Southeast Asian hacking crew racks up victims, rapidly expands criminal campaign

A group called "Dark Pink" is likely based in Southeast Asia and shows signs of development and ongoing activity, researchers say.
A vendors looks at her phone in Hanoi on March 31. (Photo by Nhac Nguyen/AFP via Getty Images)

An additional five victims in an expanding set of countries has been added to the list of a likely southeast Asian hacking campaign discovered earlier this year, researchers with Group-IB said Wednesday.

Group-IB dubbed the group “Dark Pink” in a January analysis and said it likely represented an “entirely new [advanced persistent threat] group” targeting a range of organizations across the Asia-Pacific region, and one in Europe, to steal corporate data and other high-value secrets. Additional research has revealed an additional five victims, expanding its operations to Belgium, Brunei and Thailand, the researchers said Wednesday.

Along with the expanded operations, the campaign’s operators have updated their tools and data exfiltration methods in operations as recent as this month, the researchers said, a sign “that the group shows no signs of slowing down.”

Group-IB has linked the campaign to attacks on 13 organizations to date across nine countries: Vietnam, Bosnia and Herzegovina, Cambodia, Indonesia, Malaysia, Philippines, Belgium, Thailand and Brunei. Targeted organizations include military bodies, government ministries and an educational institution, the company said.


Group-IB has not attributed the campaign, but in January the Chinese security firm Anheng Hunting Labs linked the activity — which it tracks as the “Saaiwc Group” — to an unnamed southeast Asian country. A March analysis from EclecticIQ noted some metadata that pointed to China, but said there was a lack of conclusive proof and characterized it as a “low confidence” attribution.”

The latest research shows that the campaign’s operators have modified their KamiKakaBot malware — which is designed to steal sensitive information and data from targeted systems — in apparent efforts to obfuscate static analysis.

Dark Pink has also demonstrated new exfiltration methods. Previous research revealed that stolen data was sent to a Telegram chat in a zip archive, and also stolen using email or publicly available cloud services such as Dropbox, the researchers said. In a recent attack, however, the group exfiltrated data using the Webhook[.]site service, which can be used for legitimate data communication and testing purposes, but also abused to facilitate illicit data transfers.

That Dark Pink has added new victims in new countries in operations that remain ongoing suggests “the threat actors geography could be broader than initially thought,” the Group-IB researchers said. “The fact that two attacks were executed in 2023 indicates that Dark Pink remains active and poses an ongoing risk to organizations. Evidence shows that the cybercriminals behind these attacks keep updating their existing tools in order to remain undetected.”

Latest Podcasts