{
	"id": "88b17acc-79d8-40fe-b7c3-7740ea8fc983",
	"created_at": "2026-04-06T01:31:11.554932Z",
	"updated_at": "2026-04-10T13:12:59.457336Z",
	"deleted_at": null,
	"sha1_hash": "303d06804fd51deb7744b1b13831163be0a67998",
	"title": "PurpleFox Using WPAD to Target Indonesian Users",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1215100,
	"plain_text": "PurpleFox Using WPAD to Target Indonesian Users\r\nBy Trend Micro\r\nPublished: 2021-07-01 · Archived: 2026-04-06 00:57:12 UTC\r\nIn September 2020, we published a blog describing how the PurpleFox Exploit Kit used Cloudflare services to maintain an infrastructure resilient to blocking and detection attempts. Since then, PurpleFox has kept this strategy while at the same time improving its attack chain by incorporating the latest public vulnerabilities into its arsenal.\r\nRecently, we found that PurpleFox added a very old tactic to improve its delivery rate. This time PurpleFox EK is making use of WPAD domains to infect users. While WPAD abuse is a technique that has been around for approximately 14 years, it still works. Initiatives to prevent this attack help, but they are not sufficient.\r\nOur systems started detecting victims accessing the “wpad.id” domain, which uses the Indonesian country-code top-level domain (*.id). We did not find any other country-code top-level domain affected. Using this technique, a zero-click attack can be implemented, as the WPAD URL is accessed whenever the system starts, without any user input.\r\nPurpleFox WPAD landing page\r\nTo abuse WPAD, the PurpleFox authors registered the domain “wpad.id” with Cloudflare. They then serve the URL that WPAD clients request for their proxy configuration, http://wpad[.]id/wpad[.]dat. At the time of analysis, this returned a standalone JavaScript version of the CVE-2019-1367 exploit with custom shellcode that continues the attack chain set up for the WPAD attack. Figure 1 shows the WPAD resolution and malicious sample delivery.\r\nFigure 1. CVE-2019-1367 exploit delivery using WPAD\r\nhttps://www.trendmicro.com/en_us/research/21/g/purplefox-using-wpad-to-targent-indonesian-users.html\r\nPage 1 of 4\n\nFigure 2. The CVE-2019-1367 JavaScript standalone exploit\r\nThe custom shellcode downloads the next stage from the URL http://9kf[.]me/in[.]php?id=1.
The domain “9kf.me” was no longer accessible by the time we analyzed the samples, but we were able to find two more active domains, “2kf.me” and “6kf.me,” that served the same payload.\r\nFollowing the request logic, we retrieved the full chain used in this deployment. The PurpleFox chain is designed with multiple complicated stages abusing PowerShell and MSI files, as previously described by Trend Micro and other researchers. This post will not go into those details; we will limit ourselves to showing how the two domains are chained to deliver the full attack chain.\r\nFigure 3. The 2kf.me domain redirecting to 6kf.me\r\nThe domain resolution and access to the attack chain artifacts are all proxied through Cloudflare servers, as shown in Figure 4.\r\nFigure 4. The attack chain\r\nAnalysis of the full chain revealed that the following vulnerabilities were being exploited: CVE-2020-1054 and CVE-2018-8120, as well as MS15-051 (CVE-2015-1701). The binary exploiting MS15-051 leaks the symbol path C:\\Users\\K8team\\Desktop\\ms15-051\\ms15-051\\ms15-051\\Win32\\ms15-05, suggesting that PurpleFox is reusing tools from K8team, which maintains public repositories of CVE exploit proofs of concept and hacking tools.\r\nDefending against PurpleFox\r\nThe PurpleFox Exploit Kit continues to be very active and appears to be looking for new infection tactics. Our feedback shows that this specific attempt is not only affecting Indonesian victims: users in other countries who are using the Indonesian TLD (and therefore resolve wpad.id) are being affected as well.
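The WPAD lookup that makes this a zero-click attack is driven by the client's DNS suffix: a WPAD client builds candidate names of the form wpad.<suffix> from its own DNS suffix list, so a machine whose suffix is the bare .id TLD asks the public Internet for wpad.id and fetches whatever /wpad.dat that host serves. The Python script below is an added example written for this corpus entry, not code from the Trend Micro post; it scans proxy-log lines for the two things the post describes: WPAD fetches whose name does not fall under one of the organisation's internal DNS suffixes, and requests to the indicator domains listed at the end of the post. The log-line format, the internal suffixes (corp.example, lab.example), the function names and the sample log are all constructed for the example, and the check generalises beyond the single wpad.id case in the text to any WPAD name outside the internal suffixes.

```python
# Added example for this corpus entry, not code from the Trend Micro post.
# Flags WPAD (PAC) fetches that leave the organisation and hits on the
# report's indicator domains, from simplified proxy-log lines.
# Assumptions (constructed for the example): the log line format, the
# internal suffixes and the sample log below.

from urllib.parse import urlparse

# DNS suffixes where a WPAD answer is legitimate for this (hypothetical) org.
INTERNAL_SUFFIXES = ('corp.example', 'lab.example')

# Domains from the report's URL indicators (de-fanging brackets removed).
IOC_DOMAINS = frozenset(('wpad.id', '2kf.me', '6kf.me', '9kf.me'))

def host_of(url):
    '''Lower-cased host name of a URL, or an empty string if it has none.'''
    host = urlparse(url).hostname
    return host.lower().rstrip('.') if host else ''

def is_external_wpad(host):
    '''True when host is wpad.<suffix> and <suffix> is not an internal suffix.'''
    if not host.startswith('wpad.'):
        return False
    suffix = host[len('wpad.'):]
    return not any(suffix == s or suffix.endswith('.' + s)
                   for s in INTERNAL_SUFFIXES)

def classify(url):
    '''Reasons to alert on one URL, in a fixed order: 'ioc-domain',
    'external-wpad' and, when either applies to a PAC download, 'pac-fetch'.'''
    host = host_of(url)
    reasons = []
    if host in IOC_DOMAINS:
        reasons.append('ioc-domain')
    if is_external_wpad(host):
        reasons.append('external-wpad')
    if reasons and urlparse(url).path.lower().endswith('/wpad.dat'):
        # A PAC file served by such a host is the zero-click entry point.
        reasons.append('pac-fetch')
    return reasons

def scan(log_text):
    '''Parse lines of the form <time> <client-ip> <method> <url> <status>
    and return (client-ip, url, reasons) for every line that alerts.'''
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue   # skip blank or malformed lines rather than crash
        _time, client, _method, url, _status = fields
        reasons = classify(url)
        if reasons:
            hits.append((client, url, reasons))
    return hits

# Constructed sample log: one legitimate internal WPAD fetch, one WPAD fetch
# against the public .id TLD, one request to a second-stage domain and one
# unrelated request.
SAMPLE_LOG = '''
2021-06-30T08:00:01Z 10.0.0.5 GET http://wpad.corp.example/wpad.dat 200
2021-06-30T08:00:02Z 10.0.0.9 GET http://wpad.id/wpad.dat 200
2021-06-30T08:00:05Z 10.0.0.9 GET http://9kf.me/in.php?id=1 200
2021-06-30T08:00:07Z 10.0.0.5 GET http://www.example.org/ 200
'''

if __name__ == '__main__':
    for client, url, reasons in scan(SAMPLE_LOG):
        print(client, url, ', '.join(reasons))
```

Run as-is it prints the two flagged requests from 10.0.0.9. Against a real proxy log, only scan() needs adapting to the server's field layout; the external-WPAD check is the one that catches the next wpad.<public-tld> domain before it appears on any indicator list, so keep INTERNAL_SUFFIXES in step with the suffixes your DHCP and DNS actually hand out.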
At the same time, PurpleFox can reach servers where user interaction is minimal but which are still exposed to the WPAD technique, such as unattended machines.\r\nContinuous vigilance against threat groups is an important aspect of keeping up with — if not staying one step ahead of — threats. To protect systems from this type of threat, users can use multilayered security solutions like Trend Micro Protection Suites that help detect and block attacks. Trend Micro Vision One™️ also provides visibility, correlated detection, and behavior monitoring across multiple layers, such as emails, endpoints, servers, and cloud workloads. This ensures that no significant incidents go unnoticed and allows faster response to threats before they can do any real damage to the system.\r\nIndicators of Compromise\r\nFiles\r\nSHA256 Filename Trend Micro Detection Name\r\n1aa1df57f786224f4997f1d6284a123176291f3f3d43bc4b942ae423c58cc356 winupdate64.log Trojan.Win64.FUPORPL\r\n3039208b2a34bb2e71bc6a77ae3be2fa588abd359fdb0068253739f3839f3425 2020-09-09_16-25-29_764_raw.githack.store_P1-1-2_PurpleFox.exe.bak Trojan.Win32.CVE20188\r\n36725374d7ec66c9876eb1d5edc2a5889643e01dbd0ac7a6705babbc3c3ea6a9 M0011.cab Trojan.Win32.FUPORPL\r\n61113a0acd6469ce0d860db55c2afa3cdcbac2f5411fe8259cca43c10c042239 1505132.jpg TROJ_CVE20151701.B\r\n905cc7b3027cad361ae7a29969dfd7e63f8f1189d7e0abdf5b2efe0f1ec13e5c pe_1 Trojan.Win32.CVE20190\r\ndb7c4a360b460a13148d6e5fff530afaa0fa161959166cdab342d0aa9760ba68 sysupdate.log Backdoor.Win32.FUPOR\r\nf09c502f4b5862641b3c3eff19ae96d949fab465b3fddd1888fe945817c9e2fd N/A Trojan.Win32.FUPORPL\r\nURLs\r\nhttp://2kf[.]me/in[.]php\r\nhttp://6kf[.]me/in[.]php\r\nhttp://9kf[.]me/in[.]php\r\nSource: https://www.trendmicro.com/en_us/research/21/g/purplefox-using-wpad-to-targent-indonesian-users.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/21/g/purplefox-using-wpad-to-targent-indonesian-users.html"
	],
	"report_names": [
		"purplefox-using-wpad-to-targent-indonesian-users.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775439071,
	"ts_updated_at": 1775826779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/303d06804fd51deb7744b1b13831163be0a67998.pdf",
		"text": "https://archive.orkl.eu/303d06804fd51deb7744b1b13831163be0a67998.txt",
		"img": "https://archive.orkl.eu/303d06804fd51deb7744b1b13831163be0a67998.jpg"
	}
}