{
	"id": "afb687f2-3d51-4362-9dce-0c01d7843123",
	"created_at": "2026-04-06T00:17:28.029385Z",
	"updated_at": "2026-04-10T03:21:36.951881Z",
	"deleted_at": null,
	"sha1_hash": "d320aa2e23de6169cfdba57f4d5e92df96f0feb3",
	"title": "Purple Fox malware is actively distributed via Telegram Installers - The",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 256882,
	"plain_text": "Purple Fox malware is actively distributed via Telegram Installers\r\n- The\r\nBy John Greenwood\r\nPublished: 2022-01-04 · Archived: 2026-04-05 21:06:47 UTC\r\nJohn Greenwood Posted On January 4, 2022\r\nPurple Fox malware is distributed via malicious Telegram Desktop Installer, this malware installs further payloads\r\non the affected devices.\r\nThe file “Telegram Desktop.exe” comes with two files, an original installer file and a malicious downloader.The\r\nlegitimate installer isn’t executed as the AutoIT program runs the TextInputh.exe file.\r\nUnderstanding the Purple Fox Malware campaign\r\nThis TextInputh.exe when executed will create a new folder called “1640618495” under the\r\nC:\\Users\\Public\\Videos\\ location and then communicate with C2 to download a RAR and 7z utility. The RAR file\r\nhttps://www.thecybersecuritytimes.com/purple-fox-malware-is-actively-distributed-via-telegram-installers/\r\nPage 1 of 5\n\ncontains the configuration and payload file, when the 7z program unzips everything to the ProgramData folder.\r\nAs per Minerva Labs, TextInputh.exe does the following actions onto the compromised machine,\r\nCopies 360.tct with “360.dll” name —\u003e rundll3222.exe —-\u003e svchost.txt to the ProgramData folder\r\nExecutes ojbk.exe with the “ojbk.exe -a” command line\r\nDeletes 1.rar and 7zz.exe and exits the process\r\nLater, a  registry key is created and a DLL disables UAC the payload is executed and the following five additional\r\nfiles are dropped into the infected system,\r\nCalldriver.exe\r\nDriver.sys\r\ndll.dll\r\nkill.bat\r\nspeedmem2.hg\r\nhttps://www.thecybersecuritytimes.com/purple-fox-malware-is-actively-distributed-via-telegram-installers/\r\nPage 2 of 5\n\nThese extra files is used to block the initiation of 360 AV processes and avoid detection of Purple Fox on the\r\naffected device.  Moving further the malware gather system details, scans for security tools running in the device\r\nand then send the hard coded C2 address.\r\nDiscover more\r\nData Management\r\nComputer\r\nComputer Security\r\nSoftware\r\nNetwork Monitoring \u0026 Management\r\nComputer security\r\nsoftware\r\nComputer Hardware\r\nBusiness \u0026 Productivity Software\r\nWindows \u0026 .NET\r\nComplete capabilities of Purple Fox malware\r\nAfter this process, Purple Fox is downloaded from the C2 in the form of an .msi file that has encrypted shellcode\r\nfor both 64- and 32- bit systems. Once the Purple Fox is executed, the compromised devices are restarted for the\r\nregistry settings to work, especially the disabled User Account Control (UAC).\r\nTo achieve this, the dll.dll file sets the following three registry keys to 0:\r\n1. HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System ConsentPromptBehaviorAdmin\r\n2. HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA\r\n3. HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\PromptOnSecureDesktop\r\nDisabling bypassing UAC is vital because it deploys viruses and malware with administrator privileges. In\r\ngeneral, UAC prevents the installation of unauthorized apps and the change of system settings, to be active on all\r\nWindows devices.\r\nWhen disabled Purple Fox will perform malicious functions like searching of file, exfiltration, deletion of data,\r\nprocess killing, downloading and running code. and even worming to other Windows devices. Malware similar to\r\nPurple Fox are actively being distributed via Youtube Videos, malicious websites, and other forum sites.\r\nSubscribe to our newsletter for daily alerts on cyber events, you can also follow us on Facebook, Linkedin,\r\nInstagram, Twitter and Reddit. You can reach out to us via Twitter or Facebook, for any advertising requests.\r\nhttps://www.thecybersecuritytimes.com/purple-fox-malware-is-actively-distributed-via-telegram-installers/\r\nPage 3 of 5\n\nShare the article with your friends\r\nAuthor\r\nJohn Greenwood\r\nHe has been working with Cybersec and Infosec market for 12+ years now. Passionate about AI, Cybersecurity,\r\nInfo security, Blockchain and Machine Learning. When he is not occupied with cybersecurity, he likes to go on\r\nbike rides!\r\nYou may also like\r\nhttps://www.thecybersecuritytimes.com/purple-fox-malware-is-actively-distributed-via-telegram-installers/\r\nPage 4 of 5\n\nSource: https://www.thecybersecuritytimes.com/purple-fox-malware-is-actively-distributed-via-telegram-installers/\r\nhttps://www.thecybersecuritytimes.com/purple-fox-malware-is-actively-distributed-via-telegram-installers/\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.thecybersecuritytimes.com/purple-fox-malware-is-actively-distributed-via-telegram-installers/"
	],
	"report_names": [
		"purple-fox-malware-is-actively-distributed-via-telegram-installers"
	],
	"threat_actors": [],
	"ts_created_at": 1775434648,
	"ts_updated_at": 1775791296,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d320aa2e23de6169cfdba57f4d5e92df96f0feb3.pdf",
		"text": "https://archive.orkl.eu/d320aa2e23de6169cfdba57f4d5e92df96f0feb3.txt",
		"img": "https://archive.orkl.eu/d320aa2e23de6169cfdba57f4d5e92df96f0feb3.jpg"
	}
}