InkLoader is a .NET-based loader designed to run a hardcoded executable or command. It supports a persistence mechanism and was spotted deploying PurpleInk.
LilacSquid uses InkLoader in conjunction with PurpleInk when they can create and maintain remote desktop (RDP) sessions using stolen credentials. After a successful RDP login, the attackers downloaded InkLoader and PurpleInk, copied them to specific directories, and registered InkLoader as a service. The service launches InkLoader, which in turn deploys PurpleInk.
PurpleInk has been actively developed since 2021. It relies on a configuration file to obtain information such as the command and control (C2) server's address and port; the configuration is typically base64-decoded and then decrypted.
PurpleInk is heavily obfuscated and versatile; the malware supports multiple RAT capabilities, including: