{
	"id": "161c3f14-7ba7-4adc-95c7-c7aa385ad5fd",
	"created_at": "2026-04-06T15:52:05.906216Z",
	"updated_at": "2026-04-10T03:36:19.289271Z",
	"deleted_at": null,
	"sha1_hash": "90691651551071549e1e83391c1f6a560edddceb",
	"title": "Dark Pink: New APT group targets governmental, military organizations in APAC, Europe | Group-IB",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 126325,
	"plain_text": "Dark Pink: New APT group targets governmental, military organizations in APAC, Europe\r\nJanuary 11, 2023 · 8 min to read\r\nhttps://www.group-ib.com/media-center/press-releases/dark-pink-apt/\r\nPage 1 of 11\n\nGroup-IB, one of the global cybersecurity leaders, has today published its findings into Dark Pink,\r\nan ongoing advanced persistent threat (APT) campaign launched against high-profile targets in\r\nCambodia, Indonesia, Malaysia, Philippines, Vietnam, and Bosnia and Herzegovina that we\r\nbelieve, with moderate confidence, was launched by a new threat actor. To date, Group-IB’s Threat\r\nIntelligence has been able to attribute seven successful attacks to this particular group from\r\nJune to December 2022, with targets including military bodies, government ministries and agencies,\r\nand religious and non-profit organizations, although the list of victims could be significantly longer.\r\nGroup-IB also noted one unsuccessful attack on a European state development body based in\r\nVietnam.\r\nGroup-IB analysis discovered that the initial access vector for the campaign of Dark Pink (name\r\ngiven by Group-IB) was targeted spear-phishing emails, and the core goal of the threat actors,\r\nwho leverage an almost-entirely custom toolkit, is corporate espionage, as they attempt to\r\nexfiltrate files, microphone audio, and messenger data from infected devices and networks.\r\nGroup-IB, in line with its zero-tolerance policy toward cybercrime, has issued proactive notifications to all\r\npotential and confirmed targets of Dark Pink. Our researchers are continuing to uncover and\r\nanalyze all the details behind this particular APT campaign.\r\nDark Pink goes to the core\r\nTo date, Group-IB has been unable to attribute this campaign, which leverages custom tools and\r\nsome rarely seen tactics and techniques, to any known threat actor. 
As a result, Group-IB believes\r\nthat Dark Pink’s campaign in the second half of 2022 is the activity of an entirely new threat actor\r\ngroup, which has also been termed Saaiwc Group by Chinese cybersecurity researchers. This new\r\nAPT group is notable due to its specific focus on attacking branches of the military, and\r\ngovernment ministries and agencies. Group-IB discovered that, as of December 2022, Dark Pink APT\r\nbreached the security defenses of six organizations in five APAC countries (Cambodia, Indonesia,\r\nMalaysia, Philippines, and Vietnam), and one organization in Europe (Bosnia and Herzegovina).\r\nThe first successful attack took place this past June, when the threat actors gained access to the\r\nnetwork of a religious organization in Vietnam. Following this particular breach, no other attack\r\nattributable to Dark Pink was registered until August 2022, when Group-IB analysts discovered that\r\nthe threat actors had gained access to the network of a Vietnamese non-profit organization.\r\nDark Pink’s activity ramped up in the final four months of the year. Group-IB’s Threat Intelligence\r\nTeam uncovered attacks on a branch of the Philippines military in September, a Malaysian military\r\nbranch in October, two breaches in November, with the victims being government organizations in\r\nBosnia \u0026 Herzegovina and Cambodia, and finally, in early December, an Indonesian governmental\r\nagency. Group-IB’s Threat Intelligence also discovered an unsuccessful attack on a European state\r\ndevelopment agency based in Vietnam in October.\r\nFigure 1: Dark Pink APT’s timeline and affected organizations\r\nWhile the first Dark Pink breach, as confirmed by Group-IB, took place in June 2022, there are clues\r\nto suggest that the group was active as far back as mid-2021. 
Group-IB found that the threat actors,\r\nupon infection of a device, were able to issue commands to the infected computer to download\r\nmalicious files from Github, with these resources uploaded by the threat actors themselves.\r\nInterestingly, the threat actors have used the same Github account for uploading malicious files for\r\nthe entire duration of the APT campaign to date, which could suggest that they have been able\r\nto operate without detection for a significant period of time.\r\nFigure 2: Screenshot detailing activity on the Github account attributed to Dark Pink APT in 2021\r\n(above) and 2022 (below)\r\nSharpen those custom tools\r\nDark Pink utilizes a set of custom tools and sophisticated tactics, techniques and procedures (TTPs)\r\nthat have made a major contribution to its successful attacks over the past seven months. In their\r\nresearch into Dark Pink, Group-IB analysts detail the entire victim journey from initial infection to\r\ndata exfiltration.\r\nThe threat actors launch their attack with targeted spear-phishing emails. Group-IB was able to find\r\nthe original email sent by the threat actors in one unsuccessful attack. In this instance, the attackers\r\nposed as a job seeker applying for the position of PR and Communications Intern. 
