LilacSquid: The stealthy trilogy of PurpleInk, InkBox and InkLoader

2024-05-30 Cisco Talos

https://blog.talosintelligence.com/lilacsquid/


Cisco Talos tracks LilacSquid as an espionage-motivated APT active since at least 2021 that has compromised organizations in pharmaceuticals, oil and gas, and technology across Asia, Europe, and the United States. The actor gains initial access through vulnerable internet-facing application servers or stolen RDP credentials, then deploys MeshAgent (an open-source remote-management agent), Secure Socket Funneling (an open-source tunneling tool), InkLoader, and the PurpleInk implant, a heavily customized QuasarRAT variant. InkBox, named in the title, is the earlier loader for PurpleInk that InkLoader superseded. Talos notes overlaps with North Korean APT tradecraft, including Andariel's reported use of MeshAgent and Lazarus's use of proxy and tunneling tools for secondary access and exfiltration, but attributes this activity to LilacSquid. PurpleInk provides remote control, file operations, system discovery, a reverse shell, and proxying, supporting long-term access and data theft.

Indicators of Compromise

Type   Value                              First Seen   Last Seen
IPv4   67.213.221.6                       2024-05-30   2024-06-13
IPv4   45.9.251.14                        2024-05-30   2024-06-13
IPv4   199.229.250.142                    2024-05-30   2024-06-13
IPv4   192.145.127.190                    2024-05-30   2024-06-13
HASH   2eb9c6722139e821c2fe8314b356880…   2024-05-30   2024-05-30
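The indicators above are only useful once they are run against telemetry, so the following is an added example (not code from Talos or from the original page) of a small IOC sweep over log lines. The four IPv4 addresses are taken from the table; the hash is truncated on the page, so the script can only prefix-match it and flags such hits as low confidence until the full hash is confirmed against the Talos IOC list. The log format (key=value fields after a timestamp and source tag), host names, paths and the hash suffix in the sample lines are all constructed for the example and are not real telemetry.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# C2 addresses listed in the IOC table on this page (Talos, first seen 2024-05-30).
# Public IPs get reassigned; treat matches outside the reported window with care.
C2_IPS = {
    "67.213.221.6",
    "45.9.251.14",
    "199.229.250.142",
    "192.145.127.190",
}

# The page shows only the first 31 hex digits of the file hash, so this is a
# prefix, not a full indicator. Prefix hits are reported as low confidence.
HASH_PREFIX = "2eb9c6722139e821c2fe8314b356880"

# Constructed sample logs (not real data): a simplified firewall format and a
# simplified EDR file-hash format. The sha256 on line 4 shares the page's prefix
# but its "aaaa..." suffix is made up.
SAMPLE_LOGS = """\
2024-06-01T10:14:02Z fw allow src=10.20.30.41 dst=67.213.221.6 dport=443 proto=tcp
2024-06-01T10:14:05Z fw allow src=10.20.30.41 dst=142.250.72.14 dport=443 proto=tcp
2024-06-01T10:15:11Z fw allow src=10.20.30.57 dst=45.9.251.14 dport=8080 proto=tcp
2024-06-01T10:16:40Z edr filehash host=WS-0041 sha256=2eb9c6722139e821c2fe8314b356880aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa path=C:\\Users\\Public\\svc.exe
2024-06-01T10:17:02Z edr filehash host=WS-0042 sha256=0000000000000000000000000000000000000000000000000000000000000000 path=C:\\Windows\\notepad.exe
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str        # "c2_ip" or "hash_prefix"
    value: str
    confidence: str  # "high" for an exact IP match, "low" for a truncated-hash prefix match


def parse_kv(line: str) -> dict:
    """Extract key=value fields from one log line; tokens without '=' are ignored."""
    return dict(KV_RE.findall(line))


def scan(lines: Iterable[str]) -> list[Hit]:
    """Sweep log lines for the page's IOCs and return every hit in line order."""
    hits: list[Hit] = []
    for line_no, line in enumerate(lines, start=1):
        fields = parse_kv(line)

        # Match either direction: outbound C2 traffic (dst) or inbound from C2 (src).
        for key in ("src", "dst"):
            addr = fields.get(key)
            if addr in C2_IPS:
                hits.append(Hit(line_no, "c2_ip", addr, "high"))

        digest = fields.get("sha256", "").lower()
        if digest.startswith(HASH_PREFIX):
            # Only a prefix is known from the page, so this is a lead, not a confirmation.
            hits.append(Hit(line_no, "hash_prefix", digest, "low"))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS.splitlines()):
        print(f"line {hit.line_no}: {hit.kind} {hit.value} (confidence={hit.confidence})")
```

Run against the constructed sample, the sweep reports two high-confidence C2 connections (lines 1 and 3) and one low-confidence hash-prefix hit (line 4); the prefix hit should be resolved against the full hash published by Talos before any response action is taken on that host.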
