Menu
Browse

Cyber Threat Actor: DESORDEN

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Criminal
China
10 incidents
Profile

DESORDENGroup, also tracked as Desorden Group, is a threat actor that has been linked to a series of data‑theft and extortion incidents across Asia. The group identifies itself as originating from China, according to the location information provided in the threat‑actor context. Their activity has been observed in sectors such as fitness equipment retail, financial services, telecommunications, hospitality, logistics, insurance, and food‑service industries. In public statements they have described their goals as either monetising stolen data through sale or extortion, or, in some cases, demonstrating perceived security shortcomings by asserting they did not seek a ransom but wanted to highlight neglected defenses.

The group's tactics frequently involve gaining an initial foothold through a front‑facing server, then moving laterally by pivoting to additional internal systems and using a compromised server as a bridge to reach deeper network segments. They maintain persistent access for weeks or months, often describing themselves as having continued presence inside victim networks. Data exfiltration is carried out before any destructive action, and they have provided proof of compromise via video recordings, screenshots, and CSV file samples. While they have distributed ransomware builders such as CHAOS and Yashma, they have stated that they do not employ ransomware in most of their operations and that the offered builds are intended for defensive testing. They also exploit unpatched vulnerabilities and have noted that the same flaw can be used to access client‑hosted versions of software.

Regarding attribution, DESORDEN has claimed a former association with the hacking collective known as Chaos or ChaosCC, explaining that the name Desorden stands for Chaos & Disorder and that they have since severed ties with ChaosCC.

Representative operations include the 2022 breach of Johnson Fitness and Wellness where approximately 71 GB of supplier, dealer, customer and employee data were taken and the group announced plans to sell the information after receiving no response from the victim. In late 2022 they targeted Malaysian telecom providers redONE and Redtone Digital, threatening to release or sell subscriber data unless the companies engaged with them. The 2021 intrusions into Acer’s India and Taiwan systems were framed as demonstrations of unpatched vulnerabilities, with the actors asserting they sought no payment but wanted to expose security gaps. Additionally, the group claimed responsibility for a 2021 attack on the Centara Hotels & Resorts chain in Thailand, stealing 400 GB of guest records and demanding a $900 000 ransom under threat of leaking the data. Another notable case is the 2022 compromise of the BOGA Group restaurant chain, from which they extracted over 31 GB of data and indicated that selling the stolen records could generate roughly twenty thousand dollars in revenue.

Incidents
Attributed incidents available to members
10 incidents
Sources
Sources available to members
13 sources