Purple Fox with new infection vector

[German] Trend Micro Research has published a new blog post on a fresh malware campaign. The Purple Fox operators are using updated tools and a new arrival vector to infect their victims: they distribute fake copies of popular software, such as a WhatsApp installer, to drop their first-stage loader.


The malware, or rather the group behind it, has been known since 2018, when more than 30,000 victims were infected. In 2021, Trend Micro Research worked out how the malware downloads and deploys cryptocurrency miners. At the same time, the gang could be observed steadily improving its infrastructure and adding new backdoors. Now there are new findings on the malware and on the tools the group uses.

The tweet referenced above links to the article, which describes the attack path and the tools used in detail. Among those tools is the remote access Trojan FatalRAT. The attackers distribute their malware via disguised software packages that contain the first-stage loader, using the names of popular legitimate applications such as Telegram, WhatsApp, Adobe and Chrome to hide the malicious installation packages.

At present the threat to Germany still seems low, since some of the trojanized software packages are mainly used by Chinese users. The following list shows the recently observed software packages and the corresponding malicious payload for the second stage of the infection. As the Trend Micro article explains, the individual payloads are served by the C&C server during execution and selected by the last character of the module's file name.

Purple Fox loader software packages (figure)


Users and administrators can only be advised to obtain installer packages for the software they use directly from the responsible vendor, and to check the downloaded file (signature, hash) before running it. At the same time, keep in mind that the people behind the malware are constantly developing it further, and that the malware distributed via the C&C servers can change frequently. It is therefore important to block the downloader so that it never reaches the systems on which it would load and install further malware.
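One way to apply that advice on a Windows endpoint, as an added example that is not part of the original post or of the Trend Micro research: check each downloaded installer for a valid Authenticode signature whose signer subject matches the vendor you expect, and optionally compare its SHA-256 hash with the value the vendor publishes. The file paths and the expected signer subjects in the allowlist are assumptions for this example; confirm each subject against the vendor's own documentation or a known-good copy before relying on it.

```powershell
function Test-InstallerSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Wildcard pattern for the expected signer subject, e.g. 'CN=WhatsApp LLC*'
        [Parameter(Mandatory)] [string] $ExpectedSubjectPattern,
        # Optional SHA-256 published by the vendor for this exact release
        [string] $ExpectedSha256
    )

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    # 'Valid' only proves the file is signed by a certificate chaining to a trusted root;
    # anyone can buy such a certificate, so the subject must match the expected vendor too.
    $signatureOk = ($sig.Status -eq 'Valid')
    $subjectOk   = ($subject -like $ExpectedSubjectPattern)
    $hashOk      = if ($ExpectedSha256) { $hash -ieq $ExpectedSha256 } else { $true }

    [PSCustomObject]@{
        Path       = $Path
        Status     = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError ...
        Subject    = $subject
        Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
        Sha256     = $hash
        Verdict    = if ($signatureOk -and $subjectOk -and $hashOk) { 'OK' } else { 'REJECT' }
    }
}

# Assumed file names and signer subjects (hypothetical allowlist for this example).
$Expected = @{
    'C:\Downloads\WhatsAppSetup.exe' = 'CN=WhatsApp LLC*'
    'C:\Downloads\tsetup.exe'        = 'CN=Telegram FZ-LLC*'
    'C:\Downloads\ChromeSetup.exe'   = 'CN=Google LLC*'
}

$results = foreach ($file in $Expected.Keys) {
    if (Test-Path -Path $file) {
        Test-InstallerSignature -Path $file -ExpectedSubjectPattern $Expected[$file]
    }
}
$results | Format-Table Path, Status, Subject, Verdict -AutoSize
```

A package that is unsigned, whose signature fails to verify, or whose signer is not the expected vendor gets a REJECT verdict and should not be executed. Note that this check says nothing about where the file came from: a trojanized installer served from a look-alike site can still be signed with a certificate the attackers obtained themselves, which is exactly why the subject match matters and why the download source itself must be the vendor's own.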
