Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

New PurpleFox Botnet Variant Uses WebSockets For C2 Communication

New PurpleFox Botnet Variant Uses WebSockets For C2 Communication

The PurpleFox botnet has refreshed its arsenal with new vulnerability exploits and dropped payloads, now also leveraging WebSockets for C2 bidirectional communication.

Although it’s mainly based in China, the PurpleFox botnet still has a global presence through hundreds of compromised servers.

Its activity starts with the execution of a PowerShell command that downloads a malicious payload from the specified URL, pointing to an available C2 server.

The payload used in recent campaigns tracked by researchers at Trend Micro is a long script that comprises three privilege escalation components.

Also Read: PDPA Compliance Singapore: 10 Areas To Work On

These target Windows 7 to Windows 10 systems, but are limited to 64-bit systems only.

The flaws that are exploited by the latest PurpleFox variants are the following:

  • Windows 7/Windows Server 2008 – CVE-2020-1054, CVE-2019-0808 
  • Windows 8/Windows Server 2012 – CVE-2019-1458 
  • Windows 10/Windows Server 2019 – CVE-2021-1732

PurpleFox detects the host system, selects the appropriate exploit, and then uses the PowerSploit module to load it.

An MSI package is also initiated from an admin-level process without requiring any user interaction, checking for older PurpleFox installations and replacing their components with new ones.

The backdoor that is installed on the host system is a DLL file obfuscated with the VMProtect file compressing utility.

PurpleFox backdoor installation process
PurpleFox backdoor installation process
Source: TrendMicro

The malware also uses a rootkit driver that hides its files, registry keys, and processes, reducing the chances of being detected on the compromised server.

Opening a WebSocket channel and keeping it alive

A new .NET backdoor retrieved from recent campaigns is dropped days after the initial intrusion to leverage WebSockets for C2 communications.

This component is responsible for setting up the communication configuration as well as for the initialization of cryptographic functions.

The use of WebSockets for communications is something unusual in the malware space, but PurpleFox shows that it can be very effective nonetheless.

Also Read: What Does A Data Protection Officer Do? 5 Main Things

The exchanged messages between the infected machine and the selected C2 server begin with negotiations for a session RSA encryption key, but even this first exchange is AES-encrypted using a default key.

AES-encrypted exchange between the machine and the C2
AES-encrypted exchange between the machine and the C2
Source: TrendMicro

By sending “keepalive” messages, the TCP connection is maintained for as long as needed.  

The list of WebSocket commands observed by TrendMicro is extensive, and although there are some discrepancies between different variants, the table below summarizes them all.

Overview of WebSocket commands
Overview of WebSocket commands
Source: TrendMicro

Currently, PurpleFox is still active and there’s a notable number of C&C servers controlling the WebSocket clients.

By doing some profiling of the targets, TrendMicro reports the most notable activity hotspots to be in the US, Turkey, UAE, Iraq, and Saudi Arabia.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us