type: technique | created: 2026-06-02 | updated: 2026-06-02 | tags: loader, initterm, msvcr90, peb-walking, persistence, research-target

Phorpiex loader initterm payload staging

What it does

Phorpiex droppers (observed in the dropped-by-phorpiex corpus) use the MSVCR90 C runtime initterm / initterm_e callback arrays to execute a non-trivial payload before main() is reached. The binary presents a decoy entry point (main()) that does nothing useful (e.g. it pops a fake error dialog), while the real behavior is hidden inside CRT initialization functions registered in the .rdata initterm table.

Detection / fingerprint

Indicators in the PE:

  1. initterm table in .rdata is non-empty; its addresses point to user-defined functions, not standard CRT helpers.
  2. Decoy main() is trivial — Sleep + MessageBox with a masquerade string ("Microsoft Screen Saver").
  3. Minimal IAT — no CreateProcess, VirtualAlloc, RegSetValue, WinExec in imports; payload uses runtime resolution.
  4. .rsrc icon abnormally large (> 50% of file size, entropy > 7.8) — payload blob masquerading as icon data.

Implementation patterns

  • MSVC9 static CRT linked (MSVCR90.dll import) ^[sample 755bed07/pefile.txt]
  • The initterm_e table in .rdata holds one or more function pointers and precedes the initterm table.
  • The function pointer at 0x401252 (observed in sample 755bed07) checks PE magic, validates IMAGE_NT_SIGNATURE, and appears to set up a secondary image context.

Defensive countermeasures

  • Monitor for PE files where .rsrc entropy > 7.5 and .rsrc size > 40% of total file size.
  • Hook LoadString, LoadIcon and LoadImage to catch unusually large resource reads in small binaries.
  • Static analysis: walk initterm tables and flag non-standard entries.
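As an added example (not code from the analysis corpus or from the sample), the two static checks above written as functions: the .rsrc entropy/size heuristic with the thresholds given here, and a parser over a 32-bit initterm pointer array that flags entries landing in .text which are not in an analyst-supplied set of known CRT helper addresses. The crt_helpers set is an assumed input, and all byte inputs are constructed.

```python
import math
import random
import struct

# Thresholds from the countermeasures above: .rsrc entropy > 7.5 and
# .rsrc size > 40% of the total file size.
RSRC_ENTROPY_MIN = 7.5
RSRC_RATIO_MIN = 0.40


def shannon_entropy(data: bytes) -> float:
    """Byte-wise Shannon entropy in bits (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def rsrc_blob_suspect(rsrc: bytes, file_size: int) -> bool:
    """True when .rsrc looks like a payload blob masquerading as icon data."""
    ratio = len(rsrc) / file_size
    return shannon_entropy(rsrc) > RSRC_ENTROPY_MIN and ratio > RSRC_RATIO_MIN


def initterm_user_entries(table: bytes, text_range: tuple, crt_helpers=frozenset()):
    """Parse a 32-bit initterm / initterm_e pointer array and return the
    non-null entries that land in .text but are not known CRT helpers.
    crt_helpers (assumed to be resolved by the analyst, e.g. from symbols)
    is the set of VAs belonging to standard CRT initializers."""
    lo, hi = text_range
    count = len(table) // 4
    ptrs = struct.unpack("<%dI" % count, table[: count * 4])
    return [p for p in ptrs if p and lo <= p < hi and p not in crt_helpers]


# Constructed inputs (not from the sample): a high-entropy 4 KiB blob
# standing in for the oversized "icon", and a benign low-entropy icon.
rng = random.Random(1)
PACKED_RSRC = bytes(rng.getrandbits(8) for _ in range(4096))
BENIGN_RSRC = b"\x00\x01" * 2048
FILE_SIZE = 6000

# Constructed .rdata fragment: two pointers into .text (one being the
# 0x401252 address noted above) followed by a null terminator.
TEXT_RANGE = (0x401000, 0x402000)
INITTERM_TABLE = struct.pack("<3I", 0x401252, 0x401100, 0)

if __name__ == "__main__":
    print("packed .rsrc suspect:", rsrc_blob_suspect(PACKED_RSRC, FILE_SIZE))
    print("benign .rsrc suspect:", rsrc_blob_suspect(BENIGN_RSRC, FILE_SIZE))
    print("user initterm entries:",
          [hex(p) for p in initterm_user_entries(INITTERM_TABLE, TEXT_RANGE, {0x401100})])
```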

Pages where observed

  • phorpiex — entity page for the family.
  • /intel/analyses/755bed077773b6cc7bea81ff624ded0554784accd5745d734742dafb73833b6b.html