Latest goon squad to use fake helpdesk calls to steal creds
The Pink extortion group uses voice phishing and fake IT helpdesk impersonation to steal employee credentials, bypass multi-factor authentication, and exfiltrate data from cloud storage platforms such as SharePoint and OneDrive. They threaten to leak stolen data within 72 hours unless ransom demands are met. This campaign, active since May 31, 2026, leverages compromised accounts and internal Teams messages for extortion communications and reuses domains across multiple targets. Pink is linked to The Com, a network of English-speaking hackers and extortionists. The tactics resemble those used by groups like Lapsus$, Scattered Spider, and ShinyHunters.
AI Analysis
Technical Summary
Pink is a newly identified extortion group (cluster CL-CRI-1147) employing social engineering techniques including voice phishing (vishing) and fake IT helpdesk impersonation to compromise organizations. The group steals employee credentials and successfully bypasses multi-factor authentication controls. Using these credentials, Pink exfiltrates sensitive data from cloud storage services such as SharePoint and OneDrive. They then threaten victims with data leaks unless ransom demands are paid within a 72-hour deadline. The group operates a data-leak site launched on May 31, 2026, and is linked to The Com, a loosely connected network of English-speaking hackers and extortionists. Attackers also use compromised victim accounts and internal Microsoft Teams messages to communicate extortion demands. The campaign reuses domains and IP addresses across multiple victims, indicating a coordinated infrastructure.
Potential Impact
The campaign results in credential theft, multi-factor authentication bypass, unauthorized access to cloud storage data, and extortion through threats of data leakage. Organizations face potential data breaches, financial loss from ransom payments, and reputational damage. The use of compromised internal accounts and communication platforms like Teams increases the difficulty of detection and response.
Mitigation Recommendations
No official patch or fix applies as this is a social engineering campaign rather than a software vulnerability. Organizations should enhance user awareness training focused on vishing and helpdesk impersonation tactics. Implement strict verification procedures for helpdesk calls and credential requests. Monitor for suspicious internal communications and unusual access to cloud storage. Employ strong anomaly detection on account activities. Since the threat involves MFA bypass via social engineering, consider additional authentication safeguards and incident response readiness. The vendor advisory does not indicate 'no action required' or existing mitigation; therefore, proactive user education and verification controls are recommended.
Indicators of Compromise
- ip: 185.178.208.153
- domain: deploypasskey.com
- ip: 96.232.20.66
- domain: passkeyadd.com
- domain: passkeydeploy.com
Latest goon squad to use fake helpdesk calls to steal creds
Description
The Pink extortion group uses voice phishing and fake IT helpdesk impersonation to steal employee credentials, bypass multi-factor authentication, and exfiltrate data from cloud storage platforms such as SharePoint and OneDrive. They threaten to leak stolen data within 72 hours unless ransom demands are met. This campaign, active since May 31, 2026, leverages compromised accounts and internal Teams messages for extortion communications and reuses domains across multiple targets. Pink is linked to The Com, a network of English-speaking hackers and extortionists. The tactics resemble those used by groups like Lapsus$, Scattered Spider, and ShinyHunters.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Pink is a newly identified extortion group (cluster CL-CRI-1147) employing social engineering techniques including voice phishing (vishing) and fake IT helpdesk impersonation to compromise organizations. The group steals employee credentials and successfully bypasses multi-factor authentication controls. Using these credentials, Pink exfiltrates sensitive data from cloud storage services such as SharePoint and OneDrive. They then threaten victims with data leaks unless ransom demands are paid within a 72-hour deadline. The group operates a data-leak site launched on May 31, 2026, and is linked to The Com, a loosely connected network of English-speaking hackers and extortionists. Attackers also use compromised victim accounts and internal Microsoft Teams messages to communicate extortion demands. The campaign reuses domains and IP addresses across multiple victims, indicating a coordinated infrastructure.
Potential Impact
The campaign results in credential theft, multi-factor authentication bypass, unauthorized access to cloud storage data, and extortion through threats of data leakage. Organizations face potential data breaches, financial loss from ransom payments, and reputational damage. The use of compromised internal accounts and communication platforms like Teams increases the difficulty of detection and response.
Mitigation Recommendations
No official patch or fix applies as this is a social engineering campaign rather than a software vulnerability. Organizations should enhance user awareness training focused on vishing and helpdesk impersonation tactics. Implement strict verification procedures for helpdesk calls and credential requests. Monitor for suspicious internal communications and unusual access to cloud storage. Employ strong anomaly detection on account activities. Since the threat involves MFA bypass via social engineering, consider additional authentication safeguards and incident response readiness. The vendor advisory does not indicate 'no action required' or existing mitigation; therefore, proactive user education and verification controls are recommended.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://www.theregister.com/cyber-crime/2026/06/04/pink-is-the-latest-goon-squad-to-use-fake-helpdesk-calls-to-steal-creds/5251434"]
- Adversary
- Pink
- Pulse Id
- 6a2201a2fe176ac0486f58e5
- Threat Score
- null
Indicators of Compromise
Ip
| Value | Description | Copy |
|---|---|---|
ip185.178.208.153 | — | |
ip96.232.20.66 | — |
Domain
| Value | Description | Copy |
|---|---|---|
domaindeploypasskey.com | — | |
domainpasskeyadd.com | — | |
domainpasskeydeploy.com | — |
Threat ID: 6a226dc1e29bf47b503d4b1b
Added to database: 6/5/2026, 6:33:37 AM
Last enriched: 6/5/2026, 6:48:59 AM
Last updated: 6/5/2026, 2:52:55 PM
Views: 24
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.