New Data Extortion Group “Pink” Goes Big Game Hunting With Evasive Phishing Kits

Pink’s DLS Site (Unit42)

Pink’s Attack Playbook

Excerpt of Detection Mechanisms

Excerpt of Heartbeating

Phase 4: Advanced Subversion (MFA & Passkeys)

The most alarming capability of this kit is its built-in workflows designed to defeat modern authentication standards. Because the attacker operates a real-time C2 connection, they can dynamically push the target to specific modules based on what the authentic Microsoft login prompt requires.

• Authenticator Number Matching: To defeat push-based MFA, the kit features an “Approve sign in request” template. The backend dynamically injects the auth_code (e.g., a two-digit number) for the target to type into their mobile device, bridging the gap between the attacker’s proxy and the target’s phone.
• Passkey Subversion: Passkeys (FIDO2/WebAuthn) are notoriously resistant to adversary-in-the-middle (AiTM) attacks. To overcome this defense layer, the kit likely resorts to targeted social engineering. It attempts to trick targets into surrendering their passkey recovery words (via the /passkey/check/ route) or instructs them to register an attacker-controlled passkey on their device. While these frontend templates mention about passkey actions, we do not have the backend code required to see exactly how they are proxying the WebAuthn API calls, or if this relies purely on social engineering.

Phase 5: The “Success” Lure

When the target has successfully provided all requested authentication information, the backend sends a final redirect command to move the victim to the /auth_61858/done/ route. Rather than redirecting the victim to the real application (which might trigger secondary login prompts or errors) the kit renders a final, placating message:

• “Your account now meets organization requirements” > Your account has been verified and now meets your organization’s security requirements. No further action is needed. You can safely close this page.

A “success” message tied to a plausible corporate IT compliance pretext, ensures the victim feels a sense of completion without alerting their IT or Security department, buying the attackers critical time to utilize their access.

Phishing Kit 2: Gated Okta Impersonation Kit

We identified a second kit with striking architectural similarities to the Entra ID version, specifically tailored for Okta environments. Like the previous kit, this is not a static credential harvester. It is a dynamic, operator-controlled SPA that heavily relies on backend C2 to authorize the attack and exfiltrate credentials.

By analyzing the client-side JavaScript and HTML structure, we can map a similar sequence of events a target experiences when landing on this page.

Phase 1: Tracking & C2 Initialization

A script named client.jsisloaded early in the <head> of the DOM and it is responsible for a variety of tasks:

• Generating and globally exposing key components that the subsequent scripts rely upon:
  • window.__token: The target’s unique session ID.
  • window.__windowId: The ID distinguishing the specific browser tab.
  • window.getToken: The function used to retrieve the session ID.
  • window.getWindowId: The function used to retrieve the tab ID.
• Through the hostKey() function, scoping identifiers to the hostname (t:phishing_domain.com). This hints the same kit can be deployed across multiple hostnames simultaneously without session data from separate phishing campaigns conflicting.
• Generating a unique UUID (Token) and redundant Window IDs, and intentionally storing them in multiple browser databases with fallbacks. If an ID isn’t found in sessionStorage (scoped to the tab), it checks localStorage (persistent across tab closures and browser restarts). If it has to generate a new ID, it writes it to both locations immediately.
• As a third layer of persistence, immediately writing these identifiers to three separate cookies (token, okta_token, and window_id) with 24-hour expiration.
• Initiating two separate communication loops with the backend (/api_FyekIDWY.php):
  • Heartbeat: Executes hb() immediately and then every 5 seconds (setInterval(hb, 5000)). This loop pushes passive JSON telemetry to the operator: “Token X is alive on tab Y on page Z.”
  • Redirect Command: A second, independent loop of function cr() starts after a 2-second delay: setTimeout(cr, 2000) and performs a distinct GET request looking for the specific command: if (d && d.redirect). Crucially, within this channel, if the operator realizes the target needs to skip the current form or jump directly to a new harvesting stage they can ignore the gate approval (described next) and instead push a response to the client.jsloop: i.e. {“redirect”: “/sign-in/password/”}. The cr() function intercepts this and instantly forces the browser to the new page, bypassing the current visual logic entirely.

