
New PurpleFox botnet variant uses WebSockets for C2 communication
2021-10-20 12:39

The PurpleFox botnet has refreshed its arsenal with new vulnerability exploits and dropped payloads, and now also leverages WebSockets for bidirectional C2 communication.

Although it's mainly based in China, the PurpleFox botnet still has a global presence through hundreds of compromised servers.

PurpleFox detects the host system, selects the appropriate exploit, and then uses the PowerSploit module to load it.

An MSI package is also initiated from an admin-level process without requiring any user interaction, checking for older PurpleFox installations and replacing their components with new ones.

A .NET backdoor retrieved from recent campaigns is dropped days after the initial intrusion and uses WebSockets for its C2 communication.

The use of WebSockets for C2 communication is unusual in the malware space, but PurpleFox shows that it can be very effective nonetheless.
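Because a WebSocket C2 channel starts with an ordinary HTTP GET carrying an Upgrade handshake (RFC 6455), one practical place to hunt for it is captured or proxied HTTP request headers. The script below is an added example, not code from the article or from any PurpleFox analysis: it parses raw HTTP requests, recognises a valid WebSocket handshake (Upgrade/Connection headers plus a 16-byte Sec-WebSocket-Key), computes the Sec-WebSocket-Accept value a legitimate server must answer with, and attaches simple triage flags (bare-IP host, non-standard port, missing Origin). The sample requests, the TEST-NET address and the triage heuristics are constructed for the example and are not indicators from the campaign.

```python
import base64
import hashlib
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# RFC 6455 section 4.2.2: the server concatenates this GUID to the client key,
# SHA-1 hashes it and base64-encodes the digest as Sec-WebSocket-Accept.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


@dataclass
class Upgrade:
    host: str
    port: int
    path: str
    key: str
    accept_expected: str          # what a conforming server must reply with
    reasons: list = field(default_factory=list)  # triage flags, empty if nothing odd


def expected_accept(key: str) -> str:
    """Sec-WebSocket-Accept a conforming server must return for this key."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_headers(raw: str):
    """Split a raw HTTP request into (request line, lowercase-name header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def detect_upgrade(raw: str, default_port: int = 80) -> Optional[Upgrade]:
    """Return an Upgrade record if the request is a WebSocket handshake, else None."""
    request_line, h = parse_headers(raw)
    parts = request_line.split()
    if len(parts) != 3 or parts[0] != "GET":
        return None
    if h.get("upgrade", "").lower() != "websocket":
        return None
    tokens = [t.strip().lower() for t in h.get("connection", "").split(",")]
    if "upgrade" not in tokens:
        return None
    key = h.get("sec-websocket-key", "")
    try:
        nonce = base64.b64decode(key, validate=True)
    except ValueError:
        return None
    if len(nonce) != 16:          # RFC 6455 requires a 16-byte random nonce
        return None

    # Assumption: Host is a hostname or IPv4 literal, optionally with ":port"
    # (bracketed IPv6 literals are not handled in this example).
    host, _, port_str = h.get("host", "").partition(":")
    port = int(port_str) if port_str.isdigit() else default_port

    reasons = []
    try:
        ipaddress.ip_address(host)
        reasons.append("bare-IP host")
    except ValueError:
        pass
    if port not in (80, 443):
        reasons.append(f"non-standard port {port}")
    if h.get("sec-websocket-version") != "13":
        reasons.append("unexpected Sec-WebSocket-Version")
    if not h.get("origin"):
        reasons.append("no Origin header (not a browser client)")
    return Upgrade(host, port, parts[1], key, expected_accept(key), reasons)


# Constructed sample requests (not real traffic). The key in BROWSER_REQ is the
# RFC 6455 example nonce; 203.0.113.5 is a documentation (TEST-NET-3) address.
BROWSER_REQ = (
    "GET /chat HTTP/1.1\r\nHost: example.com\r\nUpgrade: websocket\r\n"
    "Connection: Upgrade\r\nSec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    "Sec-WebSocket-Version: 13\r\nOrigin: https://example.com\r\n\r\n"
)
SUSPECT_REQ = (
    "GET / HTTP/1.1\r\nHost: 203.0.113.5:8088\r\nUpgrade: websocket\r\n"
    "Connection: keep-alive, Upgrade\r\nSec-WebSocket-Key: AQIDBAUGBwgJCgsMDQ4PEA==\r\n"
    "Sec-WebSocket-Version: 13\r\n\r\n"
)
PLAIN_REQ = "GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"


def triage(requests):
    """Return the WebSocket upgrades that carry at least one triage flag."""
    hits = []
    for raw in requests:
        up = detect_upgrade(raw)
        if up is not None and up.reasons:
            hits.append(up)
    return hits


if __name__ == "__main__":
    for hit in triage([BROWSER_REQ, SUSPECT_REQ, PLAIN_REQ]):
        print(f"{hit.host}:{hit.port}{hit.path} -> {', '.join(hit.reasons)}")
```

The triage flags are deliberately coarse: a browser-originated WebSocket normally carries an Origin header and targets a hostname on 80 or 443, so an upgrade to a bare IP on an unusual port with no Origin is worth a second look rather than a verdict. The expected Sec-WebSocket-Accept value lets an analyst confirm from a captured response that the remote end is actually speaking WebSocket rather than merely echoing headers.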


News URL

https://www.bleepingcomputer.com/news/security/new-purplefox-botnet-variant-uses-websockets-for-c2-communication/