiex. The family label itself is an umbrella: samples vary widely in size (10–300 KB), build toolchain, and payload (static-only analysis shows this is not a single-codebase cluster).

Observed Build Patterns

  • MSVC C++ x32 stubs linked statically against MSVCR90.dll, mimicking Microsoft Screen Saver binaries ^[/intel/analyses/755bed077773b6cc7bea81ff624ded0554784accd5745d734742dafb73833b6b.html]
  • Go droppers with packed UPX overlays (observed in sibling dropped-by-phorpiex samples)
  • Minimal IAT — only a handful of KERNEL32 and MSVCR90 imports; actual payload imported via runtime resolution or reflective injection

Observed Deploy / ATT&CK

  • T1204.002 — User Execution: Malicious File — spam-distributed PEs with social-engineered names
  • T1053 — Scheduled Task/Job (inferred from historical reporting for Phorpiex)
  • Payload delivery mechanism: runtime-decoded shellcode or PE via phorpiex-loader-initterm-hijack ^[/intel/analyses/755bed077773b6cc7bea81ff624ded0554784accd5745d734742dafb73833b6b.html]
  • New variant: cplapplet-png-payload-dropper — x64 CPlApplet that expects a payload.png companion file, decrypts/decompresses a second-stage DLL, self-erases, and executes. May 2026 build.

Capabilities

  • initterm-hijack-payload-decoder
  • anti-debug-isdebuggerpresent
  • iat-minimization-runtime-api-resolution
  • screensaver-masquerade
  • msvcr90-static-crt
  • zip-header-manual-assembly
  • smtp-self-spoofing
  • http-chrome-ua-downloader
  • sextortion-email-template
  • bitcoin-wallet-hardcoded
  • thread-storm-spam-delivery
  • xor-not-string-decryption
  • dns-mx-resolution
  • mime-multipart-zip-attachment
  • external-ip-http-check
  • temp-file-spam-staging
  • zone-identifier-deletion
  • mutex-single-instance
  • cplapplet-png-payload-dropper (new x64 variant, May 2026)
  • api-name-xor-decryption
  • custom-byte-pair-decompression
  • self-text-erasure
  • gettickcount-anti-emulation-loop
  • marker-file-mutex-gating
  • wininet-urlmon-dual-download
  • createprocessw-create_no_window
  • rtlgversion-build-gating
  • x64-arch-check-progfiles-x86
  • sextortion-500-usd-variant (May 2026; earliest cluster build)
  • sextortion-1200-usd-variant (May 2026; standard cluster build)
  • chrome-outdated-user-agent

Notable Analyses

  1. x32 MSVC9 stub / MSVCR90 dropper (e.g. 755bed07) — 21 KB, pre-main payload through initterm, masquerades as Microsoft Screen Saver
  2. Go/UPX droppers (siblings in corpus) — much larger, UPX-packed
  3. Sextortion spam bot — $500 variant (bb77ef06) — 19 KB, earliest May-22 campaign build (13:05 UTC), mutex efaefaef, hardcoded BTC 1NXeVuYtcVwJ1do2EUS6qJS8FQSPFabxeE, Chrome/202 UA, $500 ransom demand. Precedes the $1200 builds by ~4 hours. ^[/intel/analyses/bb77ef06de83dc5e450572c04f69224c44786bda5eadc9e7a698dc4ef1445edf.html]
  4. Sextortion spam bot — $1200 variant (e.g. 150e4652) — 23 KB, self-contained SMTP engine + ZIP constructor + hardcoded BTC wallet
  5. Sextortion spam bot sibling (e.g. 17960bcb) — 24 KB, same build day, identical payload architecture, mutex ww88ww8w8
  6. Thin HTTP downloader (6b8527a7) — 10 KB, MSVC9, dual WinInet+URLMon fetch, marker-file gating, Zone.Identifier deletion, x64+build gating for xmr.exe/xmrget.exe. No initterm hijack; honest main() flow. Compiled 2026-05-22 16:56 UTC.
  7. Thin HTTP downloader sibling (025f5798) — 10 KB, confirmed campaign sibling compiled 3h51m earlier (2026-05-22 13:06 UTC). Same C2 (178.16.54.109), same gating, same dual-fetch. Delta: omits 15.exe payload present in later build.

Notes

No deep-analysis report existed for any dropped-by-phorpiex sample in the corpus prior to this one. The label aggregates disparate builders under a single campaign umbrella. Individual samples should be characterized by their actual build/behavior rather than by the umbrella label alone.

Related Analyses

  • /intel/analyses/150e46523ae4a3e90ce949f15630b2f07d475d3a781188301edded1d527f03af.html — sextortion spam bot with SMTP engine, ZIP constructor, and hardcoded BTC wallet
  • /intel/analyses/755bed077773b6cc7bea81ff624ded0554784accd5745d734742dafb73833b6b.html — screensaver masquerade stub with .rsrc payload staging
  • /intel/analyses/17960bcb0d7fe57fac3a286fe7e8ba9b53783fdd53a2ef1132ae4d302d2c18f3.html — sextortion spam bot sibling (same build timestamp)