A lone cybercriminal masquerading as a hacker group has been unmasked as the entity behind more than 90 data breaches worldwide over a four-year period.

The individual, who operated under four distinct aliases (ALTDOS, DESORDEN, GHOSTR, and Omid16B), targeted companies primarily in Asia before expanding globally, creating a trail of digital destruction motivated purely by financial gain.

The cybercriminal was finally apprehended on February 26, 2025, by the Royal Thai Police following years of investigation by Group-IB’s Threat Intelligence and High-Tech Crime Investigation teams based in Thailand and Singapore. Their investigation revealed that, despite changing identities, the threat actor consistently left behind fingerprints that enabled investigators to connect the dots between the seemingly separate entities.

The attacker’s modus operandi involved targeting internet-facing Windows servers, specifically searching for databases containing personal information. Using SQL injection tools such as sqlmap for reconnaissance, the threat actor would identify and exploit vulnerabilities to gain unauthorized access to sensitive data. After compromising these servers, the attacker would exfiltrate the victim’s data and, in some cases, encrypt it on the compromised servers. For the most part, however, the focus remained on efficient data exfiltration to rented cloud servers for subsequent extortion attempts.

The cybercriminal’s ultimate goal was extortion: demanding ransoms from victims to prevent public exposure of their data. When victims failed to comply, the attacker would escalate tactics by reporting breaches to data protection regulators and announcing the sale of compromised data on dark web forums, further exploiting the situation for profit.

Group-IB analysts identified distinctive patterns linking all four aliases through extensive digital forensics. The cybercriminal utilized VirtualBox running Kali Linux for operations, deploying a cracked version of CobaltStrike to maintain control over compromised servers. Evidence of this setup appeared in leaked screenshots where stolen data was consistently stored in identical folder structures (/media/sf_E_DRIVE/) across all four aliases. Communication with victims also followed recognizable patterns, with ransom notes beginning with “Today is ” followed by “This is ”, a signature maintained across all aliases.
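The article names SQL injection as the initial-access technique but does not show what the underlying defect looks like. The following is an added illustration, not code from the article or from Group-IB: it builds a small constructed SQLite table of the kind of personal-information records described, then contrasts a lookup that concatenates user input into the query (injectable) with the same lookup using parameter binding (not injectable). The table schema, sample rows, and function names are assumptions made for the example.

```python
import sqlite3


def build_db():
    """Constructed in-memory table standing in for a customer database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, phone TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, phone) VALUES (?, ?)",
        [
            ("alice@example.com", "555-0100"),  # sample data, constructed
            ("bob@example.com", "555-0101"),
            ("carol@example.com", "555-0102"),
        ],
    )
    return conn


def lookup_vulnerable(conn, email):
    """String concatenation: the caller's value becomes part of the SQL grammar."""
    sql = "SELECT email, phone FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """Placeholder binding: the value is sent separately and cannot alter the query."""
    return conn.execute(
        "SELECT email, phone FROM customers WHERE email = ?", (email,)
    ).fetchall()


# Classic tautology input; against the concatenated query it turns the WHERE
# clause into `email = '' OR '1'='1'`, which matches every row.
TAUTOLOGY_INPUT = "' OR '1'='1"


if __name__ == "__main__":
    db = build_db()
    print(lookup_vulnerable(db, "alice@example.com"))      # one row, as intended
    print(lookup_vulnerable(db, TAUTOLOGY_INPUT))          # all three rows leak
    print(lookup_parameterized(db, TAUTOLOGY_INPUT))       # [] : treated as a literal
```

The parameterized version returns nothing for the tautology input because the database compares the stored email against the literal string `' OR '1'='1`; no query structure is reinterpreted. Automated scanners work by submitting inputs of this shape and observing whether the response changes, so every concatenated query on an internet-facing server is a candidate finding for them, and parameter binding (or a prepared-statement layer in the ORM) is the fix.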
This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 24 Mar 2025 09:35:04 +0000