🇨🇳

GhostR

APT Group 10 zero-day CVEs ETDA ✓

Also Known As

No alias recorded

Target Countries 2

Countries highlighted in red

Denmark United States

Sectors Targeted

Plastics Product Manufacturing 3261 Freight Transportation Arrangement 48851

Details

Origin 🇨🇳 CN

Last Updated 13 Apr 2026

MITRE ATT&CK 60

T1005 - Data from Local System T1008 - Fallback Channels T1012 - Query Registry T1014 - Rootkit T1016 - System Network Configuration Discovery T1016.001 - Internet Connection Discovery T1027 - Obfuscated Files or Information T1036 - Masquerading T1041 - Exfiltration Over C2 Channel T1047 - Windows Management Instrumentation T1053.005 - Scheduled Task T1055 - Process Injection T1056 - Input Capture T1057 - Process Discovery T1059 - Command and Scripting Interpreter T1059.003 T1069 - Permission Groups Discovery T1069.002 - Domain Groups T1071 - Application Layer Protocol T1071.001 - Web Protocols T1071.004 - DNS T1078.004 - Cloud Accounts T1083 - File and Directory Discovery T1102 - Web Service T1104 - Multi-Stage Channels T1105 - Ingress Tool Transfer T1106 - Native API T1113 - Screen Capture T1115 - Clipboard Data T1116 - Code Signing T1134 - Access Token Manipulation T1140 - Deobfuscate/Decode Files or Information T1176 - Browser Extensions T1189 - Drive-by Compromise T1190 T1195 - Supply Chain Compromise T1204 - User Execution T1218 - Signed Binary Proxy Execution T1456 - Drive-by Compromise T1480 - Execution Guardrails T1496 - Resource Hijacking T1546 - Event Triggered Execution T1547 - Boot or Logon Autostart Execution T1553 - Subvert Trust Controls T1553.002 - Code Signing T1562 - Impair Defenses T1562.001 - Disable or Modify Tools T1564 - Hide Artifacts T1566 - Phishing T1568 - Dynamic Resolution T1568.002 - Domain Generation Algorithms T1573 - Encrypted Channel T1574 - Hijack Execution Flow T1583 - Acquire Infrastructure T1583.001 - Domains T1583.004 - Server T1584.003 - Virtual Private Server T1584.005 - Botnet T1590 - Gather Victim Network Information T1598 - Phishing for Information

Related Zero-Days 10

CVE-2017-0199 CVE-2017-5638 CVE-2019-0708 CVE-2021-44228 CVE-2022-26134 CVE-2024-50302 CVE-2024-53104 CVE-2024-53197 CVE-2025-13223 CVE-2025-58034

Known Names 4 entries

ALTDOS self given

Desorden self given

GHOSTR elf given

0mid16B self given

Observed Target Countries 17

Based on ETDA data — countries highlighted in red

Australia Austria Cambodia Canada France India Indonesia Bangladesh Malaysia New Zealand Pakistan Philippines Singapore Taiwan Thailand UK USA

Description

(Group-IB) Group-IB, a leading creator of cybersecurity technologies to investigate, prevent, and fight digital crime, announced today that it has contributed to a joint operation of the Royal Thai Police and the Singapore Police Force which led to the arrest of an individual responsible for more than 90 instances of data leaks worldwide, including 65 across the Asia-Pacific region. It resulted in over 13TB of personal data which has been sold on the dark web. In some countries the government agencies were also attacked, compromising sensitive information on a large scale. Operating under aliases ALTDOS, DESORDEN, GHOSTR and 0mid16B, the arrested individual was one of the most active cybercriminals in the Asia-Pacific since 2021, targeting companies and businesses in Thailand, Singapore, Malaysia, Indonesia, India and many more.

