
Hacker group ‘Dark Pink’ targets government and military in Southeast Asia

  • January 11, 2023


Cybersecurity services company Group-IB Global Pvt. Ltd. published a report today on a new advanced persistent threat campaign targeting countries in Southeast Asia and Eastern Europe for overt espionage purposes. An APT called Dark Pink is believed to be a new threat. It was determined that Dark Pink targeted military structures, ministries and institutions, religious and non-profit organizations in Cambodia, Indonesia, Malaysia, the Philippines, Vietnam and Bosnia and Herzegovina.

Group-IB Threat Intelligence researchers attributed seven successful attacks to the group, along with a failed attack on a Vietnam-based European state development agency.

Dark Pink uses phishing emails to target victims of corporate espionage with an almost entirely proprietary set of tools. The group’s tools attempt to steal files, microphone audio and messaging data from infected devices and networks.

Researchers have not been able to link this campaign, which used special tools and some rarely used tactics and techniques, to any known threat. As a result, Group-IB believes the Dark Pink campaign in the second half of 2022 is the activity of an entirely new group, which Chinese cybersecurity researchers call the Saaiwc Group.

While Group-IB researchers were unable to determine the cause of the operation, indications point to a state-sponsored actor, given that the targets of the attack were military units, ministries and related institutions. Successful Dark Pink attacks include a Philippine military contingent in September, a Malaysian military contingent in October, and government agencies in Bosnia and Herzegovina and Cambodia.

Alongside its special set of tools, Dark Pink commands infected computers to download malicious files from GitHub. The researchers note that, surprisingly, the attackers used the same GitHub account throughout their campaigns, which is considered a sign that they may have been operating undetected for a significant period of time.

But the group’s phishing campaign is nothing new: fake job applications. Investigators discovered that the group was posing as a job seeker applying for a public relations and communications intern position, saying they found an open job on a job search site. Phishing emails contain a link to a site that asks the victim to download a malicious DLL file.

Group-IB has released the details in line with its zero-tolerance cybercrime policy, which includes proactive notifications to all potential and approved Dark Pink targets. Group-IB researchers continue to uncover and analyze every detail of this particular APT campaign.

Source: Port Altele
