Kamikakabot

Malware Profile Updated 3 months ago
KamiKakaBot is an information-stealing malware that extracts sensitive data from popular browsers such as Chrome, MS Edge, and Firefox. Researchers attribute it to the Dark Pink APT group, which deploys it primarily against targets in the Asia-Pacific region. The malware reaches systems through suspicious downloads, emails, or websites, usually without the user noticing. Once inside, it can disrupt operations, steal personal data, or hold the user's data hostage for ransom. Researchers have noted that the malware executes through a DLL side-loading technique and uses the messaging platform Telegram for command and control.

The malware relies on a range of infiltration and lateral-movement techniques, including email attachments and HTTP/S transfers. Specific instances include KamiKakaBot being sent as a ZIP attachment in emails (#8701 and #8700) and transferred over HTTP/S (#8699 and #8698). These methods let the malware get past initial defenses and then move laterally within networks, increasing its reach and potential damage.

Researchers have also observed KamiKakaBot delivered via phishing emails carrying a malicious ISO file as an attachment, adding another layer to its distribution methods. When the user opens a file named WinWord.exe inside the ISO, the KamiKakaBot loader (MSVCR100.dll), located in the same folder, is side-loaded into the memory of the WinWord.exe process and executed there. Because the malicious code runs inside a trusted, signed Office process, it can operate undetected, gathering sensitive information without alerting the user or triggering standard security controls.

SafeBreach has provided coverage of the KamiKakaBot information stealer, contributing to the broader understanding of this threat and helping organizations develop effective countermeasures.
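The side-loading pattern described above (WinWord.exe started from a mounted ISO, with MSVCR100.dll sitting beside it) leaves a recognisable trace in image-load telemetry. The following is an added detection example, not code from the profile or from any vendor named on this page: it scores constructed Sysmon Event ID 7-style records (fields Image, ImageLoaded, Signed) and flags loads of msvcr100.dll into winword.exe that come from outside the directories where a genuine runtime or Office binary is expected. The list of trusted roots and the sample events are assumptions made for the example.

```python
"""Flag DLL side-loading indicators of the kind described for KamiKakaBot:
WinWord.exe loading MSVCR100.dll from a directory it should not come from."""
from pathlib import PureWindowsPath

# Directories from which a genuine MSVCR100.dll or WinWord.exe is expected.
# This list is an assumption for the example, not a vendor-published baseline;
# tune it to the actual install layout in your environment.
TRUSTED_ROOTS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
    r"c:\program files\microsoft office",
    r"c:\program files (x86)\microsoft office",
)


def _under_trusted_root(path: str) -> bool:
    """True if the given directory lies under one of the trusted roots."""
    normalised = str(PureWindowsPath(path)).lower()
    return any(normalised.startswith(root) for root in TRUSTED_ROOTS)


def score_image_load(event: dict) -> list:
    """Return the reasons an image-load event matches the side-load pattern.

    `event` mirrors a Sysmon Event ID 7 record: Image (loading process),
    ImageLoaded (DLL path) and Signed ('true'/'false').  An empty list means
    the event is not the WinWord.exe + MSVCR100.dll pairing, or looks benign.
    """
    image = PureWindowsPath(event["Image"])
    loaded = PureWindowsPath(event["ImageLoaded"])
    reasons = []
    # Only the specific pairing from the profile is scored here.
    if image.name.lower() != "winword.exe" or loaded.name.lower() != "msvcr100.dll":
        return reasons
    if not _under_trusted_root(str(loaded.parent)):
        reasons.append("msvcr100.dll loaded from an untrusted directory")
    # PureWindowsPath compares case-insensitively, as Windows does.
    if image.parent == loaded.parent:
        reasons.append("DLL is co-located with WinWord.exe (side-load layout)")
    if not _under_trusted_root(str(image.parent)):
        reasons.append("WinWord.exe is running outside its install directory")
    if str(event.get("Signed", "")).lower() != "true":
        reasons.append("loaded DLL is not signed")
    return reasons


def triage(events: list) -> list:
    """Return (process path, reasons) for every event that scored at least one reason."""
    hits = []
    for event in events:
        reasons = score_image_load(event)
        if reasons:
            hits.append((event["Image"], reasons))
    return hits


# Constructed sample telemetry: the first record imitates WinWord.exe launched
# from a mounted ISO (drive D:) with the loader DLL beside it; the others are
# benign loads from a normal Office installation.
SAMPLE_EVENTS = [
    {"Image": r"D:\Invoice\WinWord.exe",
     "ImageLoaded": r"D:\Invoice\MSVCR100.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ImageLoaded": r"C:\Windows\System32\msvcr100.dll", "Signed": "true"},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ImageLoaded": r"C:\Program Files\Microsoft Office\root\Office16\mso.dll",
     "Signed": "true"},
]

if __name__ == "__main__":
    for process, reasons in triage(SAMPLE_EVENTS):
        print(process)
        for reason in reasons:
            print("  -", reason)
```

Running it prints only the first record, with all four reasons. The co-location check is deliberately kept separate from the trusted-root check: a legitimate VC runtime in a user-writable folder next to an Office binary is itself a sign of tampering, regardless of where that folder is.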
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Firefox
Loader
Phishing
Chrome
Apt
Windows
Encryption
Infiltration
Lateral_move...
Telegram
Payload
Trojan
Associated Malware
No associations to display
Associated Threat Actors
ID | Type | Votes | Profile Description
Dark Pink | Unspecified | 4 | Dark Pink, also known as Saaiwc Group, is a Chinese-aligned cyberespionage entity that has been particularly active since mid-2022. The threat actor has conducted spearphishing campaigns against government, military, and non-profit organizations in Southeast Asia and parts of Europe, using sophistic
Saaiwc | Unspecified | 1 | None
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Kamikakabot malware was read from the documents in the corpus below. This display is limited to 20 results.
Source | Created | Title
Checkpoint | 4 months ago | 25th March – Threat Intelligence Report - Check Point Research
CERT-EU | a year ago | Hacker's Playbook Threat Coverage Roundup: March 28, 2023
CERT-EU | a year ago | KamiKakaBot Malware Used in Latest Dark Pink APT Attacks on Southeast Asian Targets - GIXtools
BankInfoSecurity | a year ago | Dark Pink APT Group 'Very Likely' Back in Action
CSO Online | a year ago | Dark Pink APT group linked to new KamiKakaBot attacks in Southeast Asia
InfoSecurity-magazine | a year ago | Dark Pink APT Group Deploys KamiKakaBot Against South Asian Entities