{
	"id": "0a44ebd6-cd29-4cf2-a910-5cc3ace8b422",
	"created_at": "2026-04-06T00:19:44.93514Z",
	"updated_at": "2026-04-10T03:36:48.12991Z",
	"deleted_at": null,
	"sha1_hash": "c463ed5a69d214096cf2b0cd5a1fd1fc70edea8e",
	"title": "PurpleUrchin Bypasses CAPTCHA and Steals Cloud Platform Resources",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2221433,
	"plain_text": "PurpleUrchin Bypasses CAPTCHA and Steals Cloud Platform\r\nResources\r\nBy William Gamazo, Nathaniel Quist\r\nPublished: 2023-01-05 · Archived: 2026-04-05 18:39:32 UTC\r\nExecutive Summary\r\nUnit 42 researchers perform a deep dive into Automated Libra, the cloud threat actor group behind the freejacking\r\ncampaign PurpleUrchin. Automated Libra is a South African-based freejacking group that primarily targets cloud\r\nplatforms offering limited-time trials of cloud resources in order to perform their cryptomining operations.\r\nFreejacking is the process of using free (or limited-time) cloud resources to perform cryptomining operations.\r\nKey Points:\r\nIn order to take advantage of the limited resources offered by free trials, the actors heavily leveraged\r\nDevOps automation techniques such as continuous integration and continuous delivery (CI/CD). They\r\naccomplished this by containerizing user account creations on cloud platforms and through automating\r\ntheir cryptomining operations.\r\nWe collected more than 250 GB of container data created for the PurpleUrchin operation and discovered\r\nthat the threat actors behind this campaign were creating three to five GitHub accounts every minute during\r\nthe peak of their operations in November 2022.\r\nWe also found that some of the automated account creation cases bypassed CAPTCHA images using\r\nsimple image analysis techniques. We also identified the creation of more than 130,000 user accounts\r\ncreated on various cloud platform services like Heroku, Togglebox and GitHub.\r\nWe found evidence of unpaid balances on some of these cloud service platforms from several of the created\r\naccounts. 
This finding suggests that the actors created fake accounts with stolen or fake credit cards.\r\nWith this finding, we assess that the actors behind PurpleUrchin operations stole cloud resources from\r\nseveral cloud service platforms through a tactic Unit 42 researchers call “Play and Run.” This tactic\r\ninvolves malicious actors using cloud resources and refusing to pay for those resources once the bill\r\narrives.\r\nPalo Alto Networks customers receive protection from the events listed within the blog through the Prisma Cloud\r\ncontainer vulnerability scanning and runtime protection policies.\r\nA New Play and Run Tactic\r\nThe PurpleUrchin cryptomining campaign, first uncovered in October 2022, is characterized as a freejacking\r\noperation. While doing our own investigation of this threat actor, Unit 42 researchers found evidence that\r\nPurpleUrchin threat actors employed Play and Run tactics, using cloud resources and not paying the cloud\r\nplatform vendor’s resource bill.\r\nhttps://unit42.paloaltonetworks.com/purpleurchin-steals-cloud-resources/\r\nPage 1 of 13\n\nPurpleUrchin actors performed these Play and Run operations through the creation and use of fake accounts, with\r\nfalsified or potentially stolen credit cards. These fake accounts held a pending unpaid balance. Although one of the\r\nlargest unpaid balances we found was $190 USD, we suspect the unpaid balances in other fake accounts and cloud\r\nservices used by the actors could have been much larger due to the scale and breadth of the mining operation.\r\nBackground\r\nUnit 42 researchers analyzed more than 250 GB of data that included container data as well as system access logs\r\nby the actor (with geolocation information), and hundreds of indicators of compromise (IoCs). 
