PurpleBravo’s Targeting of the IT Software Supply Chain

Recorded Future / Insikt Group documents PurpleBravo, a North Korean-linked campaign that uses fraudulent developer/recruiter personas and malicious GitHub repositories to deliver infostealers and multi-platform RATs (BeaverTail, GolangGhost/PylangGhost, InvisibleFerret) targeting software developers—especially in the cryptocurrency sector and South Asia. The report details obfuscated JavaScript (Base64 + XOR), RC4/MD5 C2 protocols, registry Run-key persistence, Chrome credential-theft techniques (including DPAPI and app-bound bypasses), extensive C2 infrastructure (dozens of IPs and Astrill VPN nodes), and overlap with PurpleDelta activity. #PurpleBravo #BeaverTail

Keypoints

  • PurpleBravo (tracked by Insikt Group) uses fraudulent LinkedIn/GitHub personas and fake job-interview lures (Google Docs, Figma) to recruit and compromise software developers, with heavy targeting in South Asia and the cryptocurrency industry.
  • Malicious GitHub repositories delivered BeaverTail JavaScript infostealers (Base64 + XOR obfuscated) and references to additional C2 IPs; repositories impacted organizations including an Indian software company and other developer targets.
  • Recorded Future identified multiple malware families used by the cluster: BeaverTail (JS infostealer), GolangGhost/PylangGhost (multi-platform RATs with Chromium stealers), and InvisibleFerret (Python RAT with keylogger and browser-stealer modules).
  • PylangGhost and GolangGhost implement RC4-wrapped HTTP POST C2 with MD5 integrity prefix, support file upload/download, remote shell, persistence via registry Run keys and VBS loaders, sleep/jitter, and automated Chromium-wallet/extension harvesting.
  • Insikt Group mapped extensive infrastructure: 62 BeaverTail C2 servers, 14 GolangGhost C2 servers, 3,136 likely target IPs, many Astrill VPN nodes, and administrative activity from IP ranges in China and Transtelecom IPs tied to testing.
  • Insikt Group observed operational overlap between PurpleBravo and PurpleDelta (shared artifacts, exposed email hundredup2023[@]gmail[.]com, AnyDesk/Astrill usage), raising supply-chain and insider-threat concerns for software development outsourcing.
  • Mitigations recommended include blocklisting C2 IPs, restricting direct-to-IP HTTP/S on nonstandard ports, locking down package registries (npm/go), requiring EDR-enrolled devices for contractors, and hunting obfuscated Base64/XOR JS in developer profiles.
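The RC4-wrapped, MD5-prefixed C2 channel attributed above to PylangGhost and GolangGhost is easiest to reason about with an analyst-side decoder in hand. The block below is an added example written for this summary, not code from the report or from the malware. It assumes a body layout of a raw 16-byte MD5 digest of the plaintext followed by the RC4 ciphertext, and that the RC4 key has already been recovered from a sample; both the layout and the key are assumptions, since the summary does not spell out the exact framing.

```python
import hashlib
from typing import Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wrap_body(key: bytes, plaintext: bytes) -> bytes:
    """Build a body in the assumed layout: md5(plaintext) || rc4(key, plaintext).
    Used here only to construct test traffic for the decoder below."""
    return hashlib.md5(plaintext).digest() + rc4(key, plaintext)


def unwrap_body(key: bytes, body: bytes) -> Optional[bytes]:
    """Decode a captured POST body. Returns the plaintext when the MD5 prefix
    matches the decrypted payload, otherwise None (wrong key, truncated body,
    or a framing different from the one assumed here)."""
    if len(body) < 16:
        return None
    digest, ciphertext = body[:16], body[16:]
    plaintext = rc4(key, ciphertext)
    if hashlib.md5(plaintext).digest() != digest:
        return None
    return plaintext


if __name__ == "__main__":
    # Constructed sample: a placeholder key and a beacon-like message, not values from the report.
    sample_key = b"placeholder-rc4-key"
    sample_msg = b'{"cmd":"ping","host":"analyst-vm"}'
    captured = wrap_body(sample_key, sample_msg)
    print("prefix:", captured[:16].hex())
    print("decoded:", unwrap_body(sample_key, captured))
```

The MD5 prefix is an integrity check, not authentication: there is no secret mixed into it, so once the RC4 key is known from a sample, every captured body can be decoded and the digest simply confirms the key and framing were right. If `unwrap_body` returns None on real traffic with a key you trust, suspect a different framing (hex-encoded digest, digest over the ciphertext) before suspecting the key.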

MITRE Techniques

  • [T1555.003] Credentials from Web Browsers – Automated theft of Chromium-based browser secrets and cookies across OSes using stealer modules (‘automated theft of Chromium-based browser secrets (Windows/macOS/Linux)’)
  • [T1547.001] Boot or Logon Autostart Execution – Achieves persistence by creating a registry Run key that launches a Visual Basic Script (VBS) loader via wscript.exe (‘HKCU\Software\Microsoft\Windows\CurrentVersion\Run\csshost = “wscript.exe” “”’)
  • [T1059.005] Command and Scripting Interpreter (Visual Basic) – Uses VBS loader and wscript.exe to execute persistent payloads on Windows (‘launches a Visual Basic Script (VBS) loader via wscript.exe’)
  • [T1056.001] Input Capture: Keylogging – InvisibleFerret deploys a Windows keylogger using Python libraries to capture keystrokes, mouse activity, active window info, and clipboard content (‘Windows keylogger uses Python libraries, including pyWinhook, pyperclip, psutil, and pywin32, to capture keystrokes, mouse activity, active window information, and clipboard content’)
  • [T1041] Exfiltration Over Command and Control Channel – Stolen data (keychain/login info, browser artifacts) is packaged and sent via encoded or plaintext HTTP POST requests to hardcoded C2 endpoints (‘sent to a hardcoded command-and-control (C2) server with an encoded HTTP POST request’; ‘exfiltrates … via HTTP POST requests to the /keys endpoint’)
  • [T1071.001] Application Layer Protocol: Web Protocols (HTTP) – C2 communications use HTTP POST with application/octet-stream and typical User-Agent strings (python-requests, Go-http-client) for commanding and exfiltration (‘HTTP POST body uses the application/octet-stream MIME type; and its observed User‑Agent strings include python-requests and Go-http-client’)
  • [T1027] Obfuscated Files or Information – JavaScript files and Python builds are obfuscated (Base64 + XOR in JS; PyObfuscate/OSRipper for Python) to hide malicious functionality (‘encoded in Base64 with an XOR cipher’ and ‘Newer builds appear protected by the use of PyObfuscate or OSRipper tooling’)
  • [T1105] Ingress Tool Transfer – Malware downloads and stages additional modules (browser stealer, AnyDesk helper) via HTTP endpoints (/brow, /adc, /uploads) to extend capabilities (‘Downloads the AnyDesk Module (/adc): Downloads the AnyDesk software to ~/.n2/adc’)
  • [T1219] Remote Services – Operators install and use third-party remote desktop software such as AnyDesk for post-compromise access and administration (‘PurpleBravo has previously been observed installing AnyDesk on victim machines post-compromise’)
  • [T1003.002] OS Credential Dumping: LSASS Memory – PylangGhost implements advanced Chrome v20 app-bound credential bypass that requires LSASS impersonation and dual-layer DPAPI unwrapping to obtain system-level secrets (‘requires LSASS impersonation to achieve SYSTEM privileges, dual-layer DPAPI unwrapping, and custom key derivation via Windows CNG APIs to bypass Chrome’s hardened encryption’)
  • [T1566] Phishing – Social-engineering lures (fake recruiter personas, Google Docs, Figma job/interview documents) are used to trick developers into executing malicious challenges or downloads (‘interview lures, which incorporate Google Docs and Figma into their activities’)
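The T1027 entry above (Base64 + XOR in the BeaverTail JavaScript) and the earlier recommendation to hunt for obfuscated JS in developer profiles call for a concrete hunting heuristic. The block below is an added example for this summary, not tooling from the report: it finds long Base64 literals in a JavaScript source, decodes them, brute-forces a single-byte XOR key, and reports candidates that decode to mostly printable text containing JavaScript tokens. The single-byte key is an assumption for the example (the summary only says “XOR cipher”); the sample stage, its key and the `make_sample` helper are constructed here, not artifacts from the report.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Tuple

# A run of at least 64 Base64 characters; shorter literals are ignored to limit noise.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")

# JavaScript tokens a decoded stage should contain if it is code rather than data.
TOKENS = (b"require(", b"function", b"eval(", b"child_process", b"http", b"fetch(")


@dataclass
class Hit:
    offset: int                 # position of the literal in the scanned source
    key: int                    # recovered single-byte XOR key (0 means plain Base64)
    plaintext: bytes
    tokens: Tuple[bytes, ...]   # which tokens were found in the decoded text


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def printable_ratio(data: bytes) -> float:
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


def scan_js(source: str, min_ratio: float = 0.95) -> List[Hit]:
    """Find long Base64 literals, decode them, and brute-force a single-byte XOR key.
    A candidate counts as a hit when it is almost entirely printable and contains
    at least one JavaScript token; the first key that satisfies both wins."""
    hits: List[Hit] = []
    for m in B64_RUN.finditer(source):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except binascii.Error:
            continue   # not valid Base64 (e.g. a long identifier or a hash)
        for key in range(256):
            cand = xor_bytes(blob, key)
            if printable_ratio(cand) < min_ratio:
                continue
            found = tuple(t for t in TOKENS if t in cand)
            if found:
                hits.append(Hit(m.start(), key, cand, found))
                break
    return hits


def make_sample(plaintext: bytes, key: int) -> str:
    """Constructed test input: wrap a Base64(XOR(plaintext)) blob in a JS assignment."""
    literal = base64.b64encode(xor_bytes(plaintext, key)).decode()
    return 'var payload = "' + literal + '";\nvar short = "c2hvcnQ=";'


# Constructed sample stage and key for the demonstration, not artifacts from the report.
SAMPLE_PLAIN = b'const cp = require("child_process"); function run() { return cp.execSync("node --version"); }'
SAMPLE_KEY = 0x5A

if __name__ == "__main__":
    for hit in scan_js(make_sample(SAMPLE_PLAIN, SAMPLE_KEY)):
        print(f"offset={hit.offset} key=0x{hit.key:02x} tokens={hit.tokens}")
        print(hit.plaintext.decode())
```

Run `scan_js` over the contents of cloned repositories or profile artifacts; the 64-character floor and the token requirement keep ordinary Base64 data (icons, hashes, JSON blobs) out of the results. A stage encoded with a multi-byte XOR key will not be recovered by this loop and would need a key-length search first.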

Indicators of Compromise

  • [IP Address] BeaverTail C2 servers (C2 infrastructure) – 147[.]124[.]214[.]129, 216[.]173[.]115[.]200, and 60+ other BeaverTail C2 IPs observed in Appendix B
  • [IP Address] GolangGhost C2 servers (C2 infrastructure) – 154[.]58[.]204[.]15, 31[.]57[.]243[.]29, and a dozen+ additional GolangGhost IPs listed in Appendix B
  • [Domain] Lures, infrastructure, and service providers – lumanagi[.]online (Lumanagi job/Figma lure), proxy-seller[.]com (infrastructure/proxy service) and other supplier domains observed as operator infrastructure
  • [File Name] Malicious repository artifacts and runtime files – index[.]js (BeaverTail JS instance), routes[.]js (obfuscated BeaverTail variant), and temporary runtime files .store and .host used for PID/machine-id tracking
  • [Email Address] Operator/credential artifacts tied to overlap activity – hundredup2023[@]gmail[.]com, aaron19101301[@]gmail[.]com observed on operator systems and in exposed scripts
  • [Account/Handle] GitHub and persona identifiers – GitHub user domin191013 (operator persona), linked LinkedIn personas claiming Lumanagi and other recruiter identities
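The IoC IPs listed above, together with the C2 traits noted under T1071.001 (HTTP POST, application/octet-stream, python-requests and Go-http-client User-Agents) and the mitigation about direct-to-IP HTTP/S on nonstandard ports, can be turned into one egress-log hunt. The block below is an added example written for this summary, not a detection from the report. The tab-separated log format, the client addresses, the ports and the TEST-NET destination in the sample lines are all constructed for the example; the blocklist contains only the four C2 addresses named on this page (the report's Appendix B lists many more). A line is flagged when it reaches a listed C2 address, or when at least two of the weaker traits coincide, since a scripted User-Agent on its own is routine on developer machines.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# C2 addresses named in this summary's IoC list; extend from the report's Appendix B.
KNOWN_C2 = {"147.124.214.129", "216.173.115.200", "154.58.204.15", "31.57.243.29"}

# Traits of the C2 channel called out under T1071.001.
SUSPECT_UA_PREFIXES = ("python-requests/", "Go-http-client/")
SUSPECT_CONTENT_TYPE = "application/octet-stream"
STANDARD_PORTS = {80, 443}

# Constructed log format (an assumption for this example): tab-separated fields
# timestamp, client, method, URL, request content-type, user-agent.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\t(?P<client>\S+)\t(?P<method>[A-Z]+)\t"
    r"(?P<scheme>https?)://(?P<host>[^/:\s]+)(?::(?P<port>\d+))?(?P<path>\S*)\t"
    r"(?P<ctype>[^\t]*)\t(?P<ua>.*)$"
)


@dataclass
class Finding:
    line_no: int
    client: str
    host: str
    port: int
    reasons: List[str]


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess(fields: dict) -> List[str]:
    """Return the list of C2 traits a parsed request exhibits."""
    host = fields["host"]
    scheme = fields["scheme"]
    port = int(fields["port"]) if fields["port"] else (443 if scheme == "https" else 80)
    reasons: List[str] = []
    if host in KNOWN_C2:
        reasons.append("destination is a known C2 address")
    if is_ip_literal(host) and port not in STANDARD_PORTS:
        reasons.append(f"direct-to-IP {scheme} on nonstandard port {port}")
    if fields["method"] == "POST" and fields["ctype"] == SUSPECT_CONTENT_TYPE:
        reasons.append("POST with application/octet-stream body")
    if fields["ua"].startswith(SUSPECT_UA_PREFIXES):
        reasons.append(f"scripted client User-Agent: {fields['ua']}")
    return reasons


def hunt(lines: List[str]) -> List[Finding]:
    """Flag lines that hit the blocklist or show at least two weaker C2 traits."""
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        m = LINE_RE.match(line)
        if not m:
            continue   # malformed or foreign line; skip rather than guess
        fields = m.groupdict()
        reasons = assess(fields)
        known = any(r.startswith("destination is a known C2") for r in reasons)
        if known or len(reasons) >= 2:
            port = int(fields["port"]) if fields["port"] else (443 if fields["scheme"] == "https" else 80)
            findings.append(Finding(line_no, fields["client"], fields["host"], port, reasons))
    return findings


# Constructed sample log: benign developer traffic plus two C2-like requests.
SAMPLE_LOG = [
    "\t".join(["2024-01-01T10:00:00Z", "10.0.0.5", "GET", "https://github.com/example/repo", "", "Mozilla/5.0"]),
    "\t".join(["2024-01-01T10:00:05Z", "10.0.0.5", "GET", "https://registry.npmjs.org/left-pad", "application/json", "npm/10.0.0 node/v20.0.0"]),
    "\t".join(["2024-01-01T10:01:00Z", "10.0.0.7", "POST", "http://203.0.113.10:1234/keys", "application/octet-stream", "python-requests/2.31.0"]),
    "\t".join(["2024-01-01T10:01:30Z", "10.0.0.7", "POST", "http://147.124.214.129:8080/uploads", "application/octet-stream", "Go-http-client/1.1"]),
    "\t".join(["2024-01-01T10:02:00Z", "10.0.0.9", "GET", "https://pypi.org/simple/requests/", "", "python-requests/2.31.0"]),
    "not a log line at all",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.client} -> {f.host}:{f.port}")
        for r in f.reasons:
            print("   -", r)
```

Feed `hunt` the egress proxy or firewall log in the same field order, and keep `KNOWN_C2` synchronised with the report's appendix. The two-trait threshold is the knob to tune: raising it to three trades missed low-signal beacons for fewer tickets, while pip and go traffic to registries over 443 stays below it either way.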


Read more: https://www.recordedfuture.com/research/purplebravos-targeting-it-software-supply-chain