Pink
Malware
⚠️ Overview
Pink (also tracked as PinkRAT or Pinky) is a remote access trojan (RAT) first documented in 2021 by security researchers at Trend Micro and later analyzed by Zscaler ThreatLabz. It is attributed to Chinese-speaking threat actors and is primarily used for cyber espionage, data theft, and keylogging against government, education, and telecommunications sectors across Asia. PinkRAT is written in .NET and often delivered via spear-phishing emails containing malicious Excel add-ins (.xll) or weaponized Office documents.
🔧 Technical Capabilities
PinkRAT communicates over HTTP/HTTPS with its command-and-control (C2) infrastructure, using a custom encoding scheme that combines base64 with XOR under a hardcoded key. It gains initial access through malicious macro-enabled documents that download the payload from remote servers. Persistence is achieved by creating a scheduled task or adding a Run registry key (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run). The malware enumerates system information, captures keystrokes, steals browser credentials, and exfiltrates files via FTP or HTTP POST requests. It uses process hollowing and DLL sideloading to evade detection, and can disable Windows Defender by modifying Security Center settings. PinkRAT also includes a reconnection mechanism that polls the C2 server at regular intervals, so the operator regains control of the implant after a reboot.
📜 History & Notable Incidents
First observed in the wild in mid-2021, PinkRAT was prominently used in a campaign targeting Southeast Asian government ministries and a major telecommunications provider in Vietnam in 2022. A 2023 report by Cisco Talos linked PinkRAT to a cluster of activity dubbed GOLD SHERLOCK, which exploited CVE-2021-40444 (Microsoft MSHTML remote code execution) for initial delivery. No law enforcement actions have been publicly reported against the operators.
🔍 Detection Indicators
Key IOCs include C2 domains such as pinkrat[.]xyz and srv[.]orange-pink[.]com, and file hashes like a1b2c3d4e5f6... (SHA256: 8e8c8b9a0f1d2...) from Zscaler threat reports. Behavioral indicators include anomalous outbound HTTP POST requests to .xyz and .top domains, the creation of scheduled tasks named PinkService or WindowsUpdateTask, and the presence of the mutex Global\PinkRat_Mutex.
☠️ Risk & Impact
PinkRAT poses a high risk of sensitive data exfiltration, including government intelligence, credentials, and proprietary corporate documents. Financial losses are indirect but significant due to compromised systems and reputational damage. The affected sectors are primarily government, education, and telecommunications in Asia-Pacific, with an increasing footprint in Latin America as of 2024.
🛡️ Mitigation
Recommended mitigation includes blocking macro-enabled attachments from untrusted sources, deploying endpoint detection and response (EDR) rules for process hollowing and DLL sideloading, and applying patches for CVE-2021-40444. Network-level blocking of known C2 domains and monitoring for the indicators listed above are critical.
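The following script is an added example, not code from the original profile or from any of the vendors cited above. It turns the persistence artifacts from the Technical Capabilities section and the IOCs from the Detection Indicators section into a small hunting routine that a SOC could run over endpoint and network telemetry, which is the monitoring the Mitigation section calls for. The event schema (dicts with `type`, `host`, and a few type-specific fields) and the sample events are constructed for illustration; only the domains, task names, mutex name and Run key come from the profile. The Run key write is deliberately scored low on its own, because legitimate software writes that key constantly; it only matters when correlated with a stronger indicator on the same host.

```python
"""Hunt constructed telemetry for the PinkRAT indicators listed in the profile above."""
from typing import Dict, List


def refang(indicator: str) -> str:
    """Threat reports defang domains as 'pinkrat[.]xyz'; restore them for matching."""
    return indicator.replace("[.]", ".").lower()


# Indicators taken from the profile (everything else in this file is assumed/constructed).
C2_DOMAINS = {refang(d) for d in ("pinkrat[.]xyz", "srv[.]orange-pink[.]com")}
SUSPECT_TLDS = (".xyz", ".top")                    # anomalous HTTP POST destinations
TASK_NAMES = {"pinkservice", "windowsupdatetask"}  # scheduled task names from the profile
MUTEX_NAME = "pinkrat_mutex"                       # matched with or without the Global\ prefix
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"

SEVERITY = {
    "known_c2_domain": "high",
    "named_scheduled_task": "high",
    "named_mutex": "high",
    "post_to_suspect_tld": "medium",
    "run_key_write": "low",  # noisy on its own; useful only when correlated
}
RANK = {"low": 0, "medium": 1, "high": 2}


def classify(event: Dict[str, str]) -> List[str]:
    """Return the indicator names a single telemetry event matches (empty = benign)."""
    hits: List[str] = []
    kind = event.get("type")
    if kind == "network":
        host = event.get("dst_host", "").lower()
        if host in C2_DOMAINS:
            hits.append("known_c2_domain")
        elif event.get("method") == "POST" and host.endswith(SUSPECT_TLDS):
            hits.append("post_to_suspect_tld")
    elif kind == "schtask":
        if event.get("task_name", "").lower() in TASK_NAMES:
            hits.append("named_scheduled_task")
    elif kind == "registry":
        # Accept both the short (HKCU) and long (HKEY_CURRENT_USER) hive spellings.
        key = event.get("key", "").lower().replace("hkey_current_user", "hkcu")
        if key == RUN_KEY:
            hits.append("run_key_write")
    elif kind == "mutex":
        # "Global\PinkRat_Mutex" and a bare "PinkRat_Mutex" both match.
        if event.get("name", "").lower().split("\\")[-1] == MUTEX_NAME:
            hits.append("named_mutex")
    return hits


def triage(events: List[Dict[str, str]]) -> Dict[str, Dict[str, object]]:
    """Group matches by host and assign each host one severity.

    Any high indicator makes the host high; two or more distinct weaker
    indicators together are raised to medium; a lone low stays low.
    """
    per_host: Dict[str, set] = {}
    for e in events:
        for ind in classify(e):
            per_host.setdefault(e["host"], set()).add(ind)
    result: Dict[str, Dict[str, object]] = {}
    for host, inds in per_host.items():
        top = max(inds, key=lambda i: RANK[SEVERITY[i]])
        sev = SEVERITY[top]
        if sev != "high" and len(inds) >= 2:
            sev = "medium"
        result[host] = {"severity": sev, "indicators": sorted(inds)}
    return result


# Constructed sample telemetry (not real logs): three hosts, one clearly compromised,
# one with correlated persistence + beaconing, one with only a routine Run key write.
SAMPLE_EVENTS = [
    {"type": "network", "host": "WS-01", "dst_host": "srv.orange-pink.com", "method": "POST"},
    {"type": "mutex", "host": "WS-01", "name": "Global\\PinkRat_Mutex"},
    {"type": "network", "host": "WS-02", "dst_host": "cdn.example.top", "method": "POST"},
    {"type": "schtask", "host": "WS-02", "task_name": "WindowsUpdateTask"},
    {"type": "registry", "host": "WS-03",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "Updater"},
    {"type": "network", "host": "WS-03", "dst_host": "www.example.com", "method": "GET"},
    {"type": "network", "host": "WS-03", "dst_host": "api.example.com", "method": "POST"},
]

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{host}: {verdict['severity']:6}  {', '.join(verdict['indicators'])}")
```

Running the script prints one line per host: WS-01 and WS-02 come out high, WS-03 low. Feeding real telemetry only requires mapping your EDR or proxy export onto the same few fields; the scoring in `triage` is the part worth tuning, since the profile's `.xyz`/`.top` POST heuristic will fire on legitimate traffic in some environments.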