
Sophisticated ‘Dark Pink’ APT Targets Government, Military Organizations

Cybersecurity firm Group-IB is raising the alarm on a newly identified advanced persistent threat (APT) actor targeting government and military organizations in Asia and Europe.

Referred to as Dark Pink, the threat actor was seen launching seven successful attacks against high-profile targets since June 2022, but it appears to have been active since at least mid-2021, based on the activity associated with a GitHub account.

Between June and December 2022, Dark Pink successfully breached military and government agencies, a religious organization, and a non-profit organization. The targets were located in Bosnia and Herzegovina, Cambodia, Indonesia, Malaysia, the Philippines, and Vietnam.

During the same period, the hacking group also launched a cyberattack against a European state development agency based in Vietnam.

The tactics, techniques, and procedures (TTPs) used by the threat actor are “rarely utilized by previously known APT groups,” Group-IB says, pointing to malware execution triggered through a file type association (the payload runs when a file of a registered extension is opened) in addition to DLL sideloading.

Dark Pink uses PowerShell scripts and custom information stealers (Cucky and Ctealer) and trojans (KamiKakaBot and TelePowerBot), can infect USB drives connected to the victim’s machine, and relies on the Telegram API for communication with the infected devices.

“Dark Pink APT’s primary goals are to conduct corporate espionage, steal documents, capture the sound from the microphones of infected devices, and exfiltrate data from messengers,” Group-IB notes.

The hacking group uses job application-themed spear-phishing emails containing a shortened link, luring victims into downloading a malicious ISO image. The APT appears to be scanning online job vacancy portals for relevant information to include in the tailored emails sent to victims.

The malicious ISO images appear tailored for each victim and contain a signed executable, a decoy document, and a malicious DLL file. The executable poses as a Word document containing the applicant’s resume, but its real purpose is to load the malicious DLL that sits beside it (DLL sideloading). ISO images are a popular delivery container for this kind of lure because, until Microsoft changed the behavior in late 2022, files inside a mounted ISO did not inherit the Mark of the Web, so SmartScreen and Office Protected View were not triggered.

Group-IB identified three different execution chains employed by Dark Pink, where the malicious DLL is sideloaded to execute TelePowerBot or KamiKakaBot – along with the Ctealer or Cucky information stealers – and to ensure persistence.

Following the initial compromise, Dark Pink proceeds to harvest information (system data, browser data, installed applications, and connected USB drives and network shares) and to move laterally on the network.

The attackers also register a new WMI event subscription that fires when a removable drive is connected, so that a malware dropper is copied onto any USB drive the victim plugs into the system. The necessary files are fetched from the threat actors’ GitHub account, and LNK files named the same as the user’s folders are placed on the USB drive, so that what looks like opening a folder actually runs the dropper.

The data harvested by Dark Pink’s malware is exfiltrated in ZIP archives to the attackers’ Telegram bot or via Dropbox.
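The two TTPs just described, WMI-triggered USB infection and exfiltration to a Telegram bot or Dropbox, both leave footprints that Sysmon records: permanent WMI subscriptions appear as Sysmon event IDs 19 (filter), 20 (consumer) and 21 (filter-to-consumer binding), and DNS lookups as event ID 22. The following Python hunt is an added example for this article, not code from Group-IB or from the Dark Pink toolset. The sample events, the filter/consumer names, the exact WQL query text (removable media is modelled as `Win32_LogicalDisk` with `DriveType = 2`), the command lines and file paths are all constructed for the example; the domains and the browser allow-list are assumptions that a defender would tune to their own environment.

```python
"""Hunt Sysmon-style events for Dark Pink-like USB persistence and exfil beacons.

Added example: not the actor's code, not Group-IB's detection content.
Sample input below is constructed; only the Sysmon event IDs and field
names (19/20/21 for WMI, 22 for DNS queries) follow Sysmon's schema.
"""
import re

# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # Benign WMI subscription that ships with Windows.
    {"EventID": 19, "Name": "SCM Event Log Filter",
     "Query": "select * from MSFT_SCMEventLogEvent"},
    {"EventID": 20, "Name": "SCM Event Log Consumer", "Type": "Other"},
    {"EventID": 21, "Filter": '__EventFilter.Name="SCM Event Log Filter"',
     "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"'},
    # Suspicious: fires when a removable disk appears (DriveType=2, assumed
    # query shape) and runs a hidden PowerShell command line.
    {"EventID": 19, "Name": "UsbWatcher",
     "Query": "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE "
              "TargetInstance ISA 'Win32_LogicalDisk' AND "
              "TargetInstance.DriveType = 2"},
    {"EventID": 20, "Name": "UsbRunner", "Type": "Command Line",
     "Destination": "powershell.exe -w hidden -ep bypass "
                    "-File C:\\ProgramData\\u.ps1"},
    {"EventID": 21, "Filter": '__EventFilter.Name="UsbWatcher"',
     "Consumer": 'CommandLineEventConsumer.Name="UsbRunner"'},
    # DNS: a browser resolving Telegram is normal; PowerShell doing it is not.
    {"EventID": 22, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "QueryName": "api.telegram.org"},
    {"EventID": 22, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\"
                             "powershell.exe",
     "QueryName": "api.telegram.org"},
    {"EventID": 22, "Image": "C:\\Windows\\Temp\\svc.exe",
     "QueryName": "content.dropboxapi.com"},
]

# Filter queries that react to removable media being attached.
REMOVABLE_MEDIA = re.compile(r"Win32_VolumeChangeEvent|DriveType\s*=\s*2", re.I)
# Consumers that hand control to a script host or LOLBin.
SCRIPT_CONSUMER = re.compile(r"powershell|cmd\.exe|wscript|cscript|mshta|rundll32", re.I)
# Exfil/C2 services named in the article; match the domain or any subdomain.
EXFIL_DOMAINS = ("api.telegram.org", "dropboxapi.com", "dropbox.com")
# Processes for which contact with those services is expected (assumed list).
BROWSERS = ("chrome.exe", "firefox.exe", "msedge.exe", "telegram.exe")
NAME_RE = re.compile(r'Name="([^"]+)"')


def _wmi_name(ref):
    """Extract the object name from a WMI path such as __EventFilter.Name="X"."""
    m = NAME_RE.search(ref)
    return m.group(1) if m else ref


def hunt_wmi_usb_persistence(events):
    """Return bindings that tie a removable-media filter to a script consumer."""
    filters = {e["Name"]: e.get("Query", "") for e in events if e["EventID"] == 19}
    consumers = {e["Name"]: e for e in events if e["EventID"] == 20}
    findings = []
    for e in events:
        if e["EventID"] != 21:
            continue
        f_name = _wmi_name(e["Filter"])
        c_name = _wmi_name(e["Consumer"])
        query = filters.get(f_name, "")
        cmd = consumers.get(c_name, {}).get("Destination", "")
        # Only the combination is interesting: USB trigger AND script execution.
        if REMOVABLE_MEDIA.search(query) and SCRIPT_CONSUMER.search(cmd):
            findings.append({"rule": "wmi_usb_dropper", "filter": f_name,
                             "consumer": c_name, "command": cmd})
    return findings


def hunt_exfil_dns(events):
    """Return DNS lookups of exfil services made by non-browser processes."""
    findings = []
    for e in events:
        if e["EventID"] != 22:
            continue
        q = e["QueryName"].lower()
        if not any(q == d or q.endswith("." + d) for d in EXFIL_DOMAINS):
            continue
        image = e["Image"].rsplit("\\", 1)[-1].lower()
        if image in BROWSERS:
            continue  # expected source, suppress
        findings.append({"rule": "exfil_dns_from_unexpected_process",
                         "image": e["Image"], "query": e["QueryName"]})
    return findings


if __name__ == "__main__":
    for finding in hunt_wmi_usb_persistence(SAMPLE_EVENTS) + hunt_exfil_dns(SAMPLE_EVENTS):
        print(finding)
```

The WMI rule deliberately alerts only on the binding (event 21), because a removable-media filter or a command-line consumer on its own is noisy; the join is what distinguishes a USB dropper from legitimate management tooling. On a live host the same logic can be fed from `Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational`, or the subscriptions can be enumerated directly from `root\subscription` with `Get-CimInstance`.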

The APT also leverages several techniques to bypass User Account Control (UAC) and to modify Windows Defender settings, and was seen using the publicly available PowerSploit module Get-MicrophoneAudio to record microphone audio on infected devices.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.