{
	"id": "d776d7b0-5d4c-40a8-84c5-5c4851d04789",
	"created_at": "2026-04-09T02:23:10.234212Z",
	"updated_at": "2026-04-10T13:11:58.783263Z",
	"deleted_at": null,
	"sha1_hash": "653622fa74580c274fae0a57da6e2ef01c81ac3b",
	"title": "Johnson Fitness and Wellness hit by DESORDEN Group - DataBreaches.Net",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 127577,
	"plain_text": "Johnson Fitness and Wellness hit by DESORDEN Group -\r\nDataBreaches.Net\r\nPublished: 2022-10-09 · Archived: 2026-04-09 02:20:03 UTC\r\nIn what has become a familiar event, DESORDEN Group announced yet another attack on a multinational\r\ncorporation. This time, their target was Johnson Fitness and Wellness, a subsidiary of Johnson Health Tech.\r\nCo., Ltd. Johnson Health Tech manufactures exercise training equipment and is listed on the Taiwan stock\r\nexchange; Johnson Fitness is headquartered in the U.S. and is an exercise equipment retailer.\r\nIn their post on a popular hacking forum, DESORDEN stated that the breach involved 71 GB of data and files\r\naffecting Johnson Fitness’s suppliers, dealers, customers, and employees. Files concerning their internal\r\noperations and financial records were also acquired.\r\nA screencap showing folders in one of the drives accessed on JohnsonFitness.com.\r\nDataBreaches.net has redacted the folder names.\r\nMost of the sample files did not contain personal information. Other sample data shared exclusively with\r\nDataBreaches included customers’ personal information such as name, address, phone number, and date of birth.\r\nOf note, a leaked “sysusers” file included employee names, email addresses,  usernames, and passwords in\r\nplaintext.  DESORDEN’s spokesperson commented that they were surprised that a big company left their\r\npasswords in plaintext, “which is really rare in our attacks against big companies.”\r\n“This Johnson hack took quite a lot of time too,” they added, explaining, “we breached into their\r\n[Johnson Health Tech’s] mainframe server, but they had AVs and firewall that prevent outgoing\r\nconnections — only allowed IPs of those within the network. So we have to find the other servers on\r\nthe same network, breach in and pray hard that the firewall config is allowed.\r\nhttps://www.databreaches.net/johnson-fitness-and-wellness-hit-by-desorden-group/\r\nPage 1 of 2\n\nAt the end of the day, we used another breached server to act as a bridge to the mainframe and stole the\r\ndata. So it took quite a bit of time.”\r\nDESORDEN’s spokesperson could not recall exactly when they first accessed Johnson but estimated that they\r\nwere in there for months. They still have access, they claim.\r\nAccording to their statement to DataBreaches, although Johnson read their emails, downloaded the data samples,\r\nand watched the video, they did not reply to any of their communications.\r\nDESORDEN explained that their initial communications to a victim do not specify a specific demand amount.\r\n“We will wait for victims to respond, then we will set the sum based on their size,” they tell DataBreaches. So\r\nbecause Johnson did not respond to DESORDEN, they do not know how much DESORDEN might be\r\ndemanding.\r\nThe total lack of response suggests that Johnson has no intention of paying any ransom demand. DESORDEN’s\r\nspokesperson told DataBreaches that they are neither surprised nor particularly upset by that because they believe\r\nthey will be able to quickly sell the corporate information and trade secrets they were able to exfiltrate.\r\nDataBreaches sent an email inquiry to Johnson Fitness about their response to the claimed attack. No reply has\r\nbeen received as of publication time.\r\nSource: https://www.databreaches.net/johnson-fitness-and-wellness-hit-by-desorden-group/\r\nhttps://www.databreaches.net/johnson-fitness-and-wellness-hit-by-desorden-group/\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.databreaches.net/johnson-fitness-and-wellness-hit-by-desorden-group/"
	],
	"report_names": [
		"johnson-fitness-and-wellness-hit-by-desorden-group"
	],
	"threat_actors": [
		{
			"id": "e5ccc758-f2a5-417b-ba5c-70edf39bc048",
			"created_at": "2022-10-25T16:07:24.481513Z",
			"updated_at": "2026-04-10T02:00:05.005021Z",
			"deleted_at": null,
			"main_name": "Desorden",
			"aliases": [],
			"source_name": "ETDA:Desorden",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a69a32c-82d0-431b-b5ab-34a070bf8d94",
			"created_at": "2023-11-08T02:00:07.154393Z",
			"updated_at": "2026-04-10T02:00:03.428568Z",
			"deleted_at": null,
			"main_name": "Desorden Group",
			"aliases": [],
			"source_name": "MISPGALAXY:Desorden Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b4f79ca0-e94b-4abe-a61e-ea3d2a2458ad",
			"created_at": "2022-10-25T16:07:24.444096Z",
			"updated_at": "2026-04-10T02:00:04.994412Z",
			"deleted_at": null,
			"main_name": "ALTDOS",
			"aliases": [
				"0mid16B",
				"ALTDOS",
				"Desorden",
				"GHOSTR"
			],
			"source_name": "ETDA:ALTDOS",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775701390,
	"ts_updated_at": 1775826718,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/653622fa74580c274fae0a57da6e2ef01c81ac3b.pdf",
		"text": "https://archive.orkl.eu/653622fa74580c274fae0a57da6e2ef01c81ac3b.txt",
		"img": "https://archive.orkl.eu/653622fa74580c274fae0a57da6e2ef01c81ac3b.jpg"
	}
}