In September 2021, the Trend Micro Managed XDR (MDR) team looked into suspicious activity related to a PurpleFox operator. Our findings led us to investigate an updated PurpleFox arsenal, which included an added vulnerability (CVE-2021-1732) and optimized rootkit capabilities leveraged in their attacks.
We also found a new backdoor written in .NET implanted during the intrusion, which we believe is highly associated with PurpleFox. This backdoor, which we call FoxSocket, leverages WebSockets to…