In the email, the\r\nthreat actor mentions that they found the vacancy on a jobseeker site, which could suggest that\r\nthe threat actors scan job boards and craft a unique phishing email relevant to the organization\r\nthat they find.\r\nFigure 3: Screenshot of original spear-phishing email sent by Dark Pink APT, containing a link to an\r\nISO image hosted on a file-sharing site.\r\nThe spear-phishing emails contain a shortened URL linking to a free-to-use file sharing site, on\r\nwhich the victim is presented with the option to download a malicious ISO file that always contains\r\nthree specific file types: a signed executable file, a nonmalicious decoy document (some ISO files\r\nseen by Group-IB had more than one), and a malicious DLL file. However, these file types can differ\r\nin their content and functionality, and Group-IB analysts uncovered three separate kill chains,\r\nunderscoring the sophistication of this particular APT group.\r\nThe first kill chain analyzed by Group-IB sees the threat actors pack all of the files described above,\r\nincluding a malicious DLL, onto the ISO itself, and after mounting, the DLL will be run using the\r\ntechnique known as DLL side-loading. The second kill chain sees the threat actors leverage Github\r\nafter initial access, allowing them to automatically download a template document that contains\r\nmacro code responsible for running the threat actors’ malware. 
Finally, the third and most\r\nrecent kill chain leveraged by the threat actors (in December 2022) sees their malware launched with\r\nthe assistance of an XML file, which contains an MSBuild project that includes a task to execute\r\n.NET code in order to launch their custom malware.\r\nThe sophistication of Dark Pink’s attacks is also underlined by the custom malware and stealers in\r\nthe threat actors’ arsenal. They created two custom modules, named by Group-IB as TelePowerBot\r\nand KamiKakaBot, which are written in PowerShell and .NET, respectively. These two pieces of\r\nmalware are designed to read and execute commands from a threat actor-controlled Telegram\r\nchannel via a Telegram bot. Group-IB researchers noted that all communication between the\r\ndevices of the threat actors and victims was based entirely on the Telegram API, and they utilized\r\nnumerous evasion techniques, including bypassing User Account Control, to remain undetected.\r\nThe threat actor also created two custom stealers, dubbed Cucky and Ctealer by Group-IB. When\r\nlaunched on a victim’s device, the stealers are able to steal passwords, history, logins, and cookies\r\nfrom dozens of web browsers. In this campaign, the threat actors also wrote a script that allowed\r\nthem to transfer their malware to USB devices connected to the compromised machine, and also\r\nspread their malware across network shares.\r\nThe threat actors also leveraged a custom utility, dubbed ZMsg by Group-IB, to exfiltrate data from\r\nthe Zalo messenger on victims’ devices. Researchers found evidence that the APT group could\r\nsteal data from the Viber and Telegram messengers as well. One of the only off-the-shelf tools that\r\nthe threat actors utilized was the publicly available PowerSploit module Get-MicrophoneAudio,\r\nwhich is loaded onto the victim’s device via download from Github. 
This module, which the threat\r\nactors customized to ensure they were able to bypass antivirus software, allowed them to record\r\naudio input and later exfiltrate these recordings via their Telegram bot. Group-IB analysts noted\r\nthat the custom script added to this PowerSploit module was changed multiple times, after several\r\nunsuccessful attempts to record the microphone audio on infected devices.\r\nDark Pink exfiltrated data from victims via three specific pathways: Telegram, Dropbox and\r\nemail. In fact, the name Dark Pink comes from a hybrid of two of the email addresses\r\n(blackpink.301@outlook[.]com and blackred.113@outlook[.]com) used by the threat actors during\r\ndata exfiltration via the latter pathway.\r\nAndrey Polovinkin, Malware Analyst at Group-IB:\r\n“Group-IB’s analysis of Dark Pink is of major significance, as it details a highly\r\ncomplex APT campaign launched by seasoned threat actors. The use of an\r\nalmost entirely custom toolkit, advanced evasion techniques, the threat\r\nactors’ ability to rework their malware to ensure maximum effectiveness, and\r\nthe profile of the targeted organizations demonstrate the threat that this\r\nparticular group poses. Group-IB will continue to monitor and analyze both\r\npast and future Dark Pink attacks with the aim of uncovering those behind\r\nthis campaign.”\r\nDark Pink APT’s recent campaign is yet another example of how individuals’ interactions with spear-phishing emails can result in the penetration of the security defenses of even the most protected\r\norganizations. Group-IB recommends solutions, such as its proprietary Business Email Protection,\r\nthat can counter this threat effectively and stop malicious emails from ending up in employees’\r\ninboxes. That said, Group-IB urges organizations to foster a culture of cybersecurity and educate\r\ntheir employees on how to identify phishing emails. 
