Menu
Browse

Cyber Threat Actor: Gh0s7

Aliases: 3 aliases
Actor Type Location Known Incidents
 Icon
Activist
Thailand
3 incidents
Profile

The threat actoris known by the aliases Gh0s7, Shad0ws3c and Sc0rp10nGh0s7. Public reporting indicates the actor is based in Thailand. The actor has primarily targeted governmental and public‑sector organizations in India, Thailand, Mexico and Paraguay. Stated objectives include exposing security weaknesses in government systems and demonstrating the group’s resurgence. In some incidents the actor said the motive was retaliation against recent arrests of hacktivists and emphasized that the goal was to pressure authorities rather than harm individuals.

Initial access has been achieved by exploiting poor credential management, such as usernames and passwords stored in plaintext files. In other cases the actor leveraged a server vulnerability to obtain the main database containing personal information. After gaining access, the actor has exfiltrated data and released a portion via file‑sharing services like Mega to serve as proof of compromise. The actor has repeatedly mentioned keeping the specific flaws or tools used confidential and has not disclosed malware families or custom tooling in public statements. Representative operations include the 2017 breach of India’s National Aids Research Institute, the 2016 leak of Thailand’s National Statistical Office database, the 2016 intrusion into Mexico’s Instituto de la Función Registral del Estado and the earlier August 2016 compromise of Paraguay’s Secretary of National Emergency website.

The actor identifies itself as part of the Shad0w Security crew, also referred to as Shad0wS3C, with Gh0s7 described as a leader of the group. No public sources have linked the actor to a state sponsor or to a known criminal consortium; affiliations remain limited to the self‑described hacking collective. The group's public communications stress that attacks are chosen at random to avoid predictability and to stay out of defenders’ expectations. By combining credential theft, vulnerability exploitation and selective data leakage, the actor has demonstrated a repeatable pattern against public‑sector targets. This pattern underscores the actor’s focus on highlighting governmental security gaps rather than pursuing financial or espionage gains.

Incidents
Attributed incidents available to members
3 incidents
Sources
Sources available to members
5 sources