{
	"id": "407ddaee-0c2b-4bef-8bb2-95be3c81c887",
	"created_at": "2026-04-06T00:14:03.902248Z",
	"updated_at": "2026-04-10T03:20:31.012219Z",
	"deleted_at": null,
	"sha1_hash": "8fa36fcc66ab55540f8c88e82bdf20387d155824",
	"title": "Purple Fox Uses New Arrival Vector and Improves Malware Arsenal",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1392791,
	"plain_text": "Purple Fox Uses New Arrival Vector and Improves Malware Arsenal\r\nPublished: 2022-03-25 · Archived: 2026-04-05 13:15:18 UTC\r\nMalware\r\nPurple Fox is an old threat that has been making waves since 2018. This most recent investigation covers Purple Fox’s new arrival vector and early access loaders. Users’ machines seem to be targeted with malicious payloads masquerading as legitimate application installers.\r\nBy: Sherif Magdy, Abdelrhman Sharshar, Jay Yaneza Mar 25, 2022 Read time: 7 min (1835 words)\r\nWe have been continuously tracking the Purple Fox threat since it first made waves in 2018, when it reportedly infected over 30,000 users worldwide. In 2021 we covered how it downloaded and executed cryptocurrency miners, and how it continued to improve its infrastructure while also adding new backdoors.\r\nThis most recent investigation covers Purple Fox’s new arrival vector and the early access loaders we believe are associated with the intrusion set behind this botnet. Our data shows that users’ machines are targeted via trojanized software packages masquerading as legitimate application installers. The installers are actively distributed online to trick users and grow the overall botnet infrastructure. Other security companies have also reported on Purple Fox’s recent activities and their latest payloads.\r\nThe operators are updating their arsenal with new malware, including a variant of the remote access trojan FatalRAT that they seem to be continuously upgrading. They are also trying to improve their signed rootkit arsenal for antivirus (AV) evasion in order to bypass security detection mechanisms. These notable changes are covered in the sections below and further explained in our technical brief.\r\nPurple Fox infection chain and payload updates\r\nThe attackers distribute their malware using disguised software packages that encapsulate the first stage loader. They use popular legitimate application names like Telegram, WhatsApp, Adobe, and Chrome to hide their malicious package installers.\r\nThe installers include a specific single character (highlighted in Figure 1 as “A”) that corresponds to a specific payload. The second stage payload is selected by that single character, which is added to the request sent by the execution parent to the first stage command and control (C\u0026C) server (illustrated in detail in Figure 2 as “r”). The character is taken from the last character of the module filename; the first stage C\u0026C server then logs the execution timestamp sent in the request alongside the character. The single character determines which payloads will be sent back for the malicious installer to drop on the infected machine.\r\nhttps://www.trendmicro.com/en_us/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html\r\nPage 1 of 9\n\nFigure 1. Purple Fox infection chain\r\nFigure 2. Malicious installer requests the second stage payloads\r\nIn previous campaigns in 2019, HTTP file servers (HFS) were used by Purple Fox to run the C\u0026C servers that host files on the infected bots. In this most recent investigation, we found an exposed HFS that the Purple Fox group uses to host all the second stage samples with their update timestamps. We were able to track the frequency of the second stage updated packages pushed to this exposed server using the timestamp data. Figure 3 shows the number of different second stage malicious packages that received updates. They are still actively updating their components at the time of writing.\r\nFigure 3. Second stage payloads update count\r\nNotable Purple Fox tools and techniques\r\nDisguised packages and malicious components in svchost.txt\r\nWe noted that some of the software they were impersonating was commonly used by Chinese users. The following list shows the recently used software and the corresponding malicious payload for the second stage of the infection. As mentioned above, the different payloads will be served by the C\u0026C upon execution based on the last character in the module filename.\r\nTable 1. Disguised package names with highlighted single characters that correspond to the payloads\r\nWe tracked a server hosting the second stage payloads and saw a compressed RAR archive holding the second stage loaders along with the file svchost.txt, which contains all the malicious portable executable (PE) module components that will be dropped in the second stage.\r\nThe order of the PE modules inside svchost.txt depends on the package requested by the malicious installers. As previously mentioned, the last character in the installer filename determines the final set of auxiliary modules that will be stuffed inside svchost.txt.\r\nShellcode user-mode loader and anti-forensics methods\r\nA specific set of portable executable (PE) modules found in one of the most distributed clusters from the malware had a wide range of capabilities in terms of AV evasion. This cluster is noteworthy for various reasons as well: it has links to older families, it loaded a previously documented Purple Fox MSI installer, and it had different rootkit capabilities in the auxiliary PE modules. More details about this cluster can be found in our technical brief.\r\nAfter analyzing all the observed malicious execution parents delivering different clusters, we found that the shellcode component at the prologue of the dropped svchost.txt was similar across all the different variants, regardless of the actual payloads embedded after the shellcode. It has two different implementations across all the clusters.\r\nThe first shellcode implements four main functions for the intended functionality, as shown in Figure 4.\r\nFigure 4. Shellcode main functions for loading a PE module in memory\r\nMeanwhile, the new shellcode is more minimal: it implements only the functionality needed to load a PE in memory and resolve several system API addresses, and it resolves a different set of system APIs than the first one we mentioned.\r\nOne more thing to note: the Purple Fox group implements a customized user-mode shellcode loader that leaves few traces for cybersecurity forensics. It minimizes both the quantity and quality of the forensic evidence, as the execution doesn’t rely on the native loader and doesn’t respect the PE format for a successful execution.