The Cybercriminal with Four Faces: Revealing Group-IB’s Investigation into ALTDOS, DESORDEN, GHOSTR and 0mid16B
ID: d0d37fb2-4871-5021-9dca-efd88b736339
STIX ID: report--d0d37fb2-4871-5021-9dca-efd88b736339
Feed Name: Group-IB Blog
This Group-IB investigation chronicles a multi-year data-extortion campaign by a single operator who rebranded across four aliases (ALTDOS, DESORDEN, GHOSTR, 0mid16B), targeting internet-facing Windows servers—using SQL injection, sqlmap, cracked Cobalt Strike, and rented cloud storage—to exfiltrate and sometimes encrypt data for ransom or sale on dark-web forums; the actor targeted primarily Asian companies (and later international victims), consistently left forensic fingerprints (VirtualBox/Kali shared-folder artifacts), and was arrested in Thailand on 26 February 2025.
