Beyond the Headlines: Tracking Cyber Threats Against Thailand
Thailand has increasingly become a consistent target in the global cybercrime economy. Government institutions, private enterprises, and ordinary citizens alike are being drawn into the crosshairs of malicious actors operating across the dark and deep web. The threat picture is not defined by a single attack type or incident but rather by a persistent pattern: opportunistic defacements, disruptive ransomware campaigns, and massive data leaks all converging to expose the country on multiple fronts.
StealthMole’s country-level monitoring illustrates this persistence over time. Government portals and academic institutions have faced waves of defacement, a tactic often dismissed as symbolic but which highlights weak security thresholds across critical public-facing infrastructure. At the same time, Thai enterprises in sectors such as energy, aviation, logistics, and food production have appeared on international ransomware leak sites, showing that global extortion groups actively exploit the nation’s economic assets. Beyond organizational victims, millions of Thai citizens are silently affected as their compromised credentials circulate in underground markets, fueling fraud, phishing, and account takeovers.
What makes Thailand’s landscape notable is its breadth. The campaigns are not isolated or opportunistic one-offs; instead, they form a continuum of activity stretching over years. From lone defacers chasing recognition to structured ransomware gangs pursuing financial gain, actors consistently return to Thai targets. The overlap of low-level noise and high-value attacks demonstrates that Thailand is deeply entangled in the underground economy, treated as both a proving ground and a profitable hunting zone.
This report begins by outlining those broad national trends before moving into a focused examination of one ransomware group, showing in detail how such actors operate and the methods they use to exploit Thai organizations.
Cyber Threat Landscape in Thailand
StealthMole’s multi-source monitoring makes it clear that Thailand has faced sustained pressure across three major fronts: website defacements, ransomware campaigns, and compromised credentials. Each category reveals a different layer of exposure, together forming a picture of a nation under persistent digital assault.
Between January 2023 and July 2025, StealthMole’s Defacement Alert recorded over 1,200 incidents targeting Thai websites. Victims spanned government ministries, provincial agencies, universities, and private businesses. While defacement is often regarded as low-level disruption, its frequency against Thai domains underscores weak defenses across public-facing infrastructure. Many of the groups behind these attacks appeared to be motivated less by profit than by visibility, leaving digital graffiti as a way of establishing a presence in the underground scene. For Thailand, the sheer volume of these incidents signals an enduring vulnerability to opportunistic intrusion.
In parallel, more calculated campaigns have played out in the form of ransomware. A query of StealthMole’s Ransomware Monitoring tool showed 139 claimed Thai victims between June 2020 and August 2025. Unlike the scattered pattern of defacements, ransomware actors have deliberately selected high-value sectors: aviation, energy, food production, logistics, and education. The diversity of groups involved, from established names like Qilin and PLAY to smaller outfits such as Lynx or D4RK 4RMY, reflects both international syndicates and regional players exploiting the same territory. For organizations like MJets in aviation or CK Power in energy, the consequences of these breaches extend far beyond reputation, threatening critical national operations.
The threat extends to ordinary citizens as well. StealthMole’s Compromised Data Set indexed more than 49 million Thai credentials, complete with usernames, passwords, IP addresses, and endpoint identifiers. Such information is a valuable commodity in underground markets, fueling credential stuffing attacks, SIM swap fraud, and identity theft. Unlike defacements or ransomware, which announce themselves loudly, these leaks represent a quieter, ongoing exposure that leaves individuals perpetually at risk.
Taken together, these three layers of activity (defacements, ransomware, and credential leaks) show that Thailand’s exposure is neither accidental nor temporary. The nation is treated by underground actors as a reliable hunting ground, one where low-level attackers test exploits, organized groups extort enterprises, and data brokers siphon the digital identities of millions.
Case Spotlight: BlackLock and the Ubon University Breach
Among the ransomware groups observed targeting Thailand, BlackLock (also operating under the alias “Eldorado”) stands out for both its persistence and its evolving infrastructure. One of the group’s most notable victims in the country was Ubon Ratchathani University (ubu.ac.th), a major academic institution whose compromise illustrates how ransomware operators blend technical exploitation with psychological pressure.
The breach was first claimed on BlackLock’s leak site in mid-2025, where stolen university data was listed alongside other international victims. What appeared at first as a straightforward leak soon revealed the group’s deeper tradecraft. A closer examination of BlackLock’s infrastructure through StealthMole’s Ransomware Monitoring and Darkweb Tracker exposed an ecosystem of onion domains, encrypted communication channels, and malware signatures that tie the Ubon incident to a wider operational pattern.
StealthMole linked the Ubon listing to BlackLock’s primary leak portal:
- http://zd******************************************************yd.onion/
From there, pivots uncovered additional domains tied to the same operators, including:
- http://vg6***************************************************id.onion/ (operating under the alias Global Group)
- http://dataleak**********************************************id.onion/ (used for system-level leaks and branding updates)
- http://gdb***************************************************yd.onion/ (infrastructure tied through malware hashes)
Despite differences in design and branding (one site presenting itself as “Global Group,” another rebranded as MamonaRIP), each reused identical secure identifiers. For example, Session Private Messenger ID 053*******************************************3c appeared across multiple portals, confirming operational overlap. This redundancy highlights a deliberate strategy: maintain multiple entry points for victims and affiliates while obscuring attribution through constant rebranding.
The technical footprint reinforces the connection. Across these domains, StealthMole identified nine unique ransomware malware hashes: five associated with the primary portal and four with the Global Group portal.
This persistence of malware identifiers, even as domains and Telegram handles rotate (from @G********k to M********P), demonstrates that the group’s underlying tools remain stable anchors for attribution.
What also emerged from the investigation was evidence of BlackLock’s Ransomware-as-a-Service (RaaS) model. A recruitment thread discovered on the RAMP underground forum described an 85/15 revenue split, custom affiliate panels, and a locker builder capable of targeting Windows, Linux, and ESXi systems. Affiliates were given dedicated storage for leaked files and the ability to manage victim chats directly via onion-based dashboards. The rules were familiar: no attacks on CIS countries or China, and restrictions against repeated targeting of the same entity. These details, when paired with Thai victimology, confirm that BlackLock is not an opportunistic lone actor but a structured syndicate with distributed affiliates.
What makes this case even more significant is that BlackLock’s leaks have targeted not only victims but rival groups themselves. On the http://dataleak*********************************lid.onion/ portal, StealthMole observed the publication of files attributed to the DragonForce ransomware group, including system-level artifacts such as /etc/passwd entries, .env configuration files, and branding imagery. By publicly leaking competitor data, BlackLock demonstrated a willingness to undermine other operators, either to discredit them in the underground market or to assert dominance over shared territory.
This inter-group hostility highlights BlackLock’s profile as more than just a profit-driven syndicate. It portrays a collective with both technical proficiency and an aggressive posture, willing to sabotage peers as part of its strategy. For Thailand, this means that the country is caught not just in the crossfire of ransomware extortion, but also in the proxy battles of competing cybercriminal groups that use its infrastructure and victims as staging grounds for wider rivalries.
Taken together, the Ubon case reveals why BlackLock is a compelling study in Thailand’s cyber threat landscape. It shows how a global ransomware group can anchor its operations in the country, exploit academic infrastructure, and at the same time run a sophisticated RaaS ecosystem that serves affiliates worldwide. Just as importantly, it demonstrates how StealthMole’s multi-layered tracking, linking onion domains, malware hashes, and communication IDs, can cut through the noise of rebranding to expose continuity and attribution in real time.
Indicators of BlackLock Infrastructure & Identity
The investigation into BlackLock/Eldorado revealed a sprawling infrastructure spanning multiple onion domains, encrypted communication channels, technical indicators, and even rival-targeting leaks. While the group frequently rotates branding and surface identifiers, StealthMole’s correlation across datasets highlights persistent anchors (Session IDs, malware hashes, and repeat contact handles) that confirm continuity.
Domains and Leak Sites
- http://zd***************************************************gyd.onion/ (primary BlackLock portal)
- http://vg****************************************************id.onion/ (Global Group alias)
- http://dataleak**********************************************id.onion/ (system leaks, DragonForce exposure)
- http://gd****************************************************yd.onion/ (linked through malware hashes)
Communication Channels
- Session ID: 05*********************************************************************3c
- qTox ID: 66*************************************************************************C
- Email addresses:
  - b********@cy******ar.com
  - el*************k@tutamail.com
  - b******k_**@proton.me
  - b*****k_**@tutamail.com
- Telegram handles:
  - @G**********k
  - @B**********l
  - M*******P
  - BlackLock Channel (generic title used on onion portal)
Technical Indicators
Malware hashes: 9 total (values masked in this public version of the report)
Assessment
The value of the evidence collected against BlackLock lies in the way it reveals continuity beneath deliberate fragmentation. On the surface, the group appears scattered: different onion portals, shifting Telegram names, and even alternative branding as Global Group or MamonaRIP. Yet, when analyzed together, the infrastructure paints a coherent picture of a mature ransomware operation with reach well beyond its stated victims.
The malware hashes are the most decisive anchors. Unlike Telegram channels or domain names that can change overnight, binaries used in active campaigns leave durable forensic traces. By correlating nine distinct samples across multiple leak portals, StealthMole demonstrates that the same toolkit underpins BlackLock activity regardless of which alias or site is used. This ensures that attribution is grounded in technical reality rather than branding alone.
The communication layer further strengthens the case. While Telegram handles rotate frequently, the persistence of a single Session ID across portals, alongside the reuse of the same qTox identifier, shows that there is a stable operator core behind the façade. The discovery of multiple secure email accounts across Proton and TutaMail confirms that the group is deliberately building redundancy into its operations: victims and affiliates are always given a way back in, even if one channel is compromised.
The onion infrastructure itself shows a strategy of resilience. At least four active domains have been identified, each with slightly different functions: a primary leak site, a Global Group-branded portal, a malware-linked server, and the data leak domain that hosted counter-messaging and rival data. Rather than simple mirrors, these sites represent an ecosystem designed to withstand takedowns and expand the group’s influence.
Perhaps most revealing is the DragonForce leak. By publishing a competitor’s internal data, BlackLock signaled that it is not only in the business of extortion but also of reputation warfare. This willingness to undermine peers highlights a competitive underground economy where groups fight not just for victims, but also for dominance and visibility. For Thailand, this means its infrastructure is being drawn into conflicts that extend far beyond its borders.
In sum, the indicators gathered matter because they strip away the illusion of fragmentation. They show BlackLock for what it is: a structured ransomware-as-a-service (RaaS) enterprise with the capacity to target Thai institutions while simultaneously competing for supremacy within the underground. This understanding is critical not only for attributing past incidents but for anticipating how similar threats will evolve in the future.
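The correlation logic the Assessment describes, pivoting on durable anchors rather than on handles that rotate, as an added example that is not StealthMole’s tooling: every portal name and identifier below is a constructed placeholder, and the weights are an assumption that mirrors the report’s ranking of malware hashes above Session/qTox IDs above Telegram handles.

```python
# Added example (not StealthMole's tooling): correlate leak portals through
# the persistent anchors the report describes. Indicator types are weighted
# by durability: malware hashes > Session/qTox IDs > Telegram handles, which
# rotate often. All identifiers below are constructed placeholders.
from collections import defaultdict
from itertools import combinations

WEIGHTS = {"hash": 3.0, "session": 2.0, "qtox": 2.0, "telegram": 0.5}

# Constructed observations standing in for the four portals in the report,
# plus one unrelated portal that only shares a rotated Telegram handle.
OBSERVATIONS = [
    {"portal": "primary.onion", "hash": {"H1", "H2", "H3"}, "session": {"S1"}, "telegram": {"@a"}},
    {"portal": "globalgroup.onion", "hash": {"H3", "H4"}, "session": {"S1"}, "qtox": {"Q1"}},
    {"portal": "dataleak.onion", "session": {"S1"}, "qtox": {"Q1"}, "telegram": {"@b"}},
    {"portal": "hashlinked.onion", "hash": {"H2"}},
    {"portal": "unrelated.onion", "telegram": {"@a"}},
]

def link_score(a, b):
    """Weighted count of indicators shared by two portals, plus the shared list."""
    shared = [(k, v) for k in WEIGHTS for v in a.get(k, set()) & b.get(k, set())]
    return sum(WEIGHTS[k] for k, _ in shared), shared

def cluster(observations, threshold=2.0):
    """Union-find over portals whose pairwise score meets the threshold."""
    parent = {o["portal"]: o["portal"] for o in observations}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for a, b in combinations(observations, 2):
        if link_score(a, b)[0] >= threshold:
            parent[find(a["portal"])] = find(b["portal"])
    groups = defaultdict(list)
    for p in parent:
        groups[find(p)].append(p)
    return sorted(sorted(g) for g in groups.values())

def anchors(observations):
    """Indicators observed on more than one portal: the durable attribution anchors."""
    seen = defaultdict(set)
    for o in observations:
        for k in WEIGHTS:
            for v in o.get(k, set()):
                seen[(k, v)].add(o["portal"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}
```

With these weights a shared Telegram handle alone never links two portals, while a single shared hash or Session ID does, which is the distinction the Assessment draws between rotating surface identifiers and stable anchors.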
Conclusion
Thailand’s cyber threat landscape is shaped by persistent and multi-layered targeting. Opportunistic defacements highlight weak spots in public-facing systems; ransomware groups strike high-value industries with financial extortion; and the mass compromise of credentials places millions of citizens at risk of fraud. This consistent pattern shows that the country is not only being targeted occasionally but has become embedded in the operational scope of global cybercriminal economies.
The case study of BlackLock (Eldorado) demonstrates how one actor exemplifies these broader dynamics. Through its attack on Ubon Ratchathani University, its multiple onion leak sites, and its evolving roster of communication channels, BlackLock shows the hallmarks of a professionalized ransomware-as-a-service operation. The group’s decision to leak competitor data, including files linked to DragonForce, further reveals how Thailand’s digital environment is entangled in both direct attacks and inter-group rivalries within the underground economy.
For organizations in Thailand, the message is clear: exposure comes from multiple directions at once. For investigators, StealthMole’s ability to correlate across domains, identifiers, and malware traces ensures that continuity can be established even where actors deliberately attempt to fragment their identity.
Editorial Note
As with all dark web investigations, attribution must be treated as probabilistic, not absolute. Ransomware groups operate under shifting names, recycled infrastructure, and fluid alliances. BlackLock’s ecosystem illustrates this perfectly: Telegram handles and onion domains may change from week to week, but persistent anchors such as Session IDs, qTox identifiers, and malware hashes provide the connective tissue that reveals continuity.
This case also underscores a larger reality: cybercrime is not static but competitive. Rivalries like the leak of DragonForce data show that underground groups are as willing to attack each other as they are external victims. Such dynamics complicate attribution but also generate additional intelligence.
To access the unmasked report or full details, please reach out to us separately.
Contact us: support@stealthmole.com