Inside the SOC

Darktrace Uncovers Persistent PurpleFox Rootkit

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
Nov 2023
Nov 2023
Explore Darktrace's successful hunt for the PurpleFox rootkit. Understand the techniques used to detect and defeat this sophisticated threat.

Versatile Malware: PurpleFox

As organizations and security teams across the world move to bolster their digital defenses against cyber threats, threats actors, in turn, are forced to adopt more sophisticated tactics, techniques and procedures (TTPs) to circumvent them. Rather than being static and predictable, malware strains are becoming increasingly versatile and therefore elusive to traditional security tools.

One such example is PurpleFox. First observed in 2018, PurpleFox is a combined fileless rootkit and backdoor trojan known to target Windows machines. PurpleFox is known for consistently adapting its functionalities over time, utilizing different infection vectors including known vulnerabilities (CVEs), fake Telegram installers, and phishing. It is also leveraged by other campaigns to deliver ransomware tools, spyware, and cryptocurrency mining malware. It is also widely known for using Microsoft Software Installer (MSI) files masquerading as other file types.

The Evolution of PurpleFox

The Original Strain

First reported in March 2018, PurpleFox was identified to be a trojan that drops itself onto Windows machines using an MSI installation package that alters registry values to replace a legitimate Windows system file [1]. The initial stage of infection relied on the third-party toolkit RIG Exploit Kit (EK). RIG EK is hosted on compromised or malicious websites and is dropped onto the unsuspecting system when they visit browse that site. The built-in Windows installer (MSIEXEC) is leveraged to run the installation package retrieved from the website. This, in turn, drops two files into the Windows directory – namely a malicious dynamic-link library (DLL) that acts as a loader, and the payload of the malware. After infection, PurpleFox is often used to retrieve and deploy other types of malware.  

Subsequent Variants

Since its initial discovery, PurpleFox has also been observed leveraging PowerShell to enable fileless infection and additional privilege escalation vulnerabilities to increase the likelihood of successful infection [2]. The PowerShell script had also been reported to be masquerading as a .jpg image file. PowerSploit modules are utilized to gain elevated privileges if the current user lacks administrator privileges. Once obtained, the script proceeds to retrieve and execute a malicious MSI package, also masquerading as an image file. As of 2020, PurpleFox no longer relied on the RIG EK for its delivery phase, instead spreading via the exploitation of the SMB protocol [3]. The malware would leverage the compromised systems as hosts for the PurpleFox payloads to facilitate its spread to other systems. This mode of infection can occur without any user action, akin to a worm.

The current iteration of PurpleFox reportedly uses brute-forcing of vulnerable services, such as SMB, to facilitate its spread over the network and escalate privileges. By scanning internet-facing Windows computers, PurpleFox exploits weak passwords for Windows user accounts through SMB, including administrative credentials to facilitate further privilege escalation.

Darktrace detection of PurpleFox

In July 2023, Darktrace observed an example of a PurpleFox infection on the network of a customer in the healthcare sector. This observation was a slightly different method of downloading the PurpleFox payload. An affected device was observed initiating a series of service control requests using DCE-RPC, instructing the device to make connections to a host of servers to download a malicious .PNG file, later confirmed to be the PurpleFox rootkit. The device was then observed carrying out worm-like activity to other external internet-facing servers, as well as scanning related subnets.

Darktrace DETECT™ was able to successfully identify and track this compromise across the cyber kill chain and ensure the customer was able to take swift remedial action to prevent the attack from escalating further.

While the customer in question did have Darktrace RESPOND™, it was configured in human confirmation mode, meaning any mitigative actions had to be manually applied by the customer’s security team. If RESPOND had been enabled in autonomous response mode at the time of the attack, it would have been able to take swift action against the compromise to contain it at the earliest instance.

Attack Overview

Figure 1: Timeline of PurpleFox malware kill chain.

Initial Scanning over SMB

On July 14, 2023, Darktrace detected the affected device scanning other internal devices on the customer’s network via port 445. The numerous connections were consistent with the aforementioned worm-like activity that has been reported from PurpleFox behavior as it appears to be targeting SMB services looking for open or vulnerable channels to exploit.

This initial scanning activity was detected by Darktrace DETECT, specifically through the model breach ‘Device / Suspicious SMB Scanning Activity’. Darktrace’s Cyber AI Analyst™ then launched an autonomous investigation into these internal connections and tied them into one larger-scale network reconnaissance incident, rather than a series of isolated connections.

