LockBit Ransomware Goes Fully Automated via Phorpiex Botnet: A New Era in Cyber Threats

Listen to this Post

Featured Image

Introduction

In a stark reminder that cybercriminals are constantly evolving, security researchers have identified a new wave of LockBit ransomware attacks that no longer require manual intervention. This campaign utilizes the aging but still dangerous Phorpiex botnet (also known as Trik) to deploy ransomware automatically, eliminating the need for human operators. This shift in the threat landscape reflects how threat actors are refining their techniques to maximize reach while minimizing exposure. Cybereason Security Services has spotlighted this development, noting that automation may soon become the standard in ransomware operations.

A 30-Line Breakdown of the Automated LockBit Campaign

  • A new ransomware campaign has surfaced, employing Phorpiex (Trik) to deliver LockBit ransomware in an automated fashion.
  • Unlike past LockBit operations which involved human control for network navigation, this method skips lateral movement and directly infects endpoints.
  • The attackers use phishing emails containing ZIP files to initiate the infection chain.
  • These ZIP files include either SCR files (LockBit downloader) or LNK files (Phorpiex TWIZT variant).
  • Once executed, these files reach out to known C2 servers linked to the LockBit infrastructure.
  • Though no live connection was observed during analysis, behavior patterns confirm the LockBit signature.
  • Phorpiex variants have been active since the botnet’s source code was sold in 2021.
  • TWIZT and GandCrab downloader are the main Phorpiex variants seen in this campaign.
  • Infection begins by tricking users into opening malicious ZIP email attachments.
  • Malicious files install under standard Windows directories to avoid suspicion.
  • Once executed, the malware downloads LockBit or other payloads automatically.
  • It deletes evidence by removing Zone.Identifier metadata associated with the file.
  • Persistence is ensured by modifying the Windows registry and creating mutexes.
  • TWIZT also checks for a JPEG marker file to avoid re-infecting the same device.
  • The GandCrab variant includes anti-sandbox mechanisms to detect and evade analysis.
  • It also disables Windows Defender to allow unrestricted execution.
  • These adaptations make it harder for defenders to distinguish between automated malware and more sophisticated targeted attacks.
  • LockBit’s shift to automation may be a response to increased global enforcement actions.
  • In early 2024, Operation Cronos disrupted LockBit, but it appears the group has rebounded quickly.
  • By offloading tasks to botnets, LockBit affiliates minimize operational risks and timelines.
  • Automation accelerates attacks while keeping operators at arm’s length.
  • The combination of phishing and botnet deployment bridges traditional and modern cybercrime tactics.
  • This new tactic makes LockBit even more dangerous and harder to detect.
  • Researchers emphasize the importance of strong email security filtering.
  • Monitoring registry changes and tracking odd file downloads is critical.
  • Phishing remains the most effective entry vector—users must remain cautious.
  • Enterprises should revisit their incident response plans to include botnet-ransomware hybrids.
  • Endpoint Detection and Response (EDR) tools should be updated to detect Phorpiex and LockBit behaviors.
  • Cybersecurity teams must monitor legacy threats like Phorpiex, even if they seem outdated.
  • Old threats paired with new tactics are proving just as dangerous as fresh malware families.
  • LockBit’s evolution serves as a warning: automation in cybercrime is no longer theoretical—it’s operational.

What Undercode Say: A Deeper Look at the Campaign and Its Implications

This latest development in ransomware delivery mechanisms reflects a strategic shift from traditional manual compromise techniques toward scalable, automated attacks. By exploiting the long-standing Phorpiex botnet infrastructure, LockBit operators are effectively leveraging “malware-as-a-service” capabilities without exposing themselves to unnecessary risks. The automation seen in this campaign reveals a clear intention: speed, stealth, and scalability.

From a technical perspective, the use of phishing emails carrying ZIP files with different payloads (SCR or LNK files) shows that the attackers are tailoring their tactics depending on the desired infection pathway. This dual strategy also serves as a backup mechanism—if one variant fails, the other may still succeed. It’s an efficiency model borrowed straight from corporate systems, except weaponized.

The Phorpiex TWIZT variant adds a layer of infection control by using marker files and mutexes. This demonstrates that the malware authors are not only thinking about successful infections but are also planning for stability and efficiency—preventing repeat infections which might tip off defenders. On the other hand, the GandCrab variant introduces a clear evasion focus, with built-in sandbox detection and anti-analysis routines, as well as disabling native protections like Windows Defender. These capabilities signal professional-grade malware engineering.

The broader implication is chilling: LockBit is adapting in real-time. After global crackdowns—like Operation Cronos—many expected the group to fade into obscurity. Instead, LockBit has doubled down by decentralizing and automating, making attribution and takedown efforts significantly more difficult.

This blurs the once-clear line between commodity malware (mass phishing, botnets) and advanced persistent threats (custom payloads, manual lateral movement). Now, an infected home PC could receive a full-featured ransomware payload without ever interacting with a human adversary. This creates a scalable threat model that can target individuals, small businesses, and enterprises alike.

In practical terms, this means traditional security perimeters—email filters, antivirus software—are no longer enough. Security operations must pivot toward behavior-based detection, anomaly hunting, and proactive threat intelligence. This includes monitoring registry keys for persistence attempts, unusual mutex behavior, and changes in file metadata like Zone.Identifier flags.

The campaign also underscores the need for robust employee training. Social engineering remains the primary delivery method. No matter how advanced the payload is, it still relies on human error at the beginning. Educating users on phishing signs and securing email gateways can drastically reduce initial infection success rates.

Moreover, the use of repurposed botnets like Phorpiex indicates that cybercriminals are resourceful. They don’t always need new infrastructure—they can breathe new life into old tools. Security teams must resist the urge to de-prioritize older threats based on age alone.

In summary, this automated LockBit campaign is not an isolated experiment—it’s a sign of things to come. If automation becomes the norm, we can expect a wave of similar campaigns that blend legacy botnets with cutting-edge ransomware. The cybersecurity community must prepare now, or face being overwhelmed by the speed and volume of attacks that no longer require human hands to cause devastation.

Fact Checker Results

  • LockBit ransomware is indeed being distributed automatically via the Phorpiex botnet, according to multiple security sources.
  • Phorpiex’s variants like TWIZT and GandCrab remain active despite the botnet’s code being sold years ago.
  • The campaign highlights a real shift toward automated, scalable ransomware delivery that complicates detection and response.

References:

Reported By: www.infosecurity-magazine.com
Extra Source Hub:
https://www.pinterest.com
Wikipedia
Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram