New Cyber Espionage Campaign by LilacSquid Affects IT, Energy, and Pharma Industries
LilacSquid, a new cyber espionage threat actor, is targeting the IT, energy, and pharma sectors globally. It uses advanced tools like MeshAgent and PurpleInk to steal valuable data. Learn more about these attacks here.

- Since at least 2021, LilacSquid has been conducting targeted cyber espionage attacks on the IT, energy, and pharmaceutical sectors in the U.S., Europe, and Asia.
- The group employs sophisticated tools like MeshAgent and PurpleInk, exploiting known vulnerabilities and compromised RDP credentials to steal data and maintain long-term access.
A newly identified cyber espionage threat actor, dubbed LilacSquid, has been implicated in targeted attacks across various sectors in the United States, Europe, and Asia since at least 2021. According to a recent technical report by Cisco Talos researcher Asheer Malhotra, the group’s primary goal is to establish long-term access to compromised organizations to exfiltrate valuable data to attacker-controlled servers. LilacSquid’s targets include information technology firms in the U.S. involved in software development for research and industrial applications, energy companies in Europe, and pharmaceutical companies in Asia, demonstrating wide-ranging victimology.
The attack methods involve exploiting publicly known vulnerabilities to breach internet-facing application servers, or using compromised remote desktop protocol (RDP) credentials, to deploy a combination of open-source tools and custom malware. A distinctive feature of this campaign is the use of MeshAgent, an open-source remote management tool, to deliver PurpleInk, a customized version of Quasar RAT.
Alternative infection vectors that rely on compromised RDP credentials involve either deploying MeshAgent or installing a .NET-based loader called InkLoader, which then drops PurpleInk. After a successful RDP login, InkLoader and PurpleInk are downloaded, copied into specific directories, and registered as services to maintain persistence.
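The chain above (RDP logon, then a loader and RAT registered as services) is visible in standard Windows telemetry. As an added example, not code from the Talos report or this article, the Python below correlates RDP logons (Security event 4624 with LogonType 10) with new service installations (System event 7045) on the same host inside a short window; the event IDs and logon type are real Windows values, while the host names, users, service names, paths and timestamps are constructed sample data.

```python
"""Flag service installs that closely follow an RDP logon on the same host.

Added example, not from the Talos report. Correlates Security 4624
(LogonType 10 = RemoteInteractive, i.e. RDP) with System 7045 (a new
service was installed). Records are simplified dicts; in practice they
would come from an EVTX parser or a SIEM query.
"""
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry); times are ISO 8601.
SAMPLE_EVENTS = [
    {"host": "srv01", "event_id": 4624, "logon_type": 10, "user": "svc_build",
     "time": "2024-05-01T02:10:00"},
    {"host": "srv01", "event_id": 7045, "service": "UpdateSvc",
     "image": "C:\\ProgramData\\update\\loader.exe", "time": "2024-05-01T02:14:30"},
    {"host": "srv02", "event_id": 4624, "logon_type": 2, "user": "alice",
     "time": "2024-05-01T03:00:00"},  # interactive (console) logon, not RDP
    {"host": "srv02", "event_id": 7045, "service": "Backup",
     "image": "C:\\Backup\\b.exe", "time": "2024-05-01T03:01:00"},
    {"host": "srv01", "event_id": 7045, "service": "Late",
     "image": "C:\\x\\l.exe", "time": "2024-05-01T05:00:00"},  # hours later
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def rdp_then_service(events, window_minutes=30):
    """Return (host, user, service, image) for every 7045 that occurs within
    `window_minutes` after a LogonType-10 4624 on the same host."""
    rdp_logons = [e for e in events
                  if e["event_id"] == 4624 and e.get("logon_type") == 10]
    hits = []
    for svc in (e for e in events if e["event_id"] == 7045):
        for logon in rdp_logons:
            if logon["host"] != svc["host"]:
                continue
            delta = _ts(svc) - _ts(logon)
            if timedelta(0) <= delta <= timedelta(minutes=window_minutes):
                hits.append((svc["host"], logon["user"],
                             svc["service"], svc["image"]))
    return hits


if __name__ == "__main__":
    for hit in rdp_then_service(SAMPLE_EVENTS):
        print("service installed shortly after RDP logon:", hit)
```

The window is a tuning knob: widening it catches slower hands-on-keyboard activity at the cost of more benign administrator installs to triage.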
LilacSquid has actively maintained PurpleInk since 2021. The malware is heavily obfuscated and versatile: it can run new applications, perform file operations, gather system information, enumerate directories and processes, launch a remote shell, and connect to a remote command-and-control (C2) server. Recent versions discovered in 2023 and 2024 have been streamlined to focus on creating a reverse shell and transferring data through a proxy, likely to avoid detection.
Cisco Talos also identified another custom tool, InkBox, previously used to deploy PurpleInk before transitioning to InkLoader. Notably, the use of MeshAgent is similar to tactics employed by the North Korean threat actor Andariel, part of the notorious Lazarus Group, particularly in attacks on South Korean companies. LilacSquid also uses Secure Socket Funneling (SSF) to maintain secondary access, further aligning its tactics with North Korean APT groups.