Talk details:

March 6, 2025, 2 p.m. - 3 p.m., Sala 21
Hunting for Dark Pink: Uncovering APT Threats through Telegram C2 Message


Abstract:

Dark Pink is one of the most prolific threat actors to emerge in the APAC region over the past two years, targeting military, government, and religious institutions across Southeast Asia. This presentation unveils how Dark Pink was first discovered, walking through the investigative steps that exposed the group’s operations and its unique kill chain. We’ll follow the entire journey—from detection through to full analysis—revealing how Dark Pink employs a custom toolset and unconventional techniques to bypass traditional security defenses and remain undetected. We’ll break down each stage of a Dark Pink attack, from initial access to exfiltration, and examine the distinctive artifacts associated with each phase.

Using TeleScout, a tool for extracting and analyzing Telegram-based C2 messages, we’ll demonstrate how investigators can trace attacker actions, identify victims, and gather attribution clues. We’ll show how TeleScout enables step-by-step tracking of APT activity and explore its versatility in analyzing other threat actors, including eCrime and nation-state groups. This talk offers practical insights for public sector security professionals and threat investigators into detecting and analyzing sophisticated cyber threats.

Presentation Outline:

This presentation begins with an in-depth look at Dark Pink, explaining how the APT group was first discovered and the investigative steps that led to the identification of its operations, victimology, and possible motivations.

We will then explore how Dark Pink conducts its attacks, starting with phishing emails and ISO images for initial infection, followed by sideloading a malicious DLL through winword.exe to extract the KamiKakaBot payload from a decoy document. The loader establishes persistence by creating registry keys and setting up a service that shuts down infected devices at specific times to evade detection. The payload, saved as an MSBuild XML project file, is compiled and executed in memory on each system restart, leading to the final execution of KamiKakaBot. KamiKakaBot is a .NET executable that leverages Telegram for command-and-control (C2) communications.

Using a custom Python script, we’ll demonstrate how to extract the C2 configuration from the payload and analyze the attacker’s activities on infected hosts. We will introduce TeleScout, our specialized tool that dumps and visualizes Telegram-based C2 communications, allowing analysts to observe post-exploitation actions such as LSASS credential collection, navigation of infected systems, and retrieval of additional tools hosted on platforms like GitHub and Telegram.

Next, we’ll examine the exfiltration methods used by Dark Pink, detailing the types of files targeted and attribution clues embedded within them. We will also discuss the Telegram Bot API and explain weaknesses that investigators can exploit to retrieve messages from compromised bots, assuming a bot token can be obtained from malware samples.

Finally, we will demonstrate TeleScout’s functionality on other cases, such as DuckTail, an infostealer, and YoroTrooper, a Kazakhstani APT, showing its versatility in analyzing both eCrime and nation-state actors. TeleScout will be released as an open-source tool after the talk, filling a critical gap in the current tooling available for investigating Telegram-based C2.

What is new:

While blog articles have previously covered Dark Pink’s operations, this talk will reveal unique insights into how the APT group was first discovered, including step-by-step details of the investigative process that led to its identification. We will highlight key artifacts and evidence that supported attribution—information not publicly disclosed before—as well as specific details about Dark Pink's tactics, techniques, and procedures throughout its kill chain.

Additionally, we will introduce TeleScout, a tool designed to extract and analyze Telegram-based C2 messages, filling a critical gap in the open-source toolset available to threat investigators. TeleScout will be made freely available after the presentation, as no similar open-source tools currently exist for this purpose.
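The message-retrieval step the outline describes (pulling a Telegram bot's queued messages once its token has been recovered from a sample) as an added example; this is neither TeleScout's code nor the speakers' script. The JSON below is a constructed sample following the Bot API's documented getUpdates response shape, every chat id, name and file value in it is made up, and no network call is made: the parser is fed the sample directly.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample in the shape of a Bot API getUpdates response: one
# operator command, one document uploaded from an infected host. All ids,
# names and sizes are made up.
SAMPLE_UPDATES = json.dumps({"ok": True, "result": [
    {"update_id": 1001, "message": {
        "message_id": 7, "date": 1700000000, "text": "whoami",
        "from": {"id": 11111, "first_name": "operator"},
        "chat": {"id": 11111, "type": "private"}}},
    {"update_id": 1002, "message": {
        "message_id": 8, "date": 1700000060,
        "from": {"id": 22222, "first_name": "HOST-01"},
        "chat": {"id": 22222, "type": "private"},
        "document": {"file_name": "report.docx", "file_size": 4096,
                     "mime_type": "application/octet-stream",
                     "file_id": "FILEID-constructed"}}},
]})

def parse_updates(raw: str) -> list[dict]:
    """Flatten a getUpdates JSON body into one record per message.
    Fetch it via GET https://api.telegram.org/bot<token>/getUpdates without
    an offset parameter, so the server keeps the queue unconfirmed."""
    body = json.loads(raw)
    if not body.get("ok"):
        raise ValueError(f"Bot API error: {body.get('description', 'unknown')}")
    records = []
    for upd in body["result"]:
        msg = upd.get("message") or upd.get("channel_post")
        if msg is None:  # edits, callback queries etc. are skipped here
            continue
        doc = msg.get("document") or {}
        records.append({
            "update_id": upd["update_id"],
            "chat_id": msg["chat"]["id"],
            "sender": msg.get("from", {}).get("first_name", "<unknown>"),
            "time": datetime.fromtimestamp(msg["date"], tz=timezone.utc).isoformat(),
            "text": msg.get("text", ""),
            "file_name": doc.get("file_name", ""),
            "file_size": doc.get("file_size", 0),
        })
    return records

def chats_by_volume(records: list[dict]) -> list[tuple[int, int]]:
    """Rank chat ids by message count; distinct chats usually map to distinct hosts."""
    return Counter(r["chat_id"] for r in records).most_common()
```

Each record carries the chat id, sender, UTC timestamp, command text and any attached file name, which is the minimum an analyst needs to separate operator commands from victim uploads and to enumerate affected hosts.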