Purple Fox malware is being spread using a malicious Telegram application for Desktop users. The malware is a rootkit used to install additional malicious payloads on compromised devices.

What has happened?

According to researchers, the attackers compiled the installer with the AutoIt script Telegram Desktop[.]exe. 
  • The script drops two files including an actual Telegram installer and a malicious downloader. The genuine installer of Telegram dropped along with the downloader isn't executed. 
  • The researchers discovered that a large number of malicious installers deliver the same Purple Fox version using the same attack chain. 
  • Some were believed to be spreading using email, while others were probably downloaded from phishing websites.

A complex chain of actions

  • When the AutoIT program runs the downloader (TextInputh[.]exe), it creates a new folder (1640618495) at the location at C:\Users\Public\Videos\ and then connects to a C2 for downloading RAR archive (1[.]rar) and 7z utility.
  • The archive includes the payload and configuration files. 
  • The 7z program unloads everything at the ProgramData folder and, further, performs a chain of actions, creating and deleting several files.

Attaining persistence

For persistence, it performs several additional tasks. A registry key is created, a DLL (rundll3222[.]dll) disables the UAC, a payload (scvhost[.]txt) is executed, and five additional files are dropped.
  • The additional five files, identified as Calldriver[.]exe, Driver[.]sys, dll[.]dll, kill[.]bat, and speedmem2[.]hg, block antivirus processes and stop the detection of Purple Fox on the infected machine.
  • Subsequently, the malware gathers basic system information, checks running security tools, and sends all stolen information to a hardcoded C2 address.
  • Post-reconnaissance, Purple Fox is downloaded from the C2 in the form of a .msi file that includes encrypted shellcode for both 64 and 32-bit systems.
  • While the malware runs, the compromised machine is restarted for the newly added registry settings to take effect, which includes the disabled User Account Control (UAC).


The attackers behind Purple Fox are using legitimate software to drop malicious files via a sophisticated chain of attacks. By splitting the entire operation into smaller phases and creating a dependency on different files for each phase allow this attack to stay undetected from security radars.

Cyware Publisher