{
	"id": "b5dd6a52-6f14-4545-9127-ec8ecadbd108",
	"created_at": "2026-04-06T00:12:34.53196Z",
	"updated_at": "2026-04-10T03:20:19.94887Z",
	"deleted_at": null,
	"sha1_hash": "faed724efc34c09c7cf6f6faad217bd8da454f07",
	"title": "A Look Into Purple Fox’s Server Infrastructure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 422681,
	"plain_text": "A Look Into Purple Fox’s Server Infrastructure\r\nBy Jay Yaneza, Abdelrhman Sharshar, Sherif Magdy\r\nPublished: 2021-12-13 · Archived: 2026-04-05 21:12:10 UTC\r\nIntroduction\r\nIn one of our previous blog entries, we analyzed the Purple Fox botnet by providing an overview of how it worked. In addition, we examined its initial access techniques and some of its associated backdoors.\r\nIn this research, we shed greater light on the later stages of its infection chain that we have observed via Trend Micro Managed XDR services — specifically, how it infects SQL databases by inserting a malicious SQL CLR assembly to achieve persistent and stealthier execution. It should be noted that most files used in this attack are not stored on disk: they are either executed from memory after being pulled from the command-and-control (C\u0026C) server, or kept encrypted and later loaded by another process.\r\nWe also discuss the botnet’s underlying C\u0026C infrastructure and the motivation behind the Purple Fox operators’ choice to target SQL servers in their recent activities.\r\nBy examining Purple Fox’s routines and activities, both in our initial research and in the subject matter we cover in this blog post, we hope to help incident responders, security operation centers (SOCs), and security researchers find and weed out Purple Fox infections in their networks.\r\nProcess injection\r\nLet’s begin by analyzing Purple Fox’s process injection routine. The malware first loads its various components by spawning a suspended svchost.exe (changed to fontdrvhost.exe by the accompanying rootkit) process. It then loads the DLL component into the process address space and redirects execution to the loaded DLL.\r\nhttps://www.trendmicro.com/en_us/research/21/l/a-look-into-purple-fox-server-infrastructure.html\r\nPage 1 of 13\n\nFigure 1.
Process tree overview\r\nThe C\u0026C server\r\nThe malware has three different ways to communicate with its C\u0026C servers. Each method is used at a particular stage of execution for various purposes.\r\nDNS is used to get a list of C\u0026C IP addresses at the start of each process execution. It is also used to renew this list if all servers fail to respond during this stage, or in a later stage as we see next. One thing to note is that the IP addresses received via the DNS requests are not the real IP addresses used for the C\u0026C server. Those received via DNS are encoded, and they can be decoded by subtracting a fixed number from the IP address. The following table shows examples of this.\r\nIP address from DNS request -> Decoded IP address\r\n178[.]195.162.94 -> 216[.]189.159.94:12113\r\n79[.]222.214.20 -> 117[.]216.211.20:10669\r\n145[.]68.65.106 -> 183[.]62.62.106:13600\r\n73[.]127.195.228 -> 111[.]121.192.228:14640\r\n53[.]238.137.143 -> 91[.]232.134.143:18372\r\nTable 1. Examples of IP addresses received via DNS requests and the actual decoded IP addresses\r\nThe following are the domains used for the DNS requests:\r\nKew[.]8df[.]us, which points to m[.]tet[.]kozow[.]com\r\nret[.]6bc[.]Us, which points to a[.]keb[.]kozow[.]com\r\nThe list of returned IP addresses changes every few minutes or so, in order to cycle through the botnet’s C\u0026C infrastructure.\r\nThe second communication method, User Datagram Protocol (UDP), is used for various types of messages and includes the building of a cache IP address list that will be used for further communication.
