A new advanced threat actor known as Dark Pink, also referred to as Saaiwc Group, has been found to be targeting government agencies and military bodies in multiple countries in the APAC region using custom malware to steal confidential information.

According to a report by Group-IB, Dark Pink uses uncommon tactics, techniques, and procedures, and its goal is to steal information from browsers, gain access to messengers, exfiltrate documents, and capture audio from the infected device's microphone.


They typically use spear-phishing emails disguised as job applications to trick victims into downloading a malicious ISO image file, which then deploys one of the group's custom information stealers, such as Ctealer or Cucky, which attempt to extract passwords, browsing history, and other information from a variety of web browsers.

They also use registry implants, TelePowerBot and KamiKakaBot, to execute commands and steal information, and have been observed to record audio through the microphone and steal communications from messengers such as Viber, Telegram, and Zalo.