They're finding new ways to deliver ransomware and other threats, and sometimes, by moving in the other direction and going decidedly Old School. Recently, this has included the use of worm-like functionality to replicate itself far and wide.
Of interest, Phorpiex itself came under attack back in the early part of 2020, when an unknown attacker hijacked it on the back end and started uninstalling the modules that allowed the botnet to spam copies of its malicious payload.
According to the security firm Check Point, one of the more common payloads associated with Phorpiex is the Avaddon ransomware, which is widely used because it's a "ransomware as a service," which means it gets rented out to other hackers, allowing it to infect an even wider range of targets.
As Check Point analysts note:
"Phorpiex is one of the oldest and most persistent botnets, and has been used by its creators for many years to distribute other malware payloads such as GandCrab and Avaddon ransomware, or for sextortion scams."
In recent months, the botnet has found its way onto Microsoft's radar. Its controllers have tweaked it so that it modifies Windows registry keys in order to disable antivirus and firewall popups and override browser settings, which makes it more difficult to detect and stop.
Enterprise clients have the ability to circumvent these shenanigans by enabling Tamper Protection in Microsoft Defender for Endpoint, but home users aren't so lucky.
Based on Check Point's statistics, Phorpiex is currently the largest botnet in existence. Since law enforcement recently defanged the dreaded Emotet botnet, and researchers have tracked its activities across more than 160 different countries, giving it a truly global reach. Stay alert for this one. It's a legitimate threat that can hit you no matter where you are, or where you do business.