Figure 2: Cyber AI Analyst technical details summarizing the initial scanning activity seen with the internal network scan over port 445.

As Darktrace RESPOND was configured in human confirmation mode, it was unable to autonomously block these internal connections. However, it did suggest blocking connections on port 445, which could have been manually applied by the customer’s security team.

Figure 3: The affected device’s Model Breach Event Log showing the initial scanning activity observed by Darktrace DETECT and the corresponding suggested RESPOND action.

Privilege Escalation

The device successfully logged in via NTLM with the credential, ‘administrator’. Darktrace recognized that the endpoint was external to the customer’s environment, indicating that the affected device was now being used to propagate the malware to other networks. Considering the lack of observed brute-force activity up to this point, the credentials for ‘administrator’ had likely been compromised prior to Darktrace’s deployment on the network, or outside of Darktrace’s purview via a phishing attack.


Darktrace then detected a series of service control requests over DCE-RPC using the credential ‘admin’ to make SVCCTL Create Service W Requests. A script was then observed where the controlled device is instructed to launch mshta.exe, a Windows-native binary designed to execute Microsoft HTML Application (HTA) files. This enables the execution of arbitrary script code, VBScript in this case.

Figure 4: PurpleFox remote service control activity captured by a Darktrace DETECT model breach.
Figure 5: The infected device’s Model Breach Event Log showing the anomalous service control activity being picked up by DETECT.

There are a few MSIEXEC flags to note:

  • /i : installs or configures a product
  • /Q : sets the user interface level. In this case, it is set to ‘No UI’, which is used for “quiet” execution, so no user interaction is required

Evidently, this was an attempt to evade detection by endpoint users as it is surreptitiously installed onto the system. This corresponds to the download of the rootkit that has previously been associated with PurpleFox. At this stage, the infected device continues to be leveraged as an attack device and scans SMB services over external endpoints. The device also appeared to attempt brute-forcing over NTLM using the same ‘administrator’ credential to these endpoints. This activity was identified by Darktrace DETECT which, if enabled in autonomous response mode would have instantly blocked similar outbound connections, thus preventing the spread of PurpleFox.

Figure 6: The infected device’s Model Breach Event Log showing the outbound activity corresponding to PurpleFox’s wormlike spread. This was caught by DETECT and the corresponding suggested RESPOND action.


On August 9, Darktrace observed the device making initial attempts to download a malicious .PNG file. This was a notable change in tactics from previously reported PurpleFox campaigns which had been observed utilizing .MOE files for their payloads [3]. The .MOE payloads are binary files that are more easily detected and blocked by traditional signatured-based security measures as they are not associated with known software. The ubiquity of .PNG files, especially on the web, make identifying and blacklisting the files significantly more difficult.

The first connection was made with the URI ‘/test.png’.  It was noted that the HTTP method here was HEAD, a method similar to GET requests except the server must not return a message-body in the response.

The metainformation contained in the HTTP headers in response to a HEAD request should be identical to the information sent in response to a GET request. This method is often used to test hypertext links for validity and recent modification. This is likely a way of checking if the server hosting the payload is still active. Avoiding connections that could possibly be detected by antivirus solutions can help keep this activity under-the-radar.

Figure 7: Packet Capture from an affected customer device showing the initial HTTP requests to the payload server.
Figure 8: Packet Capture showing the HTTP requests to download the payloads.

The server responds with a status code of 200 before the download begins. The HEAD request could be part of the attacker’s verification that the server is still running, and that the payload is available for download. The ‘/test.png’ HEAD request was sent twice, likely for double confirmation to begin the file transfer.

Figure 9: PCAP from the affected customer device showing the Windows Installer user-agent associated with the .PNG file download.

Subsequent analysis using a Packet Capture (PCAP) tool revealed that this connection used the Windows Installer user agent that has previously been associated with PurpleFox. The device then began to download a payload that was masquerading as a Microsoft Word document. The device was thus able to download the payload twice, from two separate endpoints.

By masquerading as a Microsoft Word file, the threat actor was likely attempting to evade the detection of the endpoint user and traditional security tools by passing off as an innocuous text document. Likewise, using a Windows Installer user agent would enable threat actors to bypass antivirus measures and disguise the malicious installation as legitimate download activity.  

Darktrace DETECT identified that these were masqueraded file downloads by correctly identifying the mismatch between the file extension and the true file type. Subsequently, AI Analyst was able to correctly identify the file type and deduced that this download was indicative of the device having been compromised.

