Cybercriminals put source code of Phorpiex malware, known for “sextortion” spam, up for sale

The cybercriminals behind the Phorpiex malware have shut down the botnet and put its source code up for sale on a dark web hacker forum.

The ad was posted by someone previously involved in running the botnet. The seller claims that neither of the malware's two authors is still involved with the botnet, which is why they decided to sell its source code.

“Since I am no longer working and my friend has left his job, I am here to offer the source code of Trick (name of developer) / Phorpiex (name of AV company) for sale,” the seller wrote in a forum ad spotted by the British company Cyjax.

Check Point researcher Alexey Bukhteyev confirmed to The Record that the ad is genuine. He analyzed the malware in 2019 and says its command-and-control (C&C) servers have now been inactive for almost two months.

Bukhteyev, who ran a fake Phorpiex bot to monitor the botnet's activity, said the last command it received from the server arrived on July 6, 2021, and was a “SelfDeletion” instruction.

He said the malware had never been offered for sale before.

Bukhteyev warned that even though Phorpiex's servers are offline, whoever buys the code can stand up new C&C servers and take over all previously infected systems. He says there are still many such systems (active bots), so existing infections remain a live risk until the hosts are actually cleaned, not merely because the original operators have walked away.

Phorpiex has a long history of turning a profit, mainly through its spam module and a feature that steals cryptocurrency. The spam module alone earned the malware's authors more than 115,000 dollars in 2019 from the classic “sextortion” scheme.

The cybercriminals also sold access to infected bots to ransomware gangs. The Avaddon ransomware group, which recently and allegedly voluntarily shut down its operation, used that route to attack corporate networks last year.

Whether Phorpiex will find a buyer is anyone's guess. The botnet also has a drawback that could put customers off: it was never particularly secure, and other cybercriminals repeatedly hijacked it to push their own payloads or to issue fake “uninstall” commands.



Source: Informacija.rs by www.informacija.rs (translated from the original article).