In addition, it is used for pulling the configuration for running tools and for retrieving the IP:PORT list for the HTTP traffic discussed in the next section.\r\nAfter an IP address is selected from the DNS response, it is decoded to the real IP address and a port number, after which a request is made to pull the cache IP address list. If at any point this cache list fails, the malware returns to DNS to pull a new IP address and build another cache IP address list.\r\nTo start performing its routine on the system, the malware pulls encrypted DLLs by issuing a GET request in the format http://IP:PORT/xxxx[.]moe, where IP:PORT is selected via a UDP message and xxxx[.]moe is one of the worker DLLs. These DLLs are saved to a file and loaded by the worker process, which decrypts, decompresses, and executes them.\r\nThe Worker DLLs\r\nThe first of the worker DLLs is a SQL Server scanner that pulls its core module from /3FE8E22C.moe using the HTTP communication described previously. This core module is injected into a new process, and the scanner configuration, which contains the starting public address for scanning, is pulled over UDP.\r\nIt scans local and public IP addresses for SQL Server on port 1433. If it finds an open port, it begins a brute-force attack against SQL Server authentication using a 10 million-strong word list.\r\nWhen the malware is authenticated, it executes an SQL script that installs a backdoor assembly (evilclr.dll) on the SQL Server database, which is used to facilitate executing commands via SQL statements. Using this assembly, PowerShell commands are executed on the SQL Server to start Purple Fox’s infection chain, as discussed in our previous blog entry.\r\nFigure 2.
An SQL brute-force request\r\nFigure 3. A failed response to the SQL brute-force request\r\nFigure 4. A successful response to the SQL brute-force request\r\nFigure 5. Executing SQL statements\r\nFigure 6. Database before infection\r\nFigure 7. Database after infection\r\nThe second worker DLL is an XMR Coinminer that starts its routine by retrieving its configuration over UDP. It then executes an embedded XMRig binary with the pulled configuration, making the bot join the mining pool on 108[.]177[.]235[.]90:443.\r\nFigure 8. Custom XMRig running in the foreground\r\nOperating system execution via SQL Server\r\nPurple Fox focuses on SQL servers rather than ordinary computers for its cryptocurrency-mining activities. This is mainly because of the more powerful hardware configuration — for both CPU and memory — that such servers usually have.
More specifically for SQL servers, the combination of CPU, memory, and disk resources should scale with the database-related operations to avoid performance bottlenecks. These machines normally possess much greater computing power than normal desktops, as such servers are usually fitted with hardware such as the Intel Xeon line of CPUs, which produces a significantly higher rate of hash-based calculations (hash rate), making a server more advantageous for coinmining compared to a typical desktop computer.\r\nSince SQL databases support different vectors for executing operating system commands directly, Purple Fox has leveraged the stealthiest method: having a binary inserted in the SQL Server database that can be executed via TSQL commands. The following interfaces are available from the SQL components for malicious actors to use when targeting an SQL server:\r\nMethod -> Details\r\n.NET -> New Process() + UseShellExecute; System.management.automation.powershell; Common Language Runtime (CLR) Assemblies\r\nC++ -> ShellExecute/ShellExecuteEx; xp_cmdshell\r\nCOM objects -> wscript.shell; shell.application\r\nTable 2. The available interfaces from the SQL components\r\nPurple Fox opted to use the .NET method with CLR Assemblies, a group of DLLs that can be imported into a SQL Server, in its infection chain instead of the more popular xp_cmdshell, which is heavily monitored by security analysts. Once the DLLs have been imported, they can be linked to stored procedures that can be executed via a TSQL script.
The affected versions for this vector start from SQL Server 2008.\r\nThis method, which requires a system administrator role by default, executes as the SQL Server service account. By leveraging this interface, an attacker is able to compile a .NET assembly DLL and then have it imported into the SQL server. The attacker is also able to have an assembly stored in a SQL Server table, create a procedure that maps to the CLR method, and finally, run the procedure.\r\nThe CLR Assemblies method is reported to have been used before by groups other than Purple Fox, such as MrbMiner and Lemon Duck.\r\nInfrastructure\r\nThe C\u0026C servers used in the communication schemes described here are infected servers that are part of the botnet, used to host the various payloads for Purple Fox. We deduced this from the following facts:\r\nThe C\u0026C servers are SQL Servers themselves.\r\nThe HTTP server header is mORMot, which is written in Delphi, the same language used for the various components.\r\nThere is a large number of servers (1,000+ in just over a week).\r\nBoth initial DNS requests are CNAMEs to subdomains under kozow[.]com, which is a free dynamic domain service provided by dynu[.]com.
