The previously shut-down Phorpiex botnet has re-emerged with new peer-to-peer command and control infrastructure, making the malware more difficult to disrupt.
The botnet first launched in 2016 and, over the following years, accumulated a massive army of over 1 million infected devices.
The malware generates revenue for its developers in two ways: by swapping cryptocurrency addresses that victims copy to the Windows clipboard with addresses under the operators' control (so that a payment is silently redirected), and by spamming sextortion emails that scare recipients into paying an extortion demand.
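The clipboard-swap trick described above is easy to spot from the defender's side once you know what it looks like: the clipboard holds a cryptocurrency address, and a moment later it holds a different address of the same type without the user having copied anything. The following is an added example, not code from the original article or from any Phorpiex analysis, of detection logic run over a constructed sequence of clipboard snapshots. The address regexes, the 2-second window, and the sample addresses (built from repeated characters) are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass

# Assumed, simplified address patterns; real-world validation would also
# check base58/bech32 checksums, which is omitted here for brevity.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text: str):
    """Return the address type the clipboard text looks like, or None."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


@dataclass
class Snapshot:
    t: float        # seconds since monitoring started (assumed clock)
    content: str    # clipboard text at that instant


def detect_swaps(snapshots, window: float = 2.0):
    """Flag a same-type address replacing another within `window` seconds.

    A human re-copying a different address usually takes far longer than a
    clipper, which polls and rewrites the clipboard in well under a second.
    """
    alerts = []
    prev = None
    for snap in snapshots:
        kind = classify(snap.content)
        if (
            prev is not None
            and kind is not None
            and classify(prev.content) == kind
            and snap.content != prev.content
            and snap.t - prev.t <= window
        ):
            alerts.append({
                "kind": kind,
                "original": prev.content.strip(),
                "replacement": snap.content.strip(),
                "delta_seconds": round(snap.t - prev.t, 3),
            })
        prev = snap
    return alerts


# Constructed sample: one suspicious swap (BTC address replaced after 0.3s)
# and one benign case (user copies a different ETH address 35s later).
SAMPLE_SNAPSHOTS = [
    Snapshot(0.0, "meeting notes for monday"),
    Snapshot(10.0, "1" + "A" * 33),          # victim copies a BTC address
    Snapshot(10.3, "3" + "B" * 33),          # clipper rewrites it
    Snapshot(40.0, "0x" + "ab" * 20),        # victim copies an ETH address
    Snapshot(75.0, "0x" + "cd" * 20),        # victim copies another one
    Snapshot(80.0, "0x" + "cd" * 20),        # unchanged
]


if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_SNAPSHOTS):
        print(f"[clipper?] {alert['kind']}: {alert['original']} -> "
              f"{alert['replacement']} after {alert['delta_seconds']}s")
```

In a real monitor you would feed `detect_swaps` from a clipboard polling loop and raise the process that performed the write; the window-based heuristic alone will miss a clipper that waits, so treat it as one signal among several.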
However, after over five years of development, the Phorpiex operators shut down their infrastructure and tried to sell the botnet’s source code on a hacking forum.
While it is unknown whether the threat actors managed to sell their malware, researchers from Check Point saw that the infrastructure had come back online in September, less than two weeks after the "for sale" post.
This time, though, the command and control servers distributed a new botnet variant that included some new tricks to make it harder to identify the operators or take down the infrastructure.