{"id":42046,"date":"2021-07-01T00:00:00","date_gmt":"2021-07-01T00:00:00","guid":{"rendered":"https:\/\/www.trendmicro.com\/en_us\/research\/21\/g\/purplefox-using-wpad-to-targent-indonesian-users.html"},"modified":"2021-07-01T00:00:00","modified_gmt":"2021-07-01T00:00:00","slug":"purplefox-using-wpad-to-target-indonesian-users-sr-threat-researcher","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/purplefox-using-wpad-to-target-indonesian-users-sr-threat-researcher\/","title":{"rendered":"PurpleFox Using WPAD to Target Indonesian Users Sr. Threat Researcher"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/g\/purplefox-wpad\/purplefox-wpad-5.jpg\"> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"48.848484848485\"> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"237839157\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"7.5\">\n<div class=\"article-details\" role=\"heading\" readability=\"35\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Cyber 
Threats<\/p>\n<p class=\"article-details__description\">The PurpleFox Exploit Kit is now being distributed via WPAD attacks targeting Indonesian users.<\/p>\n<p class=\"article-details__author-by\">By: William Gamazo Sanchez <time class=\"article-details__date\">July 01, 2021<\/time> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-md-8 col-md-push-2\"> <\/p>\n<div class=\"richText\" readability=\"42.519269776876\">\n<div readability=\"35.281947261663\">\n<p>In September 2020, we published a blog post describing how the <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/20\/i\/purple-fox-ek-relies-on-cloudflare-for-stability.html\">PurpleFox Exploit Kit used Cloudflare services<\/a> to maintain an infrastructure resilient to blocking and detection attempts. Since then, PurpleFox has been maintaining this strategy while at the same time improving its attack chain by incorporating the latest <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/19\/i\/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html\">public vulnerabilities<\/a> into its arsenal.<\/p>\n<p>Recently, we found that PurpleFox added a very old tactic to improve its delivery performance. This time PurpleFox EK is <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/16\/h\/badwpad-doubtful-legacy-wpad-protocol.html\">making use of WPAD domains<\/a> to infect users. While a WPAD abuse attack is a technique that has been around for approximately 14 years, it still works. <a href=\"https:\/\/www.wpadblock.com\/\" target=\"_blank\" rel=\"noopener\">Initiatives to prevent this attack<\/a> help, but they are not sufficient.<\/p>\n<p>Our systems started detecting victims accessing the \u201cwpad.id\u201d domain, which makes use of the Indonesian top-level domain (*.id). 
We did not find any other country top-level domain affected. Using this technique, a zero-click attack can be implemented, as the WPAD URL is accessed whenever the system starts, without any user input.<\/p>\n<p><b>PurpleFox WPAD landing page<\/b><\/p>\n<p>To abuse WPAD, the PurpleFox authors registered the domain \u201cwpad.id\u201d with Cloudflare. They then load the URL for WPAD services, which is located at <i>http:\/\/wpad[.]id\/wpad[.]dat<\/i>. At the time of analysis, this would return a standalone JavaScript version of the <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2019-1367\" target=\"_blank\" rel=\"noopener\">CVE-2019-1367<\/a> exploit with custom shellcode to follow the attack chain setup for the WPAD attack. Figure 1 shows the WPAD resolution and malicious sample delivery.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/g\/purplefox-wpad\/purplefox-wpad-1.png\" alt=\"Figure 1. CVE-2019-1367 exploit delivery using WPAD\"><figcaption>Figure 1. CVE-2019-1367 exploit delivery using WPAD<\/figcaption><\/figure>\n<\/p><\/div>\n<div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/g\/purplefox-wpad\/purplefox-wpad-2.png\" alt=\"Figure 2. The CVE-2019-1367 JavaScript standalone exploit\"><figcaption>Figure 2. The CVE-2019-1367 JavaScript standalone exploit<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35.580740740741\">\n<div readability=\"17.546666666667\">\n<p>The custom shellcode downloads the next stage from the URL <i>http:\/\/9kf[.]me\/in[.]php?id=1<\/i>. 
The domain \u201c9kf.me\u201d was no longer accessible by the time we analyzed the samples, but we were able to find two more active domains, \u201c2kf.me\u201d and \u201c6kf.me,\u201d that contained the same payload.<\/p>\n<p>Following the request logic, we retrieved the full chain used in this deployment. The PurpleFox chain is designed with multiple complicated stages abusing PowerShell and MSI files, as previously described by Trend Micro and <a href=\"https:\/\/labs.sentinelone.com\/purple-fox-ek-new-cves-steganography-and-virtualization-added-to-attack-flow\/\" target=\"_blank\" rel=\"noopener\">other researchers<\/a>. This post will not go into the details; we will limit ourselves to showing how the two domains are chained to deliver the full attack chain.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/g\/purplefox-wpad\/purplefox-wpad-3.png\" alt=\"Figure 3. The 2kf.me domain redirecting to 6kf.me\"><figcaption>Figure 3. The 2kf.me domain redirecting to 6kf.me<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>The domain resolution and access to the attack chain artifacts are all being proxied through Cloudflare servers, as shown in Figure 4.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/g\/purplefox-wpad\/purplefox-wpad-4.png\" alt=\"Figure 4. The attack chain\"><figcaption>Figure 4. 
