Worm:Win32/Phorpiex (also known as Trik) is a massive, highly resilient botnet predominantly known for powering global spam campaigns, sextortion schemes, and distributing secondary malware payloads.
Understanding Phorpiex
To the average user, a Phorpiex infection might result in their email account being locked for sending spam, or their CPU spiking as the malware mines cryptocurrency. For threat researchers, Phorpiex is a formidable botnet infrastructure that has been active for over a decade. It operates as a multi-purpose malware-as-a-service, primarily monetized through massive email spam runs, clipboard hijacking (to steal cryptocurrency), and dropping ransomware (like GandCrab or Avaddon).
Execution and Evasion Strategies
Phorpiex spreads via multiple vectors: malicious spam attachments, exploit kits, and lateral movement via infected USB drives and open network shares. Once on a system, it establishes persistence by adding a shortcut to the Windows Startup folder or modifying the Run registry keys. It then contacts its C2 infrastructure to download the latest spam templates and a list of target email addresses. Phorpiex heavily utilizes Domain Generation Algorithms (DGA) or hardcoded IP arrays to maintain resilient C2 communications.
Indicators of Compromise (IoCs)
Incident responders should monitor network traffic for massive volumes of outbound SMTP connections (port 25) originating from client endpoints—a massive red flag for a spam botnet. Furthermore, investigators should audit the Windows clipboard for unexpected modifications (e.g., a Bitcoin address being dynamically swapped when a user copies it). High CPU utilization from dropped XMRig cryptominers is also a frequent secondary indicator.
Threat reports may refer to this family under multiple names:
Observed techniques used by this family, mapped to the MITRE ATT&CK framework:
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_PHORPIEX {
meta:
description = "Detects Phorpiex (spam_bot)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "phorpiex" ascii wide nocase
$s2 = "trik" ascii wide nocase
$s3 = "win32.phorpiex" ascii wide nocase
$s4 = "phorpiex.a" ascii wide nocase
$s5 = "phorpiex.b" ascii wide nocase
$s6 = "trik_botnet" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Phorpiex Activity
id: 9a756d7e2e3beebfcf7488306c1b0f31
status: experimental
description: Detects generic indicators of the phorpiex malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*phorpiex*"
- "*trik*"
- "*win32.phorpiex*"
- "*phorpiex.a*"
- "*phorpiex.b*"
- "*trik_botnet*"
condition: selection
level: mediumOrdered checklist for responders. Adapt to your environment and engage professional support for active incidents.
Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.
Spam and sextortion campaigns, USB-based spreading, and clipboard-hijacking to steal cryptocurrency.
Through removable drives and large spam campaigns.
Malware that watches the clipboard and replaces a copied wallet address with the attacker's address to divert payments.
Explore other malware families in the same category:
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/phorpiex.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.