September 21, 2023

A new APT campaign targeting countries in Southeast Asia and Eastern Europe, apparently for espionage purposes, has been spotted by researchers.

The APT group, dubbed Dark Pink, is believed to be a new threat actor. Dark Pink has been found to be targeting military bodies, government ministries and agencies, and religious and non-profit organizations in Cambodia, Indonesia, Malaysia, the Philippines, Vietnam, and Bosnia and Herzegovina.

The group uses spear-phishing emails to target victims for corporate espionage with an almost entirely custom toolkit. The group's tools attempt to exfiltrate files, microphone audio and messenger data from infected devices and networks. It leverages custom tools and some rarely seen tactics and techniques that have not been attributed to any known threat actor.

The targets include branches of the military, government ministries and related agencies. Successful Dark Pink attacks include a branch of the Philippine military in September, a Malaysian military branch in October, and government organizations in Bosnia and Herzegovina and Cambodia.

Along with a custom toolkit, Dark Pink was found to be issuing commands to infected computers to download malicious files from GitHub. The researchers note that, surprisingly, the threat actors used the same GitHub account for the entire duration of the campaign, which suggests they were able to operate undetected for a significant period.

The researchers found that the group posed as a job seeker applying for a position as a public relations and communications intern, claiming to have found the vacancy on a job-seeker site. The spear-phishing emails contain a link to a site that prompts the victim to download a malicious DLL file.

This research was documented by researchers from Group-IB.

Indicators of Compromise

  • 9976625B5A3035DC68E878AD5AC3682CCB74EF2007C501C8023291548E11301A
  • C60F778641942B7B0C00F3214211B137B683E8296ABB1905D2557BFB245BF775
  • E3181EE97D3FFD31C22C2C303C6E75D0196912083D0C21536E5833EE7D108736
  • E45DF7418CA47A9A4C4803697F4B28C618469C6E5A5678213AB81DF9FCC9FD51

Registry path