In this case, the device attempted to download the payload from several different endpoints, many of which had low antivirus detection rates or open-source intelligence (OSINT) flags, highlighting the need to move beyond traditional signature-base detections.

Figure 10: Cyber AI Analyst technical details summarizing the downloads of the PurpleFox payload.
Figure 11 (a): The Model Breach generated by the masqueraded file transfer associated with the PurpleFox payload.
Figure 11 (b): The Model Breach generated by the masqueraded file transfer associated with the PurpleFox payload.

If Darktrace RESPOND was enabled in autonomous response mode at the time of the attack it would have acted by blocking connections to these suspicious endpoints, thus preventing the download of malicious files. However, as RESPOND was in human confirmation mode, RESPOND actions required manual application by the customer’s security team which unfortunately did not happen, as such the device was able to download the payloads.


The PurpleFox malware is a particularly dynamic strain known to continually evolve over time, utilizing a blend of old and new approaches to achieve its goals which is likely to muddy expectations on its behavior. By frequently employing new methods of attack, malicious actors are able to bypass traditional security tools that rely on signature-based detections and static lists of indicators of compromise (IoCs), necessitating a more sophisticated approach to threat detection.  

Darktrace DETECT’s Self-Learning AI enables it to confront adaptable and elusive threats like PurpleFox. By learning and understanding customer networks, it is able to discern normal network behavior and patterns of life, distinguishing expected activity from potential deviations. This anomaly-based approach to threat detection allows Darktrace to detect cyber threats as soon as they emerge.  

By combining DETECT with the autonomous response capabilities of RESPOND, Darktrace customers are able to effectively safeguard their digital environments and ensure that emerging threats can be identified and shut down at the earliest stage of the kill chain, regardless of the tactics employed by would-be attackers.

Credit to Piramol Krishnan, Cyber Analyst, Qing Hong Kwa, Senior Cyber Analyst & Deputy Team Lead, Singapore


Darktrace Model Detections

  • Device / Increased External Connectivity
  • Device / Large Number of Connections to New Endpoints
  • Device / SMB Session Brute Force (Admin)
  • Compliance / External Windows Communications
  • Anomalous Connection / New or Uncommon Service Control
  • Compromise / Unusual SVCCTL Activity
  • Compromise / Rare Domain Pointing to Internal IP
  • Anomalous File / Masqueraded File Transfer


  • Antigena / Network / Significant Anomaly / Antigena Breaches Over Time Block
  • Antigena / Network / External Threat / Antigena Suspicious Activity Block
  • Antigena / Network / Significant Anomaly / Antigena Significant Anomaly from Client Block
  • Antigena / Network / Significant Anomaly / Antigena Enhanced Monitoring from Client Block
  • Antigena / Network / External Threat / Antigena Suspicious File Block
  • Antigena / Network / External Threat / Antigena File then New Outbound Block

List of IoCs

IoC - Type - Description

/C558B828.Png - URI - URI for Purple Fox Rootkit [4]

5b1de649f2bc4eb08f1d83f7ea052de5b8fe141f - File Hash - SHA1 hash of C558B828.Png file (Malware payload)

190.4.210[.]242 - IP - Purple Fox C2 Servers

218.4.170[.]236 - IP - IP for download of .PNG file (Malware payload)

180.169.1[.]220 - IP - IP for download of .PNG file (Malware payload)

103.94.108[.]114:10837 - IP - IP from Service Control MSIEXEC script to download PNG file (Malware payload)

221.199.171[.]174:16543 - IP - IP from Service Control MSIEXEC script to download PNG file (Malware payload)

61.222.155[.]49:14098 - IP - IP from Service Control MSIEXEC script to download PNG file (Malware payload)

178.128.103[.]246:17880 - IP - IP from Service Control MSIEXEC script to download PNG file (Malware payload)

222.134.99[.]132:12539 - IP - IP from Service Control MSIEXEC script to download PNG file (Malware payload)

164.90.152[.]252:18075 - IP - IP from Service Control MSIEXEC script to download PNG file (Malware payload)

198.199.80[.]121:11490 - IP - IP from Service Control MSIEXEC script to download PNG file (Malware payload)


Tactic - Technique

Reconnaissance - Active Scanning T1595, Active Scanning: Scanning IP Blocks T1595.001, Active Scanning: Vulnerability Scanning T1595.002

Resource Development - Obtain Capabilities: Malware T1588.001

Initial Access, Defense Evasion, Persistence, Privilege Escalation - Valid Accounts: Default Accounts T1078.001

Initial Access - Drive-by Compromise T1189

Defense Evasion - Masquerading T1036

Credential Access - Brute Force T1110

Discovery - Network Service Discovery T1046

Command and Control - Proxy: External Proxy T1090.002


Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Piramol Krishnan
Cyber Security Analyst
Book a 1-1 meeting with one of our experts
share this article
No items found.
COre coverage
No items found.

