‘Dark Pink’ hackers target state and military organizations in Asia, Europe

A new hacking group dubbed “Dark Pink” is targeting government, military, religious and non-profit organizations in Asia and Europe with phishing emails, according to new research. 

The group’s core goal, according to a report by Group-IB, is corporate espionage, as hackers have exfiltrated files, microphone audio and messenger data from infected devices.

The group was responsible for at least seven successful attacks between June and December 2022. Its victims include “high-profile targets” in Cambodia, Indonesia, Malaysia, Philippines, Vietnam and Bosnia and Herzegovina, according to researchers. Dark Pink also attempted to attack a European state development agency based in Vietnam but failed.

The researchers have not been able to attribute Dark Pink’s activity to any known hacking group — it uses "custom tools and some rarely seen tactics and techniques," the report said.

Dark Pink is particularly focused on military and government agencies in Asia and Europe. It ramped up its attacks late last year, targeting the Philippine military in September, a Malaysian military branch in October and an Indonesian government agency in early December.

Researchers detected Dark Pink’s first attack in June, when hackers gained access to the network of a religious organization in Vietnam, but researchers believe the group was active as early as mid-2021.

How Dark Pink attacks

In recent attacks, Dark Pink initially sent targets tailored phishing emails, such as posing as a job seeker applying for a PR internship.

These emails contained a shortened URL that linked to free file-sharing websites that hosted malicious files. Before infecting victims' devices, hackers uploaded malicious files to GitHub and then issued commands to the infected computer to download these files.

Dark Pink used the same GitHub for the entire duration of their campaign, suggesting that they operated undetected.

Custom toolkit

One of the main reasons for the success of this group's operation is its arsenal of custom malware and stealers, according to Group-IB.

For example, hackers controlled two of their malware pieces, TelePowerBot and KamiKakaBot, using a Telegram bot. They also used Telegram to exfiltrate data from victims.

The group's custom stealers obtained passwords, history, logins and cookies from dozens of web browsers when they were launched on the victims' devices. 

The threat actors also wrote a script that allowed them to transfer their malware to USB devices connected to compromised machines and spread it across networks.

The techniques make Dark Pink "a highly complex" threat actor that reworks malware "to ensure maximum effectiveness" and is good at evading detection, according to Andrey Polovinkin, a malware analyst at Group-IB.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Daryna Antoniuk

Daryna Antoniuk is a freelance reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.