
Malicious SCR file | Source: Cybereason
The Cybereason Security Services Team has uncovered a new attack campaign where the Phorpiex botnet is being used to automatically deliver and execute LockBit Black Ransomware (LockBit 3.0). Unlike previous LockBit attacks, which often relied on human operators, this method automates ransomware deployment, making attacks faster and harder to detect.
According to the Cybereason report, “Unlike the past LockBit ransomware incidents, the threat actors relied on Phorpiex to deliver and execute LockBit ransomware. This technique is unique as ransomware deployment usually consists of human operators conducting the attack.”
Phorpiex, also known as Trik, is a botnet active since 2010, previously used for spam campaigns, cryptocurrency mining, and malware distribution. Although its source code was sold in 2021, its successors appear to have made minimal changes to its core functionality.
“After the developers of Phorpiex sold the source code of the botnet back in 2021, the successors have likely not changed much of the code base of the malware.”
This new iteration of Phorpiex is now being leveraged by LockBit affiliates to distribute ransomware, proving that botnets remain a key tool for cybercriminals.
The infection flow starts with phishing emails containing malicious ZIP attachments. These emails originate from spoofed senders such as jenny@gsd[.]com and ebe6941ee8a10c14dc933ae37a0f43fc@gsd[.]com.
Once the malicious SCR file is executed, it:
1️⃣ Establishes a connection to 193.233.132[.]177, a Command-and-Control (C2) server.
2️⃣ Downloads the LockBit binary (lbbb.exe) to the %TEMP% directory.
3️⃣ Executes the ransomware payload to begin file encryption.
Unlike traditional ransomware, this version does not attempt lateral movement. Instead, it immediately executes LockBit, reducing the attack’s footprint and making detection harder.
“LockBit downloader variant of Phorpiex downloaded LockBit right away without expanding the infection area within the victim’s network.”
Phorpiex and LockBit employ multiple anti-detection strategies to evade security tools:
✅ Deletes URL Cache – Prevents forensic recovery of downloaded files.
✅ Obfuscates Function Calls – Uses encrypted library strings to avoid detection.
✅ Removes Zone.Identifier Metadata – Deletes the alternate data stream (Mark-of-the-Web) that records where a downloaded file came from, hiding the C2 origin from forensic review.
✅ Modifies Windows Registry – Ensures ransomware runs automatically at startup.
“The downloader ensures to delete the Zone.Identifier file in order to hide the trace and evidence of C2 metadata.” These methods allow persistent infections and ensure ransomware deployment without triggering security alerts.
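As an added illustration of how a defender might detect the chain described above (SCR parent launching an executable from %TEMP%, a connection to the reported C2 address, and a registry change for persistence), the following Python sketch runs three rules over constructed Sysmon-style events. It is not Cybereason's code or tooling; the event fields, the Run-key location and the sample events are assumptions, since the report only states that the registry is modified.

```python
"""Detection sketch for the Phorpiex -> LockBit chain summarised above.

Constructed, Sysmon-style events (not real telemetry) are matched against
three reported behaviours: an .scr parent launching an executable from
%TEMP%, a network connection to the reported C2, and a Run-key write
(the Run key is an assumption; the report only says the registry is modified).
"""
import re

C2_ADDRESS = "193.233.132.177"  # from the report
TEMP_EXE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)  # assumed persistence location

# Constructed sample events; fields loosely follow Sysmon Event IDs 1, 3 and 13.
EVENTS = [
    {"id": 1, "image": r"C:\Users\u\Downloads\invoice.scr", "parent": r"C:\Windows\explorer.exe"},
    {"id": 1, "image": r"C:\Users\u\AppData\Local\Temp\lbbb.exe", "parent": r"C:\Users\u\Downloads\invoice.scr"},
    {"id": 3, "image": r"C:\Users\u\AppData\Local\Temp\lbbb.exe", "dst_ip": "193.233.132.177", "dst_port": 80},
    {"id": 13, "image": r"C:\Users\u\AppData\Local\Temp\lbbb.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\lbbb"},
    {"id": 1, "image": r"C:\Program Files\Editor\editor.exe", "parent": r"C:\Windows\explorer.exe"},
]


def evaluate(events):
    """Return (rule_name, image) pairs; each rule maps to one reported behaviour."""
    hits = []
    for ev in events:
        image = ev.get("image", "")
        parent = ev.get("parent", "")
        if ev["id"] == 1 and parent.lower().endswith(".scr") and TEMP_EXE.search(image):
            hits.append(("scr_spawns_temp_exe", image))
        elif ev["id"] == 3 and ev.get("dst_ip") == C2_ADDRESS:
            hits.append(("known_c2_connection", image))
        elif ev["id"] == 13 and RUN_KEY.search(ev.get("target", "")) and TEMP_EXE.search(image):
            hits.append(("temp_exe_run_key_persistence", image))
    return hits


def score(events):
    """Number of distinct chain stages matched; two or more is a strong signal."""
    return len({rule for rule, _ in evaluate(events)})


if __name__ == "__main__":
    for rule, image in evaluate(EVENTS):
        print(f"{rule}: {image}")
    print("distinct stages matched:", score(EVENTS))
```

Zone.Identifier removal is not modelled here because deleting the stream does not produce a dedicated Sysmon event, whereas its creation at download time does (Event ID 15); correlating that event with a later execution whose stream is missing is the nearest proxy.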
The Phorpiex-LockBit collaboration signals a new evolution in ransomware tactics. By using botnets to automate deployment, threat actors can expand attack reach, reduce detection, and increase infection speed.