--[ Anomalía #0]--
January 2026
By: ZoqueLabs
This text is distributed under a Creative Commons CC BY-SA (Attribution - Share Alike) license.
–[ Anomalía #0: Hello world! ]–
Anomalía is a periodic threat intelligence report with a less corporate and more alternative approach. We seek to gather relevant information on digital threats in Latin America, while remaining open to collaborating with organizations and individuals in the Global South and, when necessary, with the rest of the world.
In preparing this first edition, we confirmed a familiar problem: much of the technical and threat intelligence circulates in English and reflects priorities unrelated to our region. This imbalance is not only linguistic, but also geographic, cultural, and political. This bulletin seeks to bridge that gap and provide context to the intelligence we consume and produce.
Anomalía functions as a curated space. It doesn’t aim to cover everything or compete with large commercial feeds. We select links, tools, research, and cases that we find relevant, and we read them from a situated perspective: human rights, diversity, activism, and technical work in civil society. Topics range from threat intelligence and malware to stalkerