A mysterious entity appears to have hijacked the back-end infrastructure of the Phorpiex (Trik) botnet and removed the spam-bot malware from infected hosts, while also displaying a pop-up telling users to install an antivirus and update their computers, ZDNet has learned.

The pop-ups began appearing on user screens early this morning, US Eastern time, and were spotted by the research team at antivirus vendor Check Point.

Initially, ZDNet and others thought this was a joke that the Phorpiex team had encoded into the malware as a prank aimed at security researchers analyzing it.

However, as the hours passed, it became clear that this was actually happening on real users' systems, and was not just a pop-up appearing on virtual machines used as malware-analysis sandboxes.

“This is really happening,” Yaniv Balmas, head of Cyber Research at Check Point, told ZDNet. “We are keeping a close eye on this malware family and have noticed that this behavior started a few hours ago.”

Balmas listed several theories about what could have happened: the malware operators shutting down the botnet on their own terms, a law enforcement action, a vigilante security researcher taking matters into their own hands, or a rival malware gang sabotaging the Phorpiex crew by destroying their botnet.

Most likely a hijacking

“Hijack seems likely based on the Phorpiex developer track record,” said a second malware analyst who refused to use his name in this article because he was not authorized to speak in the name of his company – another antivirus vendor.

“The Phorpiex developer has pretty nasty rivals in the botnet game, so it wouldn’t surprise me if this is an attack caused by jealousy or something,” he added.

“The developer of the Phorpiex botnet is extremely lazy and careless,” said the malware analyst, who claimed he could have hijacked the botnet in the past because of the simplistic IRC-based command and control mechanism.

The same botnet had a data breach in 2018

The Phorpiex malware, which has been active for more than ten years, has experienced security breaches in the past, partly due to the carelessness of the malware developer.

In 2018, the Phorpiex developer left one of the botnet’s command and control backend servers exposed online, and security researchers were able to retrieve a list of 43.5 million e-mail addresses that the Phorpiex crew was targeting in spam campaigns.

Phorpiex is one of the most active spam botnets. The Phorpiex crew infects Windows computers and uses these systems as spambots to send out massive spam campaigns.

These spam campaigns keep the botnet alive by infecting new PCs with Phorpiex, but the bots also send out custom spam campaigns on behalf of other cybercrime groups, which is how the Phorpiex crew makes money.

Whoever hijacked the botnet today and instructed the bots to uninstall themselves has dealt a serious blow to the future profits and activities of the Phorpiex gang. To give an idea of the profits the Phorpiex crew stands to lose, Check Point previously reported that the same botnet earned $115,000 in five months just by mass-spamming sextortion emails.