{
	"id": "8aed47ed-98ea-4c94-9323-7732add3bf2e",
	"created_at": "2026-04-09T02:23:38.546085Z",
	"updated_at": "2026-04-10T03:36:01.42315Z",
	"deleted_at": null,
	"sha1_hash": "a220c79d7e103dc2dc414a6609e8f3597118c5ba",
	"title": "Thai entities continue to fall prey to cyberattacks and leaks - DataBreaches.Net",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 156208,
	"plain_text": "Thai entities continue to fall prey to cyberattacks and leaks -\r\nDataBreaches.Net\r\nPublished: 2022-07-31 · Archived: 2026-04-09 02:07:27 UTC\r\nFor over one year, DataBreaches.net has highlighted some breaches of  ASEAN victims by groups such as ALTDOS and\r\nDESORDEN. In addition to those two groups, there are also numerous other leaks and breaches, as DataBreaches noted in\r\nour recent post about leaks and breaches in Indonesia.\r\nBut even while DataBreaches was researching and preparing the post on Indonesia, DESORDEN threat actors continued to\r\nannounce new victims in Thailand and further headaches for earlier Thai victims who had not paid their demands.\r\nAnd then it appeared things might get even worse.\r\nFour Breaches of Thai Entities DESORDEN Announced This Week\r\nThe first was Frasers Property Thailand Public Company Limited. DESORDEN provided DataBreaches with samples\r\nof the data and a video suggesting the scope of the breach. They also posted the breach on a popular hacking-related forum\r\nwith a free sample.  Their listing claims the breach involved “312,834 personal data information of their customers, along\r\nwith their HR, financial and corporate data.”\r\nDataBreaches has not spotted any media coverage or notice on Fraser’s website. A request sent to Fraser for a copy of any\r\nnotification or press release, and a question about who has been notified did not receive an immediate reply.\r\nThe second DESORDEN victim was Union Auction Public Company Limited. As with Fraser, DESORDEN made a\r\npublic claim on a hacking-related forum, offered free sample data, and made the rest available for purchase. In this case,\r\nthey claimed to have acquired 30,000+ personal data information of their victim’s members. Finding no notice on Union\r\nAuction’s website nor media coverage, DataBreaches sent an email inquiry requesting a copy of any notification and asking\r\nwho had been notified of this breach at this point. 
The email bounced back, undelivered, and an attempt to use their site\r\ncontact form failed.\r\nThe third DESORDEN victim is also a publicly listed firm: Srikrung Broker Co., Ltd., an insurance broker company.\r\nSrikrung issued a statement acknowledging the breach. DESORDEN claims it stole more than 369 GB of data with\r\napproximately 3.28 million customer records and 462,980 agent records in its public listing on a hacking forum.\r\nThen just today, DESORDEN sent an update to DataBreaches, indicating that three days after breaching Srikrung Broker,\r\nthey breached another business under that company: 724.co.th, an insurance marketplace. This latest breach, they claim,\r\ninvolved 1.75 TB of scanned ID copies and loan documents and has also been posted to a hacking forum. An attempt by\r\nDataBreaches to connect to 724’s website this morning timed out.\r\nhttps://www.databreaches.net/thai-entities-continue-to-fall-prey-to-cyberattacks-and-leaks/\r\nPage 1 of 4\n\nDESORDEN listings on a hacking forum. Some listings are explicitly for sale. Others provide a sample and\r\ninvite people to contact them on TOX for purchase inquiries. With one exception, all of the entries color-coded red by DataBreaches.net are Thai entities.\r\nOther Listings Related to Data of Thai Entities\r\nDESORDEN isn’t the only source of leaks or breaches affecting Thai entities, of course, with ALTDOS having previously\r\nbeen a significant threat actor in the region. 
DataBreaches also found other listings by other vendors or threat actors over the\r\npast few months on a popular forum where people can sell or acquire data:\r\nAn April listing offering data from Pruksa Clinic claimed to have 48,303,229 records.\r\nAnother listing offered 5.9 million citizens’ data with their full name, date of birth, mobile telephone number, and\r\ncomplete address.\r\nA listing for “huge data of thailand citizen” claimed to have data from a Thai university with email, address, phone,\r\nfull name, and other files.\r\nA listing with data purportedly from the Royal Thai Police, knowledge management of police patrol platform\r\n(KMPPP). Using leaked credentials, someone was reportedly able to scrape data containing the information of 6793\r\ncyber villages across Thailand.\r\nA listing about the Thai Ministry of Public Health with a Covid database.\r\nSome data allegedly leaked from the Thailand Institute Of Nuclear Technology.\r\nNOTE: DataBreaches has not attempted to validate any of the claims in the postings described above, and not all of them\r\nare even still available. They are presented here merely to demonstrate an interest in the underground for data from\r\nThailand, and people are more than willing to profit by meeting that need.\r\nAnd Then Things Seemed to Be About to Get Worse\r\nImage: Dreamstime\r\nIn the past few days, DESORDEN started making ransomware builds freely available to members of a hacking-related\r\nforum. Because DataBreaches was unaware of any incidents in which DESORDEN had used ransomware in its attacks on\r\nentities, DataBreaches asked them whether they had used it and whether their offer of free ransomware builds by others to\r\nforum members signaled that they would also be using ransomware more often in their activities. 
