TLP-GREEN
Dark Pink APT is believed to originate from the Asia-Pacific region and has been extensively targeting multiple sectors since 2021.
It primarily targets government, educational, military, NGO, and developmental entities located in East Asia and has recently expanded its operations into Europe.
The group is known to use sophisticated custom tools and multiple kill chains to maintain access within victim systems and remain undetected while exfiltrating victim data.
Dark Pink continues to rely on ISO archives sent via spear-phishing to gain initial access to victim systems and employs DLL side-loading to launch backdoors such as "TelePowerBot" and "KamiKakaBot".
Once the backdoors are downloaded, it can exfiltrate sensitive information from compromised victim hosts as a ZIP archive to attacker-controlled Telegram accounts.
The threat actors use webhook.site, an HTTP endpoint service, to create a temporary endpoint for sending sensitive information; in the past, cloud services such as Dropbox were used for exfiltrating data.
The threat actor also maintains a GitHub account where multiple payloads are hosted and uses TextBin.net to distribute payloads within victim systems.
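The exfiltration and staging channels named above (webhook.site, Telegram, TextBin.net, Dropbox, GitHub) are all ordinary HTTPS destinations, so a proxy or egress log is the natural place to look for them. The script below is an added detection example written for this alert; it is not part of the Glesec alert and not a Dark Pink tool. The log line format, the hostnames api.telegram.org, raw.githubusercontent.com and dropbox.com, the UUID-style webhook path, and the bot token in the sample lines are all assumptions or constructed placeholders; only webhook.site and textbin.net are taken from the alert text.

```python
# Added example (not from the Glesec alert): flag outbound requests to the
# exfiltration / payload-staging channels the alert names, and rate uploads
# (POST/PUT) higher than downloads, since the alert describes ZIP exfil.
import re
from urllib.parse import urlsplit

# Watched domains mapped to a tag. webhook.site and textbin.net come from the
# alert; api.telegram.org (Telegram Bot API), raw.githubusercontent.com and
# dropbox.com are assumed hostnames for the services the alert mentions.
WATCHED_HOSTS = {
    "webhook.site": "temporary-endpoint-exfil",
    "api.telegram.org": "telegram-exfil",
    "textbin.net": "payload-staging",
    "raw.githubusercontent.com": "payload-staging",
    "dropbox.com": "cloud-exfil",
}

# Assumed proxy log shape: "<timestamp> <client_ip> <method> <url> <status> <bytes>"
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) (\S+) (\d{3}) (\d+)$")


def match_host(host):
    """Return the tag for an exact watched host or any subdomain of one, else None."""
    host = host.lower()
    for watched, tag in WATCHED_HOSTS.items():
        if host == watched or host.endswith("." + watched):
            return tag
    return None


def scan_proxy_log(lines, upload_threshold=100_000):
    """Return one finding dict per log line that touches a watched host.

    Severity: uploads at or above upload_threshold bytes are 'high', smaller
    uploads 'medium', and downloads (GET, e.g. payload retrieval) 'low'.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, client, method, url, status, nbytes = m.groups()
        host = urlsplit(url).hostname or ""
        tag = match_host(host)
        if tag is None:
            continue
        if method in ("POST", "PUT"):
            severity = "high" if int(nbytes) >= upload_threshold else "medium"
        else:
            severity = "low"
        findings.append({
            "timestamp": ts,
            "client": client,
            "host": host,
            "method": method,
            "bytes": int(nbytes),
            "tag": tag,
            "severity": severity,
        })
    return findings


# Constructed sample log lines; the UUID path and "botTOKEN" are placeholders.
SAMPLE_LOG = [
    "2023-06-01T10:00:01Z 10.0.0.5 GET https://www.example.com/ 200 1200",
    "2023-06-01T10:02:13Z 10.0.0.5 GET https://textbin.net/raw/abc123 200 5400",
    "2023-06-01T10:05:40Z 10.0.0.5 POST https://webhook.site/00000000-0000-0000-0000-000000000000 200 850000",
    "2023-06-01T10:07:02Z 10.0.0.5 POST https://api.telegram.org/botTOKEN/sendDocument 200 2400000",
    "2023-06-01T10:09:55Z 10.0.0.7 GET https://www.dropbox.com/s/xyz/report.zip?dl=1 200 31000",
]

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['tag']:26} {f['client']} {f['method']} {f['host']} ({f['bytes']} bytes)")
```

In practice the watch list would be fed from the organisation's threat-intel platform rather than hard-coded, and the GitHub and Dropbox entries will be noisy in most environments; the severity split (uploads high, downloads low) is what keeps those benign downloads from drowning out a large POST to a throwaway webhook endpoint.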
Glesec Information Sharing Protocol
GLESEC CYBER SECURITY INCIDENT REPORTS are in compliance with the U.S. Department of Homeland Security (DHS) Traffic-Light Protocol (TLP).
TLP-White: Disclosure is not limited.
TLP-Green: Limited disclosure, restricted only to the community.
TLP-Amber: Limited disclosure, restricted to the participant's organization.
TLP-Red: Not for disclosure, restricted/classified, only shared with US DHS.