A familiar tactic popularized by chaotic crime crew Lapsus$
Analysis Summary
# Threat Actor: Pink
## Attribution & Identity
* **Primary Name:** Pink (Pink Extortion Brand)
* **Tracking Designation:** CL-CRI-1147 (Palo Alto Networks Unit 42)
* **Associated Groups:** Likely a member or affiliate of **The Com** (a loosely knit umbrella of English-speaking hackers, SIM swappers, and extortionists).
* **Historical Lineage:** Follows the "playbook" popularized by **Lapsus$** and later adopted by **Scattered Spider** (UNC3944/MUGSHOT) and **ShinyHunters**.
## Activity Summary
Pink is a recently identified, extortion-only threat cluster (data theft without a file-encrypting payload) that emerged in early 2026. Its presence was confirmed on May 31, 2026, when its dedicated leak site (DLS) went live. The actor gains access through vishing and credential harvesting, steals sensitive corporate and customer data from the victim's cloud environment, and then demands payment to prevent its public release.
## Tactics, Techniques & Procedures
* **Initial Access:** Voice phishing (vishing) of employees and impersonation of the IT help desk.
* **Credential and MFA Theft:** Phishing for passwords and MFA codes or approvals, using lure domains named around passkey enrollment (listed under Tools & Infrastructure), to get past MFA.
* **Internal Reconnaissance:** Browsing mail and document stores in the victim's cloud productivity suite (Microsoft 365) from the compromised account.
* **Internal Messaging:** Sending Microsoft Teams messages from compromised accounts to harass or extort the victim organization from the inside.
* **Exfiltration:** Bulk collection from enterprise cloud storage (SharePoint, OneDrive) and databases, using scripted clients (see the User-Agent strings below).
* **Extortion:** Initial extortion notice sent from a free webmail account with a 72-hour response deadline; follow-up negotiation over qTox.
* **Domain Strategy:** One second-level domain is reused across multiple targets, with a victim-specific, thematically named third-level domain (subdomain) created for each target.
## Targeting
* **Sectors:** Not broken down by industry in the report; the common factor across victims is reliance on enterprise cloud storage and productivity platforms (e.g., SharePoint, OneDrive).
* **Geography:** Primarily English-speaking targets (consistent with "The Com" affiliations).
* **Victims:** Multiple organizations targeted between early 2026 and June 2026 (specific names withheld in the report but linked to previous negotiation clusters).
## Tools & Infrastructure
* **Phishing Domains (Defanged):**
* passkeyadd[.]com
* passkeydeploy[.]com
* deploypasskey[.]com
* **Infrastructure (Defanged):**
* 185[.]178.208[.]153 (Hosting phishing domains)
* 172[.]93.100[.]252 (Used to access compromised accounts)
* 96[.]232.20[.]66 (Residential proxy IP used for extortion email creation)
* **User-Agent Strings (During Exfiltration):**
* `Microsoft.Graph.Client/5.62.0`
* `python-requests/2.28.1`
* `python-requests/2.33.1`
* **Communication:** qTox.
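The reuse of one second-level domain across victims, each with its own themed subdomain, gives defenders a pivot: once one of the domains above is known, any new subdomain on it, and any new hostname on the hosting IP, is worth triaging. The following Python is an added example written for this summary, not code from Unit 42 or from the report. It scores a constructed list of newly observed hostnames (the kind of feed one would pull from certificate transparency logs or passive DNS) against the indicators above and reports which second-level domains are serving more than one themed subdomain. `ORG_TOKENS`, `OWNED_DOMAINS`, `LURE_KEYWORDS`, the `passkeyenroll.net` hostname and all resolution data are invented for the example.

```python
"""Added example, not code from the Unit 42 report: triage newly observed
hostnames against the Pink (CL-CRI-1147) domain and hosting indicators."""
from collections import defaultdict

# Indicators from the report above (defanged there, re-fanged here for matching).
IOC_DOMAINS = {"passkeyadd.com", "passkeydeploy.com", "deploypasskey.com"}
PHISHING_HOST_IP = "185.178.208.153"

# Assumptions for the example: the lure theme generalised to a few keywords,
# the defending organisation's brand tokens, and the domains it actually owns.
LURE_KEYWORDS = ("passkey", "mfa", "sso")
ORG_TOKENS = ("examplecorp",)
OWNED_DOMAINS = {"example.com"}


def split_host(host):
    """Split a hostname into (subdomain, registrable domain).

    Uses a naive "last two labels" rule, so example.co.uk would be handled
    wrongly; a real deployment should use the Public Suffix List (tldextract).
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return "", labels[0]
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def assess_host(host, resolved_ip=None):
    """Return the list of reasons a hostname is suspicious (empty if none)."""
    sub, sld = split_host(host)
    if sld in OWNED_DOMAINS:
        return []  # the organisation's own hosts are never lookalikes of themselves
    reasons = []
    if sld in IOC_DOMAINS:
        reasons.append("known_pink_domain")
    if resolved_ip == PHISHING_HOST_IP:
        reasons.append("resolves_to_ioc_ip")
    if any(tok in sub for tok in ORG_TOKENS):
        reasons.append("org_name_in_subdomain")  # victim-themed third-level label
    if any(kw in host.lower() for kw in LURE_KEYWORDS):
        reasons.append("passkey_lure_theme")
    return reasons


def triage(observations):
    """observations: iterable of (hostname, resolved_ip).

    Returns the flagged hosts and the second-level domains that carry more than
    one flagged subdomain, which is the reuse pattern described in the report.
    """
    findings = {}
    subs_by_sld = defaultdict(set)
    for host, ip in observations:
        reasons = assess_host(host, ip)
        if not reasons:
            continue
        findings[host] = reasons
        sub, sld = split_host(host)
        if sub:
            subs_by_sld[sld].add(sub)
    reused = {sld: subs for sld, subs in subs_by_sld.items() if len(subs) > 1}
    return {"findings": findings, "reused_slds": reused}


# Constructed observations, as they might arrive from a CT-log or passive-DNS feed.
OBSERVATIONS = [
    ("examplecorp.passkeyadd.com", "185.178.208.153"),
    ("acme.passkeyadd.com", "185.178.208.153"),          # same SLD, another victim
    ("sso-examplecorp.passkeyenroll.net", "185.178.208.153"),  # hypothetical new domain on the IOC IP
    ("passkey.example.com", "203.0.113.10"),             # the org's own passkey portal
    ("www.example.com", "203.0.113.10"),
    ("login.microsoftonline.com", "20.190.160.1"),
]

if __name__ == "__main__":
    result = triage(OBSERVATIONS)
    for host, reasons in result["findings"].items():
        print(f"{host}: {', '.join(reasons)}")
    for sld, subs in result["reused_slds"].items():
        print(f"{sld} serves {len(subs)} themed subdomains: {sorted(subs)}")
```

The `resolves_to_ioc_ip` reason is what catches a brand-new domain the report never listed, so feed the check resolution data rather than names alone; the `reused_slds` output is the list of second-level domains to submit for takedown and to search for other victims.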
## Implications
Pink represents the continued evolution of "The Com" and its affiliates and shows that social engineering and vishing remain highly effective against modern enterprise defenses. By targeting cloud productivity suites rather than deploying ransomware, the group moves faster and avoids the technical hurdles of encryption payloads, relying purely on the leverage of exfiltrated sensitive data.
## Mitigations
* **Help-Desk Verification:** Train help-desk staff on vishing, and require out-of-band identity verification (callback to a number on record, manager confirmation) before resetting a password, re-enrolling MFA, or registering a new authenticator for a caller.
* **MFA Hardening:** Move to phishing-resistant MFA (FIDO2 security keys or device-bound passkeys). Because Pink's lure domains are themed around passkey enrollment, also lock down the enrollment path itself: require a strong existing authenticator or a help-desk-issued temporary access pass to register a new one, and alert on new authenticator registrations.
* **Cloud Monitoring:** In the Microsoft 365 unified audit log, alert on SharePoint and OneDrive download operations (`FileDownloaded`, `FileSyncDownloadedFull`) whose UserAgent matches `python-requests/*` or `Microsoft.Graph.Client/*` from IP addresses outside expected ranges, and on download volumes that exceed a per-user baseline. The Graph SDK user agent is also used by legitimate integrations, so baseline approved applications first.
* **Infrastructure Alerting:** Watch certificate transparency and passive DNS for new subdomains on the known Pink second-level domains and for new hostnames that embed your organization's name on passkey-themed domains; alert on logins or data access from residential proxy ranges that your workforce does not use.
* **Internal Communication Security:** Treat Teams messages that request credentials, sensitive data, or urgent "security updates" as suspect even when they come from an internal account, and verify them out of band.
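The cloud-monitoring and alerting items above combine three signals: a known-bad source IP, a scripted client user agent on a download operation, and download volume out of proportion to normal use. The following Python is an added example written for this summary, not code from Unit 42 or from the report; it applies those three checks to a handful of constructed records in the shape of Microsoft 365 unified audit log entries (field names follow Microsoft's schema, values are invented) and groups the hits by user and source IP. `CORPORATE_EGRESS`, the burst threshold and window, and every user, IP and timestamp in `SAMPLE_LOG` are assumptions for the example; the indicator IPs and user agents are the ones listed above.

```python
"""Added example, not code from the Unit 42 report: score Microsoft 365 audit
records for the SharePoint/OneDrive exfiltration pattern described above."""
import ipaddress
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators from the report above (defanged there, re-fanged here for matching).
IOC_IPS = {"185.178.208.153", "172.93.100.252", "96.232.20.66"}
EXFIL_UA = re.compile(r"^(python-requests|Microsoft\.Graph\.Client)/")
DOWNLOAD_OPS = {"FileDownloaded", "FileSyncDownloadedFull"}
# Assumption for the example: the organisation's own egress range(s).
CORPORATE_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]


def normalize_ip(raw):
    """ClientIP may carry a port ("1.2.3.4:443", "[2001:db8::1]:443"); strip it."""
    raw = raw.strip()
    if raw.startswith("["):
        return raw[1:raw.index("]")]
    return raw.split(":")[0] if raw.count(":") == 1 else raw


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in CORPORATE_EGRESS)


def parse_log(text):
    """Parse JSON-lines audit records, normalising ClientIP and CreationTime."""
    records = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["ClientIP"] = normalize_ip(rec["ClientIP"])
            rec["CreationTime"] = datetime.fromisoformat(rec["CreationTime"])
            records.append(rec)
    return records


def record_reasons(rec):
    """Per-record indicators: known bad IP, scripted client, download from outside."""
    reasons = []
    if rec["ClientIP"] in IOC_IPS:
        reasons.append("ioc_ip")
    if EXFIL_UA.match(rec.get("UserAgent", "")):
        reasons.append("scripted_client_ua")
    if rec["Operation"] in DOWNLOAD_OPS and is_external(rec["ClientIP"]):
        reasons.append("external_download")
    return reasons


def download_bursts(records, threshold=3, window=timedelta(minutes=10)):
    """{(user, ip): peak} for actors downloading >= threshold files in any window."""
    times_by_actor = defaultdict(list)
    for rec in records:
        if rec["Operation"] in DOWNLOAD_OPS:
            times_by_actor[(rec["UserId"], rec["ClientIP"])].append(rec["CreationTime"])
    bursts = {}
    for actor, times in times_by_actor.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[actor] = peak
    return bursts


def analyze(log_text):
    """Group suspicious records by (user, source IP) and assign a severity."""
    records = parse_log(log_text)
    bursts = download_bursts(records)
    findings = {}
    for rec in records:
        actor = (rec["UserId"], rec["ClientIP"])
        reasons = set(record_reasons(rec))
        if actor in bursts:
            reasons.add("download_burst")
        if reasons:
            entry = findings.setdefault(actor, {"reasons": set(), "events": 0})
            entry["reasons"] |= reasons
            entry["events"] += 1
    for entry in findings.values():
        r = entry["reasons"]
        high = "ioc_ip" in r or {"scripted_client_ua", "external_download"} <= r
        entry["severity"] = "high" if high else "medium"
    return findings


# Constructed sample records in unified-audit-log shape (not real telemetry).
SAMPLE_LOG = """
{"CreationTime":"2026-06-02T09:14:03","Operation":"FileDownloaded","UserId":"alice@example.com","ClientIP":"203.0.113.40","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64)"}
{"CreationTime":"2026-06-02T22:01:11","Operation":"FileDownloaded","UserId":"bob@example.com","ClientIP":"172.93.100.252","UserAgent":"python-requests/2.28.1"}
{"CreationTime":"2026-06-02T22:01:15","Operation":"FileDownloaded","UserId":"bob@example.com","ClientIP":"172.93.100.252:443","UserAgent":"python-requests/2.28.1"}
{"CreationTime":"2026-06-02T22:01:20","Operation":"FileSyncDownloadedFull","UserId":"bob@example.com","ClientIP":"172.93.100.252","UserAgent":"python-requests/2.28.1"}
{"CreationTime":"2026-06-02T23:30:00","Operation":"FileDownloaded","UserId":"carol@example.com","ClientIP":"198.51.100.7","UserAgent":"Microsoft.Graph.Client/5.62.0"}
{"CreationTime":"2026-06-03T08:02:00","Operation":"FileAccessed","UserId":"dave@example.com","ClientIP":"203.0.113.41","UserAgent":"Microsoft.Graph.Client/5.62.0"}
{"CreationTime":"2026-06-03T11:00:00","Operation":"FileDownloaded","UserId":"eve@example.com","ClientIP":"192.0.2.55","UserAgent":"Mozilla/5.0 (Macintosh)"}
{"CreationTime":"2026-06-03T11:00:30","Operation":"FileDownloaded","UserId":"eve@example.com","ClientIP":"192.0.2.55","UserAgent":"Mozilla/5.0 (Macintosh)"}
{"CreationTime":"2026-06-03T11:01:10","Operation":"FileDownloaded","UserId":"eve@example.com","ClientIP":"192.0.2.55","UserAgent":"Mozilla/5.0 (Macintosh)"}
"""

if __name__ == "__main__":
    for (user, ip), f in analyze(SAMPLE_LOG).items():
        print(f"{f['severity']:6} {user} {ip} events={f['events']} {sorted(f['reasons'])}")
```

Two design points carry over to a real deployment. The port-stripping in `normalize_ip` matters because the audit log does emit `ip:port` in some records, and an unstripped value silently fails every indicator and CIDR comparison. The burst check is deliberately independent of the user agent: in the sample, `eve` pulls files with an ordinary browser from an unknown address and is still surfaced, which is the case that catches an operator who has simply changed their tooling since the report was written. A corporate-IP hit on the Graph SDK user agent (`dave`) is rated medium only, since that agent is shared with legitimate integrations.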