A newly identified cyber extortion operation is gaining attention among incident responders after security researchers uncovered a threat group using voice phishing, cloud data theft and aggressive extortion tactics to target organizations.
Researchers at Unit 42 have begun tracking the activity under the cluster designation CL-CRI-1147, while the threat actors themselves operate under the newly established “Pink” extortion brand. The group’s leak site reportedly became active on May 31, and already lists multiple victims, signaling an effort to establish an independent reputation within the cybercrime ecosystem.
A New Brand With Familiar Tactics
While Pink is a new name, its techniques are anything but.
Researchers assess that CL-CRI-1147 is likely affiliated with the broader “Com” cybercriminal ecosystem—a loosely used term for financially motivated actors linked to several high-profile extortion campaigns. The group’s tradecraft closely resembles that of cybercrime crews such as ShinyHunters and Blackfile, both known for targeting cloud environments and stealing corporate data for extortion purposes.
The emergence of Pink suggests that rather than a completely new threat actor entering the scene, an existing operator may be rebranding or spinning off under a new identity.
Voice Phishing Opens the Door
Unlike ransomware groups that rely on malware deployment, Pink appears focused on manipulating employees.

According to Unit 42, attacks begin with vishing—voice phishing calls in which attackers impersonate internal IT staff. During these conversations, victims are persuaded to visit phishing websites and enter their credentials.
Researchers identified several domains used in these campaigns, including:
- passkeyadd[.]com
- passkeydeploy[.]com
- deploypasskey[.]com
The domains mimic legitimate password and authentication workflows, helping attackers convince users that they are participating in a routine security process.
Once credentials are captured, the attackers use them to sign in to the victim's Microsoft 365 account. The sessions they obtain reportedly include ones that have already satisfied multi-factor authentication, so the password is not the only thing the victim gives up during the call.
Cloud Data Theft Within Minutes
After compromising an account, the attackers move quickly.
Rather than deploying ransomware or attempting to establish long-term persistence, Pink moves straight to bulk data theft from cloud collaboration platforms such as SharePoint and OneDrive.
Researchers observed activity associated with tools and user-agent strings commonly used to automate cloud data collection, including:
- Microsoft.Graph.Client/5.62.0
- python-requests/2.28.1
- python-requests/2.33.1
The use of Microsoft Graph APIs suggests the actors are leveraging legitimate cloud functionality to enumerate and exfiltrate sensitive corporate files at scale while blending into normal administrative activity. Defenders should treat the exact user-agent strings as weak indicators on their own: the same clients appear in legitimate automation, and a version string is trivial to change. A non-browser client downloading SharePoint or OneDrive content under an ordinary user identity shortly after an interactive sign-in is the more durable signal.
Using the Victim’s Own Accounts
One of the more notable aspects of Pink’s operations is how quickly attackers weaponize compromised accounts.
Shortly after stealing data, the actors reportedly use the victim’s Microsoft 365 account to distribute extortion messages internally. These communications are sent both via email and Microsoft Teams, creating immediate credibility and increasing pressure on the organization.
This tactic allows attackers to demonstrate access while amplifying confusion among employees and incident responders.
Infrastructure Reuse Points to Organized Operations
Researchers also identified infrastructure patterns that suggest a structured operation rather than opportunistic attacks.
Pink reportedly reuses second-level phishing domains across multiple campaigns while customizing third-level subdomains to match the targeted organization, for example by placing a victim-specific label in front of a reused domain such as passkeyadd[.]com. The infrastructure has been observed leveraging services associated with DDoS-Guard hosting.
Among the indicators identified by researchers are:
- 185[.]178.208[.]153 (hosting phishing infrastructure)
- 172[.]93.100[.]252 (accessing compromised accounts)
- 96[.]232.20[.]66 (linked to extortion email creation via residential proxy services)
The reuse of infrastructure combined with consistent phishing themes indicates an operation designed for repeatable, scalable attacks.
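The indicators above (user-agent strings, IP addresses and phishing domains with victim-specific subdomains) lend themselves to a straightforward hunt across Microsoft 365 audit exports. The following is an added example written for this page, not Unit 42's tooling or anything published by the group. It refangs the indicators exactly as quoted in the article, matches phishing domains by suffix so that customized third-level subdomains are caught, and adds a version-agnostic check for scripted clients touching SharePoint or OneDrive content, since the exact client versions are easy to rotate. The log records are constructed for illustration; their field names (Id, UserId, ClientIP, UserAgent, Workload, Operation, Urls) are a simplified stand-in for unified audit log and URL-click telemetry exports, not an exact schema.

```python
import json
import re
from urllib.parse import urlparse

# Indicators as published in the article (defanged).
IOC_DOMAINS = ["passkeyadd[.]com", "passkeydeploy[.]com", "deploypasskey[.]com"]
IOC_IPS = ["185[.]178.208[.]153", "172[.]93.100[.]252", "96[.]232.20[.]66"]
IOC_USER_AGENTS = [
    "Microsoft.Graph.Client/5.62.0",
    "python-requests/2.28.1",
    "python-requests/2.33.1",
]


def refang(indicator: str) -> str:
    """Convert a defanged indicator ('185[.]178.208[.]153') into matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


DOMAINS = {refang(d) for d in IOC_DOMAINS}
IPS = {refang(ip) for ip in IOC_IPS}
USER_AGENTS = set(IOC_USER_AGENTS)

# Version-agnostic fallback: the group rotates client versions, so any scripted
# client pulling SharePoint/OneDrive content under a user identity is worth a look.
SCRIPTED_UA = re.compile(r"^(python-requests|Microsoft\.Graph\.Client|curl|PowerShell)/", re.I)
CONTENT_WORKLOADS = {"SharePoint", "OneDrive"}


def match_domain(host_or_url: str):
    """Return the IOC domain matching a host or URL, including victim-specific
    subdomains such as acme-corp.passkeyadd.com; None if nothing matches."""
    host = urlparse(host_or_url).hostname if "://" in host_or_url else host_or_url
    host = (host or "").lower().rstrip(".")
    for domain in DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def check_record(rec: dict) -> list:
    """Evaluate one audit record and return its hit labels (empty list if clean)."""
    hits = []
    if rec.get("ClientIP") in IPS:
        hits.append("ioc-ip:" + rec["ClientIP"])
    ua = rec.get("UserAgent", "")
    if ua in USER_AGENTS:
        hits.append("ioc-ua:" + ua)
    elif SCRIPTED_UA.match(ua) and rec.get("Workload") in CONTENT_WORKLOADS:
        hits.append("scripted-ua:" + ua)
    for url in rec.get("Urls", []):
        domain = match_domain(url)
        if domain:
            hits.append("ioc-domain:" + domain)
    return hits


def scan(lines) -> dict:
    """Scan newline-delimited JSON audit records; return {record Id: [hits]}."""
    findings = {}
    for line in lines:
        rec = json.loads(line)
        hits = check_record(rec)
        if hits:
            findings[rec["Id"]] = hits
    return findings


# Constructed sample records (simplified field names, see lead-in). Public
# documentation IPs (203.0.113.x, 198.51.100.x) stand in for unrelated traffic.
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
SAMPLE_LOG = [
    json.dumps({"Id": "1", "UserId": "jdoe@example.com", "Operation": "UserLoggedIn",
                "Workload": "AzureActiveDirectory", "ClientIP": "172.93.100.252",
                "UserAgent": BROWSER_UA}),
    json.dumps({"Id": "2", "UserId": "jdoe@example.com", "Operation": "FileDownloaded",
                "Workload": "SharePoint", "ClientIP": "203.0.113.10",
                "UserAgent": "Microsoft.Graph.Client/5.62.0"}),
    json.dumps({"Id": "3", "UserId": "jdoe@example.com", "Operation": "FileSyncDownloadedFull",
                "Workload": "OneDrive", "ClientIP": "203.0.113.10",
                "UserAgent": "python-requests/2.35.0"}),
    json.dumps({"Id": "4", "UserId": "asmith@example.com", "Operation": "UrlClicked",
                "Workload": "Exchange", "ClientIP": "198.51.100.7",
                "UserAgent": BROWSER_UA, "Urls": ["https://acme-corp.passkeyadd.com/login"]}),
    json.dumps({"Id": "5", "UserId": "asmith@example.com", "Operation": "UserLoggedIn",
                "Workload": "AzureActiveDirectory", "ClientIP": "198.51.100.7",
                "UserAgent": BROWSER_UA, "Urls": ["https://login.microsoftonline.com/"]}),
]

if __name__ == "__main__":
    for rec_id, hits in scan(SAMPLE_LOG).items():
        print(rec_id, hits)
```

Record 3 is the case the exact-match list would miss: a python-requests build not on the published list, downloading OneDrive content. Whether that warrants an alert depends on how much scripted Graph access an organization legitimately has, which is why the block labels it separately from the exact indicator hits rather than treating it as equally confident.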