Phorpiex/Twizt: A 91KB Worm Clipping 30+ Blockchains Behind a Ukrainian Charity False Flag
Date: 2026-03-08 Severity: High Category: Phishing / Worm / Crypto Clipper / Botnet TLP: CLEAR
TL;DR
A fresh Phorpiex/Twizt build (compiled 2026-03-05) was caught actively distributing from two OMEGATECH bulletproof hosting IPs. The 91.5 KB unpacked binary combines a clipboard hijacker targeting 100+ wallet addresses across 30+ blockchain families, a P2P botnet with UPnP NAT traversal, a USB worm, and a loader -- all behind C2 servers displaying a "DONATE TO UKRAINE" false flag page using a real Ukrainian charity's Bitcoin address. Infrastructure analysis uncovered reserve C2 slots, a co-hosted Crypto.com phishing page, and a 5-node Linux ELF reconnaissance cluster on the same ASN.
Sample Overview
| Property | Value |
|---|---|
| SHA-256 | 98e5fdce85ab8e17472f95eecb4c22f08a28933828e0afd0b5db831fe222e373 |
| MD5 | 087be025580edb09a6c65b2bd4a8ee93 |
| File Type | PE32 executable (GUI) Intel 80386, MSVC |
| Size | 93,696 bytes (91.5 KB) |
| Compiled | 2026-03-05 17:35:39 UTC |
| Variant | Phorpiex/Twizt (self-identified, 4 occurrences of "Twizt" string) |
| Packing | None. All sections normal entropy. |
| ASLR | Disabled |
Three sections, no packing, no resources, no exports. The binary is lean native C/C++ compiled with MSVC (Rich Header present, _chkstk, MSVC SEH frames confirmed). The compilation timestamp matches the __DATE__/__TIME__ strings embedded in the binary -- this is a same-day build pushed directly to the botnet.
Execution Flow
The entry point at 0x407BB0 allocates a 4088-byte stack frame and follows a deterministic installation sequence:
1. Sleep(2000) // Anti-sandbox delay
2. CreateMutexA("h7g6f5d6h") // Single-instance enforcement
3. GetLastError() == 0xB7? -> ExitProcess(0)
4. GetModuleFileNameW() + PathFindFileNameW()
5. Compare filename vs "DrvSvcsrMgr.exe"
|
+-- NO MATCH (first run):
| a. Check locale (CIS exclusion -> ExitProcess if match)
| b. Delete Zone.Identifier ADS
| c. CopyFileW to %APPDATA%\<dir>\sysdvrnshost.exe
| d. SetFileAttributesW(HIDDEN | SYSTEM)
| e. RegSetValueExW("Windows Settings") in HKLM + HKCU Run keys
| f. CreateProcessW -> launch installed copy
| g. ExitProcess
|
+-- MATCH (installed copy):
a. Spawn clipboard monitoring thread
b. Spawn P2P botnet thread
c. Spawn USB worm thread
d. Spawn C2 check-in thread
The auto-start command launched via %comspec% is:
/c start %s & start %s\DrvSvcsrMgr.exe
This executes both the original file and the installed copy, ensuring at least one instance survives.
Persistence Mechanisms
The malware implements six distinct persistence mechanisms:
- Dual Registry Run keys -- HKLM and HKCU under Software\Microsoft\Windows\CurrentVersion\Run, value name "Windows Settings"
- Self-copy -- Drops as sysdvrnshost.exe with HIDDEN|SYSTEM attributes
- Zone.Identifier deletion -- Strips the Mark-of-the-Web ADS to bypass SmartScreen
- Explorer policy modification -- Sets NoDrives under Policies\Explorer to hide drives from Explorer, concealing USB worm artifacts
- Mutex -- h7g6f5d6h via CreateMutexA for single-instance enforcement
- Filename check -- Compares the running filename against DrvSvcsrMgr.exe to differentiate first-run vs. installed execution
Clipboard Hijacking: 30+ Chains, 100+ Wallets
The clipper is the most extensively configured component. It registers as a Windows clipboard viewer via SetClipboardViewer on a hidden window, intercepts WM_DRAWCLIPBOARD messages, and processes clipboard content in three format priorities:
CF_UNICODETEXT (0x0D) -> Wide string copy (0x405A40)
CF_TEXT (0x01) -> ANSI to wide (codepage 0x4E3)
CF_OEMTEXT (0x07) -> OEM to wide conversion
The wallet matching function at 0x404B30 dispatches on the first character of the clipboard content, checking 34 starting characters that map to cryptocurrency address formats:
| First Char | Chains |
|---|---|
| 1 | Bitcoin P2PKH |
| 3 | Bitcoin P2SH |
| b | bc1 (Bech32), btg1, bnb, bitcoincash |
| T | Tron (TRC-20) |
| 0 | Ethereum/EVM (0x prefix) |
| D | Dogecoin, Dash |
| L | Litecoin, Lisk |
| 4 | Monero |
| r | Ronin, Ripple (XRP) |
| c/C | Cosmos, Cronos |
| t | terra, thor, tz (Tezos) |
| s | stars, stride, sei, sys |
| n | Nano, Neutron, Nillion |
| X | Avalanche X-chain |
After first-character matching, the function validates address length and format before replacing the clipboard with the attacker's corresponding wallet from a dispatch table at 0x415310 in the .data section (52 pointers to wallet strings in .rdata).
Wallet Breakdown
17 Ethereum/EVM addresses -- covering ETH, ERC-20, BSC, Polygon, Arbitrum. All 16 standard addresses show zero ETH mainnet activity; likely active on L2s/alt-EVMs.
23 Bitcoin addresses -- spanning Legacy (P2PKH), P2SH, and Bech32/Taproot formats. On-chain confirms 0.017 BTC ($1,020) stolen across 10 active wallets, with activity from 2024-08-16 to 2025-06-20.
16 Tron addresses -- 4 active, with TDMysBGndMtr36Zpu1x6ozjJjAMqxccmWX holding 13.57 TRX + 10.69 USDT (TRC-20), created 2026-01-19.
16 Cosmos ecosystem addresses -- Multiple addresses share the same bech32 data portion (125f3mw4xd9htpsq4zj5w5ezm5gags37y...) with different HRP prefixes (cosmos, osmo, juno, akash, stars, stride, sei, neutron, bbn). Same underlying key, different chains.
Additional chains -- Dogecoin, Litecoin, Monero, XRP, Cardano, Nano, Ronin, Stellar, MultiversX, Avalanche, Zilliqa, Filecoin, Bitcoin Gold, DigiByte, Polkadot, Injective, dYdX, Dymension, Syscoin, NEAR, and more.
Total confirmed stolen across all checked chains: ~$1,038. Low relative to Check Point's 2021 estimate of $500K+ from earlier variants -- these wallets appear to be recently rotated.
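The first-character dispatch and length check described above can be turned around for detection. The following is an added example, not code from the report or from the malware: classify() mimics the clipper's shape test for a subset of the families in the table (no checksum, like the clipper itself), and detect_swaps() flags the clipper's signature, a valid address replaced by a different valid address of the same chain within a second of being copied. The first address in the sample history is the charity address quoted in this report; the replacements are constructed strings of the right shape.

```python
"""Clipper-swap detection modelled on the Twizt first-character dispatch.
Added example (not from the report or the malware); the rules cover a subset of
the families in the table and, like the clipper, check shape only, no checksum."""
import re
from dataclasses import dataclass
B58 = "[1-9A-HJ-NP-Za-km-z]"                    # Base58 alphabet (no 0, O, I, l)
BECH = "[qpzry9x8gf2tvdw0s3jn54khce6mua7l]"     # Bech32 alphabet
RULES = [   # (family, pattern); lengths are the standard ones for each format
    ("btc-p2pkh",  re.compile(rf"^1{B58}{{25,34}}$")),
    ("btc-p2sh",   re.compile(rf"^3{B58}{{25,34}}$")),
    ("btc-bech32", re.compile(rf"^bc1{BECH}{{39,59}}$")),  # 42-char v0 or 62-char Taproot
    ("evm",        re.compile(r"^0x[0-9a-fA-F]{40}$")),
    ("tron",       re.compile(rf"^T{B58}{{33}}$")),
]
# Dispatch on the first character, as the routine at 0x404B30 does, so most
# clipboard text is rejected with one lookup and no regex work.
DISPATCH: dict[str, list] = {}
for _fam, _pat in RULES:
    DISPATCH.setdefault(_pat.pattern[1], []).append((_fam, _pat))

def classify(text: str):
    """Address family of `text` ('btc-p2sh', 'evm', ...) or None if not an address."""
    text = text.strip()
    for family, pattern in DISPATCH.get(text[:1], []):
        if pattern.match(text):
            return family
    return None

@dataclass
class ClipEvent:
    ts: float    # seconds since monitoring started
    text: str

def detect_swaps(events: list, window: float = 1.0):
    """Flag the clipper's signature: a valid address replaced by a *different* valid
    address paying into the same chain within `window` seconds of being copied.
    A human re-copy takes far longer. Returns (original, replacement, chain)."""
    alerts = []
    for prev, cur in zip(events, events[1:]):
        f_prev, f_cur = classify(prev.text), classify(cur.text)
        if (f_prev and f_cur and f_prev.split("-")[0] == f_cur.split("-")[0]
                and prev.text != cur.text and cur.ts - prev.ts <= window):
            alerts.append((prev.text, cur.text, f_prev.split("-")[0]))
    return alerts

# Constructed clipboard history: the first address is the charity address quoted
# in the report, the replacements are synthetic strings of the right shape.
SAMPLE_EVENTS = [
    ClipEvent(0.00, "meeting notes"),
    ClipEvent(5.00, "bc1qkd5az2ml7dk5j5h672yhxmhmxe9tuf97j39fm6"),
    ClipEvent(5.02, "bc1q" + "z" * 38),   # swapped 20 ms after the copy: clipper behaviour
    ClipEvent(30.0, "0x" + "a" * 40),
    ClipEvent(45.0, "0x" + "b" * 40),     # 15 s later: a human re-copied, no alert
]
```

Feed detect_swaps() a clipboard history captured by a clipboard-viewer agent; against SAMPLE_EVENTS it returns exactly the bc1 swap.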
P2P Botnet Protocol
Twizt implements a decentralized peer-to-peer overlay for resilient C2 communication:
- Peer storage: %USERPROFILE%\tbtnds.dat
- Command storage: %USERPROFILE%\tbtcmds.dat
- Debug string: TCP: P2P_SendGETLPacket(0,%s) failed!
- Networking: IOCP (CreateIoCompletionPort + GetQueuedCompletionStatus) for high-performance async I/O
- Encryption: 2-layer RC4 + RSA integrity verification (documented by Check Point, 2021)
- Crypto primitives: BigNum arithmetic (_aulldiv, _allshl, _aullshr), small-prime sieve at 0x415050, large pseudo-prime blocks in .data for modular arithmetic
UPnP NAT Traversal
The binary contains a full SOAP implementation for UPnP:
SSDP Discovery: M-SEARCH * HTTP/1.1 -> 239.255.255.250:1900
Service Type: InternetGatewayDevice:1
Operations: GetExternalIPAddress
AddPortMapping (open inbound P2P ports)
DeletePortMapping (cleanup)
User-Agent: Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x)
This enables infected hosts behind consumer routers to accept inbound P2P connections, expanding the botnet mesh.
USB Worm Propagation
The worm enumerates all drives via GetLogicalDrives + GetDriveTypeW, targeting removable media:
- Recursively traverses directories (skipping System Volume Information, $RECYCLE.BIN, .Spotlight-V100, .DS_Store, macOS metadata directories)
- Deletes files matching 17 executable extensions: .lnk, .vbs, .js, .scr, .com, .jse, .cmd, .pif, .jar, .dll, .vbe, .bat, .inf, .ps1, .wsf, .msp, .hta
- Replaces them with copies of itself using the original filename
- Creates shortcut: /c start %s & start %s\DrvSvcsrMgr.exe -- opens the original file AND executes the worm
- Sets HIDDEN|SYSTEM attributes on original files
- Sets the NoDrives registry value to hide drives from Explorer
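Because the worm keeps the original filename but replaces the content with a PE image, removable media can be triaged for that mismatch. The following is an added example, not the report's or any vendor's code: it walks a drive, flags files carrying one of the 17 extensions that start with the MZ signature, and groups them by SHA-256, since every replaced file on an infected stick is the same binary. build_sample_drive() creates a constructed fixture in a temporary directory.

```python
"""Removable-media triage for the Twizt worm's file-replacement pattern.
Added example (not from the report): a .bat/.vbs/.lnk/... file that is really a
PE image, and many such files sharing one hash, is the worm's footprint."""
import hashlib
import os
import tempfile
from pathlib import Path

# The 17 extensions the worm deletes and replaces, as listed in the report.
WORM_EXTENSIONS = {".lnk", ".vbs", ".js", ".scr", ".com", ".jse", ".cmd", ".pif", ".jar",
                   ".dll", ".vbe", ".bat", ".inf", ".ps1", ".wsf", ".msp", ".hta"}
# Directories the worm itself skips, so nothing of interest is written there.
SKIP_DIRS = {"System Volume Information", "$RECYCLE.BIN", ".Spotlight-V100"}

def is_pe(path: Path) -> bool:
    """True if the file starts with the DOS 'MZ' signature of a PE/EXE image."""
    try:
        with path.open("rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_drive(root: str) -> dict:
    """Map sha256 -> paths of files whose extension is in the worm's list but whose
    content is a PE image. One hash shared by many hits is the worm's tell."""
    hits: dict = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]   # prune in place
        for name in filenames:
            p = Path(dirpath) / name
            if p.suffix.lower() in WORM_EXTENSIONS and is_pe(p):
                hits.setdefault(sha256_of(p), []).append(str(p))
    return hits

def build_sample_drive() -> str:
    """Constructed fixture standing in for an infected USB stick: two script files
    overwritten with one fake PE body, one genuine script, one directory to skip."""
    root = Path(tempfile.mkdtemp(prefix="usb_fixture_"))
    fake_pe = b"MZ" + b"\x00" * 62 + b"FAKE PE BODY - NOT REAL CODE"
    (root / "setup.bat").write_bytes(fake_pe)
    (root / "docs").mkdir()
    (root / "docs" / "notes.vbs").write_bytes(fake_pe)
    (root / "docs" / "real.bat").write_text("@echo off\necho hello\n")
    (root / "System Volume Information").mkdir()
    (root / "System Volume Information" / "IndexerVolumeGuid.bat").write_bytes(fake_pe)
    return str(root)

if __name__ == "__main__":
    for digest, paths in scan_drive(build_sample_drive()).items():
        print(f"{digest[:16]}... masquerading as {len(paths)} file(s): {paths}")
```

Point scan_drive() at the mount path of a suspect drive; a single digest with many paths is the pattern to escalate on.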
CIS Exclusion
Classic Phorpiex operational security -- the malware refuses to execute on CIS-region systems:
Locale check (function at 0x40F010): Calls GetLocaleInfoA(LOCALE_USER_DEFAULT, LOCALE_SENGCOUNTRY) and exits if the system locale matches Russian/CIS identifiers.
IP range filtering during scanning:
Excluded: 90.156.x (Russian ISP)
213.206.x (CIS ISP)
213.230.x (Uzbekistan ISP)
127.x, 192.x, 10.x, 100.x (RFC1918/loopback)
This pattern, combined with the false flag, strongly indicates a Russian-speaking operator.
C2 Infrastructure
Active Servers
Both C2s sit on OMEGATECH LTD (AS202412), a Seychelles-registered entity created 2026-01-12 -- less than two months before this sample was compiled.
| Server | IP | Role | OS |
|---|---|---|---|
| Primary | 178.16.54.109 | Full C2 (PHP + nginx, payloads, check-in) | Ubuntu, nginx/1.18.0, OpenSSH 8.2p1 |
| Secondary | 158.94.211.162 | Backup (static nginx, encrypted blob only) | Ubuntu, nginx/1.18.0, OpenSSH 8.9p1 |
Primary C2 Endpoint Map
| Path | Status | Size | Function |
|---|---|---|---|
| / | 200 | 73 B | "DONATE TO UKRAINE" false flag |
| /newtpp.exe | 200 | 93,696 B | Current Twizt build (our sample) |
| /32.exe | 200 | 10,240 B | First-stage downloader (compiled 2025-08-28) |
| /64.exe | 200 | 10,240 B | Alias of 32.exe (identical hash) |
| /1 | 200 | 22,784 B | RC4-encrypted P2P peer list |
| /2 | 200 | 9,984 B | RC4-encrypted P2P commands |
| /new.php | 200 | 0 B | Bot check-in (GET/POST, silent logging) |
| /peinstall.php | 200 | 0 B | Install confirmation endpoint |
Previously hosted (now 404): /spl.exe, /lfuck.exe (GLOBAL GROUP ransomware, ChaCha20-Poly1305, .Reco extension).
User-Agent Gating
The C2 implements UA-based request filtering:
No UA / curl default -> 404 (162 bytes, standard nginx)
Browser-like UA -> 404 (564 bytes, padded with MSIE/Chrome error-page disablers)
Valid path + UA -> 200 (payload served)
The 564-byte custom 404 includes six <!-- a padding to disable MSIE and Chrome friendly error page --> comments. This distinguishes scanner traffic from bot traffic.
The False Flag
Both C2 landing pages display:
DONATE TO UKRAINE - BITCOIN: bc1qkd5az2ml7dk5j5h672yhxmhmxe9tuf97j39fm6
That address belongs to Come Back Alive (Povernys Zhyvym), a legitimate Ukrainian military charity that has received 853+ BTC ($50M+) since February 2022. A Russian-speaking operator using a Ukrainian charity as C2 camouflage -- the irony is not lost.
Bulletproof Hosting Chain
Phorpiex C2 (178.16.54.109 / 158.94.211.162)
  └─> OMEGATECH LTD (AS202412, Seychelles shell, est. 2026-01-12)
      └─> Pfcloud UG (AS51396, German LIR, Daniel Mishayev)
          └─> aurologic GmbH (AS30823, German transit)
              └─> Internet
aurologic GmbH has been identified by Recorded Future (2025) as a "central nexus for hosting malicious infrastructure" providing upstream transit to 18+ downstream networks including sanctioned entities. Documented malware families transiting aurologic: Phorpiex, Stealc, Amadey, SmokeLoader, Lumma, Vidar, RedLine, Cobalt Strike, Sliver, SystemBC, LockBit.
Infrastructure Topology
Subnet scanning of both /24s revealed additional operator infrastructure:
OMEGATECH LTD (AS202412)
├── 178.16.54.0/24 (NL)
│   ├── .109 PRIMARY Phorpiex C2
│   ├── .68 RESERVE C2 slot (nginx ready, no payloads)
│   └── .24 Crypto.com phishing page (credential harvester)
│
├── 158.94.211.0/24 (US)
│   ├── .162 SECONDARY Phorpiex C2
│   ├── .94 RESERVE C2 slot (nginx ready, no payloads)
│   └── .100-.104 Linux ELF distribution cluster (5 IPs, same binary)
│
├── 91.92.240.0/22
│   └── .242.214 Linux ELF recon agent C2 (POST /info, currently down)
│
└── 94.154.35.0/24
    └── .227 BrowserWare ClickFix C2 (buck-cdns-server.sbs)
The reserve C2 slots at .68 and .94 implement the identical UA gating pattern as the active C2s -- same nginx version, same 162/564-byte 404 behavior -- confirming they were provisioned by the same operator and are ready for activation.
Linux ELF Recon Agent (Bonus Discovery)
Five IPs (158.94.211.100-104) serve an identical statically-linked Linux ELF (67,176 bytes, GCC 14.2.0-19 Debian):
SHA-256: 8e61276d32ad1a040db17ae2e3b1565b29b63a2080d4b5c4a2aacb0f7847c28a
It profiles target systems and beacons to 91.92.242.214/info via POST:
{
"hostname": "%s",
"cpu_model": "%s",
"cpu_cores": %d,
"memory_mb": %ld,
"uid": %u,
"gid": %u,
"uptime_days": %ld,
"board_name": "%s",
"sys_vendor": "%s",
"product_version": "%s",
"bios_version": "%s"
}
The DMI data collection (sys_vendor, board_name, bios_version from /sys/devices/virtual/dmi/id/) is designed to filter out VMs/sandboxes before deploying a second stage -- likely a cryptominer given the CPU profiling emphasis.
Campaign History on This Infrastructure
| Period | Payload | Description |
|---|---|---|
| Oct 2025 | Landing page | "DONATE TO UKRAINE" false flag deployed |
| Late 2025 | spl.exe, lfuck.exe | LockBit Black ransomware distribution |
| Feb 2026 | spl.exe -> windrv.exe | GLOBAL GROUP ransomware (ChaCha20-Poly1305, .Reco ext, mutex Global\Fxo16jmdgujs437) |
| Mar 2026 | newtpp.exe | Current Twizt clipper/worm campaign |
OTX shows 10 different malware hashes associated with 178.16.54.109 in just two days (March 5-6), confirming daily build rotation. The operator compiles fresh binaries and pushes them to the botnet infrastructure on a 24-hour cycle.
Historical Phorpiex Hosting Migration
2021: twizt.net (domain-based, initial Twizt variant)
2024: 185.215.113.66 (1337TEAM LIMITED, Seychelles)
2025-2026: 178.16.54.109 + 158.94.211.162 (OMEGATECH LTD, Seychelles)
The operator consistently uses Seychelles-registered shell companies for bulletproof hosting, migrating between providers while maintaining the same operational playbook.
Intelligence Coverage Gaps
| Platform | 178.16.54.109 | 158.94.211.162 |
|---|---|---|
| OTX | 38 pulses | 1 pulse |
| URLhaus | Not indexed | Not indexed |
| ThreatFox | Not indexed | Not indexed |
| AbuseIPDB | Flagged (WHOIS level) | Flagged (WHOIS level) |
| Passive DNS | None (IP-only C2) | None (IP-only C2) |
| TLS certs | None | None |
Despite 38 OTX pulses from automated feeds, the C2 IPs are absent from URLhaus and ThreatFox. The win.phorpiex and win.twizt family searches return zero IOCs on ThreatFox. This infrastructure has moderate automated feed coverage but zero presence in curated threat intelligence databases.
MITRE ATT&CK Mapping
| ID | Technique | Implementation |
|---|---|---|
| T1547.001 | Registry Run Keys / Startup Folder | Windows Settings value in HKLM + HKCU Run |
| T1091 | Replication Through Removable Media | USB worm replacing executables on removable drives |
| T1115 | Clipboard Data | Clipboard viewer chain for crypto address replacement |
| T1571 | Non-Standard Port | P2P botnet protocol (default port 40500) |
| T1016 | System Network Configuration Discovery | UPnP SSDP discovery + GetExternalIPAddress |
| T1614 | System Location Discovery | GetLocaleInfoA for CIS exclusion |
| T1036 | Masquerading | DrvSvcsrMgr.exe / sysdvrnshost.exe (system-like names) |
| T1564.001 | Hidden Files and Directories | HIDDEN|SYSTEM attributes, NoDrives policy |
| T1105 | Ingress Tool Transfer | URLDownloadToFileW for secondary payloads |
| T1497.001 | System Checks (Sandbox Evasion) | Sleep(2000) at entry, NtQueryVirtualMemory |
| T1095 | Non-Application Layer Protocol | Binary P2P protocol with RC4+RSA |
| T1090.003 | Multi-hop Proxy | P2P mesh with UPnP port forwarding |
Indicators of Compromise
File Hashes
# Twizt main agent
98e5fdce85ab8e17472f95eecb4c22f08a28933828e0afd0b5db831fe222e373 newtpp.exe
# First-stage downloader
586a29bab56e5d7be8b7a783256b0458a4eca167c7d519fdbc8467ba2331e7e8 32.exe / 64.exe
# Encrypted P2P peer list
d64c196d74b7ee5b4b210d491885ab6f8ded8593ef29d085ae71adecf4e0c905 /1
# Encrypted P2P commands
36cb118926ad880a6f83ad5c8469ac6bbfb782a473587bb659ac04bb74a76a46 /2
# Encrypted Twizt blob (secondary C2)
4d8e2513e9fca34ac443c0bc94d222414205a6bcf33d55088cd2dfec33da20d5 blof
# Linux ELF recon agent (co-hosted)
8e61276d32ad1a040db17ae2e3b1565b29b63a2080d4b5c4a2aacb0f7847c28a (unnamed)
Host Indicators
Mutex: h7g6f5d6h
Files: sysdvrnshost.exe
DrvSvcsrMgr.exe
%USERPROFILE%\tbtnds.dat
%USERPROFILE%\tbtcmds.dat
%TEMP%\%d%d.exe (random staged payloads)
Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Settings
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Settings
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives
User-Agent Strings
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x)
Infrastructure
ASN: AS202412 (OMEGATECH-AS, Omegatech LTD, Seychelles)
LIR: Pfcloud UG (AS51396, Germany)
Transit: aurologic GmbH (AS30823, Germany)
Server: nginx/1.18.0 (Ubuntu)
SSH: OpenSSH_8.2p1 Ubuntu-4ubuntu0.13 (primary)
OpenSSH_8.9p1 Ubuntu-3ubuntu0.13 (secondary + reserves)
Analysis by breakglass.intelligence. If you have additional samples or infrastructure overlaps, reach out.