More in this series

No items found.


No items found.

How 1.27 Centimeters Opened My Eyes to Continuous Threat and Exposure Management

Default blog imageDefault blog image
Jul 2024


Fifteen years ago, I never realized that one point twenty-seven centimeters was the difference between keeping my family safe and having an intruder break into our home.

Yet that is exactly what happened. We came home one night and did not know intruders were already in our basement; and the only reason we were alerted to their presence was when they attempted to move to the upper levels after we had gone to sleep, and the main floor motion sensors triggered an alarm.

Fortunately, they fled. Some stolen electronics and a broken door were all the damage we suffered – and we realized how lucky we were as things could have ended up a lot worse.

Fortunately, they fled. Some stolen electronics and a broken door were all the damage we suffered – and we realized how lucky we were as things could have ended up a lot worse.

The culprit of the successful breach? Screws measuring 1.27 centimeters (that’s a half-inch if you’re not on the metric system yet) that held the glass windows of our basement French doors. Despite having door opening sensors and glass breakage sensors, we missed that the glass panel could be forcefully kicked out – and land – onto the carpeted floor.  No door was opened. No glass was broken (we used to have cats that roamed the basement, so motion sensors were not an option when we first moved in). The screws were not long enough to better secure the framing of the window.

Continuous Threat and Exposure Management

What does this have to do with CTEM, or Continuous Threat and Exposure Management? Well, once our situation changed and our cats were no longer with us; we a) did not reassess our detection capabilities and b) still did not realize we had a vulnerability exposure that could lead to a breach.

I fell into the same trap many organizations fall into where point in time assessments can create a false sense of security. Instead, CTEM offers a cyclical approach to assessing risk that involves five stages:  

Scope: To adopt a CTEM approach, organizations should first identify key business programs. There should be an understanding for each program what the impact to the business would be if something were to occur. An organization can, and most likely will, have multiple scopes defined as part of the CTEM process. For example, your customer relationship management (CRM) project may encompass a Saas solution such as SalesForce, tie-ins with selling partners, supply chain vendors, and multiple user groups (sales, finance, etc.).

Discover: Next, identification of systems, applications, and SaaS subscriptions that support the business program should be accounted for and documented. As you build out risk profiles for these assets, I believe it is also important to identify associated users (end-users, administrators, etc.), especially since user error / account takeover is a favored attack vector.

Prioritization: Proper prioritization is essential to a solid CTEM program. I go into more detail about Risk-Based Vulnerability Management (RBVM) later; but for now, prioritization deals with measuring the potential impact based on factors such as: prevalence of an exploit, lack of controls, program / asset criticality, and available mitigations.

Validation: This stage helps identify if an adversary could launch a successful attack. Red team exercises and breach simulation solutions are often utilized to exercise the organization’s ability to halt an attack before damage is done. Validation should go beyond the initial stage of the attack and explore available methods to reach the adversary’s mission objective.

Mobilization: Identified responses to breach attempts should be categorized into automated or manual processes. Automated response solutions such as Security Orchestration, Automation, and Response (SOAR) can be integral in ensuring actions are taken with appropriate authorization, remediation / response times are rapid, and procedures are executed without human error.

A properly managed CTEM program will help ensure survivability and rapid recovery when an attack occurs as well as minimizing the risk of an attack being successful. This also helps organizations move towards a more proactive security posture.

Implementing a Risk-Based Vulnerability Management Program

Now don’t get me wrong. I thought I had done a pretty good job covering the bases when we first moved in. I walked the alarm company “expert” through every room of the house, and we discussed every possible entry point. I ensured that every avenue of access was covered by two types of sensors. I asked questions about how an intruder was most likely to attempt to gain entry and ensured we had addressed the exposure.

I relied on the expertise of someone that while they worked for an alarm company, was not actually trained and experienced in criminal break-ins. At the end of this paper, I will list the recommendations made by a friend of ours that was a Deputy Chief of Police. Hint: It was eye-opening.

