Menu
Browse

Cyber Threat Actor: DESORDEN

Actor Type Location Known Incidents
 Icon
Crime Syndicate
China
11 incidents
Profile

DESORDEN is a cyber threat actor known by the alias DESORDEN and has been linked to operations originating from China. The group has conducted a series of data‑theft incidents primarily targeting organizations in Thailand, Indonesia, and Malaysia, with additional mentions of interest in entities across Southeast Asia and occasional references to potential activity in South Korea, Taiwan, Vietnam, and Japan. Their victims span multiple sectors, including insurance software vendors, toll road operators, restaurant chains, fitness equipment retailers, telecommunications providers, and retail distributors, indicating a broad opportunistic focus rather than a narrow industry specialization. DESORDEN has explicitly stated that financial gain is a primary motive, noting that they intend to sell or leak stolen data and that they estimate potential profits from data sales in the range of tens of thousands of dollars per incident. They also describe a ransom‑oriented approach in which they initiate contact without specifying a demand amount, wait for a victim response, and then set a ransom sum based on the victim’s size, although they have also indicated they will sell the data if no reply is received.

The group's tactics, techniques, and procedures consistently involve exploiting unpatched vulnerabilities to gain initial access, moving laterally by using compromised servers as bridges to reach mainframe or critical systems, and deleting databases from victim servers as proof of intrusion while acknowledging that backups likely exist. DESORDEN routinely publishes samples of exfiltrated data on hacking forums, offers the remainder for sale, and provides evidence such as screenshots, video recordings, and file listings to substantiate their claims. They have distributed ransomware builds on underground forums but have stated that they do not employ ransomware in most of their operations, noting that the builds they share have been submitted to VirusTotal to increase detection rates and reduce their effectiveness against basic antivirus protections. There is no publicly available evidence linking DESORDEN to a state sponsor or a larger criminal consortium; their activities are presented as those of an independent financially motivated group operating primarily for profit through data monetization. Representative campaigns include the 2022‑10‑02 breach of Thailand’s The Icon Group, the 2022‑09‑22 attack on Indonesian insurance software provider PT CARE TECHNOLOGIES, and the 2022‑07‑08 intrusion into Better Way Thailand Company Limited, which resulted in the theft of approximately 180 GB of data affecting over twenty million individuals. These incidents illustrate the actor’s pattern of prolonged network presence, data exfiltration, public leakage, and attempts to monetize the stolen information.

Incidents
Attributed incidents available to members
11 incidents
Sources
Sources available to members
9 sources