Camouflaging malware inside legitimate files has been a very common practice among attackers for many years. However, newer protection mechanisms made the technique lose popularity, and we no longer hear so much news of this type. At least until now: the Purple Fox malware has been detected being distributed in fake Telegram installers.

Purple Fox installs itself on computers, incorporates more malicious programs, and collects system information to send it to the attacker.

Beware of fake Telegram and Purple Fox installers

Purple Fox is a malware family known since 2018 for being distributed via phishing emails. In March of the previous year it also made news when it was detected infecting computers exposed to the Internet. Its mission is to install itself, bring more malicious programs onto the computer, scan and collect information from the victim's computer, and then send that information to the attacker.

But malware and computer attacks in general have the ability to reinvent themselves or find other avenues of attack. This is precisely what has happened with Purple Fox, which is now bundled into fake Telegram installers. When we want to install this application, we must download it directly from the official site. If we don't, we run the risk of getting an infected installer from some other page.

Running the fake Telegram installer unpacks two files: a legitimate installer and an AutoIt script. The script runs in the background and starts downloading the other malicious files. The malware brings 5 files that it converts into DLLs and drops into ProgramData. In addition, it modifies the registry in order to avoid being detected by the computer's security solutions.

To find out if you are infected with Purple Fox, open this folder in Windows Explorer: C:\Users\<Username>\AppData\Local\Temp. If you are infected, you will see not only the Telegram installer but also the AutoIt script file.
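A defender-side check for the folder named above, written here as an added PowerShell example (it is not code from the article or from any vendor): it lists executables and AutoIt scripts created recently in the current user's local Temp folder, shows whether each is Authenticode-signed, and prints a SHA-256 so the file can be compared against published indicators. The .au3 extension for AutoIt scripts and the 14-day window are assumptions, not details given by the article.

```powershell
# Added example, not from the article. Lists recently created executables and
# AutoIt scripts in %LOCALAPPDATA%\Temp, the folder the article says the fake
# Telegram installer and its AutoIt script are unpacked to.
# Assumptions (not stated by the article): AutoIt scripts use the .au3 extension,
# and 14 days is a wide enough "recent" window.

$tempDir = Join-Path $env:LOCALAPPDATA 'Temp'   # C:\Users\<Username>\AppData\Local\Temp
$since   = (Get-Date).AddDays(-14)

$suspect = Get-ChildItem -Path $tempDir -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { ($_.Extension -in '.exe', '.au3') -and ($_.CreationTime -ge $since) }

if (-not $suspect) {
    Write-Output "No recent .exe or .au3 files found in $tempDir"
    return
}

# For each hit, record signature status and a hash for comparison with vendor IoCs.
$suspect | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    [pscustomobject]@{
        Name      = $_.Name
        Created   = $_.CreationTime
        SizeKB    = [math]::Round($_.Length / 1KB)
        Signature = $sig.Status                    # Valid, NotSigned, HashMismatch, ...
        Signer    = $sig.SignerCertificate.Subject # $null when the file is unsigned
        SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
} | Format-Table -AutoSize
```

A Telegram installer alone in this folder is not proof of infection; an installer can legitimately extract itself there. What the article points to is the combination: an installer sitting next to an AutoIt script, typically with the installer unsigned or signed by someone other than the expected publisher. The SHA-256 column is there so that any file you are unsure about can be checked against indicators published by your security vendor.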