{
	"id": "e59117e9-ecdd-42e0-8360-df66b69a9bbf",
	"created_at": "2026-04-06T00:06:58.998225Z",
	"updated_at": "2026-04-10T03:36:01.429801Z",
	"deleted_at": null,
	"sha1_hash": "c00f3ba314c0a856cc72c7fddaa53cd35c66bb1a",
	"title": "ALTDOS, Desorden - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 96098,
	"plain_text": "ALTDOS, Desorden - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-05 18:18:57 UTC\r\nHome \u003e List all groups \u003e ALTDOS, Desorden\r\n Other threat group: ALTDOS, Desorden\r\nNames\r\nALTDOS (self given)\r\nDesorden (self given)\r\nGHOSTR (elf given)\r\n0mid16B (self given)\r\nCountry Singapore\r\nMotivation Financial gain\r\nFirst seen 2020\r\nDescription\r\n(Group-IB) Group-IB, a leading creator of cybersecurity technologies to investigate,\r\nprevent, and fight digital crime, announced today that it has contributed to a joint\r\noperation of the Royal Thai Police and the Singapore Police Force which led to the\r\narrest of an individual responsible for more than 90 instances of data leaks\r\nworldwide, including 65 across the Asia-Pacific region. It resulted in over 13TB of\r\npersonal data which has been sold on the dark web. In some countries the\r\ngovernment agencies were also attacked, compromising sensitive information on a\r\nlarge scale. Operating under aliases ALTDOS, DESORDEN, GHOSTR and\r\n0mid16B, the arrested individual was one of the most active cybercriminals in the\r\nAsia-Pacific since 2021, targeting companies and businesses in Thailand, Singapore,\r\nMalaysia, Indonesia, India and many more.\r\nObserved\r\nCountries: Australia, Austria, Cambodia, Canada, France, India, Indonesia,\r\nBangladesh, Malaysia, New Zealand, Pakistan, Philippines, Singapore, Taiwan,\r\nThailand, UK, USA.\r\nTools used Cobalt Strike.\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=0d49b800-c289-48a6-a2f9-c9cfba116e21\r\nPage 1 of 6\n\nOperations performed\nDec 2020\n“ALTDOS,” as they call themselves, contacted a number of news\noutlets in Thailand and online news sites to announce that they had\nattacked CGSEC on December 4.\nJan 2021\nThe same hacking group that hit Country Group Securities (CGSEC)\nin Thailand has revealed a recent attack on Mono Next Public\nCompany Limited, a media and content conglomerate in Thailand.\nJan 2021\nHackers claim to have attacked major Bangladeshi conglomerate\nMar 2021\nVhive, a popular retail furniture chain in Singapore, has posted a\nnotice on their web site and Facebook page announcing a cyberattack\nthat occurred on March 23.\nMay 2021\nAudio House customer data possibly stolen by hackers\nJun 2021\nALTDOS claimed to have attacked Unispec Group Singapore, which\noperates in the marine industry, providing services in marine\ninsurance, surveying, cargo, containers, and marine IT software.\nUniSpec has offices in Singapore, India, Thailand, Malaysia,\nIndonesia, South Korea and China.\nAug 2021\nSingapore-based OrangeTee appears to have suffered a massive hack\nand data exfiltration by ALTDOS threat actors.\nSep 2021\nALTDOS claims to have hacked one of Malaysia’s biggest\nconglomerates\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=0d49b800-c289-48a6-a2f9-c9cfba116e21\nPage 2 of 6\n\nSep 2021\nDesorden Group claims to have stolen 200 GB of data from ABX\nExpress\nOct 2021\nAnother Malaysia carrier allegedly hacked and data exfiltrated —\nSkynet\nOct 2021\nAcer confirms second security breach this year\nOct 2021\nAcer under fire: Now hackers claim to have hit Acer Taiwan, too\nOct 2021\nCentral Restaurants Group in Thailand hit by Desorden\nOct 2021\nDesorden Group expands attack on Central Group after deal to pay\nthem allegedly fell through\nJul 2022\nDesorden is back, declares an attack on MISTINE Better Way\nThailand Company\nJul 2022\nThai entities continue to fall prey to cyberattacks and leaks\nAug 2022\nMajor Indonesia tollroad operator hacked by DESORDEN\nSep 2022\nTH: Major Cineplex and Major Development PCL hit by\nDESORDEN\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=0d49b800-c289-48a6-a2f9-c9cfba116e21\nPage 3 of 6\n\nSep 2022\nCustomer data from hundreds of Indonesian and Malaysian\nrestaurants hacked by