Security researchers have recently observed a malware distribution of Purple Fox Backdoor through trojanized installers of the Telegram messaging application.

Based on the report of Minerva Labs, the threat actor kept most of the attack under the radar by splitting it into several small files, most of which had very low detection rates on AV engines, with the final stage leading to a Purple Fox rootkit infection.


A. Nature of Attack

The malicious Telegram installer is an AutoIt-compiled script named “Telegram Desktop.exe”. This is only the first stage of the attack: it creates a new folder named “TextInputh” and drops a malicious downloader called TextInputh.exe. Once executed, the downloader connects to the C&C server to fetch the next-stage malware. The malware then checks for processes belonging to various antivirus products and blocks them before advancing to the final stage, the execution of the Purple Fox rootkit.


B. Actions to be Taken

CERT-PH recommends the following actions be taken:

  • Run anti-virus software and/or a host-based detection tool, kept updated to the latest version.
  • Proactively monitor and secure identified systems and devices for any suspicious or malicious activity.
  • Take a good backup of the system before patching, in case anomalies or issues are encountered.
  • Provide employees with cybersecurity knowledge and training to minimize the attack surface.
  • For additional information, kindly refer to the official advisory.


C. List of Indicators of Compromise (IOC)

Item Type      | Indicator value                                                  | Description
---------------+------------------------------------------------------------------+------------------------------------------
Hash (SHA-256) | 41769d751fa735f253e96a02d0cccadfec8c7298666a4caa5c9f90aaa826ecd1 | Telegram Desktop.exe
Hash (SHA-256) | af8eef9df6c1f5645c95d0e991d8f526fbfb9a368eee9ba0b931c0c3df247e41 | Legitimate Telegram installer
Hash (SHA-256) | b5128b709e21c2a4197fcd80b072e7341ccb335a5decbb52ef4cee2b63ad0b3e | rundll3222.exe – legitimate rundll32.exe
IP             | 193.164.223[.]77                                                 | C&C server – 2nd stage
IP             | 144.48.243[.]79                                                  | C&C server – last stage
URL            | hxxp://193.164.223[.]77:7456/h?=1640618495                       | Contains 1.rar file
URL            | hxxp://193.164.223[.]77:7456/77                                  | Contains 7zz/exe file
URL            | hxxp://144.48.243[.]79:17674/C558B828.Png                        | Purple Fox rootkit
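As a defender-side illustration of sections A and C, the following Python example (added here; it is not part of the CERT-PH advisory or the Minerva Labs report) refangs the published indicators, hashes files under a directory against the malicious SHA-256 values, and scans log lines for the C&C URLs/IPs and the “TextInputh\TextInputh.exe” drop path described in section A. The indicator values are the ones listed above; the log lines, file paths, timestamps and the `HOST_ARTIFACTS` pattern are constructed sample data and assumptions for the example.

```python
import hashlib
import sys
from pathlib import Path

# Malicious file hashes from section C. The legitimate Telegram installer hash
# (af8eef9d...) is deliberately left out: matching it would flag the genuine
# installer that the trojanized package drops alongside the malware.
IOC_HASHES = {
    "41769d751fa735f253e96a02d0cccadfec8c7298666a4caa5c9f90aaa826ecd1":
        "Telegram Desktop.exe (trojanized AutoIt installer)",
    "b5128b709e21c2a4197fcd80b072e7341ccb335a5decbb52ef4cee2b63ad0b3e":
        "rundll3222.exe (renamed copy of legitimate rundll32.exe)",
}

# Network indicators from section C, kept in their defanged form.
IOC_NETWORK = [
    "193.164.223[.]77",
    "144.48.243[.]79",
    "hxxp://193.164.223[.]77:7456/h?=1640618495",
    "hxxp://193.164.223[.]77:7456/77",
    "hxxp://144.48.243[.]79:17674/C558B828.Png",
]

# Host artifact derived from section A (assumed path fragment for this example):
# the first stage creates a "TextInputh" folder and drops TextInputh.exe inside it.
HOST_ARTIFACTS = ["\\TextInputh\\TextInputh.exe"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('hxxp', '[.]') into the form seen in real logs."""
    return indicator.replace("hxxp://", "http://").replace("[.]", ".")


def sha256_file(path) -> str:
    """SHA-256 of a file, read in chunks so large installers do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_files(root, known_hashes=None):
    """Return (path, sha256, description) for every file under root whose hash is known-bad."""
    known = IOC_HASHES if known_hashes is None else known_hashes
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            digest = sha256_file(path)
            if digest in known:
                hits.append((str(path), digest, known[digest]))
    return hits


def scan_log_lines(lines):
    """Return (line_number, matched_indicator) for each line containing a known indicator.

    Network indicators are tried longest-first so a full C&C URL is reported in
    preference to the bare IP it contains; matching is case-insensitive.
    """
    patterns = sorted((refang(i) for i in IOC_NETWORK), key=len, reverse=True) + HOST_ARTIFACTS
    hits = []
    for lineno, line in enumerate(lines, 1):
        lowered = line.lower()
        for pattern in patterns:
            if pattern.lower() in lowered:
                hits.append((lineno, pattern))
                break  # one report per line is enough for triage
    return hits


# Constructed sample log lines (proxy and process-creation events); not real telemetry.
SAMPLE_LOG = [
    "2022-01-04T10:12:01Z proxy src=10.0.0.15 GET http://193.164.223.77:7456/h?=1640618495 200",
    "2022-01-04T10:12:09Z proxy src=10.0.0.15 GET http://updates.example.test/check 200",
    "2022-01-04T10:12:30Z sysmon EventID=1 Image=C:\\Users\\alice\\Downloads\\TextInputh\\TextInputh.exe "
    "ParentImage=C:\\Users\\alice\\Downloads\\Telegram Desktop.exe",
    "2022-01-04T10:13:44Z proxy src=10.0.0.15 GET http://144.48.243.79:17674/C558B828.Png 200",
]

if __name__ == "__main__":
    for lineno, indicator in scan_log_lines(SAMPLE_LOG):
        print(f"log line {lineno}: matched indicator {indicator}")
    # Optional: pass a directory to hash its files against the malicious IOC hashes.
    if len(sys.argv) > 1:
        for path, digest, desc in scan_files(sys.argv[1]):
            print(f"{path}: {digest} -> {desc}")
```

Run as-is to see the three hits in the constructed log (two C&C URLs and the TextInputh drop path), or pass a download directory as the first argument to hash its contents against the malicious indicators. Substring matching on refanged URLs is intentionally simple; in production the same indicators would normally be loaded into a SIEM or EDR watchlist rather than hard-coded.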