Dark Pink APT is believed to originate from the Asia-Pacific region and has been actively targeting multiple sectors since 2021.
It primarily targets government, educational, military, NGO and development entities located in East Asia, and has recently expanded its operations into Europe.
The group is known to use sophisticated custom tools and multiple kill chains to maintain access to victim systems and remain undetected while exfiltrating victim data.
Dark Pink continues to rely on ISO images delivered via spear-phishing email to gain initial access to victim systems, and uses DLL side-loading to launch backdoors such as "TelePowerBot" and "KamiKakaBot".
Once a backdoor is running, it collects sensitive information from the compromised host, packs it into a ZIP archive and exfiltrates the archive to attacker-controlled Telegram accounts.
The threat actors also use webhook.site, a public web service that issues temporary HTTP endpoints, as a drop point for stolen data; in earlier campaigns cloud storage services such as Dropbox were used for exfiltration.
The threat actor also maintains a GitHub account on which multiple payloads are hosted, and uses TextBin.net to distribute payloads to victim systems.
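The three exfiltration channels named above (Telegram, webhook.site and Dropbox) are all ordinary HTTPS traffic to public services, so the practical hunting question is what an outbound upload to them looks like in a web-proxy log. The script below is an added example written for this report, not a GLESEC or Dark Pink artefact: it flags POST/PUT requests carrying a payload above a size threshold to those services, and for Telegram additionally requires the request to match the Bot API path shape (/bot<token>/<method>), since that is the only way a bot can push a document. The log layout, IP addresses, bot token and endpoint IDs are constructed for the example; the host names are the services' real public API hosts, but the channel labels and the 1 KiB threshold are our choices.

```python
"""Hunt web-proxy logs for uploads to exfiltration services attributed to Dark Pink.

Added example; not code from the original report. The log format is a
constructed, Squid-like layout:
    <timestamp> <src_ip> <method> <url> <status> <bytes_sent_by_client>
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Public services the report associates with Dark Pink exfiltration.
# Host names are the services' real API/ingest hosts; the channel labels are ours.
EXFIL_HOSTS = {
    "api.telegram.org": "telegram-bot-api",
    "webhook.site": "webhook.site",
    "content.dropboxapi.com": "dropbox-content-api",
}

# Telegram Bot API calls have the form /bot<token>/<method>, where a bot
# token is "<bot id digits>:<35-char secret>". Captures the method name.
TELEGRAM_BOT_PATH = re.compile(r"^/bot\d+:[A-Za-z0-9_-]{35}/(\w+)")


@dataclass
class Hit:
    ts: str
    src_ip: str
    channel: str
    host: str
    detail: str
    bytes_out: int


def parse_line(line):
    """Split one constructed log line; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src_ip, method, url, status, bytes_out = parts
    return ts, src_ip, method, url, int(status), int(bytes_out)


def classify(method, url, bytes_out, min_bytes=1024):
    """Return (channel, host, detail) for a payload-bearing request to an
    exfiltration host, or None if the request does not qualify."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    channel = EXFIL_HOSTS.get(host)
    if channel is None:
        return None
    if method.upper() not in ("POST", "PUT"):
        return None  # uploads need a request body; GETs are beacons or lookups
    if bytes_out < min_bytes:
        return None  # small bodies are usually status beacons, not archives
    if channel == "telegram-bot-api":
        m = TELEGRAM_BOT_PATH.match(u.path)
        if not m:
            return None  # plain Telegram web/client traffic, not a bot upload
        detail = f"method={m.group(1)}"
    elif channel == "webhook.site":
        detail = f"endpoint={u.path}"  # the per-actor temporary endpoint ID
    else:
        detail = f"path={u.path}"
    return channel, host, detail


def scan(lines, min_bytes=1024):
    """Run classify() over log lines and return the hits in log order."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src_ip, method, url, _status, bytes_out = rec
        c = classify(method, url, bytes_out, min_bytes)
        if c is not None:
            hits.append(Hit(ts, src_ip, c[0], c[1], c[2], bytes_out))
    return hits


# Constructed sample log. The bot token and endpoint UUID are made up.
SAMPLE_LOG = [
    "2023-05-10T09:12:01Z 10.20.30.40 POST https://api.telegram.org/bot123456789:AAHdqTcvCH1vGWJxfSeofSAs0K5PALDsaw1/sendDocument 200 418203",
    "2023-05-10T09:15:44Z 10.20.30.40 POST https://webhook.site/3f1c2a9e-7b44-4d0a-9c1e-0b2a7d8e5f61 200 262144",
    "2023-05-10T09:20:03Z 10.20.30.41 GET https://api.telegram.org/bot123456789:AAHdqTcvCH1vGWJxfSeofSAs0K5PALDsaw1/getMe 200 0",
    "2023-05-10T09:21:17Z 10.20.30.42 POST https://content.dropboxapi.com/2/files/upload 200 1048576",
    "2023-05-10T09:22:00Z 10.20.30.43 POST https://www.example.com/login 302 512",
    "2023-05-10T09:23:05Z 10.20.30.44 POST https://webhook.site/3f1c2a9e-7b44-4d0a-9c1e-0b2a7d8e5f61 200 300",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h.ts} {h.src_ip} -> {h.channel} ({h.host}) {h.detail} bytes_out={h.bytes_out}")
```

With the default threshold the sample yields three hits (the Telegram sendDocument upload, the large webhook.site POST and the Dropbox upload); the 300-byte webhook.site POST is dropped as a probable beacon, so lower min_bytes if you also want to see the implant checking in. Expect false positives wherever Telegram or Dropbox are legitimately used; the channel label and source IP are there so those can be allow-listed per business unit rather than by disabling the rule. Because the token appears in the URL, a hit on api.telegram.org also hands you the bot token for takedown reporting.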
SkyWatch℠ Alert Legend
GLESEC Information Sharing Protocol
GLESEC Cyber Security Incident Reports follow the U.S. Department of Homeland Security (DHS) Traffic Light Protocol (TLP).
TLP:WHITE - Disclosure is not limited.
TLP:GREEN - Limited disclosure, restricted to the community.
TLP:AMBER - Limited disclosure, restricted to the participant's organization.
TLP:RED - Not for disclosure, restricted/classified; shared only with US DHS.