Forcepoint X-Labs researchers have identified a large Phorpiex botnet-aided phishing campaign that uses weaponized Windows shortcut files to deploy Global Group ransomware across victim systems.

The campaign, observed in late 2024 and continuing into 2026, leverages a common email lure, with the subject “Your Document”, to trick recipients into opening a malicious LNK attachment.

“By combining social engineering, stealthy execution, and Living-off-the-Land (LotL) techniques, the (.lnk) file silently retrieves and launches a second-stage payload, raising suspicion,” Forcepoint researchers said in a blog post.

Unlike many modern ransomware operations that rely on external command-and-control (C2) infrastructure, the Global Group payload executes locally once delivered, complicating detection and response efforts by traditional network-centric security controls, the researchers noted.

Weaponized LNK files

The infection chain begins with a user opening a shortcut file with a double extension, such as “Document.doc.lnk”. Because Windows hides file extensions by default, the file appears to the user as a legitimate document. The shortcut icon is also customized to resemble a Microsoft Word file to further reduce suspicion.

When executed, the .lnk file launches built-in Windows utilities, including cmd.exe and PowerShell, to retrieve and execute the next-stage payload. Because no exploit is involved, the technique can slip past security controls that focus on malicious documents or executable attachments.

Forcepoint noted that the commands embedded in the shortcut are heavily obfuscated and ultimately resolve to download the Global Group ransomware payload from attacker-controlled infrastructure. Once retrieved, the ransomware executes immediately.
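As an added example (not code from Forcepoint or from the campaign), the following Python parses the StringData of a Windows Shell Link file and flags the traits described above: a double extension, a target that is a built-in host binary such as cmd.exe or PowerShell, a minimized or hidden window, and a borrowed Word icon. The sample shortcut is constructed inside the script; the LOTL_HOSTS list and the placeholder command line are assumptions, not indicators from the report.

```python
import struct
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08   # LinkFlags bits 0-3
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80       # LinkFlags bits 4-7
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"), (HAS_WORKDIR, "working_dir"),
                 (HAS_ARGS, "arguments"), (HAS_ICON, "icon"))            # StringData order in the file
LOTL_HOSTS = ("cmd.exe", "powershell", "pwsh", "mshta", "wscript", "cscript", "rundll32")  # assumed list

def parse_lnk(data: bytes) -> dict:  # ShowCommand + StringData fields, per the MS-SHLLINK layout
    if len(data) < HEADER_SIZE or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    info = {"show_command": struct.unpack_from("<I", data, 0x3C)[0]}
    pos = HEADER_SIZE
    if flags & HAS_IDLIST:    # LinkTargetIDList: 2-byte IDListSize, then the item IDs
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:  # LinkInfo: 4-byte LinkInfoSize that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width, enc = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    for bit, key in STRING_FIELDS:  # each present field: 2-byte CountCharacters, then the characters
        if flags & bit:
            n = 2 + struct.unpack_from("<H", data, pos)[0] * width
            info[key] = data[pos + 2:pos + n].decode(enc)
            pos += n
    return info

def triage_attachment(filename: str, lnk: bytes) -> list:  # reasons the attachment matches the tradecraft
    reasons, parts = [], filename.lower().split(".")
    if parts[-1] == "lnk" and len(parts) > 2:
        reasons.append(f"double extension: Explorer shows it as .{parts[-2]}")
    info = parse_lnk(lnk)
    cmdline = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    if any(host in cmdline for host in LOTL_HOSTS):
        reasons.append("target is a Living-off-the-Land host binary")
    if info["show_command"] == 7 or "hidden" in cmdline:  # 7 = SW_SHOWMINNOACTIVE
        reasons.append("runs in a minimized or hidden window")
    if "winword" in info.get("icon", "").lower() and "winword" not in cmdline:
        reasons.append("borrows the Word icon but does not launch Word")
    return reasons

def build_lnk(relpath: str, args: str, icon: str, show: int = 7) -> bytes:  # constructed-sample builder
    hdr = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, HAS_RELPATH | HAS_ARGS | HAS_ICON | IS_UNICODE,
                      0, 0, 0, 0, 0, 0, show, 0, 0, 0, 0)   # attrs, 3 timestamps, size, icon index, show, reserved
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (relpath, args, icon))
    return hdr + body

SAMPLE = build_lnk(r"..\..\Windows\System32\cmd.exe",
                   '/c powershell.exe -WindowStyle Hidden "<obfuscated stage-2 loader placeholder>"',
                   r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE")
```

Running `triage_attachment("Document.doc.lnk", SAMPLE)` returns all four reasons for the constructed sample; a plain shortcut to a text file with a normal window returns none.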

Phorpiex as the distribution layer

Forcepoint attributed the email distribution in this campaign to the Phorpiex botnet, also known as Trik. Phorpiex has been operating for more than a decade and is known for maintaining a large global footprint capable of delivering spam at scale. In this campaign, infected systems within the botnet are used to send phishing emails directly, rather than relying on newly registered infrastructure.

The botnet’s role appears to be limited to delivery. Once a victim executes the malicious attachment, Phorpiex itself does not participate further in the intrusion chain.

“This campaign demonstrates how long-standing malware families like Phorpiex remain highly effective when paired with simple but reliable phishing techniques,” the researchers said. “By exploiting familiar file types such as Windows shortcut files, attackers can gain initial access with minimal friction, enabling a smooth transition to high-impact payloads like Global Group Ransomware.”

Global Group operates offline

Global Group ransomware, the final payload in the chain, was identified by Forcepoint as a successor to the Mamona ransomware family. The ransomware operates entirely offline. It generates its encryption keys locally and does not require communication with a remote server to complete file encryption.

According to the researchers, this design significantly limits network-based detection opportunities. “Despite the claims made in its ransom note, GLOBAL GROUP conducts no data exfiltration and is fully capable of executing in offline or air‑gapped environments,” they said. “This offline‑only design also increases its likelihood of evading detection in networks where monitoring efforts rely primarily on observing suspicious or anomalous traffic.”

During execution, Global Group encrypts user files using the “ChaCha20-Poly1305” algorithm and appends a new file extension. It also drops a ransom note instructing victims to contact the attackers through anonymized channels to obtain payment instructions. The researchers shared a list of indicators to support detection efforts. “This trend toward quiet, self-contained ransomware underscores the importance of prioritising endpoint behaviour monitoring over network activity alone,” they said.