\r\nThe use of FatalRAT and incremental updates\r\nAfter the shellcode loads and allocates memory for the PE modules inside svchost.txt, the execution flow calls into the first PE module found after the shellcode. This is a remote access trojan (RAT) that inherits its functionality from a malware known as FatalRAT, a sophisticated C++ RAT that implements a wide set of remote capabilities for the attackers.\r\nThe executed FatalRAT variants shown in Figures 5 and 6 differ across each cluster, illustrating that the attackers are incrementally updating it.\r\nFigure 5. Updated FatalRAT variant from cluster-1\r\nFigure 6. Updated FatalRAT variant from a more recent cluster with more added functionality\r\nThe RAT is responsible for loading and executing the auxiliary modules based on checks performed on the victim systems. Changes can happen if specific AV agents are running or if certain registry keys are found. The auxiliary modules are intended as support for the group’s specific objectives.\r\nNew capabilities to evade cybersecurity mechanisms\r\nOne of the analyzed executables embedded in svchost.txt is a user-mode client used to interface with the accompanying rootkit module. This client supports five different commands, and each command implements a specific functionality to be executed from the kernel driver through the appropriate input/output control (IOCTL) interface it exposes. Table 2 shows the details of each command:\r\nTable 2. IOCTL interface implemented by Purple Fox AV killer rootkit\r\nThe functionality to “kill a mini-filter” is notable in terms of AV evasion. File systems are the targets of input/output (I/O) operations that access files, and file system filtering is the mechanism by which drivers can intercept calls sent to the file system, which is especially useful for AV agents. The model called ‘file system mini-filters’ was developed to replace the legacy filter mechanism. Mini-filters are easier to write and are the preferred way to develop file system filtering drivers in almost all AV engines.\r\nWe looked deeper into the mini-filter driver killer and how the attackers implemented this functionality. The driver first enumerates all the registered mini-filter drivers on the system using the system API FltEnumerateFilters, then it gets the information for the targeted mini-filter object it is searching for by calling FltGetFilterInformation. Lastly, it creates a new system thread to unregister the mini-filter driver and then terminates the created system thread (PsCreateSystemThread, FltUnregisterFilter).\r\nFigure 7 shows the specific call graph for the system APIs used for this functionality.\r\nFigure 7. System APIs call for unregistering mini-filter drivers\r\nThe use of revoked code signing certificates\r\nTo control the quality of the code that runs in the kernel-land address space, Microsoft only allows signed drivers to run in kernel mode. They do this by enforcing kernel-mode code signing (KMCS) mechanisms.\r\nDue to performance issues and backward compatibility, Windows actually allows the loading of a kernel driver signed by a revoked code signing certificate. So a driver signed with a certificate that has since been revoked can still be loaded successfully. This design choice allows mature threat actors to pursue any stolen code signing certificate and add it to their malware arsenal. If the malware authors acquire any certificate that has been verified by a trusted certificate authority and by Microsoft, even if it was revoked, they can use it for malicious purposes.\r\nLinks to previous Purple Fox activities and artifacts\r\nAnalyzing the artifacts dropped by this new infection chain, we first looked at the stolen code signing certificates used to sign the kernel drivers’ modules. This led us to analyze other signed malicious samples in our malware repository, which revealed links to previously known intrusion sets.\r\nThere were three different stolen code signing certificates confirmed to be related to this campaign with links to Purple Fox:\r\nHangzhou Hootian Network Technology Co., Ltd. - We found a strong connection to early activity of the Purple Fox botnet that started in 2019.\r\nShanghai Oceanlink Software Technology Co. Ltd. - Analysis revealed several clusters of malicious kernel modules previously used in Purple Fox activities.\r\nShanghai easy kradar Information Consulting Co. Ltd. – This certificate overlaps with “Hangzhou Hootian Network” in signing a common cluster of kernel drivers that was also previously seen in Purple Fox activities.\r\nThis campaign is similar to earlier Purple Fox activities in other ways as well, namely, in how the attack infrastructure is run and the malware hosted on their servers:\r\nThe first stage C\u0026C server 202[.]8.123[.]98 links FatalRAT operators with Purple Fox. The server was hosting the malicious compressed archives in this campaign and was used before by FatalRAT as their main C\u0026C server.\r\nOne of the first stage servers (194.146.84.245) hosted an old module for the MSI installer for Purple Fox (e1f3ac7f.moe) that will eventually load the crypto miner discussed in the previous blogs.\r\nThe dropped FatalRAT from the malicious archive found on the first stage C\u0026C server revealed many code similarities with a previously documented info stealer known as Zegost. We go into the commonalities found between these Purple Fox campaign modules and the old Zegost samples in our technical brief.\r\nConclusion\r\nOperators of the Purple Fox botnet are still active and consistently updating their arsenal with new malware, while also upgrading the malware variants they already have. They are also trying to improve their signed rootkit arsenal for AV evasion and trying to bypass detection mechanisms by targeting them with customized signed kernel drivers.\r\nAbusing stolen code signing certificates and unprotected drivers is becoming more common among malicious actors. Software driver vendors should secure their code signing certificates and follow secure practices in the Windows kernel driver development process.\r\nFor more details on this topic download our technical brief, and for the full list of the Indicators of Compromise download this document.\r\nSource: https://www.trendmicro.com/en_us/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html"
	],
	"report_names": [
		"purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434443,
	"ts_updated_at": 1775791231,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8fa36fcc66ab55540f8c88e82bdf20387d155824.pdf",
		"text": "https://archive.orkl.eu/8fa36fcc66ab55540f8c88e82bdf20387d155824.txt",
		"img": "https://archive.orkl.eu/8fa36fcc66ab55540f8c88e82bdf20387d155824.jpg"
	}
}