Dark Pink APT Expands Its Targeting Portfolio


  • ransom-4


Dark Pink APT is believed to originate from Asia-Pacific and has been extensively targeting multiple sectors since 2021.

It primarily targets government educational institutions military NGO developmental entities located in East Asia and recently expanded its operations within Europe.

This group is known to use sophisticated custom tools and multiple kill chains for maintaining access within victim systems and remain undetected while exfiltrating victim data.

Dark Pink continues to rely on ISO archives sent via spear-phishing to gain initial access to victim systems and employs DLL side-loading to launch backdoors such as "TelePowerBot" "KamiKakaBot".

After downloading backdoors It can exfiltrate sensitive information in a ZIP archive to attacker-controlled telegram accounts from compromised victim hosts.

Threat actors use an HTTP protocol called web-hook.site to create a temporary endpoint used for sending sensitive information in the past cloud services such as Dropbox were used for exfiltrating data.

The threat actor also maintains a GitHub account where multiple payloads are hosted and uses TextBin.net for distributing payloads within victim systems

SkyWatchSM Alert Legend

  • small-bell


  • active-threat0-lt-green

    Active Threat

  • malware-lt-green


  • ransome-lt-green


  • warning-green


  • file-green


Glesec Information Sharing Protocol

GLESEC CYBER SECURITY INCIDENT REPORTS are in compliance with the U.S. Department of Homeland Security (DHS) Traffic-Light Protocol (TLP).

  • TLP-White

    Disclosure is Not Limited.

  • TLP-Green

    Limited Disclosure, Restricted Only to the Community.

  • TLP-Amber

    Limited Disclosure, restricted to the Participant's Organization.

  • TLP-Red

    Not for Disclosure, Restricted/ Classified - Only Shared with US DHS.

Discover Glesec.

Authority. Consistency.

Sign-up today for SkywatchSM Alerts.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.