DataBreaches also asked\r\nDESORDEN if they had considered that by making these builds freely available to all, some young and inexperienced\r\npeople might try to use them to attack hospitals or critical infrastructure.\r\nDESORDEN responded that they do not use ransomware in most of their attacks — not even during the Acer India attack.\r\nBut even when they deploy ransomware, they write, they would not use the types offered on the forum or any type or\r\nversion already hashed by VirusTotal because those are impossible to deploy on systems that have even basic antivirus\r\nprotection.\r\nAs to the two specific ransomware builds they offered freely on a forum, they note that CHAOS Ransomware Builder is a\r\nwiper, although it is advertised as ransomware, and it doesn’t work with any properly installed AV system. The other\r\noffering, Yashma Ransomware Builder, is an upgraded one that has not been detected often in the wild. And here’s where\r\ntheir answer became particularly interesting:\r\nWe have already submitted it to VirusTotal 12 days ago before we post it for free. In one way, we are helping\r\nothers to prevent attacks by Yashma ransomware. You can see the data submission here:\r\nhttps://www.virustotal.com/gui/file/f9a5a72ead096594c5d59abe706e3716f6000c3b4ebd7690f2eb114a37d1a7db/detection/f-f9a5a72ead096594c5d59abe706e3716f6000c3b4ebd7690f2eb114a37d1a7db-1652338917\r\nThe Yashma was provided to us by a credible source for reverse engineering purposes. We have already submitted\r\nto VirusTotal which will be uploaded to majority AV detection. So it is almost impossible for young wannabes to\r\ndeploy it on basic AV protected systems, as basic as Windows Defender. Also, ransomware is not easily deployed\r\nas seen in movies or online news. 
Deploying it requires skills in underlying systems.\r\nSo that was a bit of a surprise: DESORDEN offered a free build of others’ ransomware but first uploaded it to\r\nvirustotal.com so that it will be detected by more systems and be less likely to succeed if entities use basic security hygiene\r\nlike updated antivirus protection.\r\nDataBreaches will continue to try to cover ASEAN breaches, and hopes that the country’s regulator will publish some\r\nguidance to entities there if they have not done so already.\r\nUPDATE: Hours after posting this, I heard from DESORDEN, who wrote that they were suspicious of the Pruksa Clinic\r\nlisting mentioned in the post because, “A leak involving 48 million would be big, considering Thailand population of only\r\n70 million. Also, a clinic of this size is impossible to have such many customer records. So we went on to investigate on the\r\ntarget.”\r\nThat translated into: they hacked into the clinic, looked around, and reported that the clinic only had a few thousand\r\npatients.\r\nTo prove, we are in their system. We put a message for you on one of their pages:\r\nAnd indeed they had. When I checked the url they provided, it took me to a page on Pruksa Clinic, and here is what I saw:\r\nSo now we know to be suspicious of that listing claiming 48 million. But as DESORDEN subsequently explained, their\r\nmotive wasn’t totally altruistic:\r\nWe were only concerned when we saw 48 million records in Thailand being leaked via a private company. As far\r\nas we know, Mistine hack is the largest heist in terms of 20 million customers and 10 million sales representatives\r\nfrom a private company in Thailand. 
And obviously we aim to continue holding the records, as long as we could.\r\n=)\r\nWhatever their motive, this is a useful reminder not to just believe whatever is posted in forums for sale or tokens.\r\nSource: https://www.databreaches.net/thai-entities-continue-to-fall-prey-to-cyberattacks-and-leaks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.databreaches.net/thai-entities-continue-to-fall-prey-to-cyberattacks-and-leaks/"
	],
	"report_names": [
		"thai-entities-continue-to-fall-prey-to-cyberattacks-and-leaks"
	],
	"threat_actors": [
		{
			"id": "e5ccc758-f2a5-417b-ba5c-70edf39bc048",
			"created_at": "2022-10-25T16:07:24.481513Z",
			"updated_at": "2026-04-10T02:00:05.005021Z",
			"deleted_at": null,
			"main_name": "Desorden",
			"aliases": [],
			"source_name": "ETDA:Desorden",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "348b092b-f28a-41d0-a7f2-4c399f2f973f",
			"created_at": "2024-06-25T02:00:05.046536Z",
			"updated_at": "2026-04-10T02:00:03.664032Z",
			"deleted_at": null,
			"main_name": "ALTDOS",
			"aliases": [],
			"source_name": "MISPGALAXY:ALTDOS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b4f79ca0-e94b-4abe-a61e-ea3d2a2458ad",
			"created_at": "2022-10-25T16:07:24.444096Z",
			"updated_at": "2026-04-10T02:00:04.994412Z",
			"deleted_at": null,
			"main_name": "ALTDOS",
			"aliases": [
				"0mid16B",
				"ALTDOS",
				"Desorden",
				"GHOSTR"
			],
			"source_name": "ETDA:ALTDOS",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775701418,
	"ts_updated_at": 1775792161,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a220c79d7e103dc2dc414a6609e8f3597118c5ba.pdf",
		"text": "https://archive.orkl.eu/a220c79d7e103dc2dc414a6609e8f3597118c5ba.txt",
		"img": "https://archive.orkl.eu/a220c79d7e103dc2dc414a6609e8f3597118c5ba.jpg"
	}
}