PurpleFox
Purple Fox uses the msi.dll function 'MsiInstallProductA' to download and execute its payload. The payload is a .msi file containing encrypted shellcode in both 32-bit and 64-bit versions. Once it runs, the system is restarted, and the malware uses the 'PendingFileRenameOperations' registry value to rename its components at boot.
Upon restart, the rootkit capability of Purple Fox is invoked. It creates a suspended svchost process and injects a DLL that creates a driver carrying the rootkit functionality.
The latest version of Purple Fox abuses open-source code to implement its rootkit components, which hide and protect its files and registry entries. It also abuses a file utility to hide its DLL component, which deters reverse engineering.
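A defender-side check tied to the restart step above, added here as an example and not code from the page or from the malware itself: it reads the PendingFileRenameOperations value (a REG_MULTI_SZ of source/destination pairs consumed by Session Manager at boot) and lists every queued rename or delete. The "Suspicious" heuristic (DLL, driver or installer files outside common servicing paths) is an assumption for triage and should be tuned to the environment.

```powershell
# Added example: enumerate file operations queued for the next boot.
# Purple Fox abuses this mechanism to rename its components after restart.
function Get-PendingRenameOps {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $name = 'PendingFileRenameOperations'
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if (-not $item) { return @() }

    # Value layout: alternating strings [source, destination, source, destination, ...].
    # Paths carry an NT prefix (\??\); a '!' before the destination means
    # "replace existing"; an empty destination means "delete source at boot".
    $entries = @($item.$name)
    $ops = @()
    for ($i = 0; $i -lt $entries.Count; $i += 2) {
        $src = $entries[$i] -replace '^\\\?\?\\', ''
        $dst = if ($i + 1 -lt $entries.Count) { $entries[$i + 1] } else { '' }
        $dst = $dst -replace '^!?\\\?\?\\', ''

        # Heuristic (assumption): binaries staged outside normal servicing
        # locations are worth a closer look; legitimate updates mostly live
        # under WinSxS, servicing, SoftwareDistribution or Windows\Temp.
        $target = if ($dst -ne '') { $dst } else { $src }
        $isBinary = $target -match '\.(dll|sys|msi)$'
        $inServicing = $target -match '\\Windows\\(WinSxS|servicing|Temp)\\' -or
                       $target -match '\\SoftwareDistribution\\'

        $ops += [pscustomobject]@{
            Action      = if ($dst -eq '') { 'Delete' } else { 'Rename' }
            Source      = $src
            Destination = $dst
            Suspicious  = ($isBinary -and -not $inServicing)
        }
    }
    return $ops
}

# Show everything queued; sort suspicious entries to the top for triage.
Get-PendingRenameOps | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run from an elevated PowerShell session; an empty result simply means nothing is queued for the next boot.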
C2 Infrastructure
Last 7 days
| Date | C2 Hosts |
|---|---|
| Apr 16, 2026 | 1 |
| Apr 15, 2026 | 6 |
| Apr 13, 2026 | 3 |
Further Reading
The PurpleFox Exploit Kit is now being distributed via WPAD attacks targeting Indonesian users.
By examining Purple Fox’s routines and activities, both with our initial research and the subject matter we cover in this blog post, we hope to help incident responders, security operation centers ...
As cryptocurrencies like bitcoin are more widely used, so will the threats that cybercriminals use to abuse it. Here’s a closer look at cryptocurrency-mining malware—their emergence in the threat l...