Threat Watch

Purple Fox Malware Distributed via Malicious Telegram Installers

Trojanized installers of the Telegram messaging application are being used to distribute Purple Fox malware, a Windows-based rootkit that is used to establish persistence and deliver further payloads on to a system.

The installer for the malicious Telegram application is an AutoIt script that creates two files; the legitimate Telegram application and the malicious executable. The AutoIt script then executes the malicious executable, which downloads the next stage of the infection. The second stage includes a DLL file that is reflectively loaded on to the system. From there, the malware reads and loads yet another file, which first checks to see if the anti-virus program 360 Total Security is installed on the system. If it is, the malware downloads further files that are used to stop the execution of this particular anti-virus (AV) solution. If it is not, the malware then proceeds to communicate with its command-and-control (C2) infrastructure, including gathering system information and checking for any further security products installed, and sending that information to the server. Finally, the Purple Fox payload itself is downloaded on to the system in the form on an .msi file that contains encrypted shellcode. The Purple Fox payload forces the system to restart in order to make registry changes, such as disabling user account control (UAC), take effect.

The attack is particularly effective due to the number of different files used in the infection chain. This helps the threat actor evade AV detection, as each file separately is useless without the entire set, making it harder for AV products to determine that each file is malicious.


The main delivery mechanisms for this malicious Telegram application appear to be via phishing emails or direct downloads from phishing websites. It is highly recommended to only download and install software from the legitimate source of the application. In this case, that would be Telegram’s website. Any other sources (such as third-party websites or email attachments) run the risk of the application containing malware. While the use of multiple files may be able to evade AV detection, the behavior of the malware during the infection chain can be detected. The process chain, registry modifications, and file or directory creations are all behavioral artifacts that can help detect the infection chain utilized by Purple Fox. Binary Defense’s Managed Detection and Response service is an excellent asset for any of these types of detection needs.