{
	"id": "d94c06dc-3993-472e-b089-6d705b2460c1",
	"created_at": "2026-04-06T00:18:50.211435Z",
	"updated_at": "2026-04-10T13:12:50.817471Z",
	"deleted_at": null,
	"sha1_hash": "c185d3347f7d41d1192b06d8b8dc45abe8df2f20",
	"title": "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal/IOCs-Purple-Fox.txt",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46812,
	"plain_text": "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal/IOCs-Purple-Fox.txt\r\nArchived: 2026-04-05 18:46:33 UTC\r\nDetections\r\n• Trojan.Win64.PURPLEFOX.YACAM\r\n• Trojan.Win64.PFSHELLOADER.SM\r\n• Possible_SMPFSHELLOADER\r\n• Trojan.Win64.KILLAV.YCCAF\r\n---------------------------------------------\r\nSHA-256\r\nShellcode Samples\r\n• 25da2ebdbe2136f07bd414795082364cafda79d8271d099e78891b079158ed1b\r\n• 492fdcbdf81ed196b35cdbb7fac85e3a8ee1edebe0803034df900f5e1a5049b6\r\nSvchost.txt Samples\r\nSHA 256 Detection\r\n143be3d067188ae89a2c003ef2671bbdd790d6026664078098117cc7fc3373ed Trojan.Win64.PFSHELLOADER.SM\r\n21330417621547aa33b421a6d0834436453dd901dce75b9986ef3be743d1bdfa Trojan.Win64.PFSHELLOADER.SM\r\n7837ce02c57dd9fadd95882af162d46db5ae5718a59f0102478f62143a46cf71 Trojan.Win64.PFSHELLOADER.SM\r\n88dd42dedc77e8ad117cc54d7b37083bbacaa6ecb84553bda31905b0a29e0e4d Trojan.Win64.PFSHELLOADER.SM\r\n1c8b01a100c0281153fe93168df3b79adc32bfb677c3a36c1d0d5d598cbe7cf3 Trojan.Win64.PFSHELLOADER.SM\r\n0486df34e606d421e0f65aee68b5356ff1941f97c12f894f8b71318f607a54cc Trojan.Win64.PFSHELLOADER.SM\r\n9fb0a0dd309df7cbb7386f4de34be6ccc98ae64dde4773de99804871f49a4260 Trojan.Win64.PFSHELLOADER.SM\r\n82490fa7297344ca9c37f901cbc5c43c5db51bba4b4a390589db0973d70475e4 Trojan.Win64.PFSHELLOADER.SM\r\nef979beb55c51ca22265c34a26154e916cd8f3f160d8b0ae1a2b393f13962a0c Trojan.Win64.PFSHELLOADER.SM\r\nec6ea5da57991f343d28db611c076cb2bfd1100e69c6e5311d5295a05373801d Trojan.Win64.PFSHELLOADER.SM\r\nojbkcg loader\r\nSHA 256 Detection\r\n4d0238834821461963c558e9ceb975b4e9c2a347ea447f9e044966eaf85f5281 TROJ_FRS.VSNTC922\r\n53132712a773da3c3f15cc9879b8bc89b1a757a041fcfefbb8d75e3238d471d6 TROJ_FRS.VSNTC922\r\n07719f8de2fe07722f1fa464fa7091830b835b58d9c5f99763b9a49ee0d0491e TROJ_FRS.VSNTC922\r\n8577bcbd02d38bce9601eb43511017b0bbc5176ebc3c48c08c81f755fcf216f4 TROJ_FRS.VSNTC922\r\n360.tct DLLs\r\nSHA 256 
Detection\r\n87d3ea42604943d2230cc0b5aea499da41fc7db46d141abf96875692040e4699 TROJ_FRS.VSNTC922\r\n83ae0c568d6866c19960f1c2e2f2e28ee855c72d662eabc3acf50a09f1092730 TROJ_FRS.VSNTC922\r\n799aa9612f9fffa5eab505ef3b9eabe78ac22f8f4bbe6b8f8cc2e8fca454667b TROJ_FRS.VSNTC922\r\nMalicious Archive Clusters\r\nSHA 256 Detection\r\n0926a30d0658671bf6dbb29a8cb33118930bb8211c90b170c2abfdc6a0e95b70 TROJ_GEN.R04CC0PAU22\r\n1fd53c5ca08065fa72da9b529719166e08948204bea862681f2a04eda8c0a64b TROJ_GEN.R04CC0PAU22\r\n3f08a6f1998968b10bfbb19ffcb2904b96296a8c378aaa30e974cadfcd059e7f TROJ_GEN.R04CC0PAU22\r\n601a488c0c9804823866f1c4647fa60a90572edbb101e3247f75cfc2611999a9 TROJ_GEN.R04CC0PAU22\r\n7bbe1fe9dc3346f40b3d6895dc9417b1c2cc5a940a41aaff39194588fc6efa20 TROJ_GEN.R04CC0PAU22\r\n8d776597d31016863a00cee4da6a58db5c181337d7dfcacb4e239389af3cb2d8 TROJ_GEN.R04CC0PAU22\r\n8df5b3d1e564397e838adf593714c97ade863b8caf81f666b93b4b0509062633 TROJ_GEN.R04CC0PAU22\r\n8f7decbfc2c576c3b1401b9dd11183ea355b12a1ccfcf15d6a36d5470338bfd4 TROJ_GEN.R04CC0PAU22\r\n937158fb5f7e2ddd0ca26e9d481be5e26efb85dee3bf77f06293ca5288973b92 TROJ_GEN.R04CC0PAU22\r\n93d35724293f8582757fbb9f139645bb79f3ddb92c8c64c78ded31a021097ecb TROJ_GEN.R04CC0PAU22\r\n9a1aed2a2addafe001e8655cc869ba939f9a9b32ff55eb04282be435e12078cd TROJ_GEN.R04CC0PAU22\r\n9d8f53dcf25223d42c818e9f644b332064e43b9e3a26cfbdbc73b68af5580dd3 TROJ_GEN.R04CC0PAU22\r\n9e20db31a624b1a255b2f7650efd9a1f20d6b077bc41edcfae88410198978941 TROJ_GEN.R04CC0PAU22\r\na24469103e727ece260bee7623387a2b339df206779bfb364388712606a1904d TROJ_GEN.R04CC0PAU22\r\nb061de89d542cd0a10558f6006e9a808ba32ac4d7ea54d2ba40f531d46919548 TROJ_GEN.R04CC0PAU22\r\nb07b090547cb65dffb865dc9ef258a5e67e88555e798e6aaf3d0834bf2c742e3 TROJ_GEN.R04CC0PAU22\r\nb2e0bd930dae20b4516b35d169b0583592050058d31ae84bcecefd2c15f13ddc 
TROJ_GEN.R04CC0PAU22\r\nc5245249c4f3d8851f6ce58d31b8406059e2a8530cfdbd4335f73110a1040f3e TROJ_GEN.R04CC0PAU22\r\nd152a38aa36cbdf9d384092fe81e3ddc93798999eb769e0e78bbcba4065f6b8c TROJ_GEN.R04CC0PAU22\r\nd239365a5e07cea9f7e56b9e1063f1fccfa883f654c68dc5f609d10a612262c8 TROJ_GEN.R04CC0PAU22\r\ne9f7db12761d414a58aa2f4d1bda32698979e4e08bf42d03ae5fb1ebf11abb77 TROJ_GEN.R04CC0PAU22\r\nMalicious Kernel Drivers\r\nSHA 256 Detection\r\n638fa26aea7fe6ebefe398818b09277d01c4521a966ff39b77035b04c058df60 (x64 Driver) Trojan.Win64.PURPLEFOX\r\n0ed3bb6be804402d10ee575d466cfaad59a0be42230a3aa47cf1e952f64970e8 (x86 Driver) Trojan.Win64.PURPLEFOX\r\n8cb47e54d1514bc4e6b4577d2a57117f1fbf9d89ecc6622c7a2515097b2e9b17 (x64 user-mode client) Trojan.Win64.PURPLEFOX\r\ne2c463ac2d147e52b5a53c9c4dea35060783c85260eaac98d0aaeed2d5f5c838 (x86 user-mode client) Trojan.Win64.PURPLEFOX\r\nWeaponized Execution Parents\r\nSHA 256\r\n• bae1270981c0a2d595677a7a1fefe8087b07ffea061571d97b5cd4c0e3edb6e0\r\n• d25542837c28619603fce465a6876b2984a3c191a908fa57ca7f5b8f8d803180\r\n• 4c2ce3ed2ad22a531500046c0a9d790979b7885682aec6160a73ad259eb08cbe\r\n• 5f4d31e77dd5b36943212dd55a0747923a69ca1e0f5efea607fc063d86b35995\r\n• 111760bb8191b37f89e27f474d29faf77b0db1ae4758d6d08a152e36a9167cae\r\n• 71ea052cf6919ed6da26e5fc27df0236bbc0cd36509852c74144b0ba76ee1264\r\n• 2d288f2cd6752a01360f2669959e2c61f676f8156d5cc40d4b415245ae04cf6d\r\n• cd38695e4760df90b049f3faa19a826814b60632f74402cd0feddc93d116848e\r\n• a5d478171338ab83634f39d6663ba8db328b24ddffe32dbbddb0da8784ef644b\r\n• 608b3486309d15bed054e22e20d87c44e43a6cde3dad6942ef592c9d3c4f3cff\r\n• 8ade56bd356d12804d384ca24fe876346498a25870f6caf08e16d0c73e5abe59\r\n• b8950b21a65f9699f0965dda2d61d61ceb1ac8b888b84adde8040b3cf25d09c4\r\n---------------------------------------------\r\nURLs Distributing Malicious Installers\r\n• hxxp://58585[.]xyz/tsetup20473[.]exe\r\n• hxxp://xiaotaiyang[.]xyz/tsetup20473[.]exe\r\n• hxxp://1077cp111[.]com/x[.]exe\r\n• 
hxxp://whats[.]jsnsgjy[.]cn/whatsappsetupr[.]exe\r\n• hxxp://kkiiz[.]com/safety3[.]exe\r\n• hxxp://zhiyingzhifu8[.]com/flashc[.]exe\r\n• hxxp://whats[.]hswlkjh[.]cn/whatsappsetupr[.]exe\r\n---------------------------------------------\r\nFirst Stage C&C\r\nIP Port\r\n194.146.84.244 4397\r\n194.146.84.243 4397\r\n194.146.84.245 4397\r\n194.146.84.242 4397\r\n194.146.84.246 4397\r\n107.151.64.102 4397/7788\r\n107.151.64.101 4397\r\n107.151.94.68 4397\r\n107.151.94.69 4397\r\n107.151.94.70 4397\r\n107.151.94.66 4397\r\n107.151.94.67 4397\r\n107.151.64.100 4397\r\n107.151.64.99 4398\r\n107.151.64.98 4398\r\n23.225.132.246 4398\r\n23.225.132.245 4398\r\n23.225.132.243 7456\r\n23.225.132.242 7456\r\n193.164.223.77 7456\r\n107.151.113.219 7456\r\n107.151.113.222 7456\r\n107.151.113.221 7456\r\n193.164.223.78 7456\r\n107.151.113.220 7456\r\n107.151.113.218 7456\r\n193.164.223.76 7456\r\n193.164.223.75 7456\r\n193.164.223.74 7456\r\n193.36.112.189 7456\r\n193.36.112.190 7456\r\n193.36.112.188 7456\r\n193.164.222.130 7456\r\n193.36.112.187 7456\r\n193.164.222.132 4567\r\n156.234.65.84 4567\r\n193.164.222.131 4567\r\n156.234.65.86 4567\r\n156.234.65.83 4567\r\n156.234.65.82 6688\r\n156.234.65.83 6688\r\n43.240.238.252 6688\r\n43.240.238.254 6688\r\n43.240.238.253 6688\r\n154.39.248.37 6688\r\n202.8.123.68 6547\r\n43.240.238.251 6688\r\n160.202.170.62 6688\r\n202.8.123.124 6547\r\n202.8.123.122 6547\r\n202.8.123.117 6547\r\n202.8.123.99 6547\r\n202.8.123.232 6547\r\n202.8.123.81 6547\r\n202.8.123.233 6547\r\n202.8.123.36 6547\r\n202.8.123.35 6547\r\n202.8.123.190 6547\r\n202.8.123.153 6547\r\n202.8.123.160 6547\r\n202.8.123.159 
6547\r\n202.8.123.98 6547\r\n202.8.123.97 6547\r\n202.8.123.97 6547\r\n144.48.222.252 6547\r\n144.48.222.220 7777\r\nSecond Stage C&C\r\n216.83.35.130:10022\r\n43.129.210.43:10022\r\n103.145.86.160:10022\r\n156.226.173.202\r\n144.48.243.79\r\nSource: https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal/IOCs-Purple-Fox.txt",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal/IOCs-Purple-Fox.txt"
	],
	"report_names": [
		"IOCs-Purple-Fox.txt"
	],
	"threat_actors": [],
	"ts_created_at": 1775434730,
	"ts_updated_at": 1775826770,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c185d3347f7d41d1192b06d8b8dc45abe8df2f20.pdf",
		"text": "https://archive.orkl.eu/c185d3347f7d41d1192b06d8b8dc45abe8df2f20.txt",
		"img": "https://archive.orkl.eu/c185d3347f7d41d1192b06d8b8dc45abe8df2f20.jpg"
	}
}
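The IOC list above is defanged (hxxp://, [.]) and mixes several notations for C&C endpoints: an IP and port in separate columns, "4397/7788" for two ports on one host, ip:port, and bare IPs without a port. Before it can feed a blocklist or a hunting query it has to be refanged and normalised, and the hash rows carry their detection name (sometimes with a note such as "(x64 Driver)") on the same line. The following Python is an added example, not code from Trend Micro or from the IOC file: its sample input is a verbatim excerpt of lines from the list, and the section headings it keys on ("Detections", "SHA-256", "URLs Distributing Malicious Installers", the two "C&C" headings) are the ones the list itself uses.

```python
"""Parse the defanged Purple Fox IOC text into structured indicators.
Added example, not part of the Trend Micro IOC file; SAMPLE_IOC_TEXT is a verbatim excerpt of that list."""
import ipaddress
import re
from dataclasses import dataclass, field

# Lines excerpted from the IOC list (verbatim), used as offline sample input.
SAMPLE_IOC_TEXT = """\
Detections
• Trojan.Win64.PURPLEFOX.YACAM
---------------------------------------------
SHA-256
Shellcode Samples
• 25da2ebdbe2136f07bd414795082364cafda79d8271d099e78891b079158ed1b
Svchost.txt Samples
SHA 256 Detection
143be3d067188ae89a2c003ef2671bbdd790d6026664078098117cc7fc3373ed Trojan.Win64.PFSHELLOADER.SM
638fa26aea7fe6ebefe398818b09277d01c4521a966ff39b77035b04c058df60 (x64 Driver) Trojan.Win64.PURPLEFOX
URLs Distributing Malicious Installers
• hxxp://58585[.]xyz/tsetup20473[.]exe
• hxxp://whats[.]jsnsgjy[.]cn/whatsappsetupr.exe
First Stage C&C
IP Port
194.146.84.244 4397
107.151.64.102 4397/7788
Second Stage C&C
216.83.35.130:10022
156.226.173.202
"""

SECTION_HEADINGS = {          # headings as they appear in the list -> internal section name
    "Detections": "detections",
    "SHA-256": "hashes",
    "URLs Distributing Malicious Installers": "urls",
}
BULLET_RE = re.compile(r"^[•\-*]\s*")
SHA256_RE = re.compile(r"^([0-9a-fA-F]{64})\b(.*)$")
URL_RE = re.compile(r"^hxxps?://\S+$", re.IGNORECASE)
# "1.2.3.4", "1.2.3.4 4397", "1.2.3.4 4397/7788" or "1.2.3.4:10022"
IP_PORT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+)|\s+(\d+(?:/\d+)*))?$")


def refang(indicator: str) -> str:
    """Undo the list's defanging: hxxp(s):// -> http(s)://, [.] -> ."""
    return re.sub(r"^hxxp", "http", indicator, flags=re.IGNORECASE).replace("[.]", ".")


@dataclass
class IocSet:
    detections: list = field(default_factory=list)  # detection names
    hashes: dict = field(default_factory=dict)      # sha256 -> detection name ("" if none listed)
    urls: list = field(default_factory=list)        # refanged download URLs
    c2: set = field(default_factory=set)            # (ip, port); port is None when not listed


def _ports(colon_port, slash_ports):
    """Expand "ip:port", "ip port", "ip p1/p2" and bare "ip" (-> [None]) into a port list."""
    raw = colon_port or slash_ports
    if raw is None:
        return [None]
    ports = [int(p) for p in raw.split("/")]
    if any(not 1 <= p <= 65535 for p in ports):
        raise ValueError(f"port out of range in {raw!r}")
    return ports


def parse_iocs(text: str) -> IocSet:
    iocs = IocSet()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:      # blank line or "-----" separator
            continue
        if line in SECTION_HEADINGS:
            section = SECTION_HEADINGS[line]
            continue
        if line.endswith("C&C"):                # "First Stage C&C", "Second Stage C&C"
            section = "c2"
            continue
        line = BULLET_RE.sub("", line)
        if section == "detections":
            iocs.detections.append(line)
        elif section == "hashes":
            m = SHA256_RE.match(line)           # sub-headings such as "Svchost.txt Samples" do not match
            if m:
                trailer = m.group(2).split()    # e.g. ["(x64", "Driver)", "Trojan.Win64.PURPLEFOX"]
                iocs.hashes[m.group(1).lower()] = trailer[-1] if trailer else ""
        elif section == "urls" and URL_RE.match(line):
            iocs.urls.append(refang(line))
        elif section == "c2":
            m = IP_PORT_RE.match(line)          # the "IP Port" column header does not match
            if m:
                ip = str(ipaddress.ip_address(m.group(1)))   # rejects octets above 255
                for port in _ports(m.group(2), m.group(3)):
                    iocs.c2.add((ip, port))     # a set, so repeated rows collapse
    return iocs


if __name__ == "__main__":
    result = parse_iocs(SAMPLE_IOC_TEXT)
    print(f"{len(result.hashes)} hashes, {len(result.urls)} URLs, {len(result.c2)} C2 endpoints")
    for ip, port in sorted(result.c2, key=lambda e: (e[0], e[1] or 0)):
        print(f"  {ip}:{port if port is not None else '*'}")
```

The parser lowercases hashes and keys them by value, and collects C2 endpoints into a set, so duplicate rows (the list repeats "202.8.123.97 6547", for instance) collapse instead of producing duplicate blocklist entries. Addresses go through ipaddress.ip_address(), which raises on a malformed octet rather than passing it on, and the mixed "whatsappsetupr.exe" entry refangs the same way as the fully defanged ones. Run the file directly to print the normalised C2 endpoints.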