{
	"id": "119af26b-0559-4ab2-ab76-0b6020be26f0",
	"created_at": "2026-04-06T00:15:58.325757Z",
	"updated_at": "2026-04-10T03:21:34.398305Z",
	"deleted_at": null,
	"sha1_hash": "ecb6716768f391b7615d62022d805da381f96559",
	"title": "From PoC to Exploit Kit: Purple Fox now exploits CVE-2021-26411 | HP Wolf Security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1655502,
	"plain_text": "From PoC to Exploit Kit: Purple Fox now exploits CVE-2021-\r\n26411 | HP Wolf Security\r\nBy Patrick Schläpfer\r\nPublished: 2021-04-14 · Archived: 2026-04-05 16:48:20 UTC\r\nBrief history\r\nPurple Fox is a multi-component malware family that was first documented by Qihoo 360 in September 2018.\r\nOriginally, it was a trojan that was delivered using the Rig exploit kit (EK). Since then its developers have added\r\nnew capabilities, including a rootkit component and an exploit kit (also known as Purple Fox EK) to deliver the\r\nmalware. In mid-2020, Proofpoint suggested that Purple Fox EK may have been developed to replace Rig,\r\nplausibly as a cost-saving measure to avoid having to pay another entity to distribute the malware. Exploits\r\nagainst two vulnerabilities, CVE-2020-0674 and CVE-2019-1458, were integrated into Purple Fox at this time.\r\nThe former exploits a vulnerability in Internet Explorer’s scripting engine to gain code execution, while the latter\r\nexploits a vulnerability in win32k.sys to run code with elevated privileges.\r\nIn October 2020, SentinelOne described a significant change to Purple Fox’s infection chain and the integration of\r\nother privilege escalation exploits. In addition to running several stages of obfuscated PowerShell code to infect\r\nsystems, Purple Fox’s developers added a feature enabling it to extract other malware stages from image files.\r\nNotably, malicious code is hidden inside the images using steganography to avoid detection by web proxies and\r\nfirewalls.\r\nMarch 2021 – Purple Fox developers add CVE-2021-26411 exploit\r\nOn 12 April 2021, we isolated a Purple Fox EK sample from a HP Sure Click Enterprise customer in the Middle\r\nEast. Interestingly, the sample attempted to exploit a memory corruption vulnerability in Internet Explorer (CVE-2021-26411) that appeared to be a new addition to Purple Fox’s exploit arsenal. 
Other Purple Fox EK samples\r\nexploiting this vulnerability in the wild were also reported by security researchers.\r\nWhat is notable about this exploit is that the code run by Purple Fox is very similar to a proof of concept (PoC)\r\npublished by Enki to the public in mid-March 2021. According to Enki, the PoC script was originally exploited in\r\na social engineering campaign targeting security researchers in January 2021. One possible explanation for their\r\nsimilarity is that the Purple Fox developers simply copied the script from that article. Since the time from PoC to\r\nin the wild (ITW) sightings was a couple of weeks (Figure 1), organisations only had a small window to patch\r\nbefore risking compromise by Purple Fox.\r\nhttps://threatresearch.ext.hp.com/purple-fox-exploit-kit-now-exploits-cve-2021-26411/\r\nPage 1 of 6\n\nFigure 1 – Timeline showing the history of CVE-2021-26411. The PoC-to-ITW time is highlighted in orange.\r\nInfection chain\r\nThe user encountered Purple Fox EK after searching for the term “زيارة-تمديد-نموذج-” (“Form-extension-visit-” in\r\nArabic) in Google. They clicked on one of the search results to loislandgraf[.]us, which then led to the exploit via\r\nseveral redirects. During the analysis, we noticed that the exploit is not triggered in every case because geofencing\r\nwas used to control who is targeted. The attacker’s exact strategy in terms of targeted regions remains unclear. The\r\npage could not be accessed from countries such as the USA, UK, France, Germany, the Netherlands and Egypt,\r\nwhereas Italy, Switzerland, Ireland, Sweden and Japan could trigger the infection chain, although this is not an\r\nexhaustive list.\r\nFigure 2 – Purple Fox EK web redirections.\r\nExamining the exploit code shows that it is obfuscated in several stages and encrypted using AES. 
We were able\r\nto recover the source code, which shares many similarities with the PoC code released by Enki. The only major\r\ndifference between the two is that the shellcode in the Purple Fox exploit script is much longer.\r\nFigure 3 – CVE-2021-26411 exploit shellcode.\r\nThe shellcode is straightforward to decode. It runs a PowerShell statement that downloads a file from a remote\r\nserver and executes it once again with PowerShell. The following diagram shows the process flow of the exploit,\r\nwhich was isolated inside a disposable micro-virtual machine by HP Sure Click Enterprise when the user clicked\r\non the link.\r\nFigure 4 – Process execution flow in HP Sure Controller, showing the exploit that HP Sure Click Enterprise\r\nisolated.\r\nThe execution of the malware largely corresponds to the infection chain already described by SentinelOne. The\r\nscript checks whether the user is an administrator and installs the malware using an MSI file if this is the case. If\r\nthe user is not an administrator, further malware modules are downloaded from the Internet. Steganography now\r\ncomes into play.\r\nFigure 5 – Purple Fox EK steganographic images (code removed).\r\nPowerShell scripts are extracted from the downloaded images, which are then executed and lead to privilege\r\nescalation through one of the integrated exploits:\r\nCVE-2015-1701\r\nCVE-2018-8120\r\nCVE-2019-1458\r\nCVE-2019-0808\r\nCVE-2020-1054\r\nCVE-2021-1732 (Nb. The exploit delivered by Purple Fox EK is similar to this publicly available PoC.)\r\nIf the exploit is successful, then the MSI and the payload are installed on the client.\r\nConclusion\r\nAlthough we have seen fewer sightings of EKs since 2017, the active development of Purple Fox EK suggests this\r\nmalware delivery method has not gone completely out of fashion. 
Purple Fox has been around for over two and a\r\nhalf years, during which its developers have regularly extended the EK with new exploits and additional\r\nfunctionality to bypass detection. The addition of a CVE-2021-26411 exploit about a month after the release of the\r\npatch does not rule out the possibility that the vulnerability was exploited by the malware before. However, the\r\ncode similarity between the Enki PoC and the exploit code run by Purple Fox demonstrates how malware\r\ndevelopers can easily and quickly adapt public exploit code to their needs. The short time from PoC to real-world\r\nsightings once again shows how important it is to patch security vulnerabilities promptly and to monitor and\r\ndetect anomalies as they occur.\r\nIndicators of Compromise\r\nSource: https://threatresearch.ext.hp.com/purple-fox-exploit-kit-now-exploits-cve-2021-26411/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://threatresearch.ext.hp.com/purple-fox-exploit-kit-now-exploits-cve-2021-26411/"
	],
	"report_names": [
		"purple-fox-exploit-kit-now-exploits-cve-2021-26411"
	],
	"threat_actors": [],
	"ts_created_at": 1775434558,
	"ts_updated_at": 1775791294,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ecb6716768f391b7615d62022d805da381f96559.pdf",
		"text": "https://archive.orkl.eu/ecb6716768f391b7615d62022d805da381f96559.txt",
		"img": "https://archive.orkl.eu/ecb6716768f391b7615d62022d805da381f96559.jpg"
	}
}