Phase 2: The Preload & The “Bot Gate” Lockdown

Upon initial load, the kit aggressively preloads Okta-specific fonts, stylesheets (okta-sign-in.min.css), and icons. However, the DOM is immediately locked down by a script that injects a full-screen overlay (#rp-bot-gate) containing a loading spinner.

The HTML document is appended with a class (rp-gate-locked) that disables scrolling and interaction. The target sees nothing but a white screen with a spinning wheel. Both kits refuse to show the phishing lure until a backend server explicitly authorizes the session. This proves that threat actors are actively filtering incoming traffic to drop automated scanners, sandboxes, and security researchers. In contrast to the Entra ID kit, this one is surprisingly “quiet” on the client side, without any visitor fingerprinting mechanisms. This might suggest that the threat actors are doing their analysis server-side to hide their detection logic from researchers.

Phase 3: The Heartbeat and Operator Approval

While the target is staring at the spinner, the kit initiates a polling sequence. It calls the poll() function, which acts as a heartbeat, sending a payload containing a session token and window ID to the backend C2 script at /api_FyekIDWY.php.

The kit will remain locked until the backend responds with a specific JSON payload: {“approved”: true}.

• If approved: The hide() function executes, destroying the spinner and revealing the Okta login lure.
• If denied (or pending): The show() function keeps the gate locked, polling every 1.5 to 4 seconds.

Phase 4: The Okta Deception Interface

Once authorized, the target is presented with a pixel-perfect replica of the Okta login interface. The kit includes a custom app banner reading “Sign in with your account to access Okta Dashboard” to establish trust.

The credential harvesting is split into stages (Username, then Password). When the target enters their username and clicks “Next”, the handler(e) JavaScript function intercepts the submission, preventing the browser from actually submitting the form.

Phase 5: Exfiltration via Beacon API

Instead of a traditional form post, the kit uses a highly effective persistence technique for exfiltration: navigator.sendBeacon(‘/j.php’, …). The Beacon API is designed to send analytics data asynchronously to a web server even if the user immediately closes the tab or navigates away. If sendBeacon fails, it falls back to a standard synchronous XMLHttpRequest. After the data is sent, the victim is redirected to the next stage (/sign-in/password/ or /sign-in/processing/).

Infrastructure

The actors primarily hosted their phishing kits on Cloudflare and DDoS-Guard. As part of domain registrations, they heavily relied on Tucows and Nicenic.Their operational playbook included registering subdomains with their targets’ brand name. The following naming convention was followed by the threat actors:

• {target_brand}.{keyword}passkey.com OR {target_brand}.passkey{keyword}.com

This structure allowed us to expand and identify more of their infrastructure through searching for lookalike domains with this specific pattern through Validin. For additional validation we also checked for each domain their subdomains (if they include brand names), as well as to search them in scanners like URLScan, to check if they contain the phishing kits in the page’s DOM. Domains are included in the Indicators of Compromise section.

Targeting

By analyzing the subdomains of their infrastructure we could get insights into their targeting strategy. Targeting assessments are based on observed lure infrastructure and should not be interpreted as confirmed victimization. Based on automated analysis to map the targeted entities, the actors seem to likely favor industries that handle sensitive user data, financial transactions, or major corporate infrastructure. Healthcare, Technology, and Financial Services combine to make up over two thirds of all targeted entities.

Distribution of Pink Targets Per Sector

By evaluating the geographic footprint of the targeted entities it becomes clear that these campaigns are overwhelmingly focused on United States corporations, with intentional outliers in Europe and Asia.

• North America (United States): 69 subdomains (92.0%) The massive majority of companies targeted are based in the US, strongly leaning toward Silicon Valley tech icons, Wall Street investment firms, and major US hospital/medical supplier networks.
• Global / Multiregional (Outside US): 6 subdomains (8.0%)
  • Europe (UK / Ireland): 5 subdomains targeting brands like PLMR (UK-based PR/Lobbying) and Perrigo (American pharmaceutical company but legally registered in Ireland).
  • Asia (Japan): 1 subdomain targeting Astellas Pharma (Tokyo-headquartered multinational).