Pink new extortion brand within The Com
Threat Actor Meta
Summary
Hide ▲
Show ▼
A new Pink extortion brand has emerged within The Com, signaling a more decentralized criminal ecosystem that can scale credential theft and data extortion across multiple sectors. The operation relies on vishing and IT impersonation to collect credentials and MFA codes, then pressures victims with stolen-data publication. Its quick move to data exfiltration and ransom pressure raises risk for organizations targeted through helpdesk-style social engineering.
Related Happenings
Helix vishing and SharePoint data-extortion campaign
Campaign
H score38
First: 09.07.2026 20:08
Last: 09.07.2026 20:08
Sources 1
About this happening:
The **Helix** campaign is using **vishing**, **device-code phishing**, and **MFA abuse** to break into **SharePoint** environments and steal files, exposing victim organizations t...
Helix vishing and SharePoint data-extortion campaign
CampaignAbout this happening: The **Helix** campaign is using **vishing**, **device-code phishing**, and **MFA abuse** to break into **SharePoint** environments and steal files, exposing victim organizations t...
O-UNC-066 / Pink Microsoft Entra passkey vishing campaign
Campaign
H score37
First: 08.07.2026 19:47
Last: 08.07.2026 19:47
Sources 1
How related:
The campaign has been running since April and involves calling targeted users and trying to convince them to register a new passkey under the attacker's control.
About this happening:
The **O-UNC-066 / Pink** operation is using **voice-based phishing** to push **Microsoft 365** users into enrolling attacker-controlled **Entra passkeys**, creating a direct path...
O-UNC-066 / Pink Microsoft Entra passkey vishing campaign
CampaignHow related: The campaign has been running since April and involves calling targeted users and trying to convince them to register a new passkey under the attacker's control.
About this happening: The **O-UNC-066 / Pink** operation is using **voice-based phishing** to push **Microsoft 365** users into enrolling attacker-controlled **Entra passkeys**, creating a direct path...
Vidar-XMRig malvertising campaign targeting consumers and SMBs worldwide
Campaign
H score31
First: 08.07.2026 14:00
Last: 08.07.2026 14:00
Sources 1
About this happening:
A **malvertising campaign** is targeting **consumers and small and medium businesses worldwide** with archives that deploy **Vidar** and **XMRig**, creating both theft and cryptom...
Vidar-XMRig malvertising campaign targeting consumers and SMBs worldwide
CampaignAbout this happening: A **malvertising campaign** is targeting **consumers and small and medium businesses worldwide** with archives that deploy **Vidar** and **XMRig**, creating both theft and cryptom...
Sniper Dz free PhaaS ecosystem rebranded to scale phishing operations
Threat Actor Meta
H score43
First: 12.06.2026 11:52
Last: 12.06.2026 11:52
Sources 1
About this happening:
A long-running **Sniper Dz** ecosystem operated as a **free phishing-as-a-service (PhaaS)** platform that repeatedly rebranded, lowering the barrier for large-scale credential the...
Sniper Dz free PhaaS ecosystem rebranded to scale phishing operations
Threat Actor MetaAbout this happening: A long-running **Sniper Dz** ecosystem operated as a **free phishing-as-a-service (PhaaS)** platform that repeatedly rebranded, lowering the barrier for large-scale credential the...
Latest development: 15.06.2026 09:30
Fraudulent Facebook accounts impersonating politicians, public figures, and trusted organizations targeted users across the Middle East and North Africa with fake offers for free mobile internet packages, financial compensation, and government subsidy programs, then routed victims through Linkbio and Linktree decoy pages into Sniper Dz phishing and traffic monetization infrastructure that abuses browser notification permissions, back-button hijacking, tab-under redirections, premium SMS subscriptions, premium-rate calls, and investment scams.
Finnish arrest and U.S. charges in Bouquet Scattered Spider case
Law Enforcement
H score45
First: 28.04.2026 18:39
Last: 28.04.2026 18:39
Sources 1
About this happening:
**Finnish law enforcement** arrested **Bouquet**, and **U.S. federal prosecutors** later charged him in a cross-border **Scattered Spider** cybercrime case. The charges include **...
Finnish arrest and U.S. charges in Bouquet Scattered Spider case
Law EnforcementAbout this happening: **Finnish law enforcement** arrested **Bouquet**, and **U.S. federal prosecutors** later charged him in a cross-border **Scattered Spider** cybercrime case. The charges include **...
Timeline
-
08.07.2026 19:47 1 articles · 1d ago
Pink launches extortion site to publish stolen data samples
Campaign Scope UpdateThe Pink extortion group launched an extortion site on May 31 to publish samples of stolen data and pressure compromised victims into paying a ransom.
Show sources
- Entra passkey enrollment vishing targets Microsoft 365 users — www.bleepingcomputer.com — 08.07.2026 19:47
-
08.07.2026 19:47 2 articles · 1d ago
Okta attributes Microsoft Entra passkey vishing to O-UNC-066 and Pink
Initial DisclosureOkta attributes a Microsoft 365 vishing campaign to O-UNC-066, an actor it links to Pink and The Com, saying targeted employees across food and beverage, technology, healthcare, automotive, construction, and aviation sectors are called with fake security requests to enroll a Microsoft Entra passkey under attacker control. The phishing flow uses branded pages that mimic the real Entra passkey enrollment portal and an operator-controlled PHP panel that relays credentials and MFA responses in real time.
Show sources
- Entra passkey enrollment vishing targets Microsoft 365 users — www.bleepingcomputer.com — 08.07.2026 19:47
- Entra passkey enrollment vishing targets Microsoft 365 users — www.bleepingcomputer.com — 08.07.2026 19:47