The IoCs collected\r\nduring this research are published in the Unit 42 ATOM for Automated Libra.\r\nThe infrastructure architecture employed by the actors uses CI/CD techniques, in which each individual software\r\ncomponent of an operation is placed within a container. This container operates within a modular architecture\r\nwithin the larger mining operation.\r\nCI/CD architectures provide highly modular operational environments, allowing some components of an operation\r\nto fail, be updated, or even be terminated and replaced, without affecting the larger environment.\r\nBy analyzing the collected container data, we traced the actor’s activity back to August 2019. Their activity was\r\nspread across several cloud providers and crypto exchanges.\r\nWe also found that the actors have a preference for using cloud services via traditional virtual service providers\r\n(VSPs). Many traditional VSPs extend their service portfolio to include cloud-related services, such as Cloud\r\nApplication Platform (CAP) and Application Hosting Platform (AHP). Some of the cloud service providers that\r\noffer CAP and AHP services that were targeted by the PurpleUrchin actors include Heroku and Togglebox, among\r\nothers.\r\nUnit 42 researchers identified more than 40 individual crypto wallets and seven different cryptocurrencies or\r\ntokens being used within the PurpleUrchin operation. We also identified that specific containerized components of\r\nthe infrastructure the actors created were designed not only to perform mining functionality but also to\r\nautomate the process of trading the collected cryptocurrencies across several crypto trading platforms such as\r\nCRATEX ExchangeMarket, crex24 and Luno.\r\nMining With GitHub Workflows\r\nThe actor operations on GitHub used a combination of Play and Run and freejacking tactics. The likely reason the\r\nactors used GitHub is its relatively low resistance to account creation. 
The actors were able to leverage a\r\nweakness within the CAPTCHA check on GitHub, which we discuss in more detail in the following section.\r\nThe actors automatically created GitHub accounts at an average rate of three to five accounts per minute. Once the\r\nactors had established their account base, they began their freejacking activity.\r\nEach of the GitHub accounts was subsequently involved in a Play and Run strategy, where each account would\r\nuse computational resources, but threat actors ultimately left their tabs unpaid. This appears to be a standard\r\noperational procedure for PurpleUrchin, as there is evidence that they created more than 130,000 accounts across\r\nvarious virtual private server (VPS) providers and cloud service providers (CSPs).\r\nThe actor also appeared to reserve a full server or cloud instance, and they sometimes used CSP services such as\r\nAHPs. They did so in order to facilitate hosting web servers that were required to monitor and track their large-scale mining operations.\r\nWe have high confidence that some of the accounts created by this threat group were created using fake profiles\r\nand credit card information. This tactic allowed them to leave unpaid tabs with CSPs after their mining operations\r\nwere completed.\r\nUnit 42 researchers have found that the actors behind PurpleUrchin appear to continuously evolve their operations,\r\nfor example by refining their Play and Run and freejacking tactics.\r\nLet’s look further into how the actors have refined the automation of account creations within GitHub.\r\nAutomating GitHub Account Creations\r\nOne of the threat actor’s latest deployments involved running Togglebox using AHP services. 
Togglebox is a fully\r\nmanaged solid-state drive (SSD) Cloud VPS and Application Hosting platform.\r\nThe actors used this platform to run a series of containers using the naming convention format\r\nrepo_name/vgenerated_name:latest. Each container was capable of automatically creating GitHub accounts.\r\nResearchers found a switch for “named”-based accounts (meaning accounts based on dictionary words) within\r\nthe user account creation Python process, which was contained within the aforementioned container. This process\r\nuses randomly generated named accounts based on MD5 hashes.\r\nThe tools needed for the automatic account creation process were shipped as a container. In the latest version of\r\nthe container, the actor combined several publicly available and legitimate tools to perform their operations, such\r\nas the following:\r\nIron Browser, a Chromium-based web browser\r\nxdotool, a tool used to generate keyboard and mouse inputs\r\nImageMagick tool kit, used to convert, edit and compose digital photos\r\nOnce the necessary tools were in place, threat actors could begin creating accounts. The first step to creating a\r\nGitHub account is to populate the email address, password and username fields (as shown in Figure 1).\r\nFigure 1. GitHub form completion process.\r\nThe container ran a virtual network computing (VNC) server on display:1 where the Iron Browser was launched\r\nwith the following command, as shown in Figure 2.\r\nFigure 2. Iron Browser display on VNC server.\r\nThen, using xdotool, the main script completed the GitHub form. After the form was completed, GitHub presented\r\na CAPTCHA challenge, as shown in Figure 3.\r\nFigure 3. GitHub CAPTCHA challenge.\r\nThe actor implemented a very simple mechanism for solving this CAPTCHA. 
