<h1>Windows shortcut weaponized in Phorpiex-linked ransomware campaign</h1>
<p>Published 2026-02-10 at <a href="https://newestek.com/?p=15768">newestek.com</a>.</p>
<p>Forcepoint X-Labs researchers have identified a large Phorpiex botnet-aided phishing campaign that uses weaponized Windows shortcut files to deploy Global Group ransomware across victim systems.</p>
<p>The campaign, observed in late 2024 and continuing into 2026, leverages a common email lure with the subject “Your Document” to trick recipients into opening a malicious <a href="https://www.csoonline.com/article/574425/attackers-move-away-from-office-macros-to-lnk-files-for-malware-delivery.html" target="_blank">LNK</a> attachment.</p>
<p>“By combining social engineering, stealthy execution, and Living-off-the-Land (LotL) techniques, the (.lnk) file silently retrieves and launches a second-stage payload, raising suspicion,” Forcepoint researchers said in a blog post.</p>
<p>Unlike many modern ransomware operations that rely on external command-and-control (C2) infrastructure, the Global Group payload executes locally once delivered, which complicates detection and response by traditional network-centric security controls, the researchers noted.</p>
<h2>Weaponized LNK files</h2>
<p>The infection chain begins with a user opening a shortcut file with a double extension, such as “Document.doc.lnk”. Because Windows hides file extensions by default, the file appears to the user as a legitimate document. The shortcut icon is also customized to resemble a Microsoft Word file to further reduce suspicion.</p>
<p>When executed, the .lnk file launches built-in Windows utilities, including cmd.exe and PowerShell, to retrieve and execute the next-stage payload. Because no exploit is involved, this approach lets attackers bypass security controls that focus on malicious documents or executable attachments.</p>
<p>Forcepoint noted that the commands embedded in the shortcut are heavily obfuscated and ultimately resolve to download the Global Group ransomware payload from attacker-controlled infrastructure. Once retrieved, the ransomware executes immediately.</p>
<h2>Phorpiex as the distribution layer</h2>
<p>Forcepoint attributed the email distribution in this campaign to the Phorpiex botnet, also known as Trik. Phorpiex has <a href="https://digital.nhs.uk/cyber-alerts/2018/cc-2484" target="_blank" rel="noreferrer noopener">been operating</a> for more than a decade and is known for maintaining a large global footprint capable of delivering spam at scale. In this campaign, infected systems within the botnet are used to send phishing emails directly, rather than relying on newly registered infrastructure.</p>
<p>The botnet’s role appears limited to delivery. Once a victim executes the malicious attachment, Phorpiex itself does not participate further in the intrusion chain.</p>
<p>“This campaign demonstrates how long-standing malware families like Phorpiex remain highly effective when paired with simple but reliable phishing techniques,” the researchers said. “By exploiting familiar file types such as <a href="https://www.csoonline.com/article/4101085/windows-shortcuts-use-as-a-vector-for-malware-may-be-cut-short.html">Windows shortcut</a> files, attackers can gain initial access with minimal friction, enabling a smooth transition to high-impact payloads like Global Group Ransomware.”</p>
<h2>Global Group operates offline</h2>
<p><a href="https://blog.eclecticiq.com/global-group-emerging-ransomware-as-a-service" target="_blank" rel="noreferrer noopener">Global Group</a> ransomware, the final payload in the chain, was identified by Forcepoint as a successor to the <a href="https://medium.com/@anyrun/mamona-technical-analysis-of-a-new-ransomware-strain-d14ec6600b09" target="_blank" rel="noreferrer noopener">Mamona</a> ransomware family. The ransomware operates entirely offline: it generates its encryption keys locally and does not require communication with a remote server to complete file encryption.</p>
<p>According to the researchers, this design significantly limits network-based detection opportunities. “Despite the claims made in its ransom note, GLOBAL GROUP conducts no data exfiltration and is fully capable of executing in offline or air-gapped environments,” they said. “This offline-only design also increases its likelihood of evading detection in networks where monitoring efforts rely primarily on observing suspicious or anomalous traffic.”</p>
<p>During execution, Global Group encrypts user files using the ChaCha20-Poly1305 algorithm and appends a new file extension. It also drops a ransom note instructing victims to contact the attackers through anonymized channels to obtain payment instructions. The researchers shared a list of indicators to support detection efforts. “This trend toward quiet, self-contained ransomware underscores the importance of prioritising endpoint behaviour monitoring over network activity alone,” they said.</p>