Purple fox is a veteran malware-as-a-service campaign, which until recently, infected devices through its exploit kit capabilities, spreading through vulnerable Microsoft Internet Explorer instances. A blog post by Guardicore revealed that the malware added a new propagation technique, using SMB brute-force to infect new machines.

Upon threat hunting for IOCs of this threat, we found an infection attempt by Purple Fox exploit kit that was thwarted by Minerva in November of last year (2020):

As reported by Guardicore, the malware installs a new service on a device it wants to infect, which will use a pre-existing Windows binary, msiexec.exe, to remotely download its malicious payload , which is a known Living Off the Land technique.


As mentioned in the report, Purple Fox has compromised a “vast network” of compromised servers, most of which are Microsoft IIS 7.5 Servers.

When Purple Fox was first analyzed in 2018, investigators reported that it was using mostly exploit kits and phishing emails as its main methods of distribution. However, the new round of intensifying infections, which began in earnest in January 2021 is relying more on the recently-added worm module.

Estimates of the number of attacks by Purple Fox are reported to be approximately 90,000.


Minerva Armor can prevent this behavior, in addition to the Internet Explorer exploits, thus granting protection and visibility on Purple Fox’s attacks.

Organizations of all sizes might become victims of such threat which have been used for various purposes, and for that reason organizations cannot assume they are immune to the interest of threat hunting groups.

This is yet another type of attack,  one of an endless number of threats. According to Cisco every second 22 new unique malware strains are created.