While we did not evaluate the\r\neffectiveness of this CAPTCHA solving process, in the following section, we will show statistics about how many\r\nGitHub accounts the actor was able to create in the span of three months. Based on this information, we think that\r\nthis process (in combination with other tactics) was very effective.\r\nLeveraging a CAPTCHA Weakness\r\nTo solve this particular CAPTCHA, which consists of identifying the spiral galaxies, the actor used two tools from\r\nthe ImageMagick tool kit: convert and identify.\r\nFirst, the images were converted into a red, green and blue (RGB) complemented image using the convert tool.\r\nFigure 4 shows an example of this conversion.\r\nFigure 4. Converting image to an RGB complement.\r\nOnce the images were converted, the identify command was executed over each image to extract the “skewness”\r\nfeature of the Red channel, as shown in Figure 5.\r\nFigure 5. Command to extract the skewness feature of the Red channel.\r\nThe final result, shown in Figure 6, was arranged in order from largest to smallest, and the image with the\r\nsmallest value was selected as the spiral image. For example, using the values for the previous images:\r\nFigure 6. Example of Red channel outputs for each image.\r\nIn this case, Image 2 (from Figure 4) is identified as the spiral galaxy. Once the CAPTCHA is solved, GitHub\r\nrequires a “launch code,” as shown in Figure 7.\r\nFigure 7. GitHub requesting a launch code.\r\nThe actor used a Gmail account to automate the process of getting the launch code. They enabled this using\r\nInternet Message Access Protocol (IMAP) as well as a PHP script to read incoming IMAP messages.\r\nOnce the access code was entered, the automation generated a personal access token (PAT) with workflow\r\npermissions. 
The final result of the GitHub registration process was a username and PAT used for deploying\r\nworkflows on GitHub. With the username and token, another container was invoked, as shown in Figure 8.\r\nFigure 8. Invoking a running container.\r\nThis container subsequently performed the following actions:\r\nSetting up SSH keys\r\nCreating a GitHub repo using the GitHub API\r\nConfiguring the permissions for the created repo\r\nAs part of a naming convention change within more recent operations, the actor started to use random names for\r\nthe repos, which were based on MD5 hashes. This followed the same convention as prior username creations. The\r\ncommand shown in Figure 9 demonstrates the naming convention process.\r\nFigure 9. Random naming convention command.\r\nOnce the repo was created within GitHub, a Bash script was invoked to update the repo with the desired\r\nworkflow. The workflow was generated using a PHP script that worked as a template for randomizing the\r\ndifferently named attributes of the workflow configuration. Figure 10 provides an example of how the workflow\r\nPHP template was coded.\r\nFigure 10. PHP template for randomizing script attributes.\r\nIn one version we observed, the workflow (generated from the template shown in Figure 10) had 64 jobs. The\r\ngenerated workflows were configured to run as a repository_dispatch under the event\r\ngithub.event.client_payload.app.\r\nThis workflow mechanism allowed the actors to execute external applications. In this case, the actor was running\r\nexternal Bash scripts and containers, as shown in Figure 11.\r\nFigure 11. Workflow mechanism to execute external applications.\r\nThe workflow runs the Bash script that is accessed from an external domain. 
