{
	"id": "8beb9786-2e66-4069-bf33-16e74bb0c733",
	"created_at": "2026-04-06T00:16:56.309097Z",
	"updated_at": "2026-04-10T13:13:01.361299Z",
	"deleted_at": null,
	"sha1_hash": "a2a82144707931237cf9a93183b92995017698ca",
	"title": "PurpleWave—A New Infostealer from Russia | blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2562673,
	"plain_text": "PurpleWave—A New Infostealer from Russia | blog\r\nBy Mohd Sadique\r\nPublished: 2020-08-14 · Archived: 2026-04-05 16:51:05 UTC\r\nInfostealer is one of the most profitable tools for cybercriminals, as information gathered from systems infected\r\nwith this malware could be sold in the cybercrime underground or used for credential stuffing attacks. The Zscaler\r\nThreatLabZ team came across a new Infostealer called PurpleWave, which is written in C++ and silently installs\r\nitself onto a user’s system. It connects to a command and control (C\u0026C) server to send system information and\r\ninstalls new malware onto the infected system.\r\nThe author of this malware is advertising and selling PurpleWave stealer on Russian cybercrime forums for 5,000\r\nRUB (US$68) with lifetime updates and 4,000 RUB (US$54) with only two updates.\r\nFigure 1: A PurpleWave selling post on a Russian forum.\r\nThe author selling PurpleWave claims that this stealer is capable of stealing passwords, cookies, cards, and autofill\r\nforms of Chromium and Mozilla browsers. 
This stealer also collects files from the specified path, takes screenshots, and installs additional modules.\r\nThe capabilities of the PurpleWave stealer include:\r\nStealing passwords, cookies, cards, autofill data, and browser history from Chromium and Mozilla\r\nCollecting files from the specified path\r\nCapturing the screen\r\nStealing system information\r\nStealing Telegram session files\r\nStealing Steam application data\r\nStealing Electrum wallet data\r\nLoading and executing an additional module/malware\r\nFigure 2: The PurpleWave login panel.\r\nThe author also built a dashboard where the attacker can keep an eye on the infection counts by date, access the stolen logs of infected machines, and change the malware configuration settings.\r\nFigure 3: The PurpleWave infection dashboard.\r\nThe dashboard also provides the attacker with the ability to customize the configuration of the PurpleWave stealer.\r\nFigure 4: The dashboard for customizing the PurpleWave configuration.\r\nTechnical analysis\r\nUpon execution, the PurpleWave binary displays a fake error message in Russian that the attacker can customize in their panel, while in the background it performs all of its malicious activities.\r\nFigure 5: The fake error message in Russian. (It translates to: Memory control blocks damaged.)\r\nThe name of the stealer (PurpleWave) and the version (1.0) are hardcoded and encrypted in the binary. Most of the strings in the binary are encrypted, but they are decrypted at runtime by the decryption loop present in the binary (shown in Figure 6).\r\nFigure 6: The common decryption function for the encrypted strings in the binary.\r\nThe PurpleWave binary creates a mutex with the name “MutexCantRepeatThis” to avoid running multiple instances of the malware. After that, it sends an HTTP POST request with a custom header and body to the C\u0026C URL to get the configuration data.\r\nFigure 7: Sending a request to the C\u0026C server to get the config data.\r\nIt creates an HTTP request header with the content type “form-data”. The boundary is set to “boundaryaswell” to act as a marker, and the user agent is set to “app”. It creates a request body with a form field named “id” whose value is 1.\r\nFigure 8: The configuration request with the custom header and body.\r\nThe received data contains the customized configuration, which may differ per binary. We have observed three different configurations and different hosts for the PurpleWave binaries.\r\nFigure 9: The configuration from different PurpleWave binaries.\r\ndirs - The directories from which files are to be collected.\r\nfake - The fake alert message to be shown to the user on execution.\r\nloaders - The names of additional modules to be installed on the infected system.\r\nFor Config-2, PurpleWave traverses the path “%userprofile%/Desktop” and collects the files with the extensions txt, doc, and docx. In Config-3, it does not collect any files, but it has a module named “Kv2TDW4O” in the loaders, which is downloaded and executed on the system.\r\nInstalling additional modules\r\nTo install the additional modules listed in the received configuration (Config-3), PurpleWave again creates an HTTP POST request, with the same headers as the previous request, to the C\u0026C host followed by “/loader/module_name”.\r\nFigure 10: The request to download an additional module.