{
	"id": "b65cb451-33dc-43f6-8868-95e845a818a6",
	"created_at": "2026-04-09T02:23:05.42553Z",
	"updated_at": "2026-04-10T03:36:01.415151Z",
	"deleted_at": null,
	"sha1_hash": "c90d0ca180cc6ba0a63f17e46ac1236d2778d5ff",
	"title": "Thai media and content conglomerate Mono Next Public Company hit by ALTDOS hackers (UPDATE1) - DataBreaches.Net",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54010,
	"plain_text": "Thai media and content conglomerate Mono Next Public Company\r\nhit by ALTDOS hackers (UPDATE1) - DataBreaches.Net\r\nPublished: 2021-01-07 · Archived: 2026-04-09 02:04:46 UTC\r\nThe same hacking group that hit Country Group Securities (CGSEC) in Thailand has revealed a recent attack on\r\nMono Next Public Company Limited, a media and content conglomerate in Thailand.\r\nAbout MonoAs described by Thailand’s Securities and Exchange Commission, Mono Group divides its\r\nbusinesses into 5 business operations  MONO29 (Digital TV business),  MONOMAX (Video on Demand\r\nbusiness providing movies and series as well as being an international movie distributor under the name MONO\r\nStreaming3), MONOCyber (Online business on website MThai as well as providing strategic planning and\r\nHolistic Communications service for product brands),  Master Content Provider: Content acquisition and\r\nmarketing for Interactive TV business, and 29Shopping  (Home shopping business).\r\nAccording to Dun \u0026 Bradstreet, Mono Group generated $71.24 million (USD) in 2019.\r\nThreat actors calling themselves ALTDOS claim to have hacked 29shopping.com on January 6, mono29.com on\r\nJanuary 3, and mono.co.th on December 25. They also claim to have successfully completed other attacks across\r\nMono’s networks since November 2020 that resulted in the exfiltration of hundreds of gigabytes of data.\r\nAttempts to negotiate ransom demands with Mono were reportedly unsuccessful, a spokesperson informed\r\nDataBreaches.net, leading to them starting to dump data. The first small dump was customer data from\r\n29shopping.com from 2018 to this month.\r\nALTDOS had previously informed this site that they do not use ransomware, but they do exfiltrate data and then\r\ntry to get entities to pay them not to dump the data they acquired.\r\nIn addition to the .csv file with 1448 rows,  ALTDOS also  provided DataBreaches.net with screencaps showing\r\nthe scope of what else they could access.\r\nScrrenshot of folders with size of one folder\r\nScreencaps provided by ALTDOS showed folders containing 167 GB of data, with Mono29 sql was\r\nalmost 40 GB in size. Redacted by DataBreaches.net, who has not seen any of the contents of those\r\nhttps://www.databreaches.net/thai-media-and-content-conglomerate-mono-next-public-company-hit-by-altdos-hackers/\r\nPage 1 of 3\n\nfolders. \r\nIn response to a question from this site as to how they gained access, the spokesperson for what was described as a\r\nteam replied:\r\nThere are many methods which we’ve used to gain initial access to their networks ranging from\r\nsniffing, brute force to code injections.\r\nTheir motives, the spokesperson wrote, are purely financial and not political at all:\r\nThere is nothing political about our attacks. It’s all about the money. ALTDOS main focus is in ASEAN\r\nand we attack many targets ranging from Bangladesh, Philippines, Malaysia to Thailand. Apparently,\r\nthis is our 2nd Thai attack and Thai companies are hard to negotiate. Perhaps, it is difficult to\r\ncommunicate with the victims due to language barrier?\r\nDataBreaches.net reached out to Mono to request a response to ALTDOS’s claims. No reply has been received as\r\nyet, but the time difference could contribute to that. This post will be updated if a reply is received.\r\nUPDATE:  DataBreaches.net has received a statement from MONO.  The English version of their statement\r\nbegins:\r\nIt is revealed that an attacker (hacker(s)) has claimed to access the company’s data causing data breach\r\nof employee’s personal information and extorted money by threatening to expose the information to the\r\npublic.