{
	"id": "11c238ce-fb14-4562-a988-02efb880c539",
	"created_at": "2026-04-06T00:18:11.567764Z",
	"updated_at": "2026-04-10T13:11:53.263598Z",
	"deleted_at": null,
	"sha1_hash": "0e48e9825441185e40534b234c0deaa825ad4976",
	"title": "PurpleBravo’s Targeting of the IT Software Supply Chain",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5373565,
	"plain_text": "PurpleBravo’s Targeting of the IT Software Supply Chain\r\nBy Insikt Group®\r\nArchived: 2026-04-05 17:59:53 UTC\r\nThreat Analysis\r\nThe Contagious Interview campaign, a North Korean state-sponsored operation, was first documented in\r\nNovember 2023 targeting software developers primarily in the cryptocurrency industry. Insikt Group tracks\r\nPurpleBravo as a cluster of activity overlapping with the campaign (other names for the group include CL-STA-0240, Famous Chollima, and Tenacious Pungsan). While some organizations track the Contagious Interview\r\ncluster and North Korean IT workers as the same set of activity, Insikt Group tracks North Korean IT workers\r\nseparately as PurpleDelta. Insikt Group has observed points of intersection between the two groups and is\r\ninvestigating the exact extent of the overlap.\r\nFraudulent Personas\r\nIn March 2025, Insikt Group identified four personas (Figure 1) that were highly likely associated with\r\nPurpleBravo threat activity. This high-confidence assessment was made following an investigation of malicious\r\nGitHub repositories, cryptocurrency scam reports on social media, and Recorded Future Network Intelligence on\r\nknown PurpleBravo infrastructure. These personas, and their associated behaviors, align with previous Insikt\r\nGroup reporting and open-source reporting (1, 2, 3) on the Contagious Interview campaign.\r\nThe personas claim to be developers and recruiters representing cryptocurrency companies, among other types of\r\norganizations. These organizations appear in the PurpleBravo lures and malicious GitHub repositories detailed\r\nbelow. They all purport to be from Odessa, Ukraine, and target prospective victims located in South Asia. 
At the\r\ntime of writing, Insikt Group was unable to determine the motivation behind PurpleBravo's use of Ukrainian\r\npersonas in their operations.\r\nhttps://www.recordedfuture.com/research/purplebravos-targeting-it-software-supply-chain\r\nPage 1 of 31\n\nFigure 1: LinkedIn personas highly likely linked to PurpleBravo threat activity (Source: LinkedIn)\r\nInfrastructure\r\nMalicious GitHub Repositories\r\nInsikt Group identified several malicious GitHub repositories linked to PurpleBravo activity, using publicly available\r\ninformation on potential victim servers identified in Recorded Future’s Network Intelligence data.\r\nFood Manufacturing Industry Scam\r\nInsikt Group identified a GitHub repository linked to Web3 security researcher Luthiano Trarbach, who reported\r\nan unattributed scam impersonating a food manufacturing brand with the goal of cryptocurrency theft. Insikt\r\nGroup identified a website advertising a token the repository is likely imitating. It is assessed with low confidence\r\nthat the token is likely a scam, based on an evaluation of the social media and messaging platform activity\r\nassociated with its operators and users. At the time of writing, the project's legitimacy could not be determined,\r\nnor could any links between the token and the food manufacturing brand be identified. The “official” Telegram group\r\nassociated with the project is populated with scammers, bots, malicious links, and likely malicious downloads\r\nmasquerading as job opportunities, cryptocurrency airdrops, and other lures generally indicative of this behavior.\r\nThe repository contains a JavaScript file named index[.]js. 
This file is encoded in Base64 with an XOR cipher,\r\nwhich, when deobfuscated, reveals malicious capabilities intended to exfiltrate sensitive keychain and login\r\ninformation from Windows and macOS devices. This data is packaged into a ZIP file and sent to a hardcoded\r\ncommand-and-control (C2) server with an encoded HTTP POST request (Figure 2). When the string\r\nMTQ3LjEyNCaHR0cDovLw4yMTQuMTI5OjEyNDQ is decoded from Base64 (it is three Base64 fragments run together, so each\r\nfragment has to be decoded separately; the value as a whole is not valid Base64), it reveals a previously identified BeaverTail\r\nC2 IP address 147[.]124[.]214[.]129.\r\nFigure 2: HTTP POST instructions identified in the GitHub repository (Source: GitHub)\r\nIndian Software Development Company\r\nESET’s February 2025 report on threat activity aligned with PurpleBravo (which ESET tracks as\r\nDeceptiveDevelopment) described PurpleBravo threat actors posing as recruiters using a Lumanagi-themed lure in\r\nfake job interviews for a decentralized exchange (DEX) to deliver BeaverTail via malicious GitHub repositories.\r\nInsikt Group searched for additional GitHub repositories containing the same malicious JavaScript strings\r\nidentified in the ESET report, revealing a repository affecting an Indian software development company. This\r\nrepository contains a malicious JavaScript file titled routes.js, which is heavily obfuscated and different from\r\nthe food manufacturing token’s instance. 
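The Figure 2 value quoted for the food manufacturing repository above does not decode as a single Base64 string: it is three fragments run together, and only the fragment that decodes to http:// and the two host fragments joined back together yield readable text. The script below is an added example written for this page, not code from the report or from the repository it describes. The JavaScript snippet it scans is constructed for the example (only the three fragment literals come from the report), and treating the fragment that decodes to http:// as the scheme and the remaining fragments, in order of appearance, as one host:port value is an assumption inferred from the decoded output, not taken from the repository's own concatenation logic.

```python
import base64
import re

# Constructed stand-in for the obfuscated index.js; only the three string
# literals (the fragments quoted in the report) matter for this example.
SAMPLE_JS = '''
const p = ['MTQ3LjEyNC', 'aHR0cDovLw', '4yMTQuMTI5OjEyNDQ'];
'''

# Anything that looks like a Base64 literal of a useful length.
B64_LITERAL = re.compile('[A-Za-z0-9+/]{8,}={0,2}')


def b64_text(fragment: str):
    '''Decode one fragment, tolerating stripped padding. Returns None when
    the fragment cannot be Base64 at all or does not decode to printable
    text, which is what happens to a fragment that was cut mid-character.'''
    if len(fragment.rstrip('=')) % 4 == 1:
        return None  # no Base64 string has a data length of 4n+1
    padded = fragment + '=' * (-len(fragment) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode('ascii')
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def decode_literals(js: str) -> dict:
    '''Map every Base64-looking literal in the script to its decoded text
    (None marks a fragment that only makes sense once rejoined).'''
    return {lit: b64_text(lit) for lit in B64_LITERAL.findall(js)}


def rebuild_c2_url(js: str):
    '''Assumption (see lead-in): the fragment decoding to http:// is the
    scheme and the remaining fragments, in order, form one host:port value.'''
    fragments = B64_LITERAL.findall(js)
    scheme = [f for f in fragments if b64_text(f) == 'http://']
    if not scheme:
        return None
    host = b64_text(''.join(f for f in fragments if f not in scheme))
    return None if host is None else 'http://' + host
```

Running decode_literals on a suspect script is the quick triage step: fragments that decode cleanly (here the scheme and the first half of the address) show the author is hiding a URL, and fragments that decode to nothing on their own are the hint that the literals must be concatenated before decoding, which rebuild_c2_url then does.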
The JavaScript in the software development company’s repository had\r\ntwo further BeaverTail C2 server IP addresses hard-coded: 216[.]173[.]115[.]200 and 95[.]179[.]135[.]133.\r\nLumanagi\r\nWhile investigating the Indian software development company’s repository and the “Lumanagi” lure previously\r\nobserved in the ESET report, Insikt Group identified a scam report on social media on or around March 28, 2025.\r\nThis scam report claimed that a recruiter (“Karyna Isakova”; Figure 1) representing Lumanagi approached a\r\nSouth Asian developer for a job opportunity. The PurpleBravo operator posing as the recruiter sent a document via\r\nGoogle Docs purportedly from lumanagi[.]online that contained information about their project, the job vacancy,\r\nand the next steps for a practical interview. This document contained a Figma design for a Hungarian-language\r\nDEX named Lumanagi. This behavior aligns with previous reports on PurpleBravo’s interview lures, which\r\nincorporate Google Docs and Figma into their activities.\r\nBlockchain Development Company\r\nInsikt Group identified a third malicious GitHub repository linked to one of the abovementioned personas. This\r\nrepository contained a malicious file similar to routes[.]js, which was observed in the Indian software\r\ndevelopment company’s repository. When the JavaScript in this file is deobfuscated, it reveals the same BeaverTail C2\r\nIP addresses, 216[.]173[.]115[.]200 and 95[.]179[.]135[.]133. Revisiting the persona on LinkedIn revealed that\r\nthe persona previously claimed to work for Lumanagi, linking this persona back to the PurpleBravo network.\r\nCommand-and-Control Servers\r\nRecorded Future tracks two distinct sets of PurpleBravo C2 servers, BeaverTail and GolangGhost. BeaverTail is a\r\nJavaScript infostealer and loader that gathers sensitive information from victim systems, and GolangGhost is a\r\nGo backdoor whose browser-data theft is based on the HackBrowserData open-source tool. 
Recorded Future identified 62\r\nBeaverTail C2 servers and 14 GolangGhost C2 servers between August 2024 and September 2025. The\r\nhosting providers detailed in Figure 3 have been used by PurpleBravo to host C2 infrastructure.\r\nFigure 3: Hosting providers used by PurpleBravo (Source: Recorded Future)\r\nMalware Intelligence\r\nPylangGhost and GolangGhost\r\nPylangGhost (Python) and GolangGhost (Go) are related, multi-platform remote access trojans (RATs) that share\r\nan identical command structure and automate Chrome credential and cookie theft. The only functional difference\r\nbetween the two variants relates to the implementation of the Chrome password stealer. GolangGhost emphasizes\r\nbroad OS coverage, whereas PylangGhost is Windows-focused and can address Chrome’s hardened app-bound\r\ncredential protection, released in Chrome 127 and above. The RATs’ primary capabilities include host\r\nreconnaissance, file upload and download, arbitrary command execution, sleep/jitter, and automated theft of\r\nChromium-based browser secrets (Windows/macOS/Linux), with specific handling for Chrome’s v10 (data\r\nprotection API [DPAPI]) and v20 (app-bound) credential formats on Windows.\r\nBoth families are organized into parallel components:\r\nCore/Control loop: Implements the persistent request-response cycle, serializes messages for C2, and\r\ndispatches received commands\r\nCommand layer: Encodes/decodes the line-based Base64 message format and contains the code to\r\nexecute the commands\r\nTransport/Protocol: Performs RC4 wrapping with a per-packet random key, prefixed with an MD5\r\nchecksum over the key and ciphertext; the HTTP POST body uses the application/octet-stream MIME type; and its observed\r\nUser-Agent strings include python-requests and Go-http-client\r\nPassword stealer (“Auto”) modules: Chrome artifact gathering and credential/cookie decryption across\r\noperating systems\r\nUtilities: TAR/GZIP pack/unpack for staging exfiltration\r\nConfiguration: Fixed message/command identifiers and AUTO mode tokens; jitter and PID/machine-id\r\nfilenames; Windows persistence keys and parameterization\r\nTable 1 details the commands that PylangGhost and GolangGhost support.\r\nInformation: Collects system information such as username, hostname, operating system, architecture, and version number\r\nFile Upload: Decompresses an attacker-provided TAR.GZ into a path on the host\r\nFile Download: Exfiltrates a file or directory (a directory is sent as TAR.GZ) to the C2\r\nOS Shell: Runs commands in wait-and-capture or detached mode\r\nWait/Sleep: The server sends a sleep duration in nanoseconds, which is capped at 40 seconds and then used as the upper bound for a random sleep between 20 seconds and that value\r\nAuto: Invokes the Chrome stealing/gathering workflows described below\r\nExit: Terminates the main loop\r\nTable 1: PylangGhost and GolangGhost commands and descriptions (Source: Recorded Future)\r\nChromium-Based Stealer Module\r\nGolangGhost and PylangGhost both have a Chromium Stealer module that is invoked with the “AUTO”\r\ncommand; however, the implementation differs across versions. PylangGhost focuses exclusively on Chromium on Windows\r\nbut implements far more sophisticated credential theft, supporting both the v10 (DPAPI) and v20 (app-bound)\r\nformats. 
The latter requires impersonating LSASS to obtain SYSTEM privileges, dual-layer DPAPI\r\nunwrapping, and custom key derivation via Windows CNG APIs to bypass Chrome's hardened encryption\r\nintroduced in version 127 and later.\r\nGolangGhost, on the other hand, only implements Chrome v10 decryption using standard AES-GCM after\r\nobtaining master keys from native credential stores. It compensates for this simpler decryption by automating the\r\nenumeration of extensions to catalog cryptocurrency wallets at scale. GolangGhost's design suggests optimization\r\nfor broader victim coverage across multiple platforms, such as macOS and Linux, while PylangGhost represents a\r\nspecialized Windows-focused variant engineered specifically to defeat Google's latest credential protection\r\nmechanisms, making it more effective against hardened Chrome installations but limited to a single OS.\r\nTable 2 details the AUTO Chrome stealer commands.\r\nChrome Gather: This function steals Chrome browser extension data by searching for \"Local Extension\r\nSettings\" directories in the Chrome user data folder, compressing them into a tar.gz\r\narchive named gather.tar.gz, and preparing it for exfiltration to a C2 server. It targets\r\nextension storage, which can contain cryptocurrency wallets, password manager data,\r\nsession tokens, and API keys.\r\nChrome Profile/Prefs Change: This function injects a malicious MetaMask cryptocurrency wallet extension into\r\nChrome by forcefully killing the browser and modifying its secure preference files. 
It\r\nsearches for Chrome's Secure Preferences files, terminates all Chrome processes, then\r\noverwrites the extension settings with a fake MetaMask configuration (targeting *.eth,\r\n*.infura.io, and Trezor hardware wallets) installed from C:\\ProgramData\\11.16.0_0\r\ninstead of the legitimate Chrome Web Store, allowing the attackers to steal\r\ncryptocurrency transactions and private keys.\r\nChrome Cookie/Logins: There are separate modules for Windows, macOS, and Linux. All three steal the same data\r\n(passwords and extension information), but they differ in how they decrypt Chrome's\r\nmaster encryption key, following each OS's credential storage mechanism (Windows\r\nDPAPI, macOS Keychain, Linux simple/keyring).\r\nTable 2: PylangGhost and GolangGhost Chrome stealer commands (Source: Recorded Future)\r\nConfiguration\r\nThe configuration for PylangGhost (config.py) and GolangGhost (constans.go) serves as the central\r\nconfiguration and command vocabulary file for the C2. 
It contains tokens that are obfuscated command identifiers\r\nused to obscure the communication protocol between the infected client and the command-and-control server.\r\nInstead of sending readable commands like \"download\" or \"execute\", it uses random-looking strings, such as\r\n\"qwer\" or \"asdf\".\r\nPID0623NAME = \".store\"\r\nMACHINEID0623HOSTFILE = \".host\"\r\nDURATION0623ERRORWAIT = 5\r\nDAEMON0623VERSION = \"1.0.0\"\r\nMSG0623INFO = \"fwe9\"\r\nMSG0623LOG = \"1q2w\"\r\nLOG0623SUCCESS = \"true\"\r\nLOG0623FAIL = \"false\"\r\nMSG0623PING = \"poiu\"\r\nMSG0623FILE = \"qpwoe\"\r\nCOMMAND0623INFORMATION = \"qwer\"\r\nCOMMAND0623FILEUPLOAD = \"asdf\"\r\nCOMMAND0623FILEDOWNLOAD = \"zxcv\"\r\nCOMMAND0623TERMINAL = \"vbcx\"\r\nSHELLMODE0623WAITGETOUT = \"qmwn\"\r\nSHELLMODE0623DETACH = \"qalp\"\r\nCOMMAND0623WAIT = \"ghdj\"\r\nCOMMAND0623AUTO = \"r4ys\"\r\nAUTO0623CHROMEGATHER = \"89io\"\r\nAUTO0623CHROMEPREFRST = \"7ujm\"\r\nAUTO0623CHROMECOOKIE = \"gi%#\"\r\nAUTO0623CHROMEKEYCHAIN = \"kyci\"\r\nCOMMAND0623EXIT = \"dghh\"\r\nFigure 4: PylangGhost configuration snippet (Source: Recorded Future)\r\nThe malware manages its runtime state and host identity using two files defined in the configuration module,\r\nPID0623NAME and MACHINEID0623HOSTFILE in the build shown in Figure 4 (the numeric infix differs between builds). These files are created in the system’s\r\ntemporary directory (for example, %TEMP% on Windows). The .store (PID0623NAME) file records the process\r\nidentifier (PID) of the active instance and is checked during startup to prevent multiple concurrent executions. The\r\nfile .host (MACHINEID0623HOSTFILE) contains a randomly generated, persistent client identifier.\r\nThe configuration also contains C2 endpoints, persistence registry keys, collection scope, and instance control\r\nacross both variants. 
It supplies the C2 URL and a list of Chromium wallet-extension IDs targeted by the Chrome\r\n“auto” modes.\r\nUPLOAD0623URL = \"hxxp://154[.]58[.]204[.]15:8080\" # Change to your server\r\nMAX0623SLEEP = 40\r\nMIN0623SLEEP = 20\r\nEXTENSION0623NAMES = [\r\n \"nkbihfbeogaeaoehlefnkodbefgpgknn\",\r\n \"bfnaelmomeimhlpmgjnjophhpkkoljpa\",\r\n \"ibnejdfjmmkpcnlpebklmnkoeoihofec\",\r\n \"egjidjbpglichdcondbcbdnbeeppgdph\",\r\n \"acmacodkjbdgmoleebolmdjonilkdbch\",\r\n \"aholpfdialjgjfhomihkjbmgjidlcdno\",\r\n \"bhhhlbepdkbapadjdnnojkbgioiodbic\",\r\n \"dlcobpjiigpikoobohmabehhmhfoodbb\",\r\n \"dmkamcknogkgcdfhhbddcghachkejeap\",\r\n \"fnjhmkhhmkbjkkabndcnnogagogbneec\",\r\n \"hcjhpkgbmechpabifbggldplacolbkoh\",\r\n \"hmeobnfnfcmdkdcmlblgagmfpfboieaf\",\r\n \"hnfanknocfeofbddgcijnmhnfnkdnaad\",\r\n \"idnnbdplmphpflfnlkomgpfbpcgelopg\",\r\n \"ldinpeekobnhjjdofggfgjlcehhmanlj\",\r\n \"mcohilncbfahbmgdjkbpemcciiolgcge\",\r\n \"mkpegjkblkkefacfnmkajcjmabijhclg\",\r\n \"mopnmbcafieddcagagdcbnhejhlodfdd\",\r\n \"nhnkbkgjikgcigadomkphalanndcapjk\",\r\n \"ojggmchlghnjlapmfbnjholfjkiidbch\",\r\n \"onhogfjeacnfoofkfgppdlbmlmnplgbn\",\r\n \"pdliaogehgdbhbnmkklieghmmjkpigpa\",\r\n \"phkbamefinggmakgklpkljjmgibohnba\",\r\n \"ppbibelpcjmhbdihakflkdcoccbgbkpo\"\r\n ]\r\nREG0623PATH = r\"Software\\Microsoft\\Windows\\CurrentVersion\\Run\"\r\nREG0623KEY = \"csshost\"\r\nPARAM0623 = \"lOKJS0103JEBV53NkuanloiHB872Nhe12m8vd2FpdC5qcGc=\"\r\nFigure 5: PylangGhost configuration snippet (Source: Recorded Future)\r\nOn Windows systems, the malware achieves persistence by creating a registry Run key that launches a Visual\r\nBasic Script (VBS) loader via wscript.exe. Both the registry path and key name are hardcoded in the malware’s\r\nconfiguration module. 
For example, using the configuration in Figure 5, the persistence key would be\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\csshost = \"wscript.exe\" \"\u003cVBS file path\u003e\".\r\nKey names may change from configuration to configuration, and some constants carry variant-specific suffixes\r\n(for example, _0187, _0501); however, their semantics and use in persistence, collection, and protocol\r\nhandling remain the same.\r\nC2 Protocol and Network Traffic\r\nPylangGhost and GolangGhost both send an RC4-encrypted payload via an HTTP POST request with a Content-Type of\r\napplication/octet-stream and typical User-Agent values of python-requests (PylangGhost) and Go-http-client\r\n(GolangGhost).\r\nFigure 6: PylangGhost and GolangGhost HTTP POST request (Source: Recorded Future)\r\nThe HTTP payloads are RC4-encrypted. The start of the payload is a 16-byte MD5 value calculated over\r\neverything that follows: first, a randomly generated RC4 key (sent in the clear) and then the RC4-encrypted\r\nmessage body. Because the key is included up front, anyone with the packet capture can decrypt the body; the\r\nMD5 can be used to confirm that the packet was split correctly and that the contents were not corrupted. The\r\nlength of the RC4 key is chosen at build time and is not recorded in the packet itself. Insikt Group has observed\r\nthat this is consistently 128 bytes.\r\nFigure 7: PylangGhost and GolangGhost custom RC4 transmission format (Source: Recorded\r\nFuture)\r\nAfter RC4 decryption, the payload is just a single text line made of “tokens” separated by spaces. With the\r\nsingle exception of the victim's machine ID, every token is Base64 encoded. 
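The packet layout described above, together with the space-separated token line it carries (from the victim: a plain machine ID, then a Base64 message type and Base64 fields; from the server: every token Base64, the first decoding to a four-character command), as an added example that is not the malware's code or code from the report. The RC4 implementation is the textbook cipher written out so the example has no dependencies; the 128-byte key length is the observed value quoted above and is generated locally; the machine ID and field values are constructed; and the tokens fwe9, r4ys and 89io are the identifiers from the Figure 4 configuration.

```python
import base64
import hashlib
import os

KEY_LEN = 128  # observed length of the cleartext RC4 key (fixed at build time)


def rc4(key: bytes, data: bytes) -> bytes:
    '''Textbook RC4 (KSA + PRGA). Encryption and decryption are the same op.'''
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def wrap(line: str, key: bytes = b'') -> bytes:
    '''Build the POST body: MD5(key || RC4(line)) || key || RC4(line).'''
    key = key or os.urandom(KEY_LEN)
    tail = key + rc4(key, line.encode('utf-8'))
    return hashlib.md5(tail).digest() + tail


def unwrap(packet: bytes, key_len: int = KEY_LEN) -> str:
    '''Recover the token line from a captured body. The MD5 covers key and
    ciphertext together, so it catches truncation or corruption but not a
    wrong key_len; that shows up as RC4 output that is not text.'''
    digest, tail = packet[:16], packet[16:]
    if hashlib.md5(tail).digest() != digest:
        raise ValueError('MD5 mismatch: truncated or corrupt capture')
    key, cipher = tail[:key_len], tail[key_len:]
    try:
        return rc4(key, cipher).decode('utf-8')
    except UnicodeDecodeError:
        raise ValueError('RC4 output is not text: key_len is probably wrong')


def b64(token: str) -> str:
    return base64.b64encode(token.encode('utf-8')).decode('ascii')


def unb64(token: str) -> str:
    return base64.b64decode(token).decode('utf-8')


def encode_client_line(machine_id: str, msg_type: str, *fields: str) -> str:
    '''Victim -> C2: plain machine ID, then Base64 message type and fields.'''
    return ' '.join([machine_id, b64(msg_type)] + [b64(f) for f in fields])


def decode_client_line(line: str):
    machine_id, *tokens = line.split(' ')
    return machine_id, [unb64(t) for t in tokens]


def encode_server_line(command: str, *args: str) -> str:
    '''C2 -> victim: every token Base64; the first decodes to the command.'''
    return ' '.join(b64(t) for t in (command,) + args)


def decode_server_line(line: str):
    return [unb64(t) for t in line.split(' ')]
```

unwrap is the function to run on a captured POST body: because the key travels in the clear, no key material from the host is needed. On the wire, the combination to hunt for is a 16-byte digest followed by 128 high-entropy bytes at the start of an application/octet-stream POST from a python-requests or Go-http-client User-Agent, with no Base64 or JSON visible in the body.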
For messages going from the victim to the command-and-control server, the first token is a plain\r\nmachine ID (not Base64 encoded), followed by a Base64-encoded message type (for example, the four-character\r\ncode fwe9 for “system info”) and several Base64-encoded fields such as user name, computer name, operating\r\nsystem, architecture, and an internal version string.\r\nFigure 8: PylangGhost and GolangGhost request Base64 encode and decode (Source: Recorded Future)\r\nFor messages sent from the server to the victim, every token is Base64-encoded; the first one decodes to a\r\nfour-character command (for example, r4ys for the “auto” task), and the remaining tokens provide that\r\ncommand’s arguments.\r\nFigure 9: PylangGhost and GolangGhost response Base64 encode and decode (Source: Recorded Future)\r\nInvisibleFerret\r\nInvisibleFerret is a Python-based, multi-platform RAT incorporating modular functionality for system control,\r\ncredential theft, and data exfiltration. The malware operates through two C2 channels: a persistent, custom TCP\r\ncommand channel and an HTTP service leveraged for initial host fingerprinting, payload staging, and file\r\nexfiltration. Newer builds appear protected by the use of PyObfuscate or OSRipper tooling.\r\nInvisibleFerret consists of three primary components:\r\n1. The core RAT, built for cross-platform operation, conducts system reconnaissance and maintains a\r\npersistent C2 session using length-prefixed JSON messages. It supports capabilities such as remote shell\r\nexecution, file search and download, collection of environment configuration files, browser-process\r\ntermination, and on-demand staging of additional payloads.\r\n2. 
The Windows keylogger uses Python libraries, including pyWinhook, pyperclip, psutil, and pywin32, to\r\ncapture keystrokes, mouse activity, active window information, and clipboard content. This information is\r\naggregated in a global buffer for exfiltration to the C2 server. Collected data is not saved to disk.\r\n3. The browser credential stealer operates as a standalone Python program capable of enumerating up to 120\r\nprofiles across Chromium-family browsers. It retrieves and derives local decryption keys using Windows\r\nDPAPI, Linux secret storage, or macOS Keychain/PBKDF2 to decrypt stored credentials and payment\r\ndata. The decrypted information is transmitted in plaintext via HTTP POST requests to the /keys\r\nendpoint of the C2 server. This stealer does not work against Chrome's app-bound encryption and therefore\r\ncannot extract passwords from Chrome 127 and later on Windows, where app-bound encryption is used.\r\nCapabilities and Commands\r\nInvisibleFerret conducts system fingerprinting immediately after execution, collecting OS details, hostname,\r\nusername, and a unique host identifier derived from the SHA-256 hash of the system’s MAC address and\r\nusername. It also gathers internal and external IP addresses, ISP information, geolocation coordinates, region, and\r\ntimezone using external queries to ip-api[.]com. 
This data is promptly transmitted to its C2 infrastructure via\r\nthe /keys endpoint, enabling operators to profile infected hosts for subsequent tasking.\r\n{\r\n \"sys_info\": {\r\n \"uuid\": \"1ddb90ee672c86e09168792871f6d6d00919b57d24da98d91764e292e765cd29\",\r\n \"system\": \"Windows\",\r\n \"release\": \"10\",\r\n \"version\": \"10.0.19041\",\r\n \"hostname\": \"xxxxx\",\r\n \"username\": \"xxxxx\"\r\n },\r\n \"net_info\": {\r\n \"lat\": 36.1539,\r\n \"lon\": -95.9927,\r\n \"zip\": \"\",\r\n \"isp\": \"Google LLC\",\r\n \"city\": \"Tulsa\",\r\n \"query\": \"107.167.165.11\",\r\n \"country\": \"United States\",\r\n \"timezone\": \"America/Chicago\",\r\n \"regionName\": \"Oklahoma\",\r\n \"internalIp\": \"\"\r\n }\r\n}\r\nFigure 10: InvisibleFerret system information data sent to C2 (Source: Recorded Future)\r\nWhen traversing the directory of the infected machine, InvisibleFerret uses exclusion lists to enumerate files\r\nsuitable for data exfiltration, while minimizing bandwidth consumption. The enumeration process applies two\r\nprimary filtering criteria: file extensions must not be present in the ex_files exclusion list, and file sizes must\r\nnot exceed 104,857,600 bytes (100 MB). 
Directory traversal is similarly filtered against the ex_dirs list.\r\nInvisibleFerret prioritizes document files, configuration files, and source code, while systematically excluding\r\nlow-value artifacts that would unnecessarily consume network bandwidth and C2 storage resources.\r\nFigure 11: InvisibleFerret file and directory exclusion lists (Source: Recorded Future)\r\nOn Windows systems, InvisibleFerret deploys an auxiliary keylogging component that hooks keyboard and mouse\r\ninputs, records the active process and window title, and captures clipboard contents during copy or paste\r\noperations. These logs are stored in a global buffer (e_buf) for on-demand exfiltration through a designated C2\r\ncommand.\r\nThe InvisibleFerret commands are detailed in Table 3.\r\nssh_obj: Executes an arbitrary shell command\r\nssh_cmd: Kills Python interpreters (taskkill /IM /F python.exe on Windows; killall python on Unix)\r\nssh_clip: Exfiltrates the keylogger buffer e_buf (keys, mouse clicks, clipboard, window context) to the C2, then clears the buffer\r\nssh_run: Downloads and executes the browser stealer\r\nssh_upload: Exfiltrates files via an HTTP POST to the endpoint /uploads; there are three upload modes: directory (sdir), single file (sfile), or pattern matching (sfind)\r\nssh_kill: Terminates browsers (Chrome/Brave) to release locks prior to theft. On Windows: taskkill /IM chrome.exe /F and taskkill /IM brave.exe /F. On Linux: killall Google\\ Chrome and killall Brave\\ Browser\r\nssh_any: Stages and executes the AnyDesk helper\r\nssh_env: Enumerates and exfiltrates .env files across drives. On Windows, for each drive letter key: dir /b /s \u003ckey\u003e:\\*.env | findstr /v /i \"node_modules .css .svg readme license robots vendor Pods .git .github .node-gyp .nvm debug .local .cache .pyp .pyenv next.config .qt .dex __pycache__ tsconfig.json tailwind.config svelte.config vite.config webpack.config postcss.config prettier.config angular-config.json yarn .gradle .idea .htm .html .cpp .h .xml .java .lock .bin .dll .pyi\". On Linux: find ~/ -type d -name \"node_modules .css .svg readme license robots vendor Pods .git .github .node-gyp .nvm debug .local .cache .pyp .pyenv next.config .qt .dex __pycache__ tsconfig.json tailwind.config svelte.config vite.config webpack.config postcss.config prettier.config angular-config.json yarn .gradle .idea .htm .html .cpp .h .xml .java .lock .bin .dll .pyi\" -prune -o -name *.env -print (because the whole exclusion list is passed as a single -name pattern, the prune matches no real directory name and the Linux variant walks the entire home directory)\r\nTable 3: InvisibleFerret RAT commands and descriptions (Source: Recorded Future)\r\nChromium-Based Stealer Module\r\nOne of the modules InvisibleFerret downloads is a browser stealer targeting Chromium-based browsers, including\r\nChrome, Brave, Opera, Yandex, and Edge on Windows, Linux, and macOS systems. The malware focuses on\r\nharvesting browser-stored credentials and payment card information, which it exfiltrates in plaintext via HTTP\r\nPOST requests to the /keys path of the C2 server. 
The stealer performs an enumeration of up to 120 browser\r\nprofiles per browser to ensure maximum coverage of stored credentials across multi-profile configurations.\r\nThe module mirrors common open-source Chromium credential stealers.\r\nOn Windows, it reads the Local State file to Base64-decode the os_crypt.encrypted_key, strips the\r\nDPAPI prefix, unwraps the master key with CryptUnprotectData, then decrypts the Login Data\r\n(password manager) files using Chrome’s v80+ AES-GCM layout as documented in a public proof-of-concept.\r\nOn Linux, it uses secretstorage to read the browser’s “Safe Storage” item (historically defaulting to\r\n“peanuts” when no keyring is available) and derives a 16-byte key using PBKDF2-HMAC-SHA1 (1 iteration) and the salt “saltysalt” for AES-CBC decryption,\r\nmatching widely shared examples and code.\r\nOn macOS, the command security 2\u003e\u00261 \u003e /dev/null find-generic-password -ga is run to obtain the\r\nSafe Storage secret and derive the decryption key with PBKDF2-HMAC-SHA1 (1003 iterations) before\r\nAES-CBC decryption, which aligns with long-standing reports.\r\nSimilar multi-browser, multi-profile enumeration and decryption logic is present in LaZagne and other\r\ncross-platform extractors, indicating the code is very likely derived from such sources.\r\nCommand-and-Control Protocol\r\nInvisibleFerret splits control and collection across two services:\r\n1. A persistent, raw TCP interactive channel using a simple 4-byte big-endian length header followed by\r\nUTF-8 JSON.\r\n2. An HTTP service with various endpoints for initial beaconing, sending system information, exfiltration, and\r\npayload delivery. All transmissions observed are in plaintext.\r\nFigure 12 illustrates the dual-channel C2 structure described above. 
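The persistent channel's framing (4-byte big-endian length, then UTF-8 JSON) and a client-side handler for the ssh_obj command, as an added example that is not InvisibleFerret's code or code from the report. The shell is replaced by a constructed lookup so the example runs offline, the admin value c2_admin is the one shown in Figure 13, and the code and admin fields follow the report's description of the protocol. A reader that tolerates frames split across TCP reads is included because all observed traffic is plaintext, so the same parser works on the TCP payload of a capture.

```python
import json
import struct


def frame(message: dict) -> bytes:
    '''Encode one message: 4-byte big-endian length, then UTF-8 JSON.'''
    body = json.dumps(message).encode('utf-8')
    return struct.pack('>I', len(body)) + body


def unframe_all(stream: bytes):
    '''Parse every complete frame in a byte stream and return the parsed
    messages plus the unconsumed tail, so a reader that sees partial
    frames across TCP reads can prepend the tail to the next chunk.'''
    messages = []
    offset = 0
    while len(stream) - offset >= 4:
        (length,) = struct.unpack_from('>I', stream, offset)
        if len(stream) - offset - 4 < length:
            break  # incomplete frame: wait for more bytes
        body = stream[offset + 4:offset + 4 + length]
        messages.append(json.loads(body.decode('utf-8')))
        offset += 4 + length
    return messages, stream[offset:]


def handle_ssh_obj(task: dict, run) -> dict:
    '''Client side of code 1 (ssh_obj): run the command and return its
    output under the same code and admin value so the server can match
    the reply to the task it issued.'''
    args = task['args']
    return {'code': 1, 'args': {'admin': args['admin'], 'output': run(args['cmd'])}}


def fake_shell(cmd: str) -> str:
    '''Constructed stand-in for the real shell (keeps the example offline).'''
    return {'whoami': 'analyst'}.get(cmd.strip(), '')


def read_session(chunks) -> list:
    '''Feed arbitrarily split chunks (as a socket or a capture would yield
    them) through unframe_all, carrying the partial tail forward.'''
    messages, tail = [], b''
    for chunk in chunks:
        parsed, tail = unframe_all(tail + chunk)
        messages.extend(parsed)
    return messages
```

read_session is the detection-side piece: pointed at a reassembled TCP stream it yields the JSON tasking in both directions, and a length prefix that does not match a JSON body, or a body without code and admin fields, is a quick way to rule this protocol out.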
The malware maintains two active C2\r\nchannels that operate concurrently to manage the infection lifecycle and data exfiltration.\r\nThe HTTP channel handles initial system beacons, payload delivery, and data exfiltration through endpoints\r\n/keys, /uploads, /brow, and /adc. In parallel, the persistent TCP channel sustains a long-lived session for\r\ninteractive tasking via a structured command loop.\r\nFrom the persistent connection, the C2 server can issue operational commands, such as ssh_obj (remote shell\r\nexecution), ssh_upload (file exfiltration), or ssh_env (environment file theft), which direct the client to\r\nperform additional actions or interact with the HTTP endpoints for staged downloads and uploads.\r\nFigure 12: InvisibleFerret C2 HTTP and TCP communication channels (Source: Recorded Future)\r\nPersistent Channel\r\nData transmitted on the persistent channel adheres to a custom protocol, which includes a 4-byte big-endian length\r\nheader followed by UTF-8 JSON. While the fields of the JSON object vary depending on the command, they all\r\ninclude a “code” field that identifies the command (the same code is echoed in the response that carries its output), as well as an “admin” field for\r\nID/session tracking. Figure 13 shows the command 1 (ssh_obj), which executes a command. 
In this case, the\r\ncommand whoami is run, and the output is returned.\r\nC2 sends command to victim\r\n{\"code\": 1, \"args\": {\"admin\": \"c2_admin\", \"cmd\":\" whoami\"}}\r\nVictim response to C2\r\n{\"code\": 1, \"args\": {\"admin\": \"c2_admin\", \"output\": \"desktop-oe4499i\\\\admin\\r\\n\"}}\r\nFigure 13: InvisibleFerret whoami command sent to infected host (Source: Recorded Future)\r\nHTTP Channel\r\nThe HTTP C2 channel uses multiple endpoints to conduct initial beaconing, transmit system information, facilitate\r\ndata exfiltration, and deliver payloads. All observed communications occur in plaintext.\r\nInitial beacon (/keys): Executes an HTTP POST request to the /keys endpoint containing a timestamp\r\n(ts), along with hard-coded parameters (type and hid). The request also includes the output of the\r\nsys_info function, which gathers details such as the OS version, system hostname, username, and UUID.\r\nAdditionally, the beacon transmits geolocation data, including the public IP address, internet service\r\nprovider, approximate physical location, and timezone.\r\nFigure 14: InvisibleFerret HTTP POST initialization to C2 (Source: Recorded Future)\r\nDownload browser module (/brow): Downloads the browser stealer to ~/.n2/bow\r\nDownload AnyDesk module (/adc): Downloads the AnyDesk software to ~/.n2/adc;\r\nPurpleBravo has previously been observed installing AnyDesk on victim machines post-compromise\r\nFile exfiltration (/uploads): Exfiltrates files or directories using an HTTP POST request to the\r\n/uploads endpoint using multipart form data with the tag uts; file names are prefixed with an epoch\r\ntimestamp\r\nFigure 15: InvisibleFerret HTTP POST uploads to C2 (Source: Recorded Future)\r\nNetwork Intelligence\r\nUsing Recorded Future Network Intelligence, Insikt Group identified 3,136 individual IP addresses linked 
to likely targets of PurpleBravo activity from August 2024 to September 2025, with a significant concentration in South Asia and North America. PurpleBravo has consistently targeted individuals working for entities in South Asia throughout 2025. Insikt Group notes this is based on Recorded Future’s visibility, and a complete picture of PurpleBravo activity could look different. While PurpleBravo targets software developers with fictitious job offers, Insikt Group has observed evidence of candidates taking malicious coding challenges on corporate devices, thereby compromising their employers. Many of these organizations are in the IT services space, including IT staff augmentation services. While organizations around the world are focused on the PurpleDelta threat, identifying and preventing fraudulent IT workers from gaining employment, Insikt Group assesses that the IT software supply chain is just as vulnerable to infiltration by North Korean state-sponsored threats.\r\nFigure 16: Map of likely PurpleBravo targets by number (Source: Recorded Future)\r\nAmong the likely targets of PurpleBravo activity, Insikt Group identified twenty potential victim organizations based on network communications. The organizations are in the AI, cryptocurrency, financial services, IT services, marketing, and software development industries in Belgium, Bulgaria, Costa Rica, India, Italy, the Netherlands, Pakistan, Romania, the United Arab Emirates (UAE), and Vietnam. Many of these organizations advertise large customer bases, presenting an acute supply-chain risk to companies outsourcing work in these regions.\r\nAdministration Communications\r\nRecorded Future observed administrative communications to PurpleBravo C2 servers from multiple IP addresses, including 151 Astrill VPN nodes (see Appendix C). 
In some cases, administrative communications were observed from a single Astrill VPN node to up to six different C2 servers. Insikt Group and other cybersecurity vendors have previously observed PurpleBravo operators and PurpleDelta operators using Astrill VPN in their operations. Recorded Future also observed IP addresses from autonomous systems in China communicating with BeaverTail C2 administration ports in July and August 2025, including some geolocated to Changchun and Siping in Jilin province, near the North Korean border, where North Korean threat groups are known to operate (see Appendix D).\r\nPurpleBravo and PurpleDelta Overlap\r\nAs mentioned previously, some organizations track PurpleBravo and PurpleDelta as the same campaign, while other reporting keeps the groups separate. Insikt Group has also chosen to keep the groups separate but has observed several points of overlap. For example, in September 2025, researchers at SentinelOne identified the email address hundredup2023[@]gmail[.]com, which had been unintentionally exposed in a script on a PurpleBravo (Contagious Interview) malware distribution server. Using Recorded Future Identity Intelligence, Insikt Group determined that the individual behind the address is also highly likely to be a PurpleDelta operator. The owner of the email address hundredup2023[@]gmail[.]com was observed using AnyDesk remote desktop software and Astrill VPN, two applications commonly used by PurpleDelta. We also observed the process CallRI[.]exe, very likely an internal chat tool used between PurpleDelta operators, running on the system. 
Moreover, while the system time, pattern of life, and virtual private server (VPS) suggest the operator was using personas located in Eastern Europe, the operator consistently used the Hong Kong version of Google with simplified Chinese, suggesting they were physically located in East Asia.\r\nThe infostealer log showed the operator was consistently interested in remote Golang software development jobs in the United States. Insikt Group observed the operator attempting to use the SSN24 service, an automated dark web shop that specializes in the sale of compromised personally identifiable information (PII), along with multiple Telegram channels that sell LinkedIn and Upwork accounts. Insikt Group also observed evidence that the operator used the cryptocurrency exchange MEXC. The operator was also seen using proxy-seller[.]com, powervps[.]net, residentialvps[.]com, lunaproxy[.]com, and sms-activate[.]io, likely to purchase infrastructure. At least two AI tools, Perplexity and ChatGPT, assisted the operator in crafting job-related emails and providing guidance for job applications on Upwork, a freelance jobs website. The operator also installed the LazyApply browser extension, a tool that automates job applications on multiple job websites.\r\nInsikt Group observed the following additional email addresses being used on the same system:\r\naaron19101301[@]gmail[.]com\r\ncryptofan1013[@]gmail[.]com\r\ntechsavvy001013[@]outlook[.]com\r\ndomin61013[@]outlook[.]com\r\nrico.gonzalez1013[@]gmail[.]com\r\nInsikt Group also observed an email address on the operator's system that appears to be for a legitimate software development company in Romania. 
It is unclear whether the operator was employed by the organization or was merely imitating it; however, the overlap in names between the personal Gmail address above and the Breakpoint IT email suggests a connection.\r\nThe names Aaron Porchia, Aaron Taylor, and Aaron Ham were frequently seen, along with what appears to be a Korean name, Ham Gon Il (함건일). Insikt Group was unable to definitively determine whether the Korean name is also being used as a persona. The operator uses a GitHub account with the username “domin191013” that is active at the time of this writing. Among the GitHub users “domin191013” follows is the profile “adonistoday”, an account that displays many common characteristics of a PurpleDelta operator. Pivoting on the profile “adonistoday”, that user in turn follows a known PurpleDelta GitHub persona, “smartdev022”. These links highlight additional overlap with known PurpleDelta operations.\r\nData from Recorded Future Identity Intelligence shows the PurpleBravo operator potentially connected to a remote desktop session hosted on the IP address 135[.]181[.]7[.]162 with the GitHub profile “domin191013” open in the web browser. At the time of access, the GitHub profile used the alias “Aaron”, which is consistent with the email address and names seen above; however, the profile currently uses the alias “Boris”, as shown in Figure 17.\r\nFigure 17: Screenshot of GitHub profile “domin191013” used by PurpleBravo operator (Source: GitHub)\r\nThe PurpleBravo operator was also observed with an online meeting application called “CoolEx” open, which has been flagged as a malicious scam in open sources. In their web browsing history, they navigated to a Telegram chat with a user who had previously been observed spreading malware via the CoolEx scam and then to a likely fake CoolEx meeting link. 
It is unclear whether the PurpleBravo operator was compromised by this scam; however, given that the individual has a CoolEx application on their system, Insikt Group assesses it is likely that they installed the malicious application.\r\nFigure 18: PurpleBravo operator’s remote desktop from the Recorded Future Identity data showing the GitHub profile “domin191013” and the likely malicious online meeting application “CoolEx” (Source: Recorded Future)\r\nNetwork Intelligence\r\nInsikt Group observed the IP address 188[.]43[.]33[.]252 communicating with three PurpleBravo C2 servers (Table 4). While Insikt Group was unable to determine the exact nature of the communications, we assess that PurpleBravo operators were likely testing their C2 infrastructure from this IP address. The IP address 188[.]43[.]33[.]252 is assigned to Joint Stock Company Transtelecom and geolocated to Russia. The same Transtelecom IP address is also associated with PurpleDelta activity.\r\nTranstelecom IP address: 188[.]43[.]33[.]252\r\nPurpleBravo C2 servers: 66[.]235[.]175[.]117, 67[.]203[.]7[.]205, 66[.]235[.]175[.]109\r\nTable 4: Observed PurpleBravo C2 servers communicating with Transtelecom IP address (Source: Recorded Future)\r\nPrevious Insikt Group reporting has also revealed occasional overlaps between PurpleBravo and PurpleDelta activity, with at least one PurpleBravo-linked individual operating a PurpleDelta-linked GitHub persona. The extensive evidence above that the operator in control of the email hundredup2023[@]gmail[.]com is a member of PurpleDelta, together with the commonalities in network traffic, strongly suggests an overlap between the groups.\r\nMitigations\r\n1. 
Use Recorded Future Threat Intelligence: Recorded Future customers can proactively mitigate this threat by operationalizing Recorded Future Intelligence Operations Platform data, specifically by leveraging continuously updated Risk Lists and by blocklisting IP addresses associated with PurpleBravo C2 servers to block communication with malicious infrastructure.\r\n2. Use Recorded Future Network Intelligence: Leverage Recorded Future’s Malicious Traffic Analysis events to proactively identify servers involved in PurpleBravo activity, along with targeted infrastructure and attack techniques, powered by Network Intelligence and other proprietary methodologies.\r\n3. Use Recorded Future Reporting: Configure alerts in the Recorded Future Intelligence Operations Platform to track Insikt Group reporting on PurpleBravo activity.\r\n4. Maintain a dedicated watchlist for PurpleBravo campaign indicators of compromise (IoCs), hosting providers, Astrill VPN nodes, and lure brands.\r\n5. Block direct-to-IP HTTP/S traffic to non-standard ports such as 1224 and 1244, which are commonly abused for C2 in PurpleBravo operations.\r\n6. Restrict npm install and go get to allowlisted registries and mirror caches with malware scanning; for third-party code in critical repositories, require SLSA provenance attestations, which are documents that capture metadata about a software artifact, recording where, when, and by what process it was produced.\r\n7. Hunt for Base64 decoding and XOR loops in JavaScript files touched within developer profiles; flag repositories whose changes introduce such code.\r\n8. Build detections for Go binaries that embed HackBrowserData artifacts or that access multiple browser profiles in under 60 seconds.\r\n9. 
Require contractors to use company-managed, endpoint detection and response (EDR)-enrolled devices or secure virtual desktop infrastructure (VDI); do not permit bring your own device (BYOD) for developer roles.\r\n10. Provide security awareness training to employees on common PurpleBravo approaches, social engineering themes, and tactics, techniques, and procedures (TTPs); establish and communicate clear routes for employees to safely report suspicious external outreach or potential malware infections to internal security teams.\r\nOutlook\r\nPurpleBravo has maintained a high operational tempo since the group was first publicly uncovered in November 2023. The amount of PurpleBravo infrastructure evident as of the time of this report suggests that the group has achieved success in its operations and will likely continue at a similar pace in the near term. While the group’s widespread targeting of software developers is global in scope, as seen in this report, the group has also significantly targeted the South Asia region. Similarly, although cryptocurrency theft may be the group’s primary focus, many of the compromised organizations operate in other areas, namely software development and IT services. This presents an acute supply-chain risk to organizations that rely on individual contractors or outsource their IT services work. 
While the North Korean IT worker employment threat has been widely publicized, the PurpleBravo supply-chain risk deserves equal attention so organizations can prepare, defend, and prevent sensitive data leakage to North Korean threat actors.\r\nAppendix A: Diamond Model\r\nAppendix B: C2 Servers\r\nBeaverTail C2 Servers:\r\n14[.]37[.]47[.]13\r\n23[.]106[.]70[.]154\r\n23[.]227[.]202[.]244\r\n38[.]92[.]47[.]85\r\n38[.]92[.]47[.]91\r\n38[.]92[.]47[.]118\r\n38[.]92[.]47[.]151\r\n38[.]92[.]47[.]152\r\n38[.]92[.]47[.]155\r\n45[.]43[.]11[.]201\r\n45[.]59[.]163[.]23\r\n45[.]59[.]163[.]56\r\n45[.]61[.]128[.]61\r\n45[.]61[.]133[.]110\r\n45[.]61[.]135[.]4\r\n45[.]61[.]150[.]30\r\n45[.]61[.]160[.]28\r\n45[.]61[.]165[.]45\r\n66[.]235[.]168[.]17\r\n66[.]235[.]168[.]232\r\n66[.]235[.]168[.]238\r\n66[.]235[.]175[.]109\r\n66[.]235[.]175[.]117\r\n67[.]203[.]7[.]163\r\n67[.]203[.]7[.]200\r\n67[.]203[.]7[.]205\r\n88[.]218[.]0[.]78\r\n107[.]189[.]24[.]80\r\n144[.]172[.]95[.]226\r\n144[.]172[.]100[.]124\r\n144[.]172[.]100[.]142\r\n144[.]172[.]102[.]21\r\n144[.]172[.]102[.]148\r\n144[.]172[.]103[.]97\r\n144[.]172[.]104[.]113\r\n144[.]172[.]105[.]189\r\n144[.]172[.]105[.]235\r\n144[.]172[.]106[.]7\r\n144[.]172[.]106[.]133\r\n144[.]172[.]109[.]98\r\n144[.]172[.]109[.]155\r\n144[.]172[.]112[.]106\r\n146[.]70[.]253[.]107\r\n147[.]124[.]197[.]138\r\n147[.]124[.]212[.]125\r\n147[.]124[.]213[.]19\r\n147[.]124[.]213[.]232\r\n147[.]124[.]214[.]129\r\n147[.]124[.]214[.]131\r\n147[.]124[.]214[.]237\r\n165[.]140[.]85[.]105\r\n165[.]140[.]86[.]154\r\n165[.]140[.]86[.]160\r\n165[.]140[.]86[.]181\r\n165[.]140[.]86[.]227\r\n172[.]86[.]73[.]198\r\n172[.]86[.]109[.]49\r\n172[.]86[.]113[.]115\r\n172[.]86[.]116[.]90\r\n172[.]86[.]123[.]55\r\n176[.]222[.]52[.]77\r\n216[.]126[.]229[.]166\r\nGolangGhost C2 Servers:\r\n31[.]57[.]243[.]29\r\n31[.]57[.]243[.]55\r\n31[.]57[.]243[.]190\r\n38[.]134[.]148[.]218\r\n38[.]146[.]28[.]177\r\n63[.]176[.]219[.]134\r\n151[.]243[.]101[.]229\r\n154[.]58[.]204[.]15\r\n154[.]62[.]226[.]22\r\n158[.]62[.]198[.]177\r\n173[.]211[.]70[.]246\r\n206[.]206[.]127[.]80\r\n206[.]206[.]127[.]135\r\n212[.]81[.]47[.]217\r\nAppendix C: Astrill VPN Nodes\r\nAstrill VPN Nodes:\r\n5[.]42[.]206[.]34\r\n23[.]104[.]209[.]6\r\n23[.]106[.]161[.]1\r\n23[.]106[.]169[.]120\r\n23[.]160[.]56[.]155\r\n23[.]228[.]120[.]12\r\n23[.]237[.]33[.]110\r\n23[.]237[.]102[.]130\r\n31[.]7[.]63[.]94\r\n37[.]120[.]151[.]162\r\n37[.]120[.]154[.]98\r\n37[.]120[.]210[.]2\r\n38[.]170[.]181[.]10\r\n38[.]246[.]149[.]2\r\n38[.]32[.]68[.]195\r\n38[.]75[.]136[.]211\r\n38[.]75[.]137[.]97\r\n38[.]75[.]137[.]213\r\n43[.]230[.]201[.]57\r\n43[.]230[.]201[.]68\r\n45[.]126[.]210[.]144\r\n45[.]145[.]68[.]10\r\n45[.]250[.]255[.]59\r\n45[.]250[.]255[.]140\r\n45[.]86[.]208[.]162\r\n50[.]2[.]184[.]50\r\n50[.]7[.]159[.]34\r\n50[.]7[.]251[.]66\r\n50[.]118[.]211[.]10\r\n51[.]195[.]140[.]214\r\n60[.]234[.]42[.]250\r\n60[.]249[.]92[.]67\r\n61[.]218[.]132[.]193\r\n61[.]218[.]138[.]181\r\n61[.]219[.]114[.]7\r\n61[.]221[.]116[.]19\r\n61[.]221[.]116[.]28\r\n61[.]221[.]116[.]109\r\n63[.]143[.]61[.]57\r\n64[.]32[.]17[.]130\r\n66[.]115[.]157[.]242\r\n66[.]150[.]196[.]58\r\n66[.]187[.]75[.]186\r\n67[.]43[.]48[.]10\r\n67[.]43[.]49[.]10\r\n67[.]43[.]54[.]10\r\n70[.]36[.]99[.]82\r\n74[.]63[.]233[.]50\r\n74[.]222[.]14[.]74\r\n74[.]222[.]14[.]83\r\n77[.]247[.]126[.]189\r\n80[.]90[.]48[.]191\r\n82[.]103[.]129[.]80\r\n82[.]223[.]120[.]180\r\n84[.]17[.]38[.]140\r\n84[.]17[.]41[.]94\r\n85[.]195[.]72[.]66\r\n85[.]195[.]119[.]90\r\n89[.]163[.]154[.]155\r\n89[.]187[.]161[.]180\r\n89[.]187[.]161[.]220\r\n89[.]187[.]185[.]11\r\n91[.]207[.]174[.]99\r\n91[.]207[.]206[.]10\r\n91[.]221[.]66[.]87\r\n91[.]239[.]130[.]102\r\n94[.]46[.]23[.]20\r\n95[.]143[.]193[.]150\r\n95[.]216[.]14[.]148\r\n103[.]6[.]219[.]221\r\n103[.]16[.]228[.]16\r\n103[.]50[.]33[.]16\r\n103[.]111[.]113[.]26\r\n103[.]125[.]234[.]62\r\n103[.]125[.]234[.]107\r\n103[.]125[.]234[.]161\r\n103[.]125[.]234[.]210\r\n103[.]130[.]145[.]210\r\n103[.]157[.]217[.]145\r\n103[.]172[.]26[.]58\r\n103[.]214[.]44[.]138\r\n104[.]168[.]14[.]206\r\n104[.]223[.]63[.]2\r\n104[.]223[.]87[.]12\r\n104[.]250[.]131[.]79\r\n104[.]250[.]148[.]58\r\n107[.]150[.]38[.]250\r\n107[.]167[.]25[.]130\r\n107[.]167[.]244[.]42\r\n107[.]172[.]97[.]67\r\n108[.]181[.]41[.]234\r\n118[.]107[.]244[.]171\r\n125[.]227[.]75[.]208\r\n125[.]227[.]80[.]190\r\n125[.]227[.]82[.]145\r\n125[.]227[.]90[.]115\r\n129[.]232[.]193[.]253\r\n134[.]195[.]197[.]175\r\n142[.]214[.]202[.]2\r\n155[.]94[.]199[.]59\r\n158[.]255[.]76[.]195\r\n162[.]251[.]62[.]70\r\n162[.]251[.]70[.]66\r\n166[.]0[.]190[.]170\r\n167[.]160[.]181[.]2\r\n167[.]88[.]61[.]117\r\n167[.]88[.]61[.]148\r\n169[.]38[.]75[.]87\r\n169[.]38[.]98[.]22\r\n170[.]178[.]177[.]178\r\n172[.]96[.]141[.]172\r\n173[.]232[.]230[.]137\r\n173[.]254[.]200[.]134\r\n178[.]159[.]7[.]34\r\n178[.]175[.]128[.]98\r\n185[.]65[.]205[.]130\r\n185[.]135[.]76[.]89\r\n185[.]135[.]76[.]115\r\n185[.]152[.]67[.]39\r\n185[.]183[.]104[.]67\r\n185[.]245[.]80[.]217\r\n192[.]74[.]247[.]161\r\n192[.]119[.]10[.]67\r\n192[.]161[.]60[.]132\r\n193[.]19[.]205[.]26\r\n194[.]33[.]45[.]162\r\n195[.]146[.]5[.]31\r\n198[.]2[.]228[.]23\r\n198[.]23[.]148[.]18\r\n199[.]168[.]112[.]175\r\n199[.]168[.]113[.]31\r\n202[.]87[.]221[.]237\r\n204[.]44[.]96[.]131\r\n204[.]152[.]202[.]111\r\n205[.]234[.]203[.]122\r\n206[.]206[.]127[.]135\r\n208[.]98[.]44[.]2\r\n208[.]115[.]228[.]234\r\n209[.]127[.]228[.]186\r\n211[.]21[.]6[.]136\r\n211[.]21[.]6[.]181\r\n211[.]22[.]147[.]226\r\n211[.]22[.]184[.]184\r\n211[.]72[.]35[.]109\r\n211[.]72[.]35[.]118\r\n211[.]72[.]116[.]247\r\n211[.]75[.]42[.]136\r\n211[.]75[.]74[.]223\r\n212[.]129[.]10[.]242\r\n216[.]45[.]56[.]2\r\n216[.]227[.]145[.]218\r\n217[.]138[.]212[.]194\r\nAppendix D: IP Ranges in China Observed Administering PurpleBravo Infrastructure\r\nIP Address Ranges in China:\r\n36[.]35[.]56[.]0/24\r\n36[.]49[.]207[.]0/24\r\n36[.]49[.]222[.]0/24\r\n36[.]49[.]223[.]0/24\r\n36[.]104[.]22[.]0/24\r\n36[.]104[.]38[.]0/24\r\n36[.]104[.]182[.]0/24\r\n39[.]144[.]101[.]0/24\r\n42[.]97[.]230[.]0/24\r\n106[.]41[.]253[.]0/24\r\n106[.]41[.]254[.]0/24\r\n116[.]142[.]9[.]0/24\r\n116[.]142[.]10[.]0/24\r\n123[.]173[.]202[.]0/24\r\n223[.]104[.]143[.]0/24\r\n223[.]104[.]144[.]0/24\r\nSource: https://www.recordedfuture.com/research/purplebravos-targeting-it-software-supply-chain",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.recordedfuture.com/research/purplebravos-targeting-it-software-supply-chain"
	],
	"report_names": [
		"purplebravos-targeting-it-software-supply-chain"
	],
	"threat_actors": [
		{
			"id": "32e2c6f9-a1f5-42bc-ac1d-5d9dc301cf0e",
			"created_at": "2025-08-07T02:03:25.078429Z",
			"updated_at": "2026-04-10T02:00:03.811418Z",
			"deleted_at": null,
			"main_name": "NICKEL ALLEY",
			"aliases": [
				"CL-STA-0240 ",
				"Purplebravo Recorded Future",
				"Storm-1877 ",
				"Tenacious Pungsan "
			],
			"source_name": "Secureworks:NICKEL ALLEY",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7187a642-699d-44b2-9c69-498c80bce81f",
			"created_at": "2025-08-07T02:03:25.105688Z",
			"updated_at": "2026-04-10T02:00:03.78394Z",
			"deleted_at": null,
			"main_name": "NICKEL TAPESTRY",
			"aliases": [
				"CL-STA-0237 ",
				"CL-STA-0241 ",
				"DPRK IT Workers",
				"Famous Chollima ",
				"Jasper Sleet Microsoft",
				"Purpledelta Recorded Future",
				"Storm-0287 ",
				"UNC5267 ",
				"Wagemole "
			],
			"source_name": "Secureworks:NICKEL TAPESTRY",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d05e8567-9517-4bd8-a952-5e8d66f68923",
			"created_at": "2024-11-13T13:15:31.114471Z",
			"updated_at": "2026-04-10T02:00:03.761535Z",
			"deleted_at": null,
			"main_name": "WageMole",
			"aliases": [
				"Void Dokkaebi",
				"WaterPlum",
				"PurpleBravo",
				"Famous Chollima",
				"UNC5267",
				"Wagemole",
				"Nickel Tapestry",
				"Storm-1877"
			],
			"source_name": "MISPGALAXY:WageMole",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ef59a0d9-c556-4448-8553-ed28f315d352",
			"created_at": "2025-06-29T02:01:57.047978Z",
			"updated_at": "2026-04-10T02:00:04.744218Z",
			"deleted_at": null,
			"main_name": "Operation Contagious Interview",
			"aliases": [
				"Jasper Sleet",
				"Nickel Tapestry",
				"Operation Contagious Interview",
				"PurpleBravo",
				"Storm-0287",
				"Tenacious Pungsan",
				"UNC5267",
				"Wagemole",
				"WaterPlum"
			],
			"source_name": "ETDA:Operation Contagious Interview",
			"tools": [
				"BeaverTail",
				"InvisibleFerret",
				"OtterCookie",
				"PylangGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434691,
	"ts_updated_at": 1775826713,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0e48e9825441185e40534b234c0deaa825ad4976.pdf",
		"text": "https://archive.orkl.eu/0e48e9825441185e40534b234c0deaa825ad4976.txt",
		"img": "https://archive.orkl.eu/0e48e9825441185e40534b234c0deaa825ad4976.jpg"
	}
}