Phorpiex Botnet Evolves with Twizt for Peer-to-Peer Operations

December 22, 2021

Phorpiex, an old threat known since 2016, was initially an IRC-controlled bot, also known as Trik.

In 2018-2019, Phorpiex moved to a modular architecture, replacing the IRC bot with Tldr, a loader controlled over HTTP, which became the core of the Phorpiex botnet infrastructure.

According to Check Point’s 2019 Phorpiex Breakdown research report, over 1,000,000 computers were estimated to be infected with Tldr.

Notorious Activities of Phorpiex

Phorpiex is infamous for its involvement in:

  • Massive sextortion spam campaigns
  • Crypto-jacking (cryptocurrency mining on infected machines)
  • Spreading ransomware
  • Cryptocurrency clipping (hijacking cryptocurrency transactions by replacing wallet addresses in the clipboard with the attacker's own)

Decline and Shutdown in 2021

During the summer of 2021, the activity of Phorpiex command and control servers (C&C) declined sharply.

  • July 2021: The C&C servers were shut down, and no activity was observed for about two months.
  • August 27, 2021: An announcement was spotted on an underground forum, allegedly from the botnet owners, stating that they were going out of business and selling the source code.

Ownership and Possible Sale of Phorpiex

The forum announcement implied that the botnet was developed and controlled by two individuals.

  • Check Point could not confirm whether the botnet was actually sold.
  • However, less than two weeks after the announcement, the C&C servers reappeared at another IP address (185.215.113[.]66) in the same subnet.
  • Later, the botnet switched to 185.215.113[.]84.

Emergence of Twizt: A New Evolution

Simultaneously, the C&C servers began distributing a previously unknown bot, dubbed “Twizt”.

Key Features of Twizt

  • Peer-to-peer operation: Unlike its predecessor, Twizt does not need active C&C servers to receive commands.
  • Decentralized control: Each infected computer can act as a server, relaying commands to other bots in a chain.
  • Router reconfiguration:
    • Many infected computers sit behind NAT routers and have no external IP address, so other bots cannot reach them directly.
    • Twizt reconfigures home routers that support UPnP, setting up a port mapping so that the infected host can receive incoming connections.
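Reaching a bot behind NAT depends on the router honouring a UPnP AddPortMapping request, which is also what makes this behaviour detectable on the LAN. The following added example (not code from the article or from Check Point) parses such requests captured on a LAN and flags the ones a workstation should not be making. The SOAP layout follows the UPnP WANIPConnection:1 / WANPPPConnection:1 service definitions; the sample requests, addresses, ports and the allowlist are constructed assumptions, not observed Twizt traffic.

```python
"""Audit UPnP IGD AddPortMapping requests captured on a LAN.

Added example, not code from the original article or from Check Point.
Any UPnP client that wants inbound reachability behind NAT (a bot included)
must send this SOAP request to the router. Hosts, ports and descriptions in
the samples are constructed assumptions, not observed Twizt traffic.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Tuple

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WAN_SERVICES = (  # the two IGD services that implement AddPortMapping
    "urn:schemas-upnp-org:service:WANIPConnection:1",
    "urn:schemas-upnp-org:service:WANPPPConnection:1",
)

@dataclass
class PortMapping:
    requester: str        # LAN address that sent the SOAP request
    protocol: str         # "TCP" or "UDP"
    external_port: int    # port opened on the router's WAN side
    internal_port: int    # port on the LAN host traffic is forwarded to
    internal_client: str  # that LAN host
    description: str
    lease_seconds: int    # 0 means the mapping never expires

def parse_add_port_mapping(requester: str, request: str) -> Optional[PortMapping]:
    """Return the mapping requested by one raw HTTP POST, or None if it is not one."""
    headers, sep, body = request.partition("\r\n\r\n")
    if not sep or "#AddPortMapping" not in headers:
        return None
    root = ET.fromstring(body)
    action = None
    for service in WAN_SERVICES:
        action = root.find(f".//{{{service}}}AddPortMapping")
        if action is not None:
            break
    if action is None:
        return None

    def arg(name: str) -> str:
        el = action.find(name)  # argument elements carry no namespace
        return (el.text or "").strip() if el is not None else ""

    return PortMapping(
        requester=requester,
        protocol=arg("NewProtocol").upper(),
        external_port=int(arg("NewExternalPort")),
        internal_port=int(arg("NewInternalPort")),
        internal_client=arg("NewInternalClient"),
        description=arg("NewPortMappingDescription"),
        lease_seconds=int(arg("NewLeaseDuration") or "0"),
    )

def suspicious_reasons(m: PortMapping, allowed_external_ports=()) -> List[str]:
    """Policy: properties of a mapping that warrant an alert."""
    reasons = []
    if m.lease_seconds == 0:
        reasons.append("permanent lease (never expires)")
    if m.internal_client != m.requester:
        reasons.append(f"opens a port for another host ({m.internal_client})")
    if m.external_port not in allowed_external_ports:
        reasons.append(f"external port {m.external_port}/{m.protocol} not on allowlist")
    return reasons

def scan(captures: List[Tuple[str, str]], allowed_external_ports=()):
    """Run the policy over (requester, raw HTTP request) pairs; return alerts."""
    alerts = []
    for requester, raw in captures:
        m = parse_add_port_mapping(requester, raw)
        if m is not None:
            reasons = suspicious_reasons(m, allowed_external_ports)
            if reasons:
                alerts.append((m, reasons))
    return alerts

def make_request(ext_port, int_port, client, proto, desc, lease) -> str:
    """Build a constructed AddPortMapping POST the way a UPnP client would."""
    body = (
        '<?xml version="1.0"?>'
        f'<s:Envelope xmlns:s="{SOAP_ENV}" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        f'<u:AddPortMapping xmlns:u="{WAN_SERVICES[0]}"><NewRemoteHost></NewRemoteHost>'
        f"<NewExternalPort>{ext_port}</NewExternalPort><NewProtocol>{proto}</NewProtocol>"
        f"<NewInternalPort>{int_port}</NewInternalPort>"
        f"<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>"
        f"<NewPortMappingDescription>{desc}</NewPortMappingDescription>"
        f"<NewLeaseDuration>{lease}</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>"
    )
    return (
        "POST /ctl/IPConn HTTP/1.1\r\nHost: 192.168.1.1:49152\r\n"
        f'SOAPAction: "{WAN_SERVICES[0]}#AddPortMapping"\r\n'
        'Content-Type: text/xml; charset="utf-8"\r\n'
        f"Content-Length: {len(body)}\r\n\r\n{body}"
    )

# Constructed samples: a console asking for a timed mapping to itself, a
# workstation asking for a permanent high-port mapping to itself, and a
# workstation mapping a port to a different LAN host.
SAMPLE_CAPTURES = [
    ("192.168.1.20", make_request(3074, 3074, "192.168.1.20", "UDP", "Game console", 3600)),
    ("192.168.1.50", make_request(41233, 41233, "192.168.1.50", "TCP", "", 0)),
    ("192.168.1.50", make_request(41234, 41234, "192.168.1.77", "TCP", "", 0)),
]
```

Running `scan(SAMPLE_CAPTURES, allowed_external_ports={3074})` returns alerts for the two workstation requests only. Disabling UPnP on the router, or enabling the "secure mode" some routers offer that only lets a host map ports to itself, closes this path; where UPnP must stay on, permanent leases and mappings for a different internal client are the mappings to investigate first.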

Encryption and Integrity Checks

Twizt introduces its own binary protocol over TCP or UDP with:

  • Two layers of RC4 encryption
  • RSA, together with what Check Point describes as an RC6-256 hash function, for data integrity verification (RC6 is a block cipher, so this is a custom integrity construction built on it rather than a standard hash). If commands are RSA-verified, a third party without the operators' private key cannot inject its own commands into the peer-to-peer network.
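Two RC4 layers look like extra work for an analyst but are not, because RC4 is XOR with a key-derived keystream. The added example below (not code from the article or from Check Point) is the decoder an analyst would write for such a wrapper: it shows that the layers come off in either order, that the two layers collapse to a single keystream, and the general stream-cipher caveat that a reused key pair leaks keystream through any known plaintext. Twizt's real keys and message layout are not given in the article, so the keys, the header and the messages below are constructed assumptions.

```python
"""Peeling two layers of RC4, as an analyst's decoder.

Added example, not code from the original article or from Check Point.
Keys, header and messages are constructed assumptions, not Twizt's.
"""
from typing import List

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4 KSA + PRGA producing `length` keystream bytes."""
    S: List[int] = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: RC4 is XOR with a key-derived keystream."""
    return xor(data, rc4_keystream(key, len(data)))

def wrap(outer_key: bytes, inner_key: bytes, plaintext: bytes) -> bytes:
    """Two layers: inner RC4 first, then outer RC4 over the result."""
    return rc4(outer_key, rc4(inner_key, plaintext))

def unwrap(outer_key: bytes, inner_key: bytes, ciphertext: bytes) -> bytes:
    """Peel the layers in reverse order (the natural decoder)."""
    return rc4(inner_key, rc4(outer_key, ciphertext))

def combined_keystream(outer_key: bytes, inner_key: bytes, length: int) -> bytes:
    """Both layers together equal one keystream: ks_outer XOR ks_inner."""
    return xor(rc4_keystream(outer_key, length), rc4_keystream(inner_key, length))

def keystream_from_known_plaintext(ciphertext: bytes, known_prefix: bytes) -> bytes:
    """With a known header, the keystream prefix is ciphertext XOR header."""
    return xor(ciphertext[: len(known_prefix)], known_prefix)

# Constructed keys and messages (assumptions, not Twizt's real values).
OUTER_KEY = b"outer-layer-key"
INNER_KEY = b"inner-layer-key"
HEADER = b"HDR\x01"
MSG_A = HEADER + b"peer-list:10.0.0.5:41233"
MSG_B = HEADER + b"cmd:update"
```

Because XOR commutes, `rc4(OUTER_KEY, rc4(INNER_KEY, ct))` decrypts just as well as `unwrap`, and `xor(ct, combined_keystream(...))` decrypts in one pass. The last function is the usual known-plaintext check: if the same keys are reused across messages, the keystream recovered from one message's header decrypts the header of every other message, so the second RC4 layer adds no protection against that.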

Implications of Twizt’s Capabilities

These peer-to-peer features suggest that:

  • Twizt poses an increased threat, because takedowns aimed at C&C servers may no longer disrupt the botnet.
  • The Phorpiex botnet may become even more stable and resilient.