DESORDEN\nSep 2022\nDESORDEN leaks more data from Indonesia; “Indo data is officially\nworthless”\nSep 2022\nMalaysian Telecom RedOne hit by DESORDEN\nOct 2022\nThailand’s THE ICON GROUP hacked by DESORDEN\nOct 2022\nRevenge telecom hacking by DESORDEN Group; third attack\nthreatened\nOct 2022\nJohnson Fitness and Wellness hit by DESORDEN Group\nJul 2023\nMajor Malaysian water utilities company hit by hackers; Ranhill\noffline; hackers claim databases and backups deleted\nMar 2024\nHackers are threatening to leak World-Check, a huge sanctions and\nfinancial crimes watchlist\nMay 2024\nCooler Master confirms customer info stolen in data breach\nMay 2024 Thailand’s Hatari Electric Faces Major Data Breach: GHOSTR\nClaims Possession of 617.3 GB of Sensitive Information\n\nmajor-data-breach-ghostr-claims-possession-of-617-3-gb-of-sensitive-information/\u003e\nJun 2024\nSingapore-Based Absolute Telecom Allegedly Hit by Cyberattack:\nOver 34GB of Data Compromised\nJun 2024\nVictorian Freight Specialists suffers alleged 800+GB data breach\nJul 2024\nAir India Investigating Data Breach Claims Stemming from Arabian\nTravel Agency Hack\nJul 2024\nThird-party breach resulted in Singapore Moneylenders Credit Bureau\nbeing leaked by GhostR\nNov 2024\nThai loyalty membership card data of 5 million customers put up for\nsale on hacking forum\nDec 2024\nToday’s insider threat: Ardyss edition\nDec 2024\nHacked on Christmas, DEphoto starts notifying customers, only to be\nattacked again\nJan 2025\nExclusive: Apex Custom Software hacked, threat actors threaten to\nleak the software\nCounter operations\nSep 2021\nALTDOS claims some of their servers were seized but they did not\nlose data\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=0d49b800-c289-48a6-a2f9-c9cfba116e21\nPage 5 of 6\n\nFeb 2025\nHacker responsible for international data breaches arrested in joint\nSingapore-Thailand operation\nInformation\nLast change to this card: 21 April 2025\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=0d49b800-c289-48a6-a2f9-c9cfba116e21\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=0d49b800-c289-48a6-a2f9-c9cfba116e21\nPage 6 of 6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=0d49b800-c289-48a6-a2f9-c9cfba116e21"
	],
	"report_names": [
		"showcard.cgi?u=0d49b800-c289-48a6-a2f9-c9cfba116e21"
	],
	"threat_actors": [
		{
			"id": "e5ccc758-f2a5-417b-ba5c-70edf39bc048",
			"created_at": "2022-10-25T16:07:24.481513Z",
			"updated_at": "2026-04-10T02:00:05.005021Z",
			"deleted_at": null,
			"main_name": "Desorden",
			"aliases": [],
			"source_name": "ETDA:Desorden",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a69a32c-82d0-431b-b5ab-34a070bf8d94",
			"created_at": "2023-11-08T02:00:07.154393Z",
			"updated_at": "2026-04-10T02:00:03.428568Z",
			"deleted_at": null,
			"main_name": "Desorden Group",
			"aliases": [],
			"source_name": "MISPGALAXY:Desorden Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e8effad-d9fb-4b49-bba4-9b4e5953356d",
			"created_at": "2024-04-23T02:00:04.243074Z",
			"updated_at": "2026-04-10T02:00:03.630533Z",
			"deleted_at": null,
			"main_name": "GhostR",
			"aliases": [],
			"source_name": "MISPGALAXY:GhostR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "348b092b-f28a-41d0-a7f2-4c399f2f973f",
			"created_at": "2024-06-25T02:00:05.046536Z",
			"updated_at": "2026-04-10T02:00:03.664032Z",
			"deleted_at": null,
			"main_name": "ALTDOS",
			"aliases": [],
			"source_name": "MISPGALAXY:ALTDOS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b4f79ca0-e94b-4abe-a61e-ea3d2a2458ad",
			"created_at": "2022-10-25T16:07:24.444096Z",
			"updated_at": "2026-04-10T02:00:04.994412Z",
			"deleted_at": null,
			"main_name": "ALTDOS",
			"aliases": [
				"0mid16B",
				"ALTDOS",
				"Desorden",
				"GHOSTR"
			],
			"source_name": "ETDA:ALTDOS",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434018,
	"ts_updated_at": 1775792161,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c00f3ba314c0a856cc72c7fddaa53cd35c66bb1a.pdf",
		"text": "https://archive.orkl.eu/c00f3ba314c0a856cc72c7fddaa53cd35c66bb1a.txt",
		"img": "https://archive.orkl.eu/c00f3ba314c0a856cc72c7fddaa53cd35c66bb1a.jpg"
	}
}