The attack chain<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"43.472403924775\">\n<div class=\"responsive-table-wrap\" readability=\"34.395748160262\">\n<p>Analysis of the full chain revealed that the following CVEs were being exploited: <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2020-1054\" target=\"_blank\" rel=\"noopener\">CVE-2020-1054<\/a>, <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2018-8120\" target=\"_blank\" rel=\"noopener\">CVE-2018-8120<\/a>, as well as an <a href=\"https:\/\/github.com\/euphrat1ca\/ms15-051\" target=\"_blank\" rel=\"noopener\">exploit for MS15-051<\/a>. The binary exploiting MS15-051 leaks the symbols path <i>C:\\Users\\K8team\\Desktop\\ms15-051\\ms15-051\\ms15-051\\Win32\\ms15-05, <\/i>suggesting that PurpleFox is reusing tools from <a href=\"https:\/\/github.com\/k8gege\/K8tools\" target=\"_blank\" rel=\"noopener\">K8team<\/a>, which is responsible for maintaining public repositories of CVE exploit POCs and hack tools.<\/p>\n<p><b>Defending against PurpleFox<\/b><\/p>\n<p>The PurpleFox Exploit Kit continues to be very active and appears to be looking for new infection tactics. Our feedback shows that this specific attempt is not only affecting Indonesian victims, as users in other countries who are using the Indonesian TLD are being affected as well. At the same time, PurpleFox is trying to reach servers where user interaction is minimal but which are potentially affected by the WPAD technique, such as unattended machines.<\/p>\n<p>Continuous vigilance against threat groups is an important aspect of keeping up with \u2014 if not staying one step ahead of \u2014 threats. 
To protect systems from this type of threat, users can use multilayered security solutions like <a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/user-protection.html\">Trend Micro Protection Suites<\/a> that help detect and block attacks.&nbsp;<a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/detection-response.html\">Trend Micro Vision One\u2122\ufe0f<\/a>&nbsp;also provides visibility, correlated detection, and behavior monitoring across multiple layers, such as emails, endpoints, servers, and cloud workloads. This ensures that no significant incidents go unnoticed and allows faster response to threats before they can do any real damage to the system.&nbsp;<\/p>\n<p><b>Indicators of Compromise<\/b><\/p>\n<p><i>Files<\/i><\/p>\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\">\n<tbody readability=\"14\">\n<tr readability=\"2\">\n<td>SHA256<\/td>\n<td>Filename<\/td>\n<td>Trend Micro Detection Name<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>1aa1df57f786224f4997f1d6284a123176291f3f3d43bc4b942ae423c58cc356<\/td>\n<td>winupdate64.log<\/td>\n<td>Trojan.Win64.FUPORPLEX.D<\/td>\n<\/tr>\n<tr readability=\"7\">\n<td valign=\"bottom\" readability=\"5\">\n<p>3039208b2a34bb2e71bc6a77ae3be2fa588abd359fdb0068253739f3839f3425<\/p>\n<\/td>\n<td>2020-09-09_16-25-29_764_raw.githack.store_P1-1-2_PurpleFox.exe.bak<\/td>\n<td>Trojan.Win32.CVE20188120.E<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>36725374d7ec66c9876eb1d5edc2a5889643e01dbd0ac7a6705babbc3c3ea6a9<\/td>\n<td>M0011.cab<\/td>\n<td>Trojan.Win32.FUPORPLEX.ENF<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>61113a0acd6469ce0d860db55c2afa3cdcbac2f5411fe8259cca43c10c042239<\/td>\n<td>1505132.jpg<\/td>\n<td>TROJ_CVE20151701.B<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>905cc7b3027cad361ae7a29969dfd7e63f8f1189d7e0abdf5b2efe0f1ec13e5c<\/td>\n<td>pe_1<\/td>\n<td>Trojan.Win32.CVE20190808.A<\/td>\n<\/tr>\n<tr 
readability=\"4\">\n<td>db7c4a360b460a13148d6e5fff530afaa0fa161959166cdab342d0aa9760ba68<\/td>\n<td>sysupdate.log<\/td>\n<td>Backdoor.Win32.FUPORFLEX.ENC<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>f09c502f4b5862641b3c3eff19ae96d949fab465b3fddd1888fe945817c9e2fd<\/td>\n<td>N\/A<\/td>\n<td>Trojan.Win32.FUPORPLEX.ENF<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><i>URLs<\/i><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">http:\/\/2kf[.]me\/in[.]php<\/span><\/li>\n<li><span class=\"rte-red-bullet\">http:\/\/6kf[.]me\/in[.]php<\/span><\/li>\n<li><span class=\"rte-red-bullet\">http:\/\/9kf[.]me\/in[.]php<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/g\/purplefox-using-wpad-to-targent-indonesian-users.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The PurpleFox Exploit Kit is now being distributed via WPAD attacks targeting Indonesian users. 
Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":42047,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9511,9508,9509],"class_list":["post-42046","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cyber-threats","tag-trend-micro-research-endpoints","tag-trend-micro-research-research"],"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/42046","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=42046"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/42046\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/42047"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=42046"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=42046"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=42046"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}