Phorpiex Botnet Extortion: DNS Facts and Findings

The Phorpiex botnet has been operating for years now. It first focused on distributing old-school worms that spread via infected USB drives or through chats that relied on the Internet Relay Chat (IRC) protocol. Over the years, it has evolved to include a host of malicious activities that ranged from extortion and spamming to data exfiltration, ransomware attacks, and most recently, sextortion.


For those unfamiliar with sextortion, it is an attack in which the criminals threaten to distribute a victim’s private and sensitive materials unless the victim hands over sexual images, sexual favors, or money.


To help study and possibly avoid this threat, we expanded a publicly available list of indicators of compromise (IoCs) so that defenders can block access to as many related web properties as possible.


What Is Known So Far


At the time of the analysis, a total of 1,279 IP addresses connected to Phorpiex bots had been publicized by IBM X-Force Exchange, though the list continues to grow. Here are other interesting facts:


  • Phorpiex botnet activity spiked on 29 July 2021.

  • Almost 85% of Phorpiex botnet spam is sent on weekdays at around 12 a.m.

  • The actors behind the Phorpiex botnet extorted payments in the form of Bitcoins.

  • The Phorpiex operators are estimated to earn between US$50,000 and US$160,000 a day.

New Phorpiex Botnet Findings


While the botnet’s operators likely shut it down when its source code