Dark Pink APT Group (Saaiwc) is a Southeast Asia–focused cyber-espionage actor noted for stealthy campaigns, custom malware, and targeted operations across government, military, and educational sectors. The group relies on spear-phishing, bespoke tools such as TelePowerBot and KamiKakaBot, tooling staged on GitHub, and exfiltration via Telegram and HTTP webhook sites. Hashtags: #DarkPink #Saaiwc #KamiKakaBot #TelePowerBot #CVE-2017-0199 #OceanLotus #APT-C-35 #GitHub
Keypoints
- Dark Pink APT Group (Saaiwc) is a sophisticated cyber-espionage actor active since 2021, with potential links to OceanLotus and operations in Southeast Asia.
- The primary initial access method is spear-phishing emails delivering an ISO containing a decoy document, a signed executable, and a malicious DLL.
- Custom malware tools TelePowerBot and KamiKakaBot are used for data exfiltration; KamiKakaBot can be controlled via a Telegram bot for device control and information harvesting.
- CVE-2017-0199 (Microsoft Office Remote Code Execution) is frequently exploited by Dark Pink, with overlaps to APT-C-35.
- The group uses GitHub to host PowerShell scripts, ZIP archives, and custom malware, which supports follow-on installation on victim machines.
- Data exfiltration methods include Telegram-based C2 and HTTP exfiltration via webhook.site, with TelePowerBot persistence via an Excel add-in.
MITRE Techniques
- [T1566] Phishing – Initial access via spear-phishing emails delivering an ISO with decoy document, signed executable, and malicious DLL. Quote: ‘The primary method of intrusion used by Dark Pink is spear-phishing e-mails.’
- [T1566.001] Phishing: Spearphishing Attachment – ISO file transmitted in phishing attacks. Quote: ‘This ISO file always contains the following files: A decoy document, A signed executable file, A malicious DLL file.’
- [T1059] Command and Scripting Interpreter – Execution via command/script interpreters used by the group. Quote: ‘Command and Scripting Interpreter’
- [T1059.001] PowerShell – Use of PowerShell for executing commands. Quote: ‘PowerShell’
- [T1047] Windows Management Instrumentation – Use of WMI for execution/persistence. Quote: ‘Windows Management Instrumentation’
- [T1569] System Services – Abuse or manipulation of system services for execution. Quote: ‘System Services’
- [T1569.002] System Services: Service Execution – Service-based execution as part of persistence or privilege escalation.
- [T1053] Scheduled Task/Job – Use of scheduled tasks or jobs for persistence. Quote: ‘Scheduled Task/Job’
- [T1547] Boot or Logon Autostart Execution – Autostart mechanisms to maintain presence. Quote: ‘Boot or Logon Autostart Execution’
- [T1548] Abuse Elevation Control Mechanism – Elevation control abuses (e.g., UAC bypass). Quote: ‘Abuse Elevation Control Mechanism’
- [T1548.002] Abuse Elevation Control Mechanism: Bypass User Account Control – Bypass UAC. Quote: ‘Bypass User Account Control’
- [T1036] Masquerading – Masquerading to look legitimate. Quote: ‘Masquerading’
- [T1027] Obfuscated Files or Information – Obfuscation/packing techniques. Quote: ‘Obfuscated Files or Information’
- [T1027.002] Obfuscated Files or Information: Software Packing – Software packing/packing obfuscation. Quote: ‘Software Packing’
- [T1497] Virtualization/Sandbox Evasion – Evasion against sandbox/virtual environments. Quote: ‘Virtualization/Sandbox Evasion’
- [T1140] Deobfuscate/Decode Files or Information – Deobfuscation/decoding steps. Quote: ‘Deobfuscate/Decode Files or Information’
- [T1127] Trusted Developer Utilities Proxy Execution – Use of legitimate utilities for proxy execution. Quote: ‘Trusted Developer Utilities Proxy Execution’
- [T1574] Hijack Execution Flow – DLL side-loading to hijack execution. Quote: ‘Hijack Execution Flow’ and ‘DLL Side-Loading’
- [T1574.002] Hijack Execution Flow: DLL Side-Loading – DLL side-loading technique. Quote: ‘DLL Side-Loading’
- [T1555] Credentials from Password Stores – Access credentials from password stores.
- [T1012] Query Registry – Registry queries for discovery/persistence. Quote: ‘Query Registry’
- [T1083] File and Directory Discovery – Discovery of files/directories. Quote: ‘File and Directory Discovery’
- [T1082] System Information Discovery – Gather system information. Quote: ‘System Information Discovery’
- [T1123] Audio Capture – Capture audio on the host. Quote: ‘Audio Capture’
- [T1113] Screen Capture – Capture screenshots. Quote: ‘Screen Capture’
- [T1132] Data Encoding – Encode data for exfiltration. Quote: ‘Data Encoding’
- [T1102] Web Service – Use of web services for C2/communication. Quote: ‘Web Service’
Indicators of Compromise
- [Email Address] Exfiltration accounts – blackpink.301@outlook[.]com, blackred.113@outlook[.]com
- [Domain] Exfiltration domain – webhook.site
- [Domain] Code hosting domain – github.com
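As an added illustration (not part of the SOCRadar profile and not the actor's tooling), a small Python triage routine over constructed Sysmon-style events that flags the two behaviours described above: an unsigned DLL loaded from the host executable's own directory (T1574.002 DLL side-loading) and host-level contact with webhook.site or Telegram (T1102). The api.telegram.org host name, the Sysmon field layout and all sample events are assumptions.

```python
import ntpath

# Hosts from the profile's IoCs / C2 description; the Telegram API host is an assumption.
C2_HOSTS = {"webhook.site", "api.telegram.org"}
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def is_sideload(event: dict) -> bool:
    """Sysmon event 7 (Image loaded): an unsigned DLL loaded from the host
    process's own directory, outside the usual system/program directories.
    Event 7's Signed field describes the loaded DLL, not the host process."""
    if event.get("EventID") != 7:
        return False
    image_dir = ntpath.dirname(event["Image"]).lower()
    dll_dir = ntpath.dirname(event["ImageLoaded"]).lower()
    in_system_dir = any(image_dir.startswith(d) for d in SYSTEM_DIRS)
    return image_dir == dll_dir and not in_system_dir and event.get("Signed") == "false"

def is_c2_contact(event: dict) -> bool:
    """Sysmon event 3 (network) or 22 (DNS) to a listed host or a subdomain of it."""
    if event.get("EventID") not in (3, 22):
        return False
    host = (event.get("DestinationHostname") or event.get("QueryName") or "").lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in C2_HOSTS)

def triage(events: list) -> list:
    """Return (technique, process image, artefact) tuples for matching events."""
    findings = []
    for ev in events:
        if is_sideload(ev):
            findings.append(("T1574.002 DLL side-loading", ev["Image"], ev["ImageLoaded"]))
        if is_c2_contact(ev):
            host = ev.get("DestinationHostname") or ev.get("QueryName")
            findings.append(("T1102 webhook.site/Telegram contact", ev["Image"], host))
    return findings

# Constructed sample events; file names and drive letters are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"E:\invoice.exe", "ImageLoaded": r"E:\vendor.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll", "Signed": "true"},
    {"EventID": 22, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "QueryName": "webhook.site"},
    {"EventID": 3, "Image": r"E:\invoice.exe", "DestinationHostname": "api.telegram.org"},
    {"EventID": 3, "Image": r"C:\Program Files\Browser\browser.exe", "DestinationHostname": "example.org"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(*finding)
```

Real deployments would correlate the event 7 hit with the process-creation event's signature status, since the profile notes the side-loading host executable is itself signed.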
Read more: https://socradar.io/apt-profile-dark-pink-apt-group/