Tools Used 1

Cobalt Strike

Operations 36

2020-12 “ALTDOS,” as they call themselves, contacted a number of news outlets in Thailand and online news sites to announce that they had attacked CGSEC on December 4. https://www.databreaches.net/thai-securities-trading-firm-goes-offline-after-cyberattack/

2021-01 The same hacking group that hit Country Group Securities (CGSEC) in Thailand has revealed a recent attack on Mono Next Public Company Limited, a media and content conglomerate in Thailand. https://www.databreaches.net/thai-media-and-content-conglomerate-mono-next-public-company-hit-by-altdos-hackers/

2021-01 Hackers claim to have attacked major Bangladeshi conglomerate https://www.databreaches.net/hackers-claim-to-have-attacked-major-bangladeshi-conglomerate/

2021-03 Vhive, a popular retail furniture chain in Singapore, has posted a notice on their web site and Facebook page announcing a cyberattack that occurred on March 23. https://www.databreaches.net/sg-vhive-alerts-consumers-to-cyberattack/ https://www.databreaches.net/sg-vhive-attackers-escalate-take-control-of-furniture-retailers-email-server/

2021-05 Audio House customer data possibly stolen by hackers https://www.straitstimes.com/tech/tech-news/audio-house-customer-data-possibly-stolen-by-hackers

2021-06 ALTDOS claimed to have attacked Unispec Group Singapore, which operates in the marine industry, providing services in marine insurance, surveying, cargo, containers, and marine IT software. UniSpec has offices in Singapore, India, Thailand, Malaysia, Indonesia, South Korea and China. https://www.databreaches.net/asean-companies-still-targeted-by-altdos-threat-actors/

2021-08 Singapore-based OrangeTee appears to have suffered a massive hack and data exfiltration by ALTDOS threat actors. https://www.databreaches.net/singapore-real-estate-firm-breached-by-altdos/

2021-09 ALTDOS claims to have hacked one of Malaysia’s biggest conglomerates https://www.databreaches.net/altdos-claims-to-have-hacked-one-of-malaysias-biggest-conglomerates/

2021-09 Desorden Group claims to have stolen 200 GB of data from ABX Express https://www.databreaches.net/desorden-group-claims-to-have-stolen-200-gb-of-data-from-abx-express/

2021-10 Another Malaysia carrier allegedly hacked and data exfiltrated — Skynet https://www.databreaches.net/another-malaysia-carrier-allegedly-hacked-and-data-exfiltrated-skynet/

2021-10 Acer confirms second security breach this year https://therecord.media/acer-confirms-second-security-breach-this-year/

2021-10 Acer under fire: Now hackers claim to have hit Acer Taiwan, too https://www.databreaches.net/acer-under-fire-now-hackers-claim-to-have-hit-acer-taiwan-too/

2021-10 Central Restaurants Group in Thailand hit by Desorden https://www.databreaches.net/central-restaurants-group-in-thailand-hit-by-desorden/

2021-10 Desorden Group expands attack on Central Group after deal to pay them allegedly fell through https://www.databreaches.net/desorden-group-expands-attack-on-central-group-after-deal-to-pay-them-allegedly-fell-through/

2022-07 Desorden is back, declares an attack on MISTINE Better Way Thailand Company https://www.databreaches.net/desorden-is-back-declares-an-attack-on-mistine-better-way-thailand-company/

2022-07 Thai entities continue to fall prey to cyberattacks and leaks https://www.databreaches.net/thai-entities-continue-to-fall-prey-to-cyberattacks-and-leaks/

2022-08 Major Indonesia tollroad operator hacked by DESORDEN https://www.databreaches.net/major-indonesia-tollroad-operator-hacked-by-desorden/

2022-09 TH: Major Cineplex and Major Development PCL hit by DESORDEN https://www.databreaches.net/th-major-cineplex-and-major-development-pcl-hit-by-desorden/

2022-09 Customer data from hundreds of Indonesian and Malaysian restaurants hacked by DESORDEN https://www.databreaches.net/customer-data-from-hundreds-of-indonesian-and-malaysian-restaurants-hacked-by-desorden/

2022-09 DESORDEN leaks more data from Indonesia; “Indo data is officially worthless” https://www.databreaches.net/desorden-leaks-more-data-from-indonesia-indo-data-is-officially-worthless/

