
A new ransomware campaign featuring an automated deployment of LockBit ransomware via the Phorpiex botnet has been uncovered.
According to Cybereason Security Services, this marks a shift in how threat actors leverage botnets: automated distribution takes the place of the traditional human-operated ransomware intrusion.
What’s New in the Attack Chain
Unlike previous LockBit incidents, this campaign used Phorpiex, also known as Trik, to deliver and execute the ransomware automatically.
Typically, LockBit attacks involve manual control to expand reach within networks. This latest method skipped lateral movement and deployed LockBit directly to infected machines.
Cybereason found that the attackers used phishing emails with ZIP attachments to initiate infections. Depending on the variant, these ZIP files contained either SCR files for the LockBit downloader or LNK files for the Phorpiex TWIZT variant.
The cybersecurity team also observed the LockBit downloader attempting to contact a known command-and-control (C2) server, which previously hosted the ransomware binary. While no successful connection was seen at the time of analysis, the binary’s behavior aligned with LockBit’s known methods.
How Phorpiex Variants Operate
Phorpiex has maintained much of its original structure since its source code was sold in 2021. Across its variants – including TWIZT and a GandCrab downloader – it follows a consistent pattern:
- Infection begins via phishing emails with malicious ZIP attachments
- Files are dropped and executed under standard Windows directories
- LockBit or other payloads are downloaded and executed
- Evidence, such as Zone.Identifier metadata, is deleted
- Persistence is maintained via Windows registry keys
In particular, the TWIZT variant checks for a JPEG marker file to avoid reinfection and creates a mutex to prevent multiple infections on the same host.
The GandCrab variant adds anti-analysis features, terminating itself if sandbox-related modules are detected, and disables Windows Defender protections.
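The five-step pattern above lends itself to a simple endpoint correlation rule. The following is an added example written for this summary, not code from Cybereason or from the report; the event schema (file_create, stream_delete, registry_set) and the sample telemetry are constructed, and it treats deletion of the Zone.Identifier stream as the "evidence deleted" step and a Run-key value as the registry persistence step.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
RUN_KEYS = ("\\software\\microsoft\\windows\\currentversion\\run",)

# Constructed sample telemetry (not real indicators): ws1 shows the chain, ws2 is benign.
SAMPLE_EVENTS = [
    {"ts": "2025-05-01T10:00:05", "host": "ws1", "type": "file_create",
     "path": "C:\\Users\\a\\AppData\\Local\\Temp\\invoice.exe"},
    {"ts": "2025-05-01T10:00:07", "host": "ws1", "type": "stream_delete",
     "path": "C:\\Users\\a\\AppData\\Local\\Temp\\invoice.exe:Zone.Identifier"},
    {"ts": "2025-05-01T10:00:09", "host": "ws1", "type": "registry_set",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "value": "C:\\Users\\a\\AppData\\Local\\Temp\\invoice.exe"},
    {"ts": "2025-05-01T11:30:00", "host": "ws2", "type": "file_create",
     "path": "C:\\Users\\b\\Downloads\\report.pdf"},
]

def _artifact(ev):
    """Return the on-disk file an event refers to, with any ADS suffix stripped."""
    path = ev["value"] if ev["type"] == "registry_set" else ev["path"]
    return path.lower().removesuffix(":zone.identifier")

def _stage(ev):
    """Map a raw event onto one stage of the described chain, or None if irrelevant."""
    if ev["type"] == "file_create" and ev["path"].lower().endswith((".exe", ".scr", ".lnk")):
        return "dropped_executable"
    if ev["type"] == "stream_delete" and ev["path"].lower().endswith(":zone.identifier"):
        return "motw_removed"
    if ev["type"] == "registry_set" and any(k in ev["key"].lower() for k in RUN_KEYS):
        return "run_key_persistence"
    return None

def correlate(events, window=WINDOW, min_stages=2):
    """Group stage hits per (host, file) and alert when enough stages fall inside `window`."""
    hits = defaultdict(list)
    for ev in events:
        stage = _stage(ev)
        if stage:
            hits[(ev["host"], _artifact(ev))].append((datetime.fromisoformat(ev["ts"]), stage))
    alerts = []
    for (host, path), seen in hits.items():
        seen.sort()
        stages = {s for t, s in seen if t - seen[0][0] <= window}
        if len(stages) >= min_stages:
            alerts.append({"host": host, "file": path, "stages": sorted(stages)})
    return alerts
```

Tune `min_stages` and `window` to the environment; a single Run-key write is routine, but the same file being dropped, stripped of its Zone.Identifier stream and registered for persistence within minutes is the sequence the report describes.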
Implications for the Threat Landscape
This campaign illustrates how ransomware groups like LockBit are adapting their strategies post-crackdown.
Despite global law enforcement efforts in early 2024 to dismantle LockBit through Operation Cronos, the group remains operational and continues to innovate.
By adopting automated, botnet-driven distribution tactics, LockBit affiliates reduce the time and risk associated with manual intrusions.
This approach also complicates detection efforts, as it blurs the lines between commodity malware and targeted ransomware operations.
Security researchers recommend heightened email security measures and vigilant monitoring of registry changes and unusual file downloads to defend against such attacks.