Skip to main content

New APT Group 'Dark Pink' Discovered Targeting Military Branches and Government Agencies in APAC and Europe


A new APT group, known as Dark Pink, has been discovered by cybersecurity firm Group-IB. The group, which has been active since mid-2021, has been found to be targeting military branches, government ministries, and agencies in the APAC region, as well as one organization in Europe. As of December 2022, Dark Pink had successfully breached the defenses of six organizations in five APAC countries (Cambodia, Indonesia, Malaysia, Philippines, and Vietnam), and one organization in Europe (Bosnia and Herzegovina).

Dark Pink uses a variety of custom tools and sophisticated tactics, techniques, and procedures (TTPs) to launch its attacks. The group begins with targeted spear-phishing emails, using a shortened URL to direct victims to a file sharing site where they can download a malicious ISO file. This file contains three different file types: a signed executable file, a non-malicious decoy document, and a malicious DLL file. However, the contents and functionality of these files can vary, with Group-IB analysts discovering three separate kill chains used by the group.

The first kill chain sees the threat actors pack all the files, including a malicious DLL, onto the ISO itself. After the ISO is mounted, the DLL will be run using the attack known as DLL Side-Loading. The second kill chain sees the threat actors leverage Github after initial access, allowing them to download additional malicious files. The third kill chain involves the use of a malicious DLL file that is launched using the DLL Hijacking technique.

Group-IB's Threat Intelligence Team also discovered that the group uses the same Github account to upload malicious files throughout the entire duration of the APT campaign, which suggests that the group has been able to operate without detection for a significant period of time. The group has also been found to scan job boards and craft unique phishing emails relevant to the organization they are targeting.

The Dark Pink APT group is notable for its specific focus on attacking military branches, government ministries, and agencies. Group-IB has been unable to attribute the group's campaign to any known threat actor and believes that it is the activity of an entirely new group, which has also been termed Saaiwc Group by Chinese cybersecurity researchers. With their custom tools and sophisticated tactics, the Dark Pink APT group poses a significant threat to organizations in the APAC region and Europe.


Popular posts from this blog

Unleashing Chaos: Craxs Rat Update V5 Introduces Terrifying New Features

The notorious Craxs Rat malware has recently unleashed its latest version, Update V5, introducing a range of new features and enhancements. This update further strengthens the capabilities of Craxs Rat, posing an increased threat to individuals and organizations alike. In this article, we delve into the details of the updated features of Craxs Rat V5, shedding light on its improved functionality and potential impact on cybersecurity.

Prilex: The Most Advanced PoS Malware with the Ability to Block Contactless Payments

Prilex is a highly advanced malware that has evolved from ATM-focused malware into a unique modular PoS malware, known to be the most advanced PoS threat seen so far. It has a unique cryptographic scheme, performs real-time patching in target software, forces protocol downgrades, manipulates cryptograms, performs GHOST transactions and performs credit card fraud. Recently, three new versions of Prilex have been discovered with the ability to block contactless payment transactions, which have become popular due to the pandemic. These new versions block NFC-based transactions and force victims to use their physical card by inserting it into the PIN pad reader, which allows the malware to capture the data coming from the transaction.

BlackLotus UEFI Bootkit: A New Threat to Windows Security

In March 2023, security researchers from ESET announced the discovery of a new UEFI bootkit called BlackLotus . This bootkit is capable of bypassing UEFI Secure Boot, a security feature that is designed to prevent malware from infecting a computer's firmware. Once BlackLotus is installed, it can give an attacker complete control over the computer, including the ability to steal data, install other malware, and disrupt the computer's operation. BlackLotus is a sophisticated piece of malware that is difficult to detect and remove. It is also relatively new, so there is limited information about how it works. However, ESET researchers have been able to learn a lot about BlackLotus, and they have published a detailed analysis of the malware.