Dark Pink, also known as Saaiwc Group, is a Chinese-aligned cyberespionage group that has been particularly active since mid-2022. The threat actor has conducted spear-phishing campaigns against government, military, and non-profit organizations in Southeast Asia and parts of Europe, using techniques such as DLL side-loading to load malware onto targeted machines. Dark Pink has also been observed moving laterally via USB devices, infecting removable media attached to compromised computers. The group's activities highlight the significant risk that spear-phishing campaigns pose to organizations.
The Dark Pink APT group has been linked to numerous attacks in which it abuses legitimate tools, notably MSBuild.exe, to run the KamiKakaBot malware on victims' devices. This malware, delivered via phishing emails, aims to steal credentials, browsing history, and cookies from browsers such as Chrome, Edge, and Firefox. Notably, Dark Pink was among multiple APT groups observed exploiting the CVE-2023-38831 vulnerability. The group's campaign underscores the importance of continuous training for personnel on recognizing spear-phishing emails.
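Because the profile above describes MSBuild.exe being used as a loader for KamiKakaBot, a defender's first question is how to spot that abuse in endpoint telemetry. The following is an added detection example, not code from Group-IB or any vendor report on Dark Pink. It assumes process-creation records with Sysmon-style `Image`, `ParentImage` and `CommandLine` fields; the log lines, the list of suspicious parent processes, and the user-writable path patterns are all constructed assumptions that should be tuned to the environment being monitored.

```python
"""Flag MSBuild.exe launches that look like living-off-the-land loader abuse.

Constructed example: the record format is a simple 'Key=Value|Key=Value'
line modelled on Sysmon Event ID 1 fields, not a real log export.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    command_line: str   # command line of the created process


# Assumed: parents that should not normally launch a build tool.
SUSPICIOUS_PARENTS = {
    "winword.exe", "excel.exe", "outlook.exe", "explorer.exe",
    "wscript.exe", "cscript.exe", "mshta.exe",
}

# Assumed: directories a low-privileged user (or a phishing payload) can write to.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop)|Users\\Public|Windows\\Temp|ProgramData)\\",
    re.IGNORECASE,
)

# Extensions a developer's MSBuild invocation would ordinarily reference.
PROJECT_EXTS = {".csproj", ".vbproj", ".proj", ".sln", ".targets", ".props"}


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed 'Key=Value|...' record into a ProcessEvent."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return ProcessEvent(fields["Image"], fields["ParentImage"], fields["CommandLine"])


def extract_project_arg(command_line: str):
    """Return the first non-switch argument after the executable, if any."""
    tokens = re.findall(r'"[^"]+"|\S+', command_line)
    for tok in tokens[1:]:
        tok = tok.strip('"')
        if tok.startswith(("/", "-")):
            continue  # MSBuild switch such as /nologo or /p:...
        return tok
    return None


def analyze(event: ProcessEvent) -> list:
    """Return a list of human-readable findings; empty means nothing unusual."""
    findings = []
    if ntpath.basename(event.image).lower() != "msbuild.exe":
        return findings

    parent = ntpath.basename(event.parent_image).lower()
    if parent in SUSPICIOUS_PARENTS:
        findings.append(f"msbuild spawned by {parent}")

    project = extract_project_arg(event.command_line)
    if project:
        if USER_WRITABLE.search(project):
            findings.append("project file in user-writable path")
        ext = ntpath.splitext(project)[1].lower()
        if ext not in PROJECT_EXTS:
            findings.append(f"unusual project extension {ext or '(none)'}")
    return findings


# Constructed sample telemetry: one phishing-style chain, one developer build,
# one unrelated process, and one launch from a user's file browser.
SAMPLE_LOG = [
    r"Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    r"|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    r"|CommandLine=MSBuild.exe /nologo C:\Users\alice\AppData\Local\Temp\update.xml",
    r"Image=C:\Program Files\Microsoft Visual Studio\2022\MSBuild\Current\Bin\MSBuild.exe"
    r"|ParentImage=C:\Program Files\Microsoft Visual Studio\2022\Common7\IDE\devenv.exe"
    r'|CommandLine="C:\Program Files\Microsoft Visual Studio\2022\MSBuild\Current\Bin\MSBuild.exe" C:\src\app\app.csproj /p:Configuration=Release',
    r"Image=C:\Windows\System32\notepad.exe"
    r"|ParentImage=C:\Windows\explorer.exe"
    r"|CommandLine=notepad.exe notes.txt",
    r"Image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
    r"|ParentImage=C:\Windows\explorer.exe"
    r"|CommandLine=MSBuild.exe C:\Users\Public\build.proj",
]


def scan(lines):
    """Analyze every record and return (command_line, findings) pairs that fired."""
    results = []
    for line in lines:
        event = parse_event(line)
        findings = analyze(event)
        if findings:
            results.append((event.command_line, findings))
    return results


if __name__ == "__main__":
    for command_line, findings in scan(SAMPLE_LOG):
        print(command_line)
        for finding in findings:
            print("   ->", finding)
```

The rules are deliberately cheap to evaluate on a SIEM: a build tool started by an Office application or a file browser, a project file sitting in a temp or profile directory, and a project file whose extension is not one a developer would use each merit a closer look, and any two together are a strong signal. Developer workstations will need an allow-list of known build parents and source directories to keep the false-positive rate acceptable.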
Group-IB, a cybersecurity firm, first profiled Dark Pink earlier this year, detailing its use of custom tools such as TelePowerBot and KamiKakaBot to run arbitrary commands and exfiltrate data. More recently, Dark Pink has been linked to new attacks targeting government and military entities in Southeast Asian countries with the KamiKakaBot malware. The ongoing activity underscores the persistent nature of this threat and the evolving tactics, techniques, and procedures (TTPs) the group employs.
Description last updated: 2024-05-04T18:49:56.642Z