article featured image


Having been hijacked itself early last year, Phorpiex has recently raised major interest from Microsoft, since it has developed the capability of disabling Microsoft Defender Antivirus.

Check Point noted more than half a year ago that Phorpiex was distributing the new Avaddon cybersecurity service that was destined to be rented out to cybercrime groups to infect targets.

Phorpiex is one of the oldest and most persistent botnets and has been used by its creators for many years to distribute other malware payloads such as GandCrab and Avaddon ransomware, or for sextortion scams.


Since recently, when it has been found out that Phorpiex has the capacity to disable Microsoft Defender, Microsoft specialists looked more closely into the botnet and found out that it is “modifying registry keys to disable firewall and antivirus popups or functionality, overriding proxy and browser settings, setting the loader and executables to run at startup, and adding these executables to the authorized application lists.”

In order to prevent this, enterprise customers need to enable the tamper protection feature inside MS Defender for endpoint and Microsoft’s cloud-based advanced security feature that should be able to revert changes made by the bot automatically, without any human intervention.

Checkpoint states that Phorpiex was the second-largest botnet aside from the Emotet botnet in January this year. Emotet Botnet was decommissioned by law enforcement this year.

In a very short span of time – from Dec 20 to Feb 21 – the botnet was found in 160 countries – the highest level of encounters in Mexico and Kazakhstan and curiously with the US not even making the top 10.

The combination of the wide variety of infection vectors and outcomes makes the Phorpiex botnet appear chaotic at first glance. However, for many years Phorpiex has maintained a consistent internal infrastructure using similar domains, command-and-control (C2) mechanisms, and source code.

While the bot loader targets computers in Mexico and western Asia, its spam and extortion campaigns target multiple regions and languages.

We observed Phorpiex operators requiring payment primarily through Bitcoin and Dash. Examples of one such cryptocurrency profit volume from a campaign in late February 2021 targeting English-speaking users is below, with the subject ‘Payment from your account.


In only 10 days using social media and social engineering schemes over 13.000 US dollars have been paid into the threat actors’ accounts using either Dash or Bitcoin as a method of payment.

It looks like Phorpiex distributes the Avaddon ransomware, which “performs language and regional checks for Russia or Ukraine before running to ensure only favored regions are targeted.

Heimdal Official Logo
Neutralize ransomware before it can hit.

Heimdal™ Ransomware Encryption Protection

Specifically engineered to counter the number one security risk to any business – ransomware.
  • Blocks any unauthorized encryption attempts;
  • Detects ransomware regardless of signature;
  • Universal compatibility with any cybersecurity solution;
  • Full audit trail with stunning graphics;
Try it for FREE today 30-day Free Trial. Offer valid only for companies.

Avaddon usually demands 700 dollars in bitcoin and is more of an automated type of ransomware, different from HoK operated ransomware (hands-on-keyboard).

Author Profile

Dora Tudor

Cyber Security Enthusiast

linkedin icon

Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.

Leave a Reply

Your email address will not be published. Required fields are marked *