DARK PINK
Malware Dissection Playbook
Dark Pink (aka Saaiwc Group) is a Southeast Asia-linked advanced persistent threat (APT) group active since at least mid-2021group-ib.comsocradar.io. Focused on espionage, Dark Pink has targeted military, government, and religious organizations across Asia-Pacific (Vietnam, Malaysia, Philippines, Cambodia, Indonesia, Brunei, Thailand) and even Europe (e.g. Bosnia and an EU-based agency in Vietnam)group-ib.comgroup-ib.com. The group’s operations are characterized by stealth and custom tooling designed to steal sensitive data (documents, credentials, even microphone audio and messenger data)group-ib.comsocradar.io. Dark Pink employs a novel toolkit – notably the TelePowerBot PowerShell backdoor and KamiKakaBot .NET malware – alongside proprietary stealers Cucky and Ctealer, rather than off-the-shelf malwaregroup-ib.comgroup-ib.com. They utilize unconventional techniques rarely seen in the wild, such as DLL side-loading and malicious file association hijacking, to gain initial access and persistencegroup-ib.comgroup-ib.com. All known attacks have leveraged spear-phishing emails (often masquerading as job applicants) with malicious ISO attachments to infiltrate targetsgroup-ib.com. As of 2023, Dark Pink remains active and evolving – expanding its victimology to new countries and refining its tools to evade detection
Analysis
-
Spear-phish → ISO archive → Legitimate EXE (Word) + Malicious DLL + Decoy Doc
-
DLL side-load → Deploy TelePowerBot or KamiKakaBot
-
Payload fetch/update via GitHub/TextBin
-
Exfiltration via Telegram, Dropbox, Webhook.site
Execution Chain
Persistence
-
Registry keys:
-
HKCU\Environment\UserInitMprLogonScript
-
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
-
-
Custom file extensions (.abcd, .zol) with malicious handlers
-
Excel add-in (XLL in %AppData%\XLSTART)
-
WMI event subscription for USB drive infection
Evasion
-
Obfuscated PowerShell + .NET payloads
-
Memory-only execution (via MSBuild)
-
Abuses LOLBins (WinWord.exe, MsBuild.exe, ConfigSecurityPolicy.exe)
-
Disables Windows Defender (Set-MpPreference flood)
-
Uses trusted services (Telegram, GitHub, Outlook, Dropbox)
Networking
-
Telegram Bot API (api.telegram.org) – main C2
-
GitHub (payload hosting)
-
Dropbox, Webhook.site (exfiltration)
-
IP: hxxp://176.10.80.38 (exfil server)
IOC's and Artifacts
This collection highlights key artifacts and IOCs we consider most relevant for analysts developing detection rules or conducting research. For YARA rules, please refer to the community repository.
Note: We do not publish or accept file hashes unless they are used to illustrate a specific malware technique or reference research (either our own analysis or external sources). Our focus is on dynamic detection logic and deeper research, rather than relying solely on static indicators.
File Artifacts
-
Malicious DLLs: MSVCR100.dll, WWLIB.dll, Dismcore.dll
-
Decoy EXEs: Signed WinWord.exe with .docx.exe naming
-
Payload dirs: %TEMP%\\backuplog\\, %APPDATA%\\archive.zip
Registry Persistence
-
HKCU\Environment\UserInitMprLogonScript
-
HKCU\Software\Classes\.abcd (custom extension)
-
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
​
Patterns:
-
Spread via malicious email attachments (subjects like “Error”, “Mail Delivery System”)
-
Also spread via P2P (Kazaa) under enticing filenames
-
Opens TCP 3127 for backdoor access
-
SMTP spam engine → floods email servers
​​
Domains:
-
api.telegram.org
-
ifconfig.me
-
raw.githubusercontent.com/efimovah/abcd/
-
gist.githubusercontent.com/
-
textbin.net
-
webhook.site
-
dl.dropbox.com
-
content.dropboxapi.com
-
mediafire.com–
​
Custom File Extensions:
-
.abcd
-
.zol / .zolo
-
.psr
-
.4ID
​
Malicious Emails:
-
blackpink.301@outlook
-
blackred.113@outlook
-
alibaba.113@outlook
-
lanhuong.jsc@outlook
-
nphuongmai.97@outlook
​
​
Refrences:
-
Group-IB: Dark Pink APT discovery
-
EclecticIQ: KamiKakaBot analysis
-
BleepingComputer: Dark Pink campaign update
-
SOCRadar: APT profile – Dark Pink