{
	"id": "6b5f5407-c316-4d0d-8f27-b1b1d4cc6d06",
	"created_at": "2026-04-06T00:08:35.250083Z",
	"updated_at": "2026-04-10T13:12:48.715697Z",
	"deleted_at": null,
	"sha1_hash": "2f57317f46ac518f2f477131ae106c955066372e",
	"title": "Threat Group ‘Desorden’ Actively Targeting Asian Conglomerates | Threat Intelligence | CloudSEK",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 102386,
	"plain_text": "Threat Group ‘Desorden’ Actively Targeting Asian Conglomerates\r\n| Threat Intelligence | CloudSEK\r\nArchived: 2026-04-05 13:07:27 UTC\r\nA confidential source has shared previously unknown details about the newly emerging threat actor group Desorden.\r\nTLP: GREEN\r\nAbout Desorden\r\nIn September 2021, a financially motivated threat actor group dubbed ‘Desorden’ started breaching Asian companies and sharing the breached data on a popular English-language cybercrime forum.\r\nThe group's first post on the forum was published on 30 September 2021. The post advertised the database of the Malaysian subsidiary of a global logistics company based in Hong Kong. The post included sample data as proof of the group’s claims and credibility.\r\nSince the first post, the group has consistently advertised the data of various Asian companies. As of January 2022, i.e. 4 months since the group became active, they have shared the data of 10 companies.\r\nhttps://cloudsek.com/threatintelligence/threat-group-desorden-actively-targeting-asian-conglomerates/\r\nPage 1 of 4\r\n[Figure: Desorden victim profile]\r\nDesorden Modus Operandi\r\nA confidential source, directly in contact with the Desorden group, has shared information about the group's motives and their preferred Tactics, Techniques, and Procedures (TTPs).\r\nMotives and Collaborations\r\nCurrently, the group has no interest in breaching former USSR or European countries.\r\nThe group carefully plans and selects their victims, which are primarily high-revenue conglomerates in Asia.\r\nThey claim to be a ‘for-hire’ hacking group and do not identify as a ransomware group, despite operating like one.\r\nThe group is looking to recruit hackers who can exploit an organization's vulnerabilities and build new scripts.\r\nDesorden is engaged in deals with various ransomware groups that don’t focus on Asia. In what seems like an agreement to divide and conquer, Desorden sells vulnerabilities and accesses to companies in Europe and North America to ransomware groups that focus on those regions.\r\nTactics, Techniques, and Procedures (TTPs)\r\nThe group initiates an attack by first performing reconnaissance of the infrastructure and technologies used by the target organization.\r\nBased on the recon, they develop custom Advanced Package Tool (APT) scripts to infiltrate the organization. The group also uses Python, PowerShell, and C#, based on their requirements.\r\nThe group doesn’t crypto-lock a victim’s data like ransomware groups do. Instead, they exfiltrate sensitive information from the victim and threaten to publicize the data if the company does not heed their ransom demands.\r\nThe group purportedly works discreetly with the victims to collect the ransom.\r\nIf a victim pays the demanded ransom, they do not advertise the breach or the company’s data.\r\nIf a victim is initially unresponsive, they publicize the breach, without releasing the data, in an attempt to pressure the victim into paying the ransom.\r\nHowever, if a company refuses to pay the ransom even after these attempts, they dump or sell its data on cybercrime forums.\r\nDesorden’s Victim Profile\r\nSince September 2021, Desorden has shared or advertised the databases of 10 high-revenue organizations operating or headquartered in Asia.\r\nCountry | No. of Victims | Victim Profile\r\nSingapore | 3 | Recruitment Firm: PII and login credentials; Department Store: PII, NRIC details, login credentials; Cinema Chain: Not Available\r\nMalaysia | 2 | Logistics Company: 200 GB customer and partner data; Carrier Service: Customer database\r\nThailand | 2 | Hotel Chain: 400 GB of PII, financial and corporate data; Restaurant Group: 80 GB of PII, financial and transaction data\r\nTaiwan | 1 | Electronics Corp: Employee info, list of vulnerable servers\r\nPhilippines | 1 | Supermarket Chain: 300 GB database\r\nIndia | 1 | Electronics Corp: 60 GB of customer and corporate data\r\nSource: https://cloudsek.com/threatintelligence/threat-group-desorden-actively-targeting-asian-conglomerates/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cloudsek.com/threatintelligence/threat-group-desorden-actively-targeting-asian-conglomerates/"
	],
	"report_names": [
		"threat-group-desorden-actively-targeting-asian-conglomerates"
	],
	"threat_actors": [
		{
			"id": "e5ccc758-f2a5-417b-ba5c-70edf39bc048",
			"created_at": "2022-10-25T16:07:24.481513Z",
			"updated_at": "2026-04-10T02:00:05.005021Z",
			"deleted_at": null,
			"main_name": "Desorden",
			"aliases": [],
			"source_name": "ETDA:Desorden",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a69a32c-82d0-431b-b5ab-34a070bf8d94",
			"created_at": "2023-11-08T02:00:07.154393Z",
			"updated_at": "2026-04-10T02:00:03.428568Z",
			"deleted_at": null,
			"main_name": "Desorden Group",
			"aliases": [],
			"source_name": "MISPGALAXY:Desorden Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b4f79ca0-e94b-4abe-a61e-ea3d2a2458ad",
			"created_at": "2022-10-25T16:07:24.444096Z",
			"updated_at": "2026-04-10T02:00:04.994412Z",
			"deleted_at": null,
			"main_name": "ALTDOS",
			"aliases": [
				"0mid16B",
				"ALTDOS",
				"Desorden",
				"GHOSTR"
			],
			"source_name": "ETDA:ALTDOS",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434115,
	"ts_updated_at": 1775826768,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2f57317f46ac518f2f477131ae106c955066372e.pdf",
		"text": "https://archive.orkl.eu/2f57317f46ac518f2f477131ae106c955066372e.txt",
		"img": "https://archive.orkl.eu/2f57317f46ac518f2f477131ae106c955066372e.jpg"
	}
}