
Chinese APT gang Dark Pink claims five new victims in hacking spree

The group has been active since 2021 but has been ramping up activities throughout 2023.

By Claudia Glover

A Chinese state-sponsored hacking gang dubbed Dark Pink is on a crime spree targeting government, military and education organisations. Security researchers have been tracking the group’s activity, and say it has claimed five new victims in 2023 and shows “no signs of slowing down”.

Chinese hackers known as Dark Pink have claimed five victims in 2023 already. (Photo by Art_Rich/Shutterstock)

The most recent targets of the Advanced Persistent Threat (APT) group include an educational institution in Belgium and a government agency in Indonesia.

Chinese hackers are in the (Dark) Pink

A report released today by security company Group-IB has revealed that Dark Pink has attacked five organisations so far this year, bringing the total to 13 since the group was first uncovered in mid-2021.

Recent attacks show that the gang has revamped its attack chain, the report says, persistently updating its tools to slip past defence mechanisms. 

Last year, the gang appears to have attacked seven organisations in Asia and one in Europe. This year, Dark Pink has widened its targeting to include Brunei, Thailand and Belgium, and last month it hit a government agency in Indonesia.

“The group uses a range of sophisticated custom tools, deploys multiple kill chains relying on spear-phishing emails,” said Group-IB malware analyst Andrey Polovinkin. “Once the attackers gain access to a target’s network, they use advanced persistence mechanisms to stay undetected and maintain control over the compromised system.

“As we continued to track the group’s activity, we identified new tools, exfiltration mechanisms and victims in new industries, in countries that Dark Pink has never targeted before.”


How Dark Pink targets its victims

The gang’s primary attack vector continues to be spear-phishing emails: targeted messages sent to specific individuals whose credentials are useful to the attack. The group has updated its tactics, techniques and procedures this year, the Group-IB report explains.

It has implemented a new version of the KamiKakaBot malware, splitting its functions into two parts: one steals data and the other controls the infected device.

The gang maintains a GitHub repository hosting the modules its malicious code fetches and installs onto victims’ machines. According to the report, data is also being transmitted via the textbin.net paste service.

Stolen data is then exfiltrated using the Webhook.site service. “Webhook.site is a powerful and versatile service that allows users to easily inspect, test, and debug HTTP requests and webhooks,” explained Polovinkin. “With webhook.site, it is possible to set up temporary endpoints in order to capture and view incoming HTTP requests.”
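Because the report names webhook.site and textbin.net as the channels Dark Pink uses to move data out, a defender’s first practical step is to look for those hostnames in outbound web traffic. The following Python script is an added example written for this article, not code from Group-IB or the report: it scans constructed proxy log lines (the log format, IP addresses, URLs, byte counts and the high/medium severity labels are all assumptions made for the example) and flags requests to the watched services, noting large POST uploads that would be consistent with exfiltration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Services the article names as Dark Pink data-transmission channels.
# Severity labels are an assumption for this example, not a Group-IB rating.
WATCHED_DOMAINS = {
    "webhook.site": "high",   # temporary endpoints that capture incoming HTTP requests
    "textbin.net": "medium",  # paste service the report says is used to transmit data
}

# Constructed sample proxy log (not real traffic). Format, also assumed:
# <timestamp> <client-ip> <method> <url> <bytes-transferred>
SAMPLE_LOG = """\
2023-05-31T09:12:01Z 10.0.5.17 GET https://www.example.org/index.html 2048
2023-05-31T09:12:44Z 10.0.5.17 POST https://webhook.site/9a1f3b2c-0000-4000-8000-000000000000 51200
2023-05-31T09:13:02Z 10.0.5.23 GET https://textbin.net/raw/abcd1234 900
2023-05-31T09:13:10Z 10.0.5.17 POST https://webhook.site/9a1f3b2c-0000-4000-8000-000000000000 48800
2023-05-31T09:14:00Z 10.0.5.40 GET https://updates.example.com/patch.bin 1048576
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<bytes>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec


def match_watched(host):
    """Return (domain, severity) if host is a watched domain or a subdomain of one."""
    host = host.lower()
    for domain, severity in WATCHED_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return domain, severity
    return None


def scan_log(log_text, post_bytes_threshold=10_000):
    """Return one alert per request to a watched service.

    POST requests at or above post_bytes_threshold are annotated with the
    upload size, since outbound uploads are what an exfiltration channel looks like.
    """
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        host = urlsplit(rec["url"]).hostname or ""
        matched = match_watched(host)
        if matched is None:
            continue
        domain, severity = matched
        reason = f"{rec['method']} to {domain}"
        if rec["method"] == "POST" and rec["bytes"] >= post_bytes_threshold:
            reason += f", {rec['bytes']} bytes uploaded"
        alerts.append({
            "ts": rec["ts"],
            "client": rec["client"],
            "host": host,
            "domain": domain,
            "severity": severity,
            "method": rec["method"],
            "bytes": rec["bytes"],
            "reason": reason,
        })
    return alerts


def upload_bytes_per_client(alerts):
    """Total bytes POSTed to watched services, per client IP (for triage ordering)."""
    totals = Counter()
    for a in alerts:
        if a["method"] == "POST":
            totals[a["client"]] += a["bytes"]
    return dict(totals)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(f"[{a['severity']}] {a['ts']} {a['client']} -> {a['host']}: {a['reason']}")
    print("Upload totals per client:", upload_bytes_per_client(found))
```

On the constructed sample this yields three alerts, two for 10.0.5.17 posting to webhook.site and one for 10.0.5.23 fetching from textbin.net; the per-client upload total lets an analyst order hosts for triage. In a real environment, the same suffix match can be applied to DNS or proxy telemetry, and any legitimate use of these services should be baselined before alerting on it.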

The gang’s recent activities show that it has no intention of slowing down, Polovinkin added. “APT groups are renowned for their responsiveness and ability to adapt their custom tools to continually avoid detection, and Dark Pink is no exception,” he said. “The profile of the affected targets underscores the significant danger that Dark Pink poses for both public- and private-sector actors. Group-IB will continue to analyse all Dark Pink activity and ensure that confirmed and potential victims are informed.”

