Nvidia, Okta, Microsoft and AT&T: Pink is the latest goon squad to use fake helpdesk calls to steal creds

New Extortion Group "Pink" Targets Organizations with Vishing and Cloud Data Theft

A recently identified extortion group, tracked as Pink, is leveraging voice phishing (vishing) and fake IT help-desk calls to infiltrate corporate networks, steal sensitive data, and demand ransom payments. First detected by Palo Alto Networks’ Unit 42, the group, classified as cluster CL-CRI-1147, launched its data-leak site on May 31, 2026.

Pink’s tactics mirror those of other cybercriminal collectives, including Lapsus$, Scattered Spider, and ShinyHunters, which have previously targeted high-profile organizations like Nvidia, Microsoft, Okta, MGM Resorts, and AT&T. These groups typically impersonate IT staff or employees to phish credentials and bypass multi-factor authentication (MFA), then exfiltrate data from cloud storage platforms such as SharePoint and OneDrive.

Unit 42 analysts linked Pink to The Com, a loosely organized network of hackers, SIM swappers, and extortionists, some of whom have ties to violent crime. After monitoring multiple extortion attacks, researchers observed Pink’s operators re-engaging with a victim on June 1, 2026, via a free webmail account, providing a new qTox ID and a leak site under the Pink brand. The group sets a 72-hour deadline for ransom negotiations before leaking stolen data.

Once inside a victim’s environment, Pink exfiltrates files and uses compromised accounts to send internal extortion messages via Microsoft Teams. The group reuses second-level domains for phishing, tailoring third-level domains to specific targets. Indicators of compromise include the domains passkeyadd[.]com, passkeydeploy[.]com, and deploypasskey[.]com, as well as IP addresses 185[.]178.208[.]153, 172[.]93.100[.]252, and 96[.]232.20[.]66. Observed user-agent strings during data exfiltration include Microsoft.Graph.Client/5.62.0 and python-requests/2.28.1.
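An added example (not from the article or from Unit 42) of matching the indicators above against log events: because the second-level domains are reused with target-specific third-level labels, the host check matches any subdomain of a listed domain on a label boundary. The event keys, the sample events and the high/low grading are assumptions of this example; a user-agent string names client software rather than an actor, so a match on that alone is graded low.

```python
import ipaddress
# Indicators as published in the article, kept defanged until load time.
DOMAINS = ["passkeyadd[.]com", "passkeydeploy[.]com", "deploypasskey[.]com"]
IPS = ["185[.]178.208[.]153", "172[.]93.100[.]252", "96[.]232.20[.]66"]
USER_AGENTS = {"Microsoft.Graph.Client/5.62.0", "python-requests/2.28.1"}

def refang(value):
    return value.replace("[.]", ".").strip().lower()  # 'a[.]b' -> 'a.b'

IOC_DOMAINS = {refang(d) for d in DOMAINS}
IOC_IPS = {ipaddress.ip_address(refang(i)) for i in IPS}

def match_domain(host):
    """Return the listed domain that host equals or sits under, else None.

    The match is on a label boundary: 'x.passkeyadd.com' hits,
    'notpasskeyadd.com' and 'passkeyadd.com.example.org' do not."""
    host = refang(host).rstrip(".")
    for domain in IOC_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def match_ip(addr):
    """True if addr parses as an IP address and is one of the listed ones."""
    try:
        return ipaddress.ip_address(addr) in IOC_IPS
    except ValueError:
        return False

def grade(event):
    """Grade one event dict (hypothetical keys: host, src_ip, user_agent)."""
    hits = []
    if match_domain(event.get("host", "")):
        hits.append("domain")
    if match_ip(event.get("src_ip", "")):
        hits.append("ip")
    if event.get("user_agent") in USER_AGENTS:
        hits.append("user_agent")
    # Assumption: network indicators are strong, a user agent alone is weak.
    level = "high" if {"domain", "ip"} & set(hits) else "low" if hits else "none"
    return level, hits

# Constructed events; the 'acme-sso' label and the non-IoC addresses are made up.
SAMPLE = [
    {"host": "acme-sso.passkeyadd.com", "src_ip": "10.0.0.5"},
    {"host": "graph.microsoft.com", "src_ip": "96.232.20.66",
     "user_agent": "Microsoft.Graph.Client/5.62.0"},
    {"host": "notpasskeyadd.com", "src_ip": "203.0.113.9"},
    {"host": "pypi.org", "src_ip": "198.51.100.7", "user_agent": "python-requests/2.28.1"},
]
RESULTS = [grade(ev)[0] for ev in SAMPLE]
```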

Source: https://www.theregister.com/cyber-crime/2026/06/04/pink-is-the-latest-goon-squad-to-use-fake-helpdesk-calls-to-steal-creds/5251434

Okta cybersecurity rating report: https://www.rankiteo.com/company/okta-inc-

Microsoft Security cybersecurity rating report: https://www.rankiteo.com/company/microsoft-security

AT&T cybersecurity rating report: https://www.rankiteo.com/company/att

NVIDIA cybersecurity rating report: https://www.rankiteo.com/company/nvidia

"id": "OKTMICATTNVI1780611852",
"linkid": "okta-inc-, microsoft-security, att, nvidia",
"type": "Cyber Attack",
"date": "5/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'type': 'Organizations (high-profile targets)'}],
 'attack_vector': 'Voice phishing (vishing), fake IT help-desk calls, phishing '
                  'credentials, MFA bypass',
 'data_breach': {'data_exfiltration': True,
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High (personally identifiable '
                                        'information likely)',
                 'type_of_data_compromised': 'Sensitive data, cloud storage '
                                             'files'},
 'date_detected': '2026-05-31',
 'date_publicly_disclosed': '2026-05-31',
 'description': 'A recently identified extortion group, tracked as *Pink*, is '
                'leveraging voice phishing (vishing) and fake IT help-desk '
                'calls to infiltrate corporate networks, steal sensitive data, '
                'and demand ransom payments. The group sets a 72-hour deadline '
                'for ransom negotiations before leaking stolen data. Once '
                'inside a victim’s environment, Pink exfiltrates files and '
                'uses compromised accounts to send internal extortion messages '
                'via Microsoft Teams.',
 'impact': {'data_compromised': 'Sensitive data, cloud storage files '
                                '(SharePoint, OneDrive)',
            'identity_theft_risk': 'High (due to data exfiltration)',
            'operational_impact': 'Internal extortion messages via Microsoft '
                                  'Teams, data exfiltration',
            'systems_affected': 'Corporate networks, cloud storage platforms'},
 'initial_access_broker': {'entry_point': 'Voice phishing (vishing), fake IT '
                                          'help-desk calls'},
 'investigation_status': 'Ongoing',
 'motivation': 'Financial gain, data extortion',
 'post_incident_analysis': {'root_causes': 'Phishing, MFA bypass, credential '
                                           'theft'},
 'ransomware': {'data_exfiltration': True, 'ransom_demanded': True},
 'references': [{'date_accessed': '2026-06-01',
                 'source': 'Palo Alto Networks’ Unit 42'}],
 'response': {'third_party_assistance': 'Palo Alto Networks’ Unit 42'},
 'threat_actor': 'Pink (cluster CL-CRI-1147), The Com',
 'title': "New Extortion Group 'Pink' Targets Organizations with Vishing and "
          'Cloud Data Theft',
 'type': 'Extortion, Data Theft, Vishing'}