Phorpiex

Category: spam_bot · Aliases: trik, win32.phorpiex, phorpiex.a, phorpiex.b, trik_botnet · Sample count (EMBER 2018): 115 · Enrichment: expert-seo · Updated: 2026-06-09

Overview

Worm:Win32/Phorpiex (also known as Trik) is a massive, highly resilient botnet predominantly known for powering global spam campaigns, sextortion schemes, and distributing secondary malware payloads.

Understanding Phorpiex
To the average user, a Phorpiex infection might result in their email account being locked for sending spam, or their CPU spiking as the malware mines cryptocurrency. For threat researchers, Phorpiex is a formidable botnet infrastructure that has been active for over a decade. It operates as a multi-purpose malware-as-a-service, primarily monetized through massive email spam runs, clipboard hijacking (to steal cryptocurrency), and dropping ransomware (like GandCrab or Avaddon).

Execution and Evasion Strategies
Phorpiex spreads via multiple vectors: malicious spam attachments, exploit kits, and lateral movement via infected USB drives and open network shares. Once on a system, it establishes persistence by adding a shortcut to the Windows Startup folder or modifying the Run registry keys. It then contacts its C2 infrastructure to download the latest spam templates and a list of target email addresses. Phorpiex heavily utilizes Domain Generation Algorithms (DGA) or hardcoded IP arrays to maintain resilient C2 communications.

Indicators of Compromise (IoCs)
Incident responders should monitor network traffic for massive volumes of outbound SMTP connections (port 25) originating from client endpoints—a massive red flag for a spam botnet. Furthermore, investigators should audit the Windows clipboard for unexpected modifications (e.g., a Bitcoin address being dynamically swapped when a user copies it). High CPU utilization from dropped XMRig cryptominers is also a frequent secondary indicator.

Known aliases

Threat reports may refer to this family under multiple names:

MITRE ATT&CK Techniques

Observed techniques used by this family, mapped to the MITRE ATT&CK framework:

TechniqueNameTactic
T1566.001Phishing: Spearphishing AttachmentInitial Access
T1091Replication Through Removable MediaLateral Movement
T1115Clipboard DataCollection
T1496Resource HijackingImpact
T1568.002Dynamic Resolution: Domain Generation AlgorithmsCommand and Control

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_PHORPIEX {
    meta:
        description = "Detects Phorpiex (spam_bot)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "phorpiex" ascii wide nocase
        $s2 = "trik" ascii wide nocase
        $s3 = "win32.phorpiex" ascii wide nocase
        $s4 = "phorpiex.a" ascii wide nocase
        $s5 = "phorpiex.b" ascii wide nocase
        $s6 = "trik_botnet" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Phorpiex Activity
id: 9a756d7e2e3beebfcf7488306c1b0f31
status: experimental
description: Detects generic indicators of the phorpiex malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*phorpiex*"
            - "*trik*"
            - "*win32.phorpiex*"
            - "*phorpiex.a*"
            - "*phorpiex.b*"
            - "*trik_botnet*"
    condition: selection
level: medium

Containment & Response Steps

Ordered checklist for responders. Adapt to your environment and engage professional support for active incidents.

  1. Block outbound SMTP traffic (TCP port 25) at the perimeter firewall for all client workstations to neuter the spam botnet capabilities.
  2. Isolate the endpoint to prevent the lateral spread of the worm via network shares and USB drives.
  3. Deploy EDR to hunt for unexpected cryptomining processes (e.g., <code>cgminer.exe</code>, <code>xmrig.exe</code>) utilizing high CPU.
  4. Audit all email accounts associated with the user for signs of compromise, as Phorpiex harvests local Outlook credentials to send spam.

What to Avoid

Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.

  1. Do not ignore a Phorpiex infection as 'just a spam bot'; it is frequently used to drop highly destructive ransomware as a secondary payload.
  2. Avoid paying any sextortion demands generated by the Phorpiex botnet; these are automated scams based on leaked credential dumps, and the attackers do not possess compromising video.

References & External Analysis

Frequently Asked Questions

What is Phorpiex known for?

Spam and sextortion campaigns, USB-based spreading, and clipboard-hijacking to steal cryptocurrency.

How does Phorpiex spread?

Through removable drives and large spam campaigns.

What is a crypto clipper?

Malware that watches the clipboard and replaces a copied wallet address with the attacker's address to divert payments.

Related Families (Category: spam_bot)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/phorpiex.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.