Risk-Based Vulnerability Management (RBVM) is an approach that helps organizations not boil the ocean (try to address every possible vulnerability that may exist) and avoid becoming myopically focused that you miss an attack path that is relevant.

Without expending the entire blog on all the details of CTEM and RBVM, let’s touch on the main components.

Vulnerability Scanning

Vulnerability Scanners can help you identify all the vulnerabilities that exist in your organization but are generally a point in time view. Update systems or applications, change configuration settings, deploy new systems or applications and the scan data may be meaningless – not to mention new vulnerabilities are discovered all the time.

CVE, or Common Vulnerabilities and Exposures, is a compilation of all known vulnerabilities. I emphasize known because adversaries love finding zero-days (and for how I describe zero-days, check out my LinkedIn posting: Race to the Bottom).

CVSS, or Common Vulnerability Scoring System, is a method to define the severity of the vulnerability. Scoring can be determined by things like complexity and skill to utilize the vulnerability, privileges required, what type of attack path is needed, and if user interaction is required to trigger the vulnerability.

CVE and CVSS however, do not address context of the vulnerability in an organization’s environment. A small number of vulnerabilities will account for the most risk in an organization. Remember, adversaries don’t care about risk scores…. If it gets them in, they will use it.

EPSS, or Exploit Prediction Scoring System, estimates whether a vulnerability is likely to be utilized by adversaries and provides an indication of the threat level to the organization.

Another nuance is ensuring you understand how the scanner is gathering and reporting vulnerabilities. One of my favorite questions to ask candidates I’ve interviewed is “How can two scanners interrogate the same system, where nothing changed in the system, both scanners executed flawlessly and knew to scan for the specific vulnerability…. yet one reports vulnerable and the other reports not vulnerable?” I had this occur, and the answer was that one scanner interrogated the running service, and based on how it responded could determine if the vulnerable version was running. The other scanner authenticated into the system and checked patch level installed – but the service/system had not been restarted. The configured state was NOT vulnerable, but the running state WAS vulnerable. This happens a lot after Microsoft Super Tuesday patches go out and users login and think “I’ve got work to do; I will reboot later”.

External Attack Surface Management (EASM)

Simply put, you can have a vulnerability, but if there is no path to exploiting the vulnerability, then the risk should be lowered. Even a high severity vulnerability is not a risk if it cannot be exploited, whereas a low-risk vulnerability (like 1.27cm screws) can provide a path to success for the adversary. EASM solutions were built to provide that context: Vulnerability + Exposure. BTW – I would not neglect Internal Attack Surface Management for potential Insider Threat risks.

Breach and Attack Simulation (BAS)

YARN | On my mark, rotate launch keys to "launch." | WarGames | Video gifs  by quotes | 24d1705c | 紗

It’s one thing to list vulnerabilities, another thing to say there are exposed systems with those vulnerabilities that could lead to an attack. But executing an attack simulation that shows you what the potential outcome(s) are if an attack occurred? This is what BAS solutions were built to assist with, and not only show attack paths ripe for exploitation, but also exercise SOC / IR teams in nearly real-world situations. Table-top exercises are good for verifying processes, but live-fire exercises are imperative to ensure your teams respond quickly and precisely when the real deal occurs (don’t make me whip out the beginning of Wargames on you, I’ve already used that movie twice before!).  

Risk-Based Context

I’ve often wondered why it’s 2024, I’ve been doing this for 30+ years, and breaches are still inevitable and security teams still struggle with many of the same issues they faced when I first got into this career.

I believe not addressing an RBVM approach could be one of those reasons. It’s not a priority if you have a vulnerability on a system that is not exposed for exploitation. It’s not a priority if a vulnerability has been mitigated by other compensating controls. Focusing solely on vulnerability scoring without regard to whether the vulnerability poses a real and credible threat to your organization diverts focus away from vulnerabilities that matter (this is the same mantra you will hear me evangelizing around SOCs expending time on alerts that do not matter).

When assessing context, I think of it in the following manner:

How Can Darktrace Help with your CTEM?

The Darktrace ActiveAI Security Platform is designed with CTEM in mind. Using patented AI capabilities at its core, components of the platform work in harmony to provide actionable intelligence to risks facing the organization.

PREVENT/ASM utilizes AI to help understand scope and what makes externally facing assets yours while providing associated risks and trends on the risk types identified. These findings are communicated to DETECT and RESPOND to harden critical paths.

