The operators behind the Purple Fox malware have upgraded their arsenal: they are now deploying a new version of FatalRAT, a remote access trojan, and its detection-evasion capabilities have been upgraded as well.
New FatalRAT Version Wreaking Havoc on the Cyber Scene
Researchers at Trend Micro have recently published a report on the campaign, explaining what this new RAT version is designed to do.
Users' machines are targeted through trojanized software packages posing as legitimate application installers. These installers are actively distributed online to trick users into running them and thereby grow the botnet.
The findings build on earlier Minerva Labs research, which revealed a similar method of distributing the backdoor through fake Telegram applications. WhatsApp, Adobe Flash Player, and Google Chrome are among the other software installers being impersonated, as hackernews.com notes.
How Does the Infection Chain Unfold?
According to the same Trend Micro report, in the Purple Fox infection chain each installer embeds a single character that maps to a specific payload. The execution parent then appends this character to its request to the first-stage command and control (C&C) server, which uses it to select the second-stage payload.
An illustration of the infection chain is shown below.