During the last design change we\r\nobserved, the actor built and ran containers that were used to install and initiate the cryptomining functionalities,\r\nas shown in Figure 12.\r\nFigure 12. Remote establishment of mining containers.\r\nThe generated workflow ran 64 jobs, and each job randomly selected one out of five available, unique\r\nconfigurations.\r\nWe did not evaluate how effectively the complete design performed. However, as part of the research, we were\r\nable to retrieve many GitHub accounts the actor was able to create during a three-month period.\r\nThe chart in Figure 13 shows statistics for the GitHub accounts created by the system.\r\nIt’s important to note that we don’t know if all accounts were created with the same design mechanism for all\r\nGitHub accounts. However, the statistics show actual accounts created by the actor’s infrastructure.\r\nThis chart is an estimate of confirmed GitHub-created accounts. It is not meant to be fully comprehensive because\r\nof the limited visibility we had during the investigation.\r\nFigure 13. The number of GitHub accounts created by the PurpleUrchin actors.\r\nEarlier Campaign, Pandemic Time\r\nOne of the preferred cloud services used by the actor during 2021 was Heroku. Heroku is a CAP that allows users\r\nto create and deploy applications without the need for maintaining the hosting cloud infrastructure. PurpleUrchin\r\nactors made use of this capability throughout their operations.\r\nAfter analyzing the data within the collected containers, we identified a total of 100,723 unique accounts created\r\non the Heroku platform. The chart in Figure 14 shows the Heroku account creation stats by year and month.\r\nFigure 14. 
Unique accounts created on the Heroku CAP.\r\nAs the above chart shows, this actor was active and using Heroku since at least November 2021.\r\nWe have a medium level of confidence that the operations started early in 2020, given that the actor created\r\nmultiple certificates with the Let’s Encrypt service, which were used with the generated domains. One of the\r\ndomains, linux84[.]distro[.]cloudns.cl, had an SSL certificate with a valid date starting on Nov. 17, 2020 (shown\r\nin Figure 15).\r\nFigure 15. SSL certificate for linux84.distro.cloudns.cl.\r\nConclusion\r\nAutomated Libra, the cloud threat actor behind the freejacking campaign PurpleUrchin, has created more than\r\n130,000 accounts on free or limited-use cloud platforms such as Heroku and GitHub. They have also engaged in\r\nthe illegal theft of cloud resources from these platforms.\r\nAutomated Libra constantly improves their CI/CD operation and infrastructure architecture to perform the\r\nfollowing actions:\r\nBypass or resolve the CAPTCHA presented by GitHub during account creation\r\nIncrease the number of accounts that can be created per minute\r\nUtilize as much CPU time as possible before losing access to resources\r\nIt is important to note that Automated Libra designs their infrastructure to make the most of CI/CD tools.\r\nThis is getting easier to achieve over time, as the traditional VSPs are diversifying their service portfolios to\r\ninclude cloud-related services. The availability of these cloud-related services makes it easier for threat actors,\r\nbecause they don’t have to maintain infrastructure to deploy their applications. In the majority of cases, all they’ll\r\nneed to do is to deploy a container.\r\nWhile PurpleUrchin is a freejacking crypto mining operation, Automated Libra also employs Play and Run tactics\r\nto gain access to computational resources. 
The threat actors use these limited-use cloud resources until the allotted\r\ntime or dollar balance is reached, at which time Automated Libra ceases using those resources. This often results\r\nin an outstanding balance due, which actors do not pay.\r\nPalo Alto Networks Prisma Cloud is capable of monitoring the usage of cloud resources, specifically those\r\ninitiated within a containerized environment. Prisma Cloud’s ability to scan all containers for vulnerabilities and\r\nmisuse prior to deployment, as well as monitoring the runtime status of these containers, would prevent the\r\nactivities of Automated Libra from persisting within a cloud environment.\r\nUpdated January 5, 2023, at 10:05 a.m. PT.\r\nSource: https://unit42.paloaltonetworks.com/purpleurchin-steals-cloud-resources/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/purpleurchin-steals-cloud-resources/"
	],
	"report_names": [
		"purpleurchin-steals-cloud-resources"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434784,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c463ed5a69d214096cf2b0cd5a1fd1fc70edea8e.pdf",
		"text": "https://archive.orkl.eu/c463ed5a69d214096cf2b0cd5a1fd1fc70edea8e.txt",
		"img": "https://archive.orkl.eu/c463ed5a69d214096cf2b0cd5a1fd1fc70edea8e.jpg"
	}
}