Prevent/End-to-End (E2E) delivers attack path modeling for discovery and prioritization of high-value targets across all assets in your program’s scope, providing continuous visibility into relevant risks the organization faces.  E2E also utilizes AI-generated social engineering generated content for Breach & Attack Emulation scenarios involving Phishing / Spear-Phishing attack vectors.

Darktrace threat detection and autonomous response utilizes unsupervised machine learning at its core to identify anomalous activity, and if malicious events are occurring, enforce Pattern of Life allowing business operations to continue while stopping the breach from progressing.  This provides unprecedented speed of response to emerging threats.

So, ensure you’re addressing vulnerabilities in the proper context, because you never know when 1.27cm will ruin your day.

Appendix A: Deter Burglars from Breaking into Your Home

Another question I have asked candidates centers around what security controls they would implement to keep an advanced adversary away from a highly classified project; and shockingly, very few would mention any physical security controls or use of air-gapped networks. So, as promised, here are some recommendations from our Deputy Chief of Police friend on better securing your home, because we must protect ourselves, our information on our home and work computers, especially for remote staff:

32 in. x 80 in. Rustic Knotty Alder 2-Panel Square Top Left-Hand/Inswing  Grey Stain Wood Prehung Front Door
  1. Solid (no glass) doors that open outward for rear / side entryways – a kicked door will press against the framing providing stability. Hinges should not be exposed to the outside.  

STASUN LED Flood Light Outdoor, 150W 15000lm Outdoor Area Lighting, IP66  Waterproof Exterior Floodlight Commercial Security Light, 3000K Warm White,  3 ...
  1. Motion activated exterior flood lights – illumination is the enemy of thieves.  

Mortise Lock Set Screws (2 Screws Per Pack)
  1. Replace door hardware lockset screws with minimum 4-inch (that’s 10.16 centimeters) screws on all doors including interior ones – this should ensure screws firmly attach to trimmer and king studs in door frame and will add additional valuable seconds for the intruder to break through

home security Memes & GIFs - Imgflip
Dog Food Bowl
  1. Get a dog – a big dog. (I’ve amended this to include putting out fake dog bowls to make it look like you have a big dog!)  

SPT Interior/Exterior Simulated Security Camera
  1. Exterior video cameras – record and alert on activity around the house
LARSON Platinum Secure Glass Full-view Aluminum Storm Door With Quickfit  Handle | Retractable Screen Door Lowes |
  1. Tempered Safety Glass Storm Doors – whack at it for hours with a baseball bat and they still can’t get in
Should You Install Fake Home Security Yard Signs? – Forbes Home
  1. Alarm system warning signs for windows and doors
LG Electronics Recalls Free-Standing 86-Inch Smart Televisions and Stands  Due to Serious Tip-Over and Entrapment Hazards (Recall Alert) |
  1. Pictures of valuables along with serial numbers (this won’t stop a break-in but could help in recovery of stolen items).

  1. Finally, an alarm system combining motion sensors with door/window sensors.
Continue reading
About the author
John Bradshaw
Sr. Director, Technical Marketing


Inside the SOC

Jupyter Ascending: Darktrace’s Investigation of the Adaptive Jupyter Information Stealer

Default blog imageDefault blog image
Jul 2024

What is Malware as a Service (MaaS)?

Malware as a Service (MaaS) is a model where cybercriminals develop and sell or lease malware to other attackers.

This approach allows individuals or groups with limited technical skills to launch sophisticated cyberattacks by purchasing or renting malware tools and services. MaaS is often provided through online marketplaces on the dark web, where sellers offer various types of malware, including ransomware, spyware, and trojans, along with support services such as updates and customer support.

The Growing MaaS Marketplace

The Malware-as-a-Service (MaaS) marketplace is rapidly expanding, with new strains of malware being regularly introduced and attracting waves of new and previous attackers. The low barrier for entry, combined with the subscription-like accessibility and lucrative business model, has made MaaS a prevalent tool for cybercriminals. As a result, MaaS has become a significant concern for organizations and their security teams, necessitating heightened vigilance and advanced defense strategies.

Examples of Malware as a Service

  • Ransomware as a Service (RaaS): Providers offer ransomware kits that allow users to launch ransomware attacks and share the ransom payments with the service provider.
  • Phishing as a Service: Services that provide phishing kits, including templates and email lists, to facilitate phishing campaigns.
  • Botnet as a Service: Renting out botnets to perform distributed denial-of-service (DDoS) attacks or other malicious activities.
  • Information Stealer: Information stealers are a type of malware specifically designed to collect sensitive data from infected systems, such as login credentials, credit card numbers, personal identification information, and other valuable data.

