Mandiant cybersecurity experts: The APT (aka UNC2452) also shows two distinct clusters of activity, UNC3004 and UNC2652.
Guardicore: Purple Fox is now spread as a worm. The malware uses indiscriminate port scanning and exploitation of exposed SMB services with weak passwords and hashes
Guardicore security researchers have discovered a new campaign in which the Purple Fox malware propagates as a worm. Purple Fox was first discovered in March 2018 and was covered at the time as an exploit kit targeting Internet Explorer and Windows machines with various privilege-escalation exploits. Throughout the end of 2020 and the beginning of 2021, however, Guardicore identified a new spreading technique: indiscriminate port scanning and exploitation of exposed SMB services with weak passwords and hashes. Starting in May 2020, malicious activity rose significantly, with observed infections up by roughly 600% to a total of 90,000 attacks. Furthermore, the malware includes a rootkit that allows the threat actors to hide it on the infected machine, making it difficult to detect and remove.
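The spreading technique described above, indiscriminate scanning for exposed SMB services, leaves a characteristic fan-out pattern in network telemetry: one internal source touching many distinct hosts on TCP port 445 in a short window. The detection below is an added example written for this page, not Guardicore's code or any published Purple Fox signature. It assumes a NetFlow-style log with the hypothetical field layout `epoch_seconds src_ip dst_ip dst_port`, and the sample flows are constructed inline (one scanning host, one host making ordinary file-share connections).

```python
"""Flag hosts whose SMB (445/tcp) fan-out looks like worm-style port scanning.

Added example, not Guardicore's code. The flow-record layout
(epoch_seconds src_ip dst_ip dst_port) and the thresholds are assumptions;
tune window_s and min_targets to what is normal on your network.
"""
from collections import defaultdict


def build_sample_flows():
    """Constructed sample log: 10.0.0.5 sweeps 40 neighbours on 445 within
    40 seconds, while 10.0.0.9 opens three normal file-share sessions to two
    servers spread across an hour plus one unrelated HTTPS flow."""
    base = 1616000000
    lines = []
    for i in range(1, 41):
        lines.append(f"{base + i} 10.0.0.5 10.0.1.{i} 445")
    for i, dst in enumerate(["10.0.2.10", "10.0.2.11", "10.0.2.10"]):
        lines.append(f"{base + i * 1200} 10.0.0.9 {dst} 445")
    lines.append(f"{base + 5} 10.0.0.9 10.0.2.20 443")
    return "\n".join(lines)


def parse_flows(text):
    """Parse whitespace-separated flow records into (ts, src, dst, dport) tuples,
    skipping blank lines and '#' comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append((int(ts), src, dst, int(dport)))
    return flows


def smb_fanout_alerts(flows, window_s=60, min_targets=20):
    """Return {src: max_distinct_targets} for every source that reached at least
    min_targets distinct hosts on port 445 inside some window_s-second sliding
    window. Distinct destinations, not raw connection count, is what separates a
    scanner from a busy but legitimate SMB client that re-connects to one server."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == 445:
            per_src[src].append((ts, dst))

    alerts = {}
    for src, events in per_src.items():
        events.sort()                       # order by timestamp
        in_window = defaultdict(int)        # dst -> flows currently inside window
        left = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Slide the left edge forward until the window spans <= window_s.
            while ts - events[left][0] > window_s:
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, n in smb_fanout_alerts(parse_flows(build_sample_flows())).items():
        print(f"ALERT possible SMB scan: {src} reached {n} distinct hosts on 445")
```

The threshold is deliberately on distinct destinations per window rather than total connections, so a file server's regular clients do not trip it; a real deployment would also join the flagged source against authentication logs (SMB logon failures against many hosts) before escalating, since the campaign's second step is credential guessing against the services it finds.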