New Dark Pink APT group hits government and military in Asia-Pacific


A wave of advanced persistent threat (APT) attacks labeled Dark Pink is hitting the Asia-Pacific region, prompting researchers to turn their attention to a new active player on the cybercriminal scene.

When identifying the threat actor, Group-IB highlighted the likelihood of Dark Pink being a brand-new APT group. Its name comes from some of the email addresses used by Dark Pink during data exfiltration, although it has also been dubbed Saaiwc Group by Chinese cybersecurity researchers.

Group-IB’s sector-leading Threat Intelligence confirmed seven attacks by the group, which most probably emerged as early as mid-2021, judging by a GitHub account the researchers discovered.

Many of their attacks targeted the Asia-Pacific region, with a handful of strikes against European government targets. According to researchers, the confirmed victims include two military bodies in the Philippines and Malaysia, government agencies in Cambodia, Indonesia, and Bosnia and Herzegovina, and a religious organization in Vietnam. A European state development agency based in Vietnam was also targeted, in an attack that failed.

New tactics

Group-IB discovered a variety of new tactics employed by Dark Pink, such as a custom toolkit featuring TelePowerBot, KamiKakaBot, and the Cucky and Ctealer information stealers, used to obtain sensitive information held on the networks of government and military organizations. These custom modules receive and execute commands through a Telegram bot controlled by the attackers.

The group achieved initial access through successful spear-phishing emails that carried a malicious ISO image. In one of the identified emails, the threat actors posed as a job applicant applying for the position of PR and Communications intern, with a fake link to the applicant’s “documents.”

Dark Pink can also allegedly infect the USB devices attached to compromised computers and gain access to messengers on infected machines, as well as capture the sound from the microphones of compromised devices.

“Furthermore, Dark Pink threat actors utilize two core techniques: DLL Side-Loading and executing malicious content triggered by a file type association (Event Triggered Execution: Change Default File Association). The latter of these tactics is one rarely seen utilized in the wild by threat actors,” the researchers explain.
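The three behaviours named on this page (command-and-control over a Telegram bot, DLL side-loading, and changing a default file association so that opening an ordinary document launches attacker code) each leave a footprint in endpoint telemetry that a defender can hunt for. The following is an added example, not code from Group-IB or from the report: a small Python triage script that runs three detection checks over Sysmon-style event records. The field names (EventID, Image, ImageLoaded, TargetObject, Details, Signed, DestinationHostname) follow Sysmon's schema; the event lines themselves are constructed for this example, and the path prefixes and process allowlist are assumptions to be tuned per environment.

```python
import json
import ntpath

# Constructed Sysmon-style events in JSON Lines form. Field names follow Sysmon's
# schema (ID 13 = registry value set, ID 7 = image loaded, ID 3 = network connect);
# every value below is made up for this example and is not from the report.
SAMPLE_EVENTS = r"""
{"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe", "TargetObject": "HKCR\\txtfile\\shell\\open\\command\\(Default)", "Details": "\"C:\\Users\\alice\\AppData\\Roaming\\svc\\helper.exe\" \"%1\""}
{"EventID": 13, "Image": "C:\\Windows\\System32\\msiexec.exe", "TargetObject": "HKCR\\txtfile\\shell\\open\\command\\(Default)", "Details": "%SystemRoot%\\system32\\NOTEPAD.EXE %1"}
{"EventID": 7, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\Setup\\Updater.exe", "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\Setup\\version.dll", "Signed": "false"}
{"EventID": 7, "Image": "C:\\Program Files\\Vendor\\app.exe", "ImageLoaded": "C:\\Windows\\System32\\version.dll", "Signed": "true"}
{"EventID": 3, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "DestinationHostname": "api.telegram.org", "DestinationPort": 443}
{"EventID": 3, "Image": "C:\\Program Files\\Telegram Desktop\\Telegram.exe", "DestinationHostname": "api.telegram.org", "DestinationPort": 443}
"""

# Assumed directories a standard user can write to; an attacker-controlled handler
# or side-loaded DLL usually lives somewhere like this rather than under Windows\.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Assumed processes for which contacting the Telegram bot API is expected.
TELEGRAM_ALLOWED_IMAGES = ("telegram.exe", "chrome.exe", "msedge.exe", "firefox.exe")


def is_user_writable(path):
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def first_executable(command):
    """Return the executable part of a registry 'open' command, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def check_file_association(ev):
    """Event Triggered Execution: Change Default File Association (MITRE T1546.001).
    Flags a shell\\open\\command handler that now points into a user-writable path."""
    target = ev.get("TargetObject", "")
    if "\\shell\\open\\command" not in target.lower():
        return None
    exe = first_executable(ev.get("Details", ""))
    if is_user_writable(exe):
        return f"file association hijack: {target} -> {exe} (written by {ev.get('Image')})"
    return None


def check_side_load(ev):
    """DLL side-loading (MITRE T1574.002): an executable loads an unsigned DLL that
    sits in its own directory, and that directory is user-writable."""
    host, dll = ev.get("Image", ""), ev.get("ImageLoaded", "")
    same_dir = ntpath.dirname(host).lower() == ntpath.dirname(dll).lower()
    unsigned = ev.get("Signed", "true").lower() != "true"
    if same_dir and unsigned and is_user_writable(dll):
        return f"possible DLL side-loading: {host} loaded unsigned {dll}"
    return None


def check_telegram_c2(ev):
    """Bot-API command channel: a process outside the allowlist talking to the
    Telegram API host is worth a look, since the page's tooling is tasked that way."""
    if ev.get("DestinationHostname", "").lower() != "api.telegram.org":
        return None
    image = ntpath.basename(ev.get("Image", "")).lower()
    if image in TELEGRAM_ALLOWED_IMAGES:
        return None
    return f"Telegram bot API contact from unexpected process: {ev.get('Image')}"


CHECKS = {13: check_file_association, 7: check_side_load, 3: check_telegram_c2}


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(events):
    """Run the check matching each event's ID and collect human-readable findings."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev.get("EventID"))
        if check is None:
            continue
        result = check(ev)
        if result:
            findings.append(result)
    return findings


if __name__ == "__main__":
    for finding in triage(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

On the constructed input the script raises three findings (the hijacked `txtfile` handler, the unsigned `version.dll` loaded from a temp directory, and PowerShell reaching the Telegram API) and stays silent on the three benign records. In practice the same checks map directly onto SIEM or Sigma rules; the user-writable prefixes and the process allowlist are the parts that need tuning per estate.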

Previous research by Group-IB tied various nation-state threat actors from China, North Korea, Iran, and Pakistan to increased cyber threats in the Asia-Pacific region, which it considers a “key arena” of APT activity. These attacks are usually carried out for the purpose of espionage.