{
	"id": "3441c917-9d5c-45cc-8c64-d363dde69686",
	"created_at": "2026-04-06T00:16:30.298764Z",
	"updated_at": "2026-04-10T03:22:07.151363Z",
	"deleted_at": null,
	"sha1_hash": "9c416a2a5096fa859c1929f4762fe05e441cb17e",
	"title": "'Purple Fox' Hackers Spotted Using New Variant of FatalRAT in Recent Malware Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 263106,
	"plain_text": "'Purple Fox' Hackers Spotted Using New Variant of FatalRAT in Recent Malware Attacks\nBy The Hacker News\nPublished: 2022-03-28 · Archived: 2026-04-05 21:25:07 UTC\n\nThe operators of the Purple Fox malware have retooled their malware arsenal with a new variant of a remote access trojan called FatalRAT, while also simultaneously upgrading their evasion mechanisms to bypass security software.\n\n\"Users' machines are targeted via trojanized software packages masquerading as legitimate application installers,\" Trend Micro researchers said in a report published on March 25, 2022. \"The installers are actively distributed online to trick users and increase the overall botnet infrastructure.\"\n\nThe findings follow prior research from Minerva Labs that shed light on a similar modus operandi of leveraging fraudulent Telegram applications to distribute the backdoor. Other disguised software installers include WhatsApp, Adobe Flash Player, and Google Chrome.\n\nThese packages act as a first-stage loader, triggering an infection sequence that leads to the deployment of a second-stage payload from a remote server and culminating in the execution of a binary that inherits its features from FatalRAT.\n\nFatalRAT is a C++-based implant designed to run commands and exfiltrate sensitive information back to a remote server, with the malware authors incrementally updating the backdoor with new functionality.\n\n\"The RAT is responsible for loading and executing the auxiliary modules based on checks performed on the victim systems,\" the researchers said. \"Changes can happen if specific [antivirus] agents are running or if registry keys are found. The auxiliary modules are intended as support for the group’s specific objectives.\"\n\nFurthermore, Purple Fox, which comes with a rootkit module, comes with support for five different commands, including copying and deleting files from the kernel as well as evading antivirus engines by intercepting calls sent to the file system.\n\nThe findings also follow recent disclosures from cybersecurity firm Avast, which detailed a new campaign that involved the Purple Fox exploitation framework acting as a deployment channel for another botnet called DirtyMoe.\n\n\"Operators of the Purple Fox botnet are still active and consistently updating their arsenal with new malware, while also upgrading the malware variants they have,\" the researchers said. \"They are also trying to improve their signed rootkit arsenal for [antivirus] evasion and trying to bypass detection mechanisms by targeting them with customized signed kernel drivers.\"\n\nSource: https://thehackernews.com/2022/03/purple-fox-hackers-spotted-using-new.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://thehackernews.com/2022/03/purple-fox-hackers-spotted-using-new.html"
	],
	"report_names": [
		"purple-fox-hackers-spotted-using-new.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434590,
	"ts_updated_at": 1775791327,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9c416a2a5096fa859c1929f4762fe05e441cb17e.pdf",
		"text": "https://archive.orkl.eu/9c416a2a5096fa859c1929f4762fe05e441cb17e.txt",
		"img": "https://archive.orkl.eu/9c416a2a5096fa859c1929f4762fe05e441cb17e.jpg"
	}
}