Group-IB’s Threat Intelligence platform led the\r\nanalysis into Dark Pink, and can help organizations shore up their security posture by equipping\r\nthem with the latest insights into emerging threats.\r\nAbout Group-IB\r\nFounded in 2003 and headquartered in Singapore, Group-IB is a leading creator of cybersecurity\r\ntechnologies to investigate, prevent, and fight digital crime. Combating cybercrime is in the\r\ncompany’s DNA, shaping its technological capabilities to defend businesses, citizens, and support\r\nlaw enforcement operations.\r\nGroup-IB’s Digital Crime Resistance Centers (DCRCs) are located in the Middle East, Europe, Central\r\nAsia, and Asia-Pacific to help critically analyze and promptly mitigate regional and country-specific\r\nthreats. These mission-critical units help Group-IB strengthen its contribution to global cybercrime\r\nprevention and continually expand its threat-hunting capabilities.\r\nGroup-IB’s decentralized and autonomous operational structure helps it offer tailored,\r\ncomprehensive support services with a high level of expertise. 
We map and mitigate adversaries’\r\ntactics in each region, delivering customized cybersecurity solutions tailored to risk profiles and\r\nrequirements of various industries, including retail, healthcare, gambling, financial services,\r\nmanufacturing, crypto, and more.\r\nThe company’s global security leaders work in synergy with some of the industry’s most advanced\r\ntechnologies to offer detection and response capabilities that eliminate cyber disruptions agilely.\r\nGroup-IB’s Unified Risk Platform (URP) underpins its conviction to build a secure and trusted\r\ncyber environment by utilizing intelligence-driven technology and agile expertise that completely\r\ndetects and defends against all nuances of digital crime. The platform proactively protects\r\norganizations’ critical infrastructure from sophisticated attacks while continuously analyzing\r\npotentially dangerous behavior all over their network.\r\nThe comprehensive suite includes the world’s most trusted Threat Intelligence, the most complete\r\nFraud Protection, AI-powered Digital Risk Protection, multi-layered protection with Managed\r\nExtended Detection and Response (XDR), all-infrastructure Business Email Protection, and External\r\nAttack Surface Management.\r\nFurthermore, Group-IB’s full-cycle incident response and investigation capabilities have consistently\r\nelevated industry standards. 
This includes the 77,000+ hours of cybersecurity incident response\r\ncompleted by our sector-leading DFIR Laboratory, more than 1,400 successful investigations\r\ncompleted by the High-Tech Crime Investigations Department, and round-the-clock efforts of\r\nCERT-GIB.\r\nTime and again, its solutions and services have been revered by leading advisory and analyst\r\nagencies such as Aite Novarica, Gartner®, Forrester, Frost \u0026 Sullivan, KuppingerCole Analysts AG,\r\nand more.\r\nBeing an active partner in global investigations, Group-IB collaborates with international law\r\nenforcement organizations such as INTERPOL, EUROPOL and AFRIPOL to create a safer\r\ncyberspace. Group-IB is also a member of the Europol European Cybercrime Centre’s (EC3)\r\nAdvisory Group on Internet Security, which was created to foster closer cooperation between\r\nEuropol and its leading non-law enforcement partners.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.group-ib.com/media-center/press-releases/dark-pink-apt/"
	],
	"report_names": [
		"dark-pink-apt"
	],
	"threat_actors": [
		{
			"id": "fd4c3ddd-11cc-4192-9c94-ff107d7f8492",
			"created_at": "2023-02-18T02:04:24.06294Z",
			"updated_at": "2026-04-10T02:00:04.644528Z",
			"deleted_at": null,
			"main_name": "Dark Pink",
			"aliases": [
				"Saaiwc Group"
			],
			"source_name": "ETDA:Dark Pink",
			"tools": [
				"Ctealer",
				"Cucky",
				"KamiKakaBot",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"PowerSploit",
				"TelePowerBot",
				"ZMsg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "fbe45970-1e9e-4a82-bc06-46317a248479",
			"created_at": "2026-02-03T02:00:03.45132Z",
			"updated_at": "2026-04-10T02:00:03.947304Z",
			"deleted_at": null,
			"main_name": "DarkPink",
			"aliases": [
				"Saaiwc"
			],
			"source_name": "MISPGALAXY:DarkPink",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775490725,
	"ts_updated_at": 1775792179,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/90691651551071549e1e83391c1f6a560edddceb.pdf",
		"text": "https://archive.orkl.eu/90691651551071549e1e83391c1f6a560edddceb.txt",
		"img": "https://archive.orkl.eu/90691651551071549e1e83391c1f6a560edddceb.jpg"
	}
}