Purple Fox Malware

Purple Fox is file-less downloader malware, first discovered in 2018, is malware that used to rely on exploits kits and phishing emails to spread. When it was first arrived it targeted Windows machines and repurposes compromised systems to host malicious payloads.

Infection chains may begin through internet facing services containing vulnerabilities, such as SMB, browser exploits sent via phishing, brute-force attacks.

Exploit used by Purple Fox

CVE and Exploits

CVE-2018–8174 //VBScript exploits//

CVE-2018–15982 //Adobe flash exploits//

CVE-2014–6332 //Internet explorer exploits//

Purple Fox attacks unpatched vulnerability to run windows powershell and downloads additional malware to conduct its malicious actions. It can caused mainly when user visits a corrupted website injected with a Purple Fox malicious script. The malware detects the vulnerabilities it needs to compromise the system and then infiltrated the target machine while still on the given website. Typically, users land on such dangerous pages after being redirected by malicious ads or spam e-mails.

Now, the threat actors have found new ways delivering the same Purple Fox rootkit version using the same attack chain.

The malicious telegram installer has been developed as a compiled AutoIt script, a legitimate telegram installer is dropped but never used together with a malicious downloader called TextInputh.exe. Most of files had very low detection rates by AV engines.

Steps used by Purple Fox :

TextInputh.exe creates a new folder and connects to the malware (C2) server

Two new files are then downloaded and executed which unpack .RAR archives and a file used to load a malicious reflectively.DLL.

A registry key is created to enable persistence on an infected machine,

Five further files are dropped into the ProgramData folder to perform functions

Shutting down a wide range of antivirus processes before Purple Fox is finally deployed.

How to Avoid Purple Fox :

Keep windows system up to date by installing latest patches for known vulnerabilities.

Restrict privileges to administrator tools would allow enforcing the principle of least privilege.

Anti-Malware solution that offers advanced layers of security will disarm threats.

User awareness , not to click on link or any malicious emails or accessing unknown websites.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Rajhans patel

Rajhans patel


Learning daily new cybersecurity things to get most of it and have all round development in cyber defence field