Cybersecurity services company Group-IB Global Pvt. Ltd. today published a report on a new advanced persistent threat campaign targeting countries in Southeast Asia and Eastern Europe for apparent espionage purposes.

Dubbed “Dark Pink,” the APT is believed to be a new threat actor. Dark Pink has been found to be targeting military bodies, government ministries and agencies, and religious and nonprofit organizations in Cambodia, Indonesia, Malaysia, Philippines, Vietnam and Bosnia and Herzegovina.

Group-IB’s Threat Intelligence researchers have linked seven successful attacks to the group, along with one unsuccessful attack on a European state development body based in Vietnam.

Dark Pink is using spear-phishing emails to target victims for corporate espionage with an almost-entirely custom toolkit. The group’s tools attempt to exfiltrate files, microphone audio and messenger data from infected devices and networks.

To date, the researchers have been unable to attribute this campaign, which leverages custom tools and some rarely-seen tactics and techniques, to any known threat actor. As a result, Group-IB believes that Dark Pink’s campaign in the second half of 2022 is the activity of an entirely new group, which has also been termed Saaiwc Group by Chinese cybersecurity researchers.

While the Group-IB researchers have been unable to attribute the campaign, the signs point to a state-sponsored actor, given the targets include branches of the military, government ministries and related agencies. Successful Dark Pink attacks include a branch of the Philippines military in September, a Malaysian military branch in October and government organizations in Bosnia and Herzegovina and Cambodia.

Along with a custom toolkit, Dark Pink was found to be issuing commands to infected computers to download malicious files from GitHub. The researchers note that surprisingly, the threat actors have been using the same GitHub account for the entire duration of their campaign, which is seen as a sign that they have been able to operate without detection for a significant period of time.

The group’s spear-phishing campaign, however, is nothing new: fake job applications. The researchers found that the group posed as a job seeker applying for a position as a public relations and communications intern, mentioning that they found the vacancy on a jobseeker site. The spear-phishing emails contain a link to a site that prompts the victim to download a malicious DLL file.

Group-IB has gone public with the details in line with its zero-tolerance policy for cybercrime, which includes proactive notifications to all potential and confirmed targets of Dark Pink. Group-IB researchers are continuing to uncover and analyze all the details behind this particular APT campaign.

Image: Rawpixel