2022-09 Malaysian Telecom RedOne hit by DESORDEN https://www.databreaches.net/malaysian-telecom-redone-hit-by-desorden/

2022-10 Thailand’s THE ICON GROUP hacked by DESORDEN https://www.databreaches.net/thailands-the-icon-group-hacked-by-desorden/

2022-10 Revenge telecom hacking by DESORDEN Group; third attack threatened https://www.databreaches.net/revenge-telecom-hacking-by-desorden-group-third-attack-threatened/

2022-10 Johnson Fitness and Wellness hit by DESORDEN Group https://www.databreaches.net/johnson-fitness-and-wellness-hit-by-desorden-group/

2023-07 Major Malaysian water utilities company hit by hackers; Ranhill offline; hackers claim databases and backups deleted https://www.databreaches.net/major-malaysian-water-utilities-company-hit-by-hackers-ranhill-offline-hackers-claim-databases-and-backups-deleted/

2024-03 Hackers are threatening to leak World-Check, a huge sanctions and financial crimes watchlist https://techcrunch.com/2024/04/18/world-check-database-leaked-sanctions-financial-crimes-watchlist/

2024-05 Cooler Master confirms customer info stolen in data breach https://www.bleepingcomputer.com/news/security/cooler-master-confirms-customer-info-stolen-in-data-breach/

2024-05 Thailand’s Hatari Electric Faces Major Data Breach: GHOSTR Claims Possession of 617.3 GB of Sensitive Information https://news.cloudsek.com/2024/05/thailands-hatari-electric-faces-major-data-breach-ghostr-claims-possession-of-617-3-gb-of-sensitive-information/

2024-06 Singapore-Based Absolute Telecom Allegedly Hit by Cyberattack: Over 34GB of Data Compromised https://thecyberexpress.com/alleged-absolute-telecom-data-breach/

2024-06 Victorian Freight Specialists suffers alleged 800+GB data breach https://www.cyberdaily.au/security/10667-victorian-freight-specialists-suffers-alleged-800-gigabyte-data-breach

2024-07 Air India Investigating Data Breach Claims Stemming from Arabian Travel Agency Hack https://thecyberexpress.com/arabian-travel-agency-data-breach-exposed-info/

2024-07 Third-party breach resulted in Singapore Moneylenders Credit Bureau being leaked by GhostR https://databreaches.net/2024/07/24/third-party-breach-resulted-in-singapore-moneylenders-credit-bureau-being-leaked-by-ghostr/

2024-11 Thai loyalty membership card data of 5 million customers put up for sale on hacking forum https://databreaches.net/2024/11/20/thai-loyalty-membership-card-data-of-5-million-customers-put-up-for-sale-on-hacking-forum/

2024-12 Today’s insider threat: Ardyss edition https://databreaches.net/2024/12/24/todays-insider-threat-ardyss-edition/

2024-12 Hacked on Christmas, DEphoto starts notifying customers, only to be attacked again https://databreaches.net/2025/01/01/hacked-on-christmas-dephoto-starts-notifying-customers-only-to-be-attacked-again/

2025-01 Exclusive: Apex Custom Software hacked, threat actors threaten to leak the software https://databreaches.net/2025/01/30/exclusive-apex-custom-software-hacked-threat-actors-threaten-to-leak-the-software/

Reports & References 4

https://www.csa.gov.sg/singcert/-/media/Singcert/PDFs/Joint-Advisory-on-ALTDOS.pdf https://cloudsek.com/threatintelligence/threat-group-desorden-actively-targeting-asian-conglomerates/ https://www.group-ib.com/media-center/press-releases/joint-operation-with-royal-thai-police-and-singapore-police-force/ https://www.group-ib.com/blog/the-cybercriminal-with-four-faces-revealing-group-ib-s-investigation-into-altdos-desorden-ghostr-and-0mid16b/

ETDA Profile

ALTDOS, Desorden

Origin

Singapore

First Seen 2020

Motivation

Financial gain

View on ETDA APT Groups ↗