active threat profile
type Nation-State
threat_level High
status Active
origin Southeast Asia — state-suspected
last_updated 2026-03-27

Dark Pink / Saaiwc Group

also known as: Saaiwc, Saaiwc Group

A relatively new and previously undocumented state-suspected APT first publicly identified by Group-IB in January 2023, though activity traces back to mid-2021. Dark Pink stands out for deploying an almost entirely custom toolkit — TelePowerBot, KamiKakaBot, Cucky, Ctealer, ZMsg — while similarly-positioned groups rely heavily on commodity or publicly available tools. The group's collection mandate is unusually broad for a surveillance APT: steal browser credentials, exfiltrate documents, record microphone audio every minute, steal messenger communications, and spread laterally via USB drives. Two rarely-seen techniques define the group's persistence approach: DLL side-loading via legitimate signed Microsoft executables and Event Triggered Execution via Change Default File Association — the latter documented by Group-IB as rarely observed in the wild.

attributed origin Southeast Asia — Asia-Pacific (assessed)
first observed Mid-2021 (public report: Jan 2023)
primary motivation Corporate espionage, intelligence collection
primary targets Government, Military, NGO — Southeast Asia & Europe
toolkit profile Almost entirely custom — 5 proprietary tools
c2 mechanism Telegram bot API — PowerShell over Telegram
initial vector Spearphishing — job application ISO delivery
unique persistence Event Triggered Execution: File Association (rare)
threat level High

Overview

Dark Pink / Saaiwc Group is a previously undocumented advanced persistent threat publicly disclosed by Group-IB on January 11, 2023 — though Group-IB's analysis traced the group's earliest confirmed activity to mid-2021, with an accelerating tempo through 2022. The group was simultaneously documented by Chinese cybersecurity researchers at Anheng Hunting Labs, who named it Saaiwc. The name "Dark Pink" was derived by Group-IB from email addresses used by the threat actors during data exfiltration operations.

Attribution remains uncertain. Group-IB assessed with confidence that Dark Pink is a previously untracked APT — not a known group operating under a new name — given the novel TTPs and unique custom toolkit. The targeting profile strongly suggests state-sponsorship: victims include military branches, government ministries, and diplomatic organizations across Southeast Asia and Eastern Europe. The group's focus on the Philippines, Malaysia, Vietnam, Cambodia, and Indonesia — alongside European targets in Bosnia and Herzegovina and Belgium — maps to an intelligence collection mandate with geopolitical interest in ASEAN military and diplomatic affairs.

What distinguishes Dark Pink from other Southeast Asian-origin APTs is the investment in custom tooling. Group-IB noted that almost all tools leveraged by the threat actors were custom and self-made — the only public tool used was a PowerSploit module (Get-MicrophoneAudio), which the group customized extensively to bypass antivirus detection. This level of proprietary development investment is atypical for a group at this scale and indicates either significant resources, established developer capacity, or both. The group also continuously updated its tools — the February 2023 EclecticIQ analysis documented improved obfuscation routines relative to the January 2023 Group-IB samples, indicating active maintenance cycles.

rarely-seen persistence technique — event triggered execution: file association

Dark Pink uses a persistence mechanism documented by Group-IB as rarely seen in the wild: Event Triggered Execution via Change Default File Association (MITRE T1546.001). By modifying Windows file type associations for common document extensions, the group ensures TelePowerBot executes automatically whenever the victim opens a file with the targeted extension — without requiring typical persistence mechanisms like scheduled tasks, registry Run keys, or service installation. This technique is harder to detect with standard persistence auditing tools that focus on more common persistence paths.
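An added illustration of the audit this technique calls for (not code from the profile or from Group-IB): it walks a constructed registry snapshot along the extension to ProgID to shell\open\command chain and flags a per-user override in HKCU\Software\Classes whose handler runs a script interpreter or lives in a user-writable path. The extensions, ProgIDs and command lines are all constructed for the example.

```python
# Added example: audit Windows file-association handlers for the T1546.001 pattern.
# SNAPSHOT is a constructed, flattened registry export ("hive\path" -> default value).
SNAPSHOT = {
    r"HKLM\Software\Classes\.docx": "Word.Document.12",
    r"HKLM\Software\Classes\Word.Document.12\shell\open\command":
        r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "%1"',
    r"HKLM\Software\Classes\.pdf": "AcroExch.Document.DC",
    r"HKLM\Software\Classes\AcroExch.Document.DC\shell\open\command":
        r'"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "%1"',
    # Constructed per-user override: a new ProgID whose handler runs a script from %TEMP%
    r"HKCU\Software\Classes\.docx": "docxfile",
    r"HKCU\Software\Classes\docxfile\shell\open\command":
        r'powershell.exe -File "%TEMP%\handler.ps1" "%1"',
}

# Handler commands that should never be the default opener for a document type
INTERPRETERS = ("powershell", "pwsh", "cmd.exe", "wscript", "cscript", "mshta", "msbuild")
# Locations an application installer would not normally place a document handler in
USER_WRITABLE = ("%temp%", "\\appdata\\", "\\users\\public\\", "%appdata%", "%localappdata%")


def resolve_handler(snapshot, hive, ext):
    """Follow ext -> ProgID -> shell\\open\\command inside one hive."""
    progid = snapshot.get(hive + "\\Software\\Classes\\" + ext)
    if not progid:
        return None, None
    cmd = snapshot.get(hive + "\\Software\\Classes\\" + progid + "\\shell\\open\\command")
    return progid, cmd


def audit_extension(snapshot, ext):
    """Return a list of finding strings for one extension (empty when nothing is odd)."""
    findings = []
    machine_progid, machine_cmd = resolve_handler(snapshot, "HKLM", ext)
    user_progid, user_cmd = resolve_handler(snapshot, "HKCU", ext)
    # HKCU\Software\Classes takes precedence over HKLM for the current user,
    # so a user-level ProgID that differs from the machine one is itself notable.
    if user_progid and user_progid != machine_progid:
        findings.append(f"{ext}: per-user ProgID {user_progid!r} overrides machine ProgID {machine_progid!r}")
    effective = user_cmd or machine_cmd
    if effective:
        low = effective.lower()
        if any(tok in low for tok in INTERPRETERS):
            findings.append(f"{ext}: open command invokes a script interpreter: {effective}")
        if any(loc in low for loc in USER_WRITABLE):
            findings.append(f"{ext}: handler lives in a user-writable path: {effective}")
    return findings


def audit(snapshot, extensions=(".docx", ".pdf", ".xlsx", ".pptx")):
    """Audit the common document extensions; map each flagged extension to its findings."""
    report = {}
    for ext in extensions:
        findings = audit_extension(snapshot, ext)
        if findings:
            report[ext] = findings
    return report


if __name__ == "__main__":
    for ext, findings in audit(SNAPSHOT).items():
        print(ext)
        for line in findings:
            print("  " + line)
```

On a live host the same logic applies to the output of a registry export of both Classes trees; only the three checks above change when an environment has legitimate non-standard handlers.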

Custom Toolkit — Five Proprietary Tools

Almost every tool in Dark Pink's arsenal was purpose-built by the group. The one exception — Get-MicrophoneAudio from PowerSploit — was so extensively modified that it was not trivially recognizable from the original. The breadth of the toolkit's collection mandate (credentials, documents, audio, messenger communications, USB propagation) is notable.

C2 Implant TelePowerBot

A registry implant (PowerShell script) that launches at system boot and connects to a threat actor-controlled Telegram channel to receive commands. Executes PowerShell commands issued through the Telegram bot API. Provides full interactive remote access to infected systems — operators issue standard commands (net share, Get-SmbShare) to enumerate connected network shares, then explore and exfiltrate files of interest. TelePowerBot also propagates itself to USB drives via a WMI event handler that deploys LNK files mimicking the victim's folder structure. Persistence secured via a registry implant and the rare file association technique. Collects all staged data from %TEMP%\backuplog for Telegram exfiltration.

C2 Implant .NET KamiKakaBot

The .NET version of TelePowerBot — functionally equivalent but implemented in .NET for flexibility across deployment scenarios. Reads and executes commands from the same Telegram bot channel. Can exfiltrate Chrome, MS Edge, and Firefox browser data before receiving commands. Uses MsBuild.exe (a living-off-the-land binary) to execute an XOR-encrypted XML payload during installation — the XML file is hidden at the end of a decoy Word document and only decrypted at execution time. Updates itself from the attacker's GitHub repository. Sends stolen data via Telegram in compressed ZIP format. Obfuscation routine was improved between January and February 2023 campaigns, demonstrating active maintenance.

Browser Stealer .NET Cucky

A .NET-based browser credential stealer that extracts passwords, browsing history, saved logins, and cookies from over 20 browsers: Chrome, MS Edge, CocCoc, Chromium, Brave, Atom, Uran, Sputnik, Slimjet, Epic Privacy, Amigo, Vivaldi, Kometa, Nichrome, Maxthon, Comodo Dragon, Avast Secure Browser, and Yandex Browser. Data is written to %TEMP%\backuplog for subsequent Telegram exfiltration. The inclusion of CocCoc (a Vietnamese-market Chromium browser) and Zalo/Viber in related tools indicates deliberate targeting of a Southeast Asian user base. Launching the stealer is optional during initial access — operators can also issue a download command to deploy it later.

Browser Stealer C++ Ctealer

The C/C++ analog of Cucky — functionally identical but implemented in a different language for deployment flexibility and to provide redundancy if one is detected. Extracts passwords, history, logins, and cookies from a similar browser list including Chrome, Chromium, Edge, Brave, Epic Privacy, Amigo, Vivaldi, Orbitum, Atom, Kometa, Dragon, Torch, Comodo, Slimjet, 360 Browser (common in Southeast Asian markets), Maxthon, K-Melon, Sputnik, Nichrome, CocCoc, Uran, Chromodo, Yandex Browser. Results staged in %TEMP%\backuplog. Can be deployed by TelePowerDropper during initial access or via a subsequent operator command.

Messenger Stealer .NET ZMsg

A .NET utility downloaded from the group's GitHub repository that steals message data from Zalo, Telegram, and Viber — three messaging apps widely used across Southeast Asia and Eastern Europe. Stolen communications are staged in %TEMP%\KoVosRLvmU\ until exfiltrated via the Telegram bot. The inclusion of Zalo — a Vietnamese-developed messenger with over 100 million users primarily in Vietnam — is a strong indicator of deliberate targeting of Vietnamese government and military communications. ZMsg goes beyond credential collection to capture the actual content of private communications.

Audio Capture (modified) Get-MicrophoneAudio (PowerSploit)

The only non-proprietary tool in Dark Pink's toolkit — PowerSploit's Get-MicrophoneAudio module, downloaded from GitHub. Dark Pink extensively customized the script to bypass antivirus detection, and had to iterate the customization multiple times after initial versions failed to record audio on infected devices. The final working version records microphone audio every minute, saves it as a ZIP archive in the Windows temporary folder, and exfiltrates it to the operator's Telegram bot. This capability transforms infected government workstations into persistent ambient listening devices — capturing meetings, phone calls, and sensitive discussions in the physical environment of the compromised system.

Target Profile

Dark Pink's targeting reflects a mandate for military and governmental intelligence collection across Southeast Asia, with selective European targeting that exploits ASEAN-European diplomatic relationships as a social engineering surface.

  • Southeast Asian military organizations: Confirmed victims include a branch of the Philippines military (September 2022) and a Malaysian military branch (October 2022). Military targeting is the highest-priority collection category for the group — access to military networks provides intelligence on defense posture, procurement, and operational planning. The group's custom tools' capability to record microphone audio is particularly significant in a military context.
  • Government ministries and agencies: Government organizations in Cambodia, Indonesia, Vietnam, and Bosnia and Herzegovina were confirmed victims in the 2022 campaign. An Indonesian government agency was breached on December 8, 2022. Additional 2023 victims were documented in Belgium, Brunei, Indonesia, Thailand, and Vietnam across government, educational, and non-profit sectors.
  • European targets — ASEAN diplomatic context: Dark Pink's inclusion of European targets — particularly Bosnia and Herzegovina, Belgium, and a European state development body based in Vietnam — appears to leverage ASEAN-EU diplomatic relationships. EclecticIQ assessed that the group specifically exploits relations between ASEAN and European nations to construct credible spearphishing lures. European government entities engaged with ASEAN policy and development are secondary targets compared to the ASEAN primary focus.
  • Non-profit and religious organizations: Group-IB's initial report identified religious and non-profit organizations as targets — consistent with intelligence collection mandates focused on civil society, human rights organizations, or faith-based groups with access to sensitive regional information.
  • Educational institutions: Confirmed in the 2023 campaign targeting Belgium, Brunei, Indonesia, Thailand, and Vietnam — educational institutions with government-funded research programs or diplomatic relationships are a secondary target category.

Tactics, Techniques & Procedures

Dark Pink's TTP set combines novel persistence techniques, multiple kill chain variants, and an unusually comprehensive collection mandate — targeting credentials, documents, audio, messenger data, and lateral spread via USB simultaneously.

T1566.001 Spearphishing — Job Application Lures

Dark Pink's primary initial access vector: spearphishing emails disguised as job applications. Group-IB found evidence that the group scanned online job vacancy portals to identify open positions, then crafted emails impersonating applicants for the specific role advertised. One documented case saw the threat actor pose as an applicant for a PR and Communications intern position. The emails contained shortened URLs linking to file-sharing sites hosting malicious ISO images. The per-target customization of both the lure and the ISO contents distinguishes this from bulk phishing.

T1574.002 DLL Side-Loading — Legitimate Signed Executables

ISO images contain a legitimate, Microsoft-signed executable (Winword.exe or equivalent) alongside a malicious DLL placed in the same directory. When the victim executes the signed file, Windows DLL loading behavior causes the malicious DLL to be loaded alongside it — the signed file's reputation protects the malicious DLL from initial scrutiny. The malicious DLL (TelePowerDropper or KamiKakaDropper) then establishes persistence and deploys the core C2 implant. A decoy document displayed to the victim during execution completes the social engineering.

T1546.001 Event Triggered Execution — File Association (Rare)

Dark Pink modifies Windows file type associations to ensure TelePowerBot executes automatically when the victim opens a file with a commonly used extension. Group-IB specifically called this out as "one rarely seen utilized in the wild by threat actors." Unlike registry Run keys or scheduled tasks — which are standard persistence audit targets — file association modifications require specifically targeted detection. The persistence survives reboots and remains active for as long as the file association modification persists in the registry.

T1059.001 Telegram Bot C2 — PowerShell Commands

Both TelePowerBot and KamiKakaBot receive PowerShell commands from a threat actor-controlled Telegram channel via the Telegram bot API. All C2 traffic is outbound HTTPS to Telegram's legitimate infrastructure — making it extremely difficult to block without disrupting legitimate Telegram usage. Operators issue commands interactively through the Telegram channel; the bot reads new messages and executes them as PowerShell commands on the infected host. Responses and exfiltrated data return via the same Telegram bot channel.

T1025 USB Drive Propagation — WMI Event Handler

Dark Pink registers a WMI event handler that fires when a new USB drive is connected to the compromised machine. The handler downloads a malware dropper from the group's GitHub account and places it on the USB drive, along with LNK files named to match the victim's folder structure — disguising the malicious files as the victim's own folders. When the infected USB is connected to another system and the user opens what they believe is their folder, the LNK executes the dropper. This propagation mechanism enables air-gap bridging in partially isolated environments.

T1123 Microphone Audio Collection — Every Minute

A customized version of PowerSploit's Get-MicrophoneAudio records audio from the device microphone every minute. Each recording is saved as a ZIP archive in the Windows temporary folder before exfiltration to the Telegram bot. The group iterated the customization script multiple times to successfully bypass antivirus detection. A compromised government workstation effectively becomes a persistent ambient listening device — capturing conversations in the physical environment including meetings, phone calls, and sensitive discussions.

T1560 Exfiltration — Telegram, Dropbox, and Webhook.site

Dark Pink uses three data exfiltration channels: Telegram bot (primary — all collected data in ZIP format), Dropbox (secondary), and webhook.site (for temporary HTTP endpoint capture, documented in the extended 2023 campaign). All data staged in %TEMP%\backuplog is copied to %TEMP%\backuplog1, compressed to a ZIP archive, and transmitted before the staging directory is deleted. Using Telegram and Dropbox — both legitimate cloud services — as exfiltration channels means data exits through HTTPS connections to trusted domains, bypassing many DLP and network inspection controls.

T1547.001 GitHub C2 Infrastructure — Payload and Module Distribution

Dark Pink maintains dedicated GitHub accounts hosting PowerShell scripts, ZIP archives, and custom malware for deployment to already-compromised machines. Modules including ZMsg and the microphone recording scripts are downloaded from GitHub during post-exploitation. Commands in TelePowerBot and KamiKakaBot may specify GitHub as the source for fetching additional capability modules. Using GitHub for payload hosting means downloads blend with legitimate development traffic and originate from github.com — a domain rarely blocked by enterprise security controls.

Known Campaigns

Confirmed Dark Pink campaign activity from Group-IB's initial disclosure through subsequent 2023 analysis, illustrating the group's consistent geographic focus and tool evolution.

Initial Campaign — Seven Successful Attacks Across APAC Jun–Dec 2022

Dark Pink launched at least seven successful attacks against government and military organizations between June and December 2022 — with Group-IB noting the actual number could be higher given the group's low public visibility prior to disclosure. Confirmed victims include a Philippines military branch (September 2022), a Malaysian military branch (October 2022), government organizations in Cambodia, Bosnia and Herzegovina, Indonesia (December 8, 2022), and Vietnam. An unsuccessful attack against a European state development body based in Vietnam was also attributed. Spearphishing emails disguised as job applications delivered ISO images containing DLL side-loading execution chains. Three distinct kill chain variants were documented across the campaign, all deploying TelePowerBot or KamiKakaBot with Ctealer or Cucky browser stealers.

February 2023 Campaign — Improved Obfuscation Feb 2023

EclecticIQ identified a February 2023 campaign using KamiKakaBot that was nearly identical to the Group-IB-documented January 2023 campaigns, with one key difference: the obfuscation routine had been significantly improved to better evade anti-malware solutions. ISO images delivered Winword.exe (legitimate signed executable) alongside MSVCR100.dll (malicious loader) and a decoy Microsoft Word document with XOR-encrypted content. The KamiKakaBot loader decrypted and executed the XML payload via MsBuild.exe — a living-off-the-land binary — before writing a registry key for Winlogon persistence. Phishing lures specifically exploited ASEAN-European diplomatic relationships, targeting entities in Belgium, Brunei, Indonesia, Thailand, and Vietnam. The rapid obfuscation update between January and February 2023 confirmed active tool maintenance cycles.

Extended 2023 Campaign — Belgium, Brunei, Indonesia, Thailand, Vietnam Feb–Apr 2023

Group-IB's updated analysis from May 2023 linked five additional attacks to Dark Pink across Belgium, Brunei, Indonesia, Thailand, and Vietnam between February and April 2023. Targets included educational institutions, government agencies, military bodies, and non-profit organizations. The group introduced a new GitHub account hosting PowerShell scripts, ZIP archives, and custom malware uploaded between January 9 and April 11, 2023 — indicating ongoing infrastructure development in parallel with active campaigns. Webhook.site was documented as an additional exfiltration channel in these attacks alongside the Telegram and Dropbox mechanisms used in 2022. The expanded institutional targeting (education, NGOs) alongside continued government/military focus suggests either broadening collection mandate or opportunistic expansion.

Indicators of Compromise

indicators of compromise — behavioral and structural

  • behavior: Winword.exe executing MSVCR100.dll from the same directory — DLL side-loading pattern
  • behavior: MsBuild.exe executing an XML file from the %TEMP% directory — KamiKakaBot LOLBin execution
  • registry: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell — KamiKakaBot persistence key
  • behavior: Windows file type association modification for common document extensions — rare persistence technique
  • network: Outbound HTTPS to api.telegram.org from non-browser processes — Telegram bot C2 pattern
  • directory: %TEMP%\backuplog\ and %TEMP%\backuplog1\ — data staging directories before Telegram exfiltration
  • directory: %TEMP%\KoVosRLvmU\ — ZMsg messenger data staging directory
  • behavior: WMI event subscription that triggers on USB drive insertion — USB propagation mechanism
  • network: Outbound connections to raw.githubusercontent.com for payload download from actor GitHub accounts
  • network: Outbound HTTP to webhook.site endpoints — secondary exfiltration channel (2023 campaigns)

Mitigation & Defense

Dark Pink's attack chain has multiple intervention points — the ISO delivery mechanism, the DLL side-loading execution, the novel file association persistence, and the Telegram C2 channel are all separately detectable.

  • Block ISO auto-mount and restrict ISO attachment delivery: Dark Pink's primary delivery mechanism is ISO images distributed via shortened URLs or spearphishing email links. Prevent auto-mounting of ISO files via Group Policy (Windows 10+ and Windows 11 offer native MotW propagation for ISO contents in updated builds). Email gateways should flag messages containing links to file-sharing sites (WeTransfer, Dropbox links) leading to disk image file types. Educate staff that receiving ISO files from job applicants or unsolicited contacts is abnormal and should not be mounted.
  • Monitor DLL side-loading patterns with signed Microsoft executables: Alert on Winword.exe, Excel.exe, or other signed Office executables loading DLLs from directories other than their standard installation paths. Dark Pink places the malicious MSVCR100.dll in the same directory as the signed Winword.exe — any DLL loaded from a non-standard path by a trusted Microsoft executable warrants investigation. EDR platforms with process behavior monitoring detect this pattern reliably.
  • Audit file type association changes: Monitor the Windows registry for modifications to file type associations (HKCU\Software\Classes and HKLM\Software\Classes) that change the default handler for common document extensions (.docx, .pdf, .xlsx, etc.). Changes made by user-space processes rather than application installers are high-suspicion indicators. Dark Pink's rare Event Triggered Execution persistence technique exploits the relative lack of monitoring on this registry path.
  • Monitor MsBuild.exe execution from non-development paths: MsBuild.exe should only be executed by Visual Studio or defined build systems in a corporate environment. Any execution of MsBuild.exe with an XML project file located in %TEMP% is a high-fidelity KamiKakaBot execution indicator. Alert and investigate immediately. LOLBin execution monitoring for MsBuild.exe is available in most EDR platforms.
  • Inspect Telegram API traffic from non-browser processes: Outbound HTTPS to api.telegram.org from any process other than the Telegram desktop client is abnormal in a corporate environment. Alert on api.telegram.org connections from PowerShell, cmd.exe, or any process not in an approved application list. This detection catches both TelePowerBot and KamiKakaBot C2 communications.
  • Monitor WMI event subscriptions for USB triggers: Dark Pink uses WMI event subscriptions to automatically deploy malware to connected USB drives. Monitor for new WMI permanent event subscriptions, particularly those with filter conditions matching USB device insertion events. Windows Event IDs 5857, 5858, 5859, 5860, 5861 capture WMI activity; many EDR platforms flag suspicious permanent WMI subscriptions directly.
  • Control GitHub access from corporate endpoints: Dark Pink uses GitHub (raw.githubusercontent.com) to host and serve PowerShell scripts, malware payloads, and ZMsg. While blocking GitHub entirely is generally impractical, alerting on raw.githubusercontent.com downloads by non-development processes (PowerShell, cmd.exe, scheduled tasks) is feasible and detects Dark Pink's GitHub-hosted payload delivery. Consider content inspection for downloads from raw.githubusercontent.com on managed endpoints.
  • Physical security awareness for microphone exposure: Dark Pink's continuous one-minute microphone recording capability turns any infected workstation into an ambient listening device. Security-sensitive discussions — particularly in government and military contexts — should not take place adjacent to internet-connected workstations without microphone verification. Consider hardware microphone controls (physical disconnect switches or mute hardware) for workstations used in sensitive meeting contexts.
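The detections in this list, expressed as an added example rather than as any vendor's or the profile author's code: each rule checks one constructed Sysmon-style event (field names Image, ImageLoaded, CommandLine, TargetObject, Details, DestinationHostname and Query follow Sysmon's schema; the event IDs 1, 3, 7, 13 and 19 are Sysmon's) for one of the behaviors described above. The process allowlist and every sample event are constructed for the example.

```python
# Added example (not from the profile or any vendor): rule checks over constructed
# Sysmon-style events for the behavioral indicators in the Mitigation list above.
import ntpath

OFFICE_BINARIES = {"winword.exe", "excel.exe", "powerpnt.exe"}
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "%temp%")
TELEGRAM_ALLOWLIST = {"telegram.exe", "chrome.exe", "msedge.exe", "firefox.exe"}  # constructed


def basename(path):
    return ntpath.basename(path).lower()


def rule_office_sideload(ev):
    # Sysmon EID 7: signed Office binary loading a DLL from outside the install roots
    if ev.get("EventID") != 7 or basename(ev["Image"]) not in OFFICE_BINARIES:
        return None
    if ev["ImageLoaded"].lower().startswith(TRUSTED_ROOTS):
        return None
    return f"DLL side-load: {basename(ev['Image'])} loaded {ev['ImageLoaded']}"


def rule_msbuild_temp(ev):
    # Sysmon EID 1: MsBuild.exe handed a project/XML file from a temp directory
    if ev.get("EventID") != 1 or basename(ev["Image"]) != "msbuild.exe":
        return None
    cl = ev["CommandLine"].lower()
    if any(m in cl for m in TEMP_MARKERS) and (".xml" in cl or "proj" in cl):
        return f"LOLBin: MsBuild project from temp: {ev['CommandLine']}"
    return None


def rule_winlogon_shell(ev):
    # Sysmon EID 13: Winlogon\Shell set to anything other than explorer.exe
    if ev.get("EventID") != 13 or not ev["TargetObject"].lower().endswith("\\winlogon\\shell"):
        return None
    if ev["Details"].strip().lower() == "explorer.exe":
        return None
    return f"Winlogon Shell persistence: {ev['Details']}"


def rule_telegram_c2(ev):
    # Sysmon EID 3: api.telegram.org reached by a process outside the allowlist
    if ev.get("EventID") != 3 or ev.get("DestinationHostname", "").lower() != "api.telegram.org":
        return None
    if basename(ev["Image"]) in TELEGRAM_ALLOWLIST:
        return None
    return f"Telegram bot API contacted by {basename(ev['Image'])}"


def rule_wmi_volume_trigger(ev):
    # Sysmon EID 19: WMI event filter subscribed to volume/drive-arrival events
    if ev.get("EventID") != 19 or "win32_volumechangeevent" not in ev.get("Query", "").lower():
        return None
    return f"WMI removable-media trigger: {ev['Query']}"


RULES = (rule_office_sideload, rule_msbuild_temp, rule_winlogon_shell,
         rule_telegram_c2, rule_wmi_volume_trigger)


def evaluate(events):
    """Run every rule over every event; return the alert strings in event order."""
    return [hit for ev in events for rule in RULES if (hit := rule(ev))]


# Constructed sample telemetry: five suspicious events and two benign ones (indices 1 and 5).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"D:\Application\WINWORD.EXE", "ImageLoaded": r"D:\Application\MSVCR100.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "CommandLine": r"MSBuild.exe C:\Users\a\AppData\Local\Temp\task.xml"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": r"explorer.exe, C:\Users\a\AppData\Roaming\run.bat"},
    {"EventID": 3, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationHostname": "api.telegram.org"},
    {"EventID": 3, "Image": r"C:\Program Files\Telegram Desktop\Telegram.exe", "DestinationHostname": "api.telegram.org"},
    {"EventID": 19, "Query": "SELECT * FROM Win32_VolumeChangeEvent WHERE EventType = 2"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```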
analyst note

Dark Pink is one of the more significant newly-documented APT groups in recent years because it represents a genuinely unknown actor with a mature, purpose-built toolkit — not a rebranding of a known group. The investment in five custom tools, three distinct kill chain variants, and two novel persistence techniques (file association modification alongside registry-based persistence) indicates a developer capacity well above opportunistic crime groups. The one-minute microphone recording cycle is an unusually aggressive surveillance mandate that goes beyond typical document and credential theft — it suggests targets with physical meeting contexts where ambient audio collection has direct intelligence value. Group-IB's assessment that Dark Pink is "Asia-Pacific origin" remains the primary attribution basis; the specific country of origin has not been publicly confirmed. The group's focus on Vietnam (multiple confirmed victims, ZMsg targeting Zalo), the Philippines, and Malaysia alongside European ASEAN-engaged entities is consistent with several potential state sponsors in the Southeast Asian region.

Sources & Further Reading

Attribution and references used to build this profile.
