Latest goon squad to use fake helpdesk calls to steal creds

June 5, 2026, 6:41 a.m.

Description

A new extortion group called Pink, tracked as cluster CL-CRI-1147, employs voice phishing and fake IT helpdesk impersonation to compromise organizations. The gang steals employee credentials, bypasses multi-factor authentication, and exfiltrates data from cloud storage platforms like SharePoint and OneDrive. Pink threatens to leak stolen information unless ransom demands are met, setting 72-hour deadlines. The group's data-leak site launched on May 31, 2026. This approach mirrors tactics popularized by Lapsus$, Scattered Spider, and ShinyHunters. Incident responders link Pink to The Com, a loosely connected network of English-speaking hackers and extortionists. Attackers use compromised victim accounts and internal Teams messages for extortion communications, reusing domains across multiple targets.

Date

  • Created: June 4, 2026, 10:52 p.m.
  • Published: June 4, 2026, 10:52 p.m.
  • Modified: June 5, 2026, 6:41 a.m.

Indicators

  • 96.232.20.66
  • 185.178.208.153

Attack Patterns

  • Pink

Additional Information

  • passkeyadd.com
  • passkeydeploy.com
  • deploypasskey.com