PurpleBravo attacks exploit dev hiring, 3,136 IPs exposed…

PurpleBravo: Fake recruiter/developer profiles and malicious GitHub projects deploy BeaverTail and GolangGhost via Astrill VPN, targeting 3,136 IPs and 20 organizations worldwide.

  • PurpleBravo targeted at least 3,136 IP addresses and claimed 20 potential victim organizations across multiple regions.
  • Attackers used fake recruiter/developer profiles, malicious code in developer workflows, and infected GitHub projects to deploy backdoors and infostealers.
  • The campaign runs two malware families, BeaverTail and GolangGhost, with command-and-control infrastructure administered via Astrill VPN.
  • The activity overlaps with a long‑running North Korean IT worker campaign (also called Wagemole/PurpleDelta), creating broader supply‑chain risk.

Recorded Future's Insikt Group identified the cluster tracked as PurpleBravo, reporting that roughly 3,136 individual IP addresses were targeted from August 2024 to September 2025 across South Asia and North America. The activity claimed 20 potential victim firms in Europe, South Asia, the Middle East, and Central America and focused on espionage and financial theft. See the detailed findings at Recorded Future.

The potential victim organizations span AI, cryptocurrency, financial services, IT services, marketing, and software development, with bases in Belgium, Bulgaria, Costa Rica, India, Italy, the Netherlands, Pakistan, Romania, the U.A.E., and Vietnam. Many of these firms serve large customer bases, increasing supply‑chain exposure.

Jamf Threat Labs documented a notable iteration of the campaign that used malicious Visual Studio Code projects and compromised developer workflows; details are available in this report. Investigators also observed fake LinkedIn personas and malicious GitHub repositories used to distribute malware.

The actors operated two primary malware toolsets: the JavaScript infostealer and loader BeaverTail, and a Go-based backdoor known as GolangGhost (aka FlexibleFerret or WeaselStore), which reuses components from the open-source HackBrowserData tool. Command-and-control servers for these tools ran across 17 hosting providers.

Infrastructure analysis shows administration traffic from an Astrill VPN IP range and hosting originating in China. The group’s use of Astrill has been documented elsewhere; see reporting at Spur and Silentpush.

Recorded Future noted operational overlap with the separate IT worker campaign known as Wagemole (PurpleDelta), including shared VPN administration and IPs linked to North Korean IT worker activity. “In several cases, it is likely that job-seeking candidates executed malicious code on corporate devices, creating organizational exposure beyond the individual target,” the report said. “Many of these [potential victim] organizations advertise large customer bases, presenting an acute supply-chain risk to companies outsourcing work in these regions.”
