Researchers revealed a Phorpiex-distributed phishing campaign using malicious LNK files to deploy Global Group ransomware designed to operate entirely offline.

CSO Online offers insights into cybersecurity, risk management, and IT leadership, providing articles, reports, and expert analysis to help security professionals navigate the evolving threat landscape and protect their organizations from cyber attacks. By exploring CSO Online's curated content, CISOs, security managers, and IT executives can learn about threat intelligence, security frameworks, and incident response strategies for building resilient cybersecurity programs. Whether you're defending against ransomware, phishing attacks, or insider threats, CSO Online offers resources to strengthen your security posture and safeguard your digital assets.

CSO Online

Forcepoint X-Labs discovered a phishing campaign using the Phorpiex botnet to distribute malicious Windows shortcut (.lnk) files disguised as documents. When opened, these files use built-in Windows utilities to download and execute Global Group ransomware, which operates entirely offline without requiring command-and-control infrastructure. The ransomware encrypts files locally using ChaCha20-Poly1305 algorithm, making it harder to detect through traditional network monitoring. The campaign exploits Windows' default behavior of hiding file extensions and uses Living-off-the-Land techniques to evade security controls.

Windows shortcut weaponized in Phorpiex-linked ransomware campaign