This service can be updated with an API to make it point to different IP addresses — a technique the attacker uses to change the IP address at a regular interval.\r\nOther notable characteristics\r\nUsing our telemetry, we found non-server systems infected with Purple Fox, indicating that there are possible initial access methods other than the SQL Server brute-force attack to spread the malware.\r\nThis activity is similar to that seen in Lemon Duck attacks and even shares some techniques, such as the use of PowerSploit for reflective PE loading and the use of the same backdoor, evilclr.dll, for the SQL Server assembly. Both attacks also share the same goal of mining Monero.\r\nSecurity recommendations\r\nUpon observing any suspicious activities related to the Purple Fox botnet on a SQL server, we recommend the following steps to completely remove all malicious remnants of the infection.\r\nReview all of the SQL Server’s stored procedures and assemblies for any suspicious assemblies not recognized by the DBAs. Remove any of these assemblies if detected.\r\nExecute the following TSQL script to remove the remnants of malicious CLR assemblies that are inserted into the database:\r\nUSE [master]\r\nGO\r\nDROP ASSEMBLY [fscbd]\r\nGO\r\nDisable all unknown accounts on the database server and change all the passwords.\r\nAs a defensive posture, do not publish externally exposed port TCP 1433 to an untrusted zone. In addition, secure the SQL server hosts via a perimeter firewall in a DMZ zone with well-protected access policies.\r\nImplement proper network microsegmentation and network zoning while also applying a zero trust policy via your network security controls.\r\nRestrict the traffic to and from SQL servers.
These servers have a very specific function; therefore, they should only be allowed to communicate with other trusted hosts. Inbound and outbound internet accessibility should also be controlled.\r\nDetections and Mitigations\r\nTrend Micro Vision One™️ with Managed XDR products focuses on both the early stages of the attack kill chain (covered in the previous research) and the final payloads intended to do the actual damage, thereby protecting users of this service against the damage caused by the latest evolution of this botnet.\r\nBoth the Vision One platform and Managed XDR threat experts can correlate the suspicious activities observed from the protected SQL servers. An environment that triggers any of the behavioral detections in our Vision One heuristics rules might already have SQL servers affected by an attack. This extends even to stealthy malware, such as Purple Fox, that does not store the majority of its files on disk.\r\nSince servers have a predictable network footprint and behavior, unusual or unexpected network patterns could be a sign of botnet propagation.\r\nThe same goes for unusual and unexpected SQL Server application login failures that look like brute-force attacks. The main propagation method for Purple Fox when infecting SQL servers uses brute-force attacks rather than acting as a worm that exploits only vulnerable services.\r\nWhen a SQL server starts having unusual UDP and TCP traffic, there should be a massive surge in traffic, since it scans public IP addresses and the local network.
This will create a domino effect within an environment, since most organizations have more than one SQL server, such as standby or backup servers.\r\nUnusual network traffic patterns and login failures on the SQL server are also a good indicator of this threat.\r\nA sudden and unexpected spike in CPU utilization on the SQL server could also be a sign of SQL bottlenecks or an infection with the XMR Coinminer. Furthermore, there could also be unusual amounts of network traffic on the server as it joins the mining pool.\r\nSource: https://www.trendmicro.com/en_us/research/21/l/a-look-into-purple-fox-server-infrastructure.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/21/l/a-look-into-purple-fox-server-infrastructure.html"
	],
	"report_names": [
		"a-look-into-purple-fox-server-infrastructure.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434354,
	"ts_updated_at": 1775791219,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/faed724efc34c09c7cf6f6faad217bd8da454f07.pdf",
		"text": "https://archive.orkl.eu/faed724efc34c09c7cf6f6faad217bd8da454f07.txt",
		"img": "https://archive.orkl.eu/faed724efc34c09c7cf6f6faad217bd8da454f07.jpg"
	}
}