

We have been continuously tracking the Purple Fox threat since it first made waves in 2018, when it reportedly infected over 30,000 users worldwide. In 2021 we covered how it downloaded and executed cryptocurrency miners, and how it continued to improve its infrastructure while also adding new backdoors.

This most recent investigation covers Purple Fox’s new arrival vector and the early access loaders we believe are associated with the intrusion set behind this botnet. Our data shows that users’ machines are targeted via trojanized software packages masquerading as legitimate application installers. The installers are actively distributed online to trick users and grow the botnet infrastructure. Other security companies have also reported on Purple Fox’s recent activities and its latest payloads.

The operators are updating their arsenal with new malware, including a variant of the remote access trojan FatalRAT that they seem to be continuously upgrading. They are also trying to improve their signed rootkit arsenal to evade antivirus (AV) and other security detection mechanisms. These notable changes are covered in the sections below and further explained in our technical brief.

Purple Fox infection chain and payload updates