\r\nPurpleWave enumerates the loaders list from the JSON configuration, downloads each module by name from the C\u0026C server, stores it in the %appdata% directory, and then executes it.\r\nFigure 11: Downloading and executing additional modules.\r\nThe downloaded module that we observed in some PurpleWave binaries is an Electrum wallet stealer, which is written in .NET and is capable of stealing Electrum wallet data from the infected system.\r\nFigure 12: Collecting Electrum wallet data.\r\nData stealing\r\nPurpleWave is capable of stealing credentials, autofill data, card data, cookies, and browser history from Chromium and Mozilla.\r\nFor Chromium browsers, it fetches the login credentials from “\\%AppData%\\Local\\{Browser}\\User Data\\Default\\Login Data”, cookies from “\\%AppData%\\Local\\{Browser}\\User Data\\Default\\Cookies”, and other information, such as autofill data, card data, and browser history, from “\\%AppData%\\Local\\{Browser}\\User Data\\Default\\Web Data”.\r\nFigure 13: Stealing browser data.\r\nThe stolen browser info is collected as form-data fields with the names shown below, followed by their values.\r\nUsername - browser[BrowserName][passwords][index][login]\r\nPassword - browser[BrowserName][passwords][index][password]\r\nFigure 14: Stolen browser information.\r\nAlong with the browser data, the stealer captures the current screen and appends it to the browser's stolen data in the form-data with the filename “screenshot.png”.\r\nFigure 15: A captured screenshot.\r\nAfter that, it collects information about the infected system, such as the operating system, CPU info, GPU info, machine GUID, username, machine name, and more.\r\nFigure 16: The system information collected by PurpleWave.\r\nThe stealer also collects the SSFN files from the Steam application. The Steam application is used for playing, discussing, and creating games. The SSFN file exists to verify users each time they log in to their Steam account. It fetches the Steam path from the registry key “Software\\\\Valve\\\\Steam” and reads all the SSFN files stored in the config directory.\r\nPurpleWave also steals session-related files from the Telegram application. It reads the default value of the registry key “HKCU\\Software\\Classes\\tdesktop.tg\\DefaultIcon” to obtain the path of Telegram and collects all the files starting with “map” in the “D877F783D5D3EF8C” directory.\r\nFigure 17: Collecting Steam and Telegram data.\r\nPurpleWave merges all the collected file data, browser data, screenshots, Steam data, Telegram data, and system info, then sends it to the C\u0026C server using an HTTP POST request.\r\nFigure 18: Sending stolen data to the C\u0026C server.\r\nCoverage\r\nThe observed indicators in this attack were successfully blocked by the Zscaler Cloud Sandbox.\r\nFigure 19: The Zscaler Cloud Sandbox report for PurpleWave.\r\nIn addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators at various levels. The following advanced threat protection signature has been released for detecting the malware:\r\nWin32.PWS.PurpleWave\r\nConclusion\r\nZscaler believes that PurpleWave represents an active and ongoing threat, as the C\u0026C servers are still alive and responding as of this writing. The malware also still appears to be available for purchase on the black market. PurpleWave has incredible potential to steal sensitive information. The malware is in the early stages of development, with the author likely to enhance its stealing capabilities and add more features. We will continue to keep track of this threat to ensure coverage.\r\nMITRE ATT\u0026CK™ tactic and technique mapping\r\nTechnique ID - Technique\r\nT1083 - File and directory discovery\r\nT1082 - System information discovery\r\nT1033 - System user discovery\r\nT1124 - System time discovery\r\nT1016 - System network configuration discovery\r\nT1020 - Automated exfiltration\r\nT1041 - Exfiltration over C\u0026C channel\r\nT1071 - Uses web protocols\r\nT1105 - Downloads additional files\r\nT1555 - Credentials from web browsers\r\nT1539 - Steal web session cookies\r\nT1005 - Data from local system\r\nT1113 - Screen capture\r\nIndicators of Compromise (IOCs)\r\nHashes\r\nURLs\r\nSource: https://www.zscaler.com/blogs/research/purplewave-new-infostealer-russia",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zscaler.com/blogs/research/purplewave-new-infostealer-russia"
	],
	"report_names": [
		"purplewave-new-infostealer-russia"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434616,
	"ts_updated_at": 1775826781,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a2a82144707931237cf9a93183b92995017698ca.pdf",
		"text": "https://archive.orkl.eu/a2a82144707931237cf9a93183b92995017698ca.txt",
		"img": "https://archive.orkl.eu/a2a82144707931237cf9a93183b92995017698ca.jpg"
	}
}