A new cybercrime group called Pink is targeting corporate data for financial extortion. Palo Alto Networks’ research division, Unit 42, first exposed the threat, which is believed to be linked to the broader Com network.
The researchers tracked the group under the cluster code CL-CRI-1147, and reported that Pink launched a dedicated data leak site on 31 May 2026, listing several initial victims.
Building on Unit 42’s data, security analytics firm Gurucul released a follow-up analysis on 4 June 2026 to help companies spot the group’s footprint inside corporate networks.
Initial Entry and Cloud Theft
Unit 42’s research shows that Pink avoids traditional malware payloads. Instead, the threat actors rely on voice phishing, or vishing, to target corporate users. Impersonating internal IT staff over the phone, the attackers talk employees into visiting credential-stealing domains such as passkeyadd.com or passkeydeploy.com.
When an employee falls for the scam and enters their details, the attackers capture the active login session, which lets them bypass multi-factor authentication. With that session they can access the company’s Microsoft 365 tenant and, using Microsoft’s own automated tools, sweep through cloud storage, draining sensitive files from OneDrive and SharePoint folders in a matter of minutes.
With the data in hand, the extortion begins. Pink uses the compromised employee accounts to email co-workers and send internal Microsoft Teams messages demanding payment, giving executives a tight 72-hour deadline to respond.
Detecting the Hidden Footprint
Following Unit 42’s disclosure, Gurucul analysed how Pink operates on local workstations after initial access. In an advisory published on 4 June 2026, Gurucul noted that Pink uses fileless methods to stay hidden. Rather than writing a large, easily recognised malware file to disk, the attackers run small commands that hide inside legitimate system paths.
The malicious code is assembled directly in the computer’s memory, making it invisible to antivirus scanners that only inspect files on disk. Gurucul also found that the code checks its environment first: if it detects a sandbox or an analysis lab used by security teams, it suppresses its behaviour.
How to Stop the Attack
Because Pink uses legitimate cloud tools and genuine account access, standard firewalls struggle to spot the activity. Experts recommend training employees to verify unexpected IT phone calls independently.
Those responsible for network security should also look for unusual automated scripting activity in their logs, block the group’s known web domains, and use behavioural monitoring to catch large, sudden bursts of file downloads before the data leaves the company.
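As an added illustration of the behavioural monitoring recommended above (example code written for this page, not code from Unit 42, Gurucul or the article), the following Python sliding-window check runs over records shaped like Microsoft 365 Unified Audit Log SharePoint/OneDrive entries and flags any account whose download count within a five-minute window reaches a threshold. The account names, IP addresses, URLs and timestamps are constructed; the field names (CreationTime, Operation, UserId, ClientIP) and the FileDownloaded/FileSyncDownloadedFull operations follow Microsoft’s public audit schema.

```python
"""Flag accounts whose OneDrive/SharePoint download volume spikes within a short window (records shaped like M365 Unified Audit Log entries; all values constructed)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Audit-log operations that move file contents out of the tenant.
DOWNLOAD_OPS = {"FileDownloaded", "FileSyncDownloadedFull"}


def build_sample_log():
    """Constructed sample: one account sweeping a library, one with ordinary activity."""
    base = datetime(2026, 6, 1, 9, 0, 0)
    records = [{"CreationTime": base.isoformat(), "Operation": "FileAccessed",  # non-download noise
                "UserId": "bob@example.invalid", "Workload": "OneDrive", "ClientIP": "198.51.100.4"}]
    # Automated sweep: 60 downloads in under three minutes from one client IP.
    for i in range(60):
        records.append({"CreationTime": (base + timedelta(seconds=3 * i)).isoformat(),
                        "Operation": "FileDownloaded", "UserId": "alice@example.invalid",
                        "Workload": "SharePoint", "ClientIP": "203.0.113.7",
                        "ObjectId": f"https://contoso.example/sites/finance/doc{i}.xlsx"})
    # Ordinary user: a handful of downloads spread across the morning.
    for i in range(5):
        records.append({"CreationTime": (base + timedelta(minutes=12 * i)).isoformat(),
                        "Operation": "FileDownloaded", "UserId": "bob@example.invalid",
                        "Workload": "OneDrive", "ClientIP": "198.51.100.4",
                        "ObjectId": f"https://contoso.example/personal/bob/note{i}.docx"})
    return records


def find_bulk_downloads(records, window_seconds=300, threshold=50):
    """Return {user: (window_start, count, client_ips)} for every user with at least
    `threshold` download events inside some sliding window of `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    per_user = defaultdict(list)
    for r in records:
        if r.get("Operation") in DOWNLOAD_OPS:
            per_user[r["UserId"]].append((datetime.fromisoformat(r["CreationTime"]), r.get("ClientIP")))
    alerts = {}
    for user, events in per_user.items():
        events.sort(key=lambda e: e[0])  # two-pointer sweep needs chronological order
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop events that have fallen out of the window
            count = end - start + 1
            if count >= threshold and (user not in alerts or count > alerts[user][1]):
                alerts[user] = (events[start][0], count, {ip for _, ip in events[start:end + 1]})
    return alerts


if __name__ == "__main__":
    for user, (when, n, ips) in find_bulk_downloads(build_sample_log()).items():
        print(f"ALERT {user}: {n} downloads within 5 min from {when} via {sorted(ips)}")
```

Tune the window and threshold to the tenant’s normal download rate; a single client IP behind a burst this size is typical of scripted collection rather than a person browsing folders.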