Tuesday, June 25, 2024

LilacSquid Hackers Attacking IT Industries To Harvest Confidential Data

Hackers target IT industries as they hold valuable data, possess critical infrastructure, and often have access to sensitive information from various sectors. 

Compromising IT companies can provide hackers with high-impact opportunities for espionage, financial gain, and disruption of essential services.

Recently, cybersecurity researchers at Cisco Talos detected that LilacSquid hackers have been actively attacking the IT industries to harvest confidential data.

LilacSquid Hackers Attacking IT Industries

Talos is confident that the “LilacSquid” APT group has been conducting a data theft campaign since at least 2021, successfully compromising targets in the pharmaceuticals, oil, gas, and technological industries across Asia, Europe, and the U.S. 

Initial access leveraged vulnerabilities and stolen RDP credentials. Post-compromise, LilacSquid deployed the MeshAgent remote access tool, a customized “PurpleInk” variant of QuasarRAT, and open-source proxying tools like SSF, overlapping with TTPs from North Korean groups like Lazarus and Andariel.

All-in-One Cybersecurity Platform for MSPs to provide full breach protection with a single tool, Watch a Full Demo 

The campaign establishes longstanding access for data exfiltration, and prior supply chain compromises highlight risks from this type of persistent, advanced threat.

LilacSquid employs two main ways to initiate infections:-

  • Hacking vulnerable web apps
  • Stolen RDP credentials

After breaching, they use programs like MeshAgent for remote access, SSF for secure tunneling and customized malware InkLoader, PurpleInk RAT etc.

During application exploitation, MeshAgent acts as a first point of compromise to allow for the delivery of other implants.

They set up persistence before deploying PurpleInk by placing InkLoader first in reboots when using hacked RDP logins.

This stratified method creates multiple routes of duplicative approaches and techniques that APT uses for information stealing across victims.

LilacSquid’s initial access & activity (Source – Cisco Talos)

PurpleInk is the flagship malware of LilacSquid, a dynamic QuasarRAT variant first seen in 2021. 

This rat is heavily disguised and flexible enough to kill processes, execute code, steal files, collect system details, and pass connections through affected hosts acting as relays. 

However, recent samples in the years of 2023 and 2024 are slighter having sacrificed functions like file management possibly for the sake of stealthiness or evading detection.

This malware’s mainstay features have been maintained through its core reverse shell and proxy ability, showing how threat actors adapt their malware’s functionality iteratively according to operational necessities.

LilacSquid uses a multi-stage infection chain that consists of several malware components. InkBox is a loader that decrypts and executes PurpleInk backdoor payloads.

A different method involves InkLoader, which has run PurpleInk in a separate process since 2023. MeshAgent is an open-source remote management tool commonly used as an initial foothold for deployment using configuration files containing victim identifiers and C2 addresses.

Once compromised, MeshAgent enables further distribution of malware such as SSF or PurpleInk to infected systems, allowing the APT group wide-ranging capabilities for remote access.

This modular approach allows LilacSquid to create redundant access points while hiding their activity.



  • 2eb9c6722139e821c2fe8314b356880be70f3d19d8d2ba530adc9f466ffc67d8 

Network IOCs:

  • 67[.]213[.]221[.]6 
  • 192[.]145[.]127[.]190 
  • 45[.]9[.]251[.]14 
  • 199[.]229[.]250[.]142

Get special offers from ANY.RUN Sandbox. Until May 31, get 6 months of free service or extra licenses. Sign up for free.


Latest articles

Hackers Attacking Windows IIS Server to Upload Web Shells

Windows IIS Servers often host critical web applications and services that provide a gateway...

WikiLeaks Founder Julian Assange Released in Stunning Deal with U.S.

WikiLeaks founder Julian Assange has been released from prison after reaching a deal with...

Four Members of FIN9 Hackers Charged for Attacking U.S. Companies

Four Vietnamese nationals have been charged for their involvement in a series of computer...

BREAKING: NHS England’s Synnovis Hit by Massive Cyber Attack

In a shocking development, the NHS has revealed that it was the victim of...

Threat Actor Claiming a 0-day in Linux LPE Via GRUB bootloader

A new threat actor has emerged, claiming a zero-day vulnerability in the Linux GRUB...

LockBit Ransomware Group Claims Hack of US Federal Reserve

The notorious LockBit ransomware group has claimed responsibility for hacking the U.S. Federal Reserve,...

Microsoft Power BI Vulnerability Let Attackers Access Organizations Sensitive Data

A vulnerability in Microsoft Power BI allows unauthorized users to access sensitive data underlying...
Tushar Subhra Dutta
Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles