Security News, October 2021: Newer PurpleFox botnet variants leverage WebSockets for comms
The PurpleFox botnet has refreshed its arsenal with new vulnerability exploits and dropped payloads, and now also leverages WebSockets for bidirectional C2 communication.
Although it's mainly based in China, the PurpleFox botnet still has a global presence through hundreds of compromised servers.
PurpleFox detects the host system, selects the appropriate exploit, and then uses the PowerSploit module to load it.
A .NET backdoor retrieved from recent campaigns is dropped days after the initial intrusion and uses WebSockets for its C2 communications.
Using WebSockets for C2 traffic is unusual in the malware space, but PurpleFox shows that it can be very effective nonetheless.
PurpleFox is still active, and a notable number of C2 servers currently control the WebSocket clients.