The Unstoppable Phoenix: How the Phorpiex Botnet Was Reborn as a P2P Crypto-Thief
An ancient botnet, long relegated to the periphery of collective memory, has re-emerged with a lethality far exceeding previous estimations. The Phorpiex network, a fixture of the threat landscape since 2011, has not merely endured but has transmuted into a versatile instrument for large-scale incursions, extortion, and the illicit exfiltration of cryptocurrency.
Researchers at Bitsight Research have scrutinized the latest manifestations of Phorpiex, specifically the “Twizt” variant. Throughout its protracted existence, the botnet has undergone a profound metamorphosis, evolving from a rudimentary spam engine into a sophisticated distribution platform for malicious payloads. The architecture cleverly integrates traditional command-and-control servers with a peer-to-peer (P2P) protocol among compromised hosts, rendering the infrastructure nearly indestructible. Even should the central servers be dismantled, the infected nodes continue to propagate instructions amongst themselves.
The magnitude of the infection is staggering. Approximately 125,000 compromised devices are identified daily, with 70,000 actively participating in the P2P network. Over the past three months, these infected machines have surfaced from more than 1.7 million unique IP addresses, with a notable concentration in Iran, Uzbekistan, China, Kazakhstan, and Pakistan. This geographical distribution is intrinsically linked to the botnet’s primary monetization strategy: “clipper” attacks that surreptitiously substitute cryptocurrency wallet addresses within the system clipboard. Phorpiex perpetually monitors the clipboard; should it detect a wallet address, it instantaneously replaces it with an adversary’s address, drawing on a library of nearly 90 distinct wallets across various digital currencies.
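As an added defender-side illustration (not code from Bitsight's report), the following heuristic targets the clipboard-swap behaviour just described: it classifies clipboard writes by address family and flags a same-family replacement that lands within a short window of the user's own copy. The event format, the two-second window, the simplified address patterns and the sample clipboard log are all assumptions.

```python
import re
from dataclasses import dataclass

# Address families a clipper commonly targets; patterns are simplified (assumption).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def address_family(text):
    """Return the address family of a clipboard string, or None if not an address."""
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return family
    return None

@dataclass
class ClipboardEvent:
    ts: float   # seconds since monitor start (assumed log format)
    text: str   # clipboard contents after the write

def detect_clipper_swaps(events, window=2.0):
    """Flag consecutive writes where an address is replaced by a different address
    of the same family within `window` seconds (re-copies are not flagged)."""
    alerts = []
    for prev, cur in zip(events, events[1:]):
        family = address_family(prev.text)
        if family is None or address_family(cur.text) != family:
            continue
        if prev.text.strip() == cur.text.strip():
            continue  # same address copied again, not a substitution
        if cur.ts - prev.ts <= window:
            alerts.append({"ts": cur.ts, "family": family,
                           "original": prev.text.strip(),
                           "replacement": cur.text.strip()})
    return alerts

# Constructed sample clipboard log (not real telemetry).
SAMPLE_EVENTS = [
    ClipboardEvent(0.0, "invoice_march.pdf"),
    ClipboardEvent(10.0, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),
    ClipboardEvent(10.3, "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),  # replaced 0.3 s later
    ClipboardEvent(30.0, "0x" + "ab" * 20),
    ClipboardEvent(200.0, "0x" + "cd" * 20),  # user's own later copy, outside window
]

if __name__ == "__main__":
    for a in detect_clipper_swaps(SAMPLE_EVENTS):
        print(f"[{a['ts']:.1f}s] {a['family']} address replaced: {a['original']} -> {a['replacement']}")
```

On a live host the events would come from a clipboard-change hook; the same-family-within-seconds rule is the signal, since legitimate users rarely copy two different addresses of one currency back to back.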
Beyond the theft of digital assets, the botnet serves as a conduit for ransomware delivery. In the autumn of 2025, Phorpiex was leveraged to disseminate a version of LockBit Black. Infected machines received a loader that assessed whether the host was integrated into a corporate network or functioning as a server; if these criteria were met, the encryption payload was deployed. Similarly, in January 2026, operators initiated a campaign utilizing the “Global” ransomware variant, specifically targeting users within China. The malware geolocated the host through public network services, triggering encryption only on designated devices. This resulted in a precipitous decline in activity across 7,000 infected nodes—approximately 10% of the observed fleet.
Propagation is achieved through voluminous email campaigns featuring malicious attachments. Victims receive archives ostensibly containing documents, which actually conceal links to PowerShell commands. Upon execution, the system retrieves subsequent stages of the assault, culminating in the deployment of ransomware. A single campaign can encompass between 2 and 6 million email addresses. Concurrently, the botnet disseminates sextortion threats, claiming unauthorized access to the victim’s webcam and demanding a ransom of approximately 1,800 USD in Bitcoin.
Phorpiex exhibits worm-like characteristics, replicating itself onto removable media and network drives by masquerading as benign files. Furthermore, the code injects itself into other executable files to ensure persistence. To circumvent defenses, the malware adds itself to the Windows Firewall exclusion list and attempts to reconfigure home routers via automated protocols to permit unsolicited inbound connections, effectively transforming the compromised device into a functional component of the command infrastructure.
A defining attribute of the botnet is its resilience against hijacking. All commands and files are secured using public-key cryptography; without the adversaries’ private key, injecting unauthorized instructions into the network is virtually impossible. Despite its seniority, Phorpiex remains a dynamic and evolving threat. Its operators employ a cautious methodology, meticulously verifying the extent of infections before launching full-scale campaigns—a tactical prudence that ensures sustained control over the network while maximizing illicit dividends.