\r\nDue to this unusual circumstance, Mono Next Public Company Limited and subsidiaries would like to\r\nannounce that the company has a security system to protect the personal information database of all\r\nemployees and clients. The data is kept on a system located in the Company’s computer center and\r\ncloud server with sufficient protection and security measures according to the rights protection\r\nenforcement. Moreover, the system has been regularly monitored.\r\nThe attacker (hacker(s)) has accessed some employee’s data, such as name, last name, and age, and\r\nsome online customer’s data were leaked. Nevertheless, credit card or financial information and copy of\r\nidentification card remain safe. As for financial report, the company has already disclosed the\r\ninformation to the public.\r\nTherefore, the extortion is considered a cybercrime that defamed the company for the advantage of the\r\nattacker (hacker(s)). The attacker also stated that if the company ignores the extortion, the information\r\nwill be revealed to the public. Consequently, the attacker (hacker(s)) will become recognized and\r\ncontinue to extort other companies, targeting all public companies in the Stock Exchange of Thailand.\r\nThe remainder of the statement is to basically ask news outlets NOT to report on the attack and any data dumps, as\r\nit will encourage further attacks and extortion attempts. It is an argument that we have heard many times before,\r\nand while there may be merit to the notion of not reinforcing or assisting criminals by reporting on them, this site\r\nhas always weighed that against the importance of notifying consumers and patients whose data has already been\r\nhttps://www.databreaches.net/thai-media-and-content-conglomerate-mono-next-public-company-hit-by-altdos-hackers/\r\nPage 2 of 3\n\nstolen and may be being misused. MONO’s statement does not seem to state whether they are notifying any\r\nemployees or customers of data theft. DataBreaches.net has sent them a follow-up inquiry on that point.\r\nIn exchange for news outlets not reporting, it seems, MONO claims that “when the trial ends” (they seem to be\r\nassuming that the attackers will be caught and tried?), ” the company will be pleased to inform news agencies to\r\nreport the news as a case study in terms of preventive management. Because they have already been attacked and\r\ndata allegedly exfiltrated, it is not intuitively obvious what “preventive management” they would be describing.\r\nMONO’s statement also indicates that they are increasing their security.\r\nIf MONO responds to the inquiry about whether they are notifying everyone whose data has been stolen, this post\r\nwill be updated again.  In the interim, the attacker’s email account seems to have been killed off.\r\nSource: https://www.databreaches.net/thai-media-and-content-conglomerate-mono-next-public-company-hit-by-altdos-hackers/\r\nhttps://www.databreaches.net/thai-media-and-content-conglomerate-mono-next-public-company-hit-by-altdos-hackers/\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.databreaches.net/thai-media-and-content-conglomerate-mono-next-public-company-hit-by-altdos-hackers/"
	],
	"report_names": [
		"thai-media-and-content-conglomerate-mono-next-public-company-hit-by-altdos-hackers"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "348b092b-f28a-41d0-a7f2-4c399f2f973f",
			"created_at": "2024-06-25T02:00:05.046536Z",
			"updated_at": "2026-04-10T02:00:03.664032Z",
			"deleted_at": null,
			"main_name": "ALTDOS",
			"aliases": [],
			"source_name": "MISPGALAXY:ALTDOS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b4f79ca0-e94b-4abe-a61e-ea3d2a2458ad",
			"created_at": "2022-10-25T16:07:24.444096Z",
			"updated_at": "2026-04-10T02:00:04.994412Z",
			"deleted_at": null,
			"main_name": "ALTDOS",
			"aliases": [
				"0mid16B",
				"ALTDOS",
				"Desorden",
				"GHOSTR"
			],
			"source_name": "ETDA:ALTDOS",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775701385,
	"ts_updated_at": 1775792161,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c90d0ca180cc6ba0a63f17e46ac1236d2778d5ff.pdf",
		"text": "https://archive.orkl.eu/c90d0ca180cc6ba0a63f17e46ac1236d2778d5ff.txt",
		"img": "https://archive.orkl.eu/c90d0ca180cc6ba0a63f17e46ac1236d2778d5ff.jpg"
	}
}