How does information stealer malware work?

Information stealers are an often-discussed type MaaS tool used to harvest personal and proprietary information such as administrative credentials, banking information, and cryptocurrency wallet details. This information is then exfiltrated from target networks via command-and-control (C2) communication, allowing threat actors to monetize the data. Information stealers have also increasingly been used as an initial access vector for high impact breaches including ransomware attacks, employing both double and triple extortion tactics.

After investigating several prominent information stealers in recent years, the Darktrace Threat Research team launched an investigation into indicators of compromise (IoCs) associated with another variant in late 2023, namely the Jupyter information stealer.

What is Jupyter information stealer and how does it work?

The Jupyter information stealer (also known as Yellow Cockatoo, SolarMarker, and Polazert) was first observed in the wild in late 2020. Multiple variants have since become part of the wider threat landscape, however, towards the end of 2023 a new variant was observed. This latest variant achieved greater stealth and updated its delivery method, targeting browser extensions such as Edge, Firefox, and Chrome via search engine optimization (SEO) poisoning and malvertising. This then redirects users to download malicious files that typically impersonate legitimate software, and finally initiates the infection and the attack chain for Jupyter [3][4]. In recently noted cases, users download malicious executables for Jupyter via installer packages created using InnoSetup – an open-source compiler used to create installation packages in the Windows OS.

The latest release of Jupyter reportedly takes advantage of signed digital certificates to add credibility to downloaded executables, further supplementing its already existing tactics, techniques and procedures (TTPs) for detection evasion and sophistication [4]. Jupyter does this while still maintaining features observed in other iterations, such as dropping files into the %TEMP% folder of a system and using PowerShell to decrypt and load content into memory [4]. Another reported feature includes backdoor functionality such as:

  • C2 infrastructure
  • Ability to download and execute malware
  • Execution of PowerShell scripts and commands
  • Injecting shellcode into legitimate windows applications

Darktrace Coverage of Jupyter information stealer

In September 2023, Darktrace’s Threat Research team first investigated Jupyter and discovered multiple IoCs and TTPs associated with the info-stealer across the customer base. Across most investigated networks during this time, Darktrace observed the following activity:

  • HTTP POST requests over destination port 80 to rare external IP addresses (some of these connections were also made via port 8089 and 8090 with no prior hostname lookup).
  • HTTP POST requests specifically to the root directory of a rare external endpoint.
  • Data streams being sent to unusual external endpoints
  • Anomalous PowerShell execution was observed on numerous affected networks.

Taking a further look at the activity patterns detected, Darktrace identified a series of HTTP POST requests within one customer’s environment on December 7, 2023. The HTTP POST requests were made to the root directory of an external IP address, namely 146.70.71[.]135, which had never previously been observed on the network. This IP address was later reported to be malicious and associated with Jupyter (SolarMarker) by open-source intelligence (OSINT) [5].

Device Event Log indicating several connections from the source device to the rare external IP address 146.70.71[.]135 over port 80.
Figure 1: Device Event Log indicating several connections from the source device to the rare external IP address 146.70.71[.]135 over port 80.

This activity triggered the Darktrace / NETWORK model, ‘Anomalous Connection / Posting HTTP to IP Without Hostname’. This model alerts for devices that have been seen posting data out of the network to rare external endpoints without a hostname. Further investigation into the offending device revealed a significant increase in external data transfers around the time Darktrace alerted the activity.

This External Data Transfer graph demonstrates a spike in external data transfer from the internal device indicated at the top of the graph on December 7, 2023, with a time lapse shown of one week prior.
Figure 2: This External Data Transfer graph demonstrates a spike in external data transfer from the internal device indicated at the top of the graph on December 7, 2023, with a time lapse shown of one week prior.

Packet capture (PCAP) analysis of this activity also demonstrates possible external data transfer, with the device observed making a POST request to the root directory of the malicious endpoint, 146.70.71[.]135.

PCAP of a HTTP POST request showing streams of data being sent to the endpoint, 146.70.71[.]135.
Figure 3: PCAP of a HTTP POST request showing streams of data being sent to the endpoint, 146.70.71[.]135.

In other cases investigated by the Darktrace Threat Research team, connections to the rare external endpoint 67.43.235[.]218 were detected on port 8089 and 8090. This endpoint was also linked to Jupyter information stealer by OSINT sources [6].

