{
	"id": "b376f09a-1824-4881-8847-35d66d236ba2",
	"created_at": "2026-04-09T02:23:37.000026Z",
	"updated_at": "2026-04-10T13:13:01.992325Z",
	"deleted_at": null,
	"sha1_hash": "4165bd0b14414b1c4cdee2382c23a646bab169c7",
	"title": "Advisories are published, but are enough entities reading them and taking precautions? - DataBreaches.Net",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 38681,
	"plain_text": "Advisories are published, but are enough entities reading them and taking precautions? - DataBreaches.Net\r\nPublished: 2021-08-25 · Archived: 2026-04-09 02:06:09 UTC\r\nThree advisories have been released this week about threat actor groups. One involves ALTDOS, one involves\r\nHIVE, and one involves the “OnePercent Group,” whose name may not sound familiar to many.\r\nALTDOS (Joint Advisory)\r\nIt appears that ALTDOS is getting some serious attention from Singapore’s CSA and other agencies in Singapore.\r\nThese threat actors who target ASEAN entities have not gotten much coverage here in the U.S. other than\r\nDataBreaches.net’s coverage, and they don’t seem to have gotten a great deal of coverage anywhere — perhaps\r\ndue to cultural differences in disclosing and reporting on breaches. This week, Singapore authorities issued a joint\r\nadvisory that is the result of a collaborative effort between the Cyber Security Agency of Singapore (CSA), the\r\nPersonal Data Protection Commission (PDPC) and the Singapore Police Force (SPF).\r\nInterestingly (to me, anyway), the advisory says that ALTDOS uses ransomware, but that the ransomware variant\r\nis currently unknown. In the past, when DataBreaches.net had asked ALTDOS what type of ransomware they\r\nused, they had answered me:\r\nDuring the event of ransomware attacks, there are many cases in which data or files are rendered\r\ncorrupted even after decryption. Hence, we do not favor the usage of ransomware and we usually do not\r\nemploy ransomware techniques on targets. Our methodology is to break into systems, steal the data and\r\nbackup copies of their databases locally with AES-256 encryption.\r\nIf I hear from them again, I will ask them if that’s still the case. 
Or perhaps it was never the case, but a lot of the\r\nclaims they have made to this site did check out.\r\nThe advisory provides some detection and prevention strategies, but are most ASEAN entities reading this\r\nadvisory or taking it to heart?\r\nHIVE (Alert Number MC-000150-MW)\r\nThe FBI has issued a Flash Alert about HIVE ransomware. The alert contains indicators of compromise for a\r\ngroup that first appeared in June of this year as “Hive.” Unlike some other groups, they do not seem to seek media\r\ncoverage, have not published any “press releases,” and do not have any email or other contact information on their\r\nonion leak site.\r\nONEPERCENT GROUP (Alert Number CU-000149-MW)\r\nThe FBI has learned of a cyber-criminal group who self identifies as the “OnePercent Group” and who\r\nhave used Cobalt Strike to perpetuate ransomware attacks against US companies since November 2020.\r\nOnePercent Group actors compromise victims through a phishing email in which an attachment is\r\nopened by the user. The attachment’s macros infect the system with the IcedID banking trojan. IcedID\r\ndownloads additional software to include Cobalt Strike. Cobalt Strike moves laterally in the network,\r\nprimarily with PowerShell remoting.\r\nAs of the time of the alert, the onionsite was offline and has remained offline.\r\nSource: https://www.databreaches.net/advisories-are-published-but-are-enough-entities-reading-them-and-taking-precautions/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.databreaches.net/advisories-are-published-but-are-enough-entities-reading-them-and-taking-precautions/"
	],
	"report_names": [
		"advisories-are-published-but-are-enough-entities-reading-them-and-taking-precautions"
	],
	"threat_actors": [
		{
			"id": "348b092b-f28a-41d0-a7f2-4c399f2f973f",
			"created_at": "2024-06-25T02:00:05.046536Z",
			"updated_at": "2026-04-10T02:00:03.664032Z",
			"deleted_at": null,
			"main_name": "ALTDOS",
			"aliases": [],
			"source_name": "MISPGALAXY:ALTDOS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b4f79ca0-e94b-4abe-a61e-ea3d2a2458ad",
			"created_at": "2022-10-25T16:07:24.444096Z",
			"updated_at": "2026-04-10T02:00:04.994412Z",
			"deleted_at": null,
			"main_name": "ALTDOS",
			"aliases": [
				"0mid16B",
				"ALTDOS",
				"Desorden",
				"GHOSTR"
			],
			"source_name": "ETDA:ALTDOS",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775701417,
	"ts_updated_at": 1775826781,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4165bd0b14414b1c4cdee2382c23a646bab169c7.pdf",
		"text": "https://archive.orkl.eu/4165bd0b14414b1c4cdee2382c23a646bab169c7.txt",
		"img": "https://archive.orkl.eu/4165bd0b14414b1c4cdee2382c23a646bab169c7.jpg"
	}
}