Darktrace recognized that such suspicious connections represented unusual activity and raised several model alerts on multiple customer environments, including ‘Compromise / Large Number of Suspicious Successful Connections’ and ‘Anomalous Connection / Multiple Connections to New External TCP Port’.

In one instance, a device that was observed performing many suspicious connections to 67.43.235[.]218 was later observed making suspicious HTTP POST connections to other malicious IP addresses. This included 2.58.14[.]246, 91.206.178[.]109, and 78.135.73[.]176, all of which had been linked to Jupyter information stealer by OSINT sources [7] [8] [9].

Darktrace further observed activity likely indicative of data streams being exfiltrated to Jupyter information stealer C2 endpoints.

Graph displaying the significant increase in the number of HTTP POST requests with No Get made by an affected device, likely indicative of Jupyter information stealer C2 activity.
Figure 4: Graph displaying the significant increase in the number of HTTP POST requests with No Get made by an affected device, likely indicative of Jupyter information stealer C2 activity.

In several cases, Darktrace was able to leverage customer integrations with other security vendors to add additional context to its own model alerts. For example, numerous customers who had integrated Darktrace with Microsoft Defender received security integration alerts that enriched Darktrace’s model alerts with additional intelligence, linking suspicious activity to Jupyter information stealer actors.

The security integration model alerts ‘Security Integration / Low Severity Integration Detection’ and (right image) ‘Security Integration / High Severity Integration Detection’, linking suspicious activity observed by Darktrace with Jupyter information stealer (SolarMarker).
Figure 5: The security integration model alerts ‘Security Integration / Low Severity Integration Detection’ and (right image) ‘Security Integration / High Severity Integration Detection’, linking suspicious activity observed by Darktrace with Jupyter information stealer (SolarMarker).


The MaaS ecosystems continue to dominate the current threat landscape and the increasing sophistication of MaaS variants, featuring advanced defense evasion techniques, poses significant risks once deployed on target networks.

Leveraging anomaly-based detections is crucial for staying ahead of evolving MaaS threats like Jupyter information stealer. By adopting AI-driven security tools like Darktrace / NETWORK, organizations can more quickly identify and effectively detect and respond to potential threats as soon as they emerge. This is especially crucial given the rise of stealthy information stealing malware strains like Jupyter which cannot only harvest and steal sensitive data, but also serve as a gateway to potentially disruptive ransomware attacks.

Credit to Nahisha Nobregas (Senior Cyber Analyst), Vivek Rajan (Cyber Analyst)












Darktrace Model Detections

  • Anomalous Connection / Posting HTTP to IP Without Hostname
  • Compromise / HTTP Beaconing to Rare Destination
  • Unusual Activity / Unusual External Data to New Endpoints
  • Compromise / Slow Beaconing Activity To External Rare
  • Compromise / Large Number of Suspicious Successful Connections
  • Anomalous Connection / Multiple Failed Connections to Rare Endpoint
  • Compromise / Excessive Posts to Root
  • Compromise / Sustained SSL or HTTP Increase
  • Security Integration / High Severity Integration Detection
  • Security Integration / Low Severity Integration Detection
  • Anomalous Connection / Multiple Connections to New External TCP Port
  • Unusual Activity / Unusual External Data Transfer

AI Analyst Incidents:

  • Unusual Repeated Connections
  • Possible HTTP Command and Control to Multiple Endpoints
  • Possible HTTP Command and Control

List of IoCs

Indicators – Type – Description


IP Address

Jupyter info-stealer C2 Endpoint


IP Address

Jupyter info-stealer C2 Endpoint


IP Address

Jupyter info-stealer C2 Endpoint


IP Address

Jupyter info-stealer C2 Endpoint


IP Address

Jupyter info-stealer C2 Endpoint


IP Address

Jupyter info-stealer C2 Endpoint


IP Address

Jupyter info-stealer C2 Endpoint


IP Address

Jupyter info-stealer C2 Endpoint


IP Address

Jupyter info-stealer C2 Endpoint


IP Address

Jupyter info-stealer C2 Endpoint


IP Address

Jupyter info-stealer C2 Endpoint


IP Address

Jupyter info-stealer C2 Endpoint

Continue reading
About the author
Nahisha Nobregas
SOC Analyst
Our ai. Your data.

Elevate your cyber defenses with Darktrace AI

Start your free trial
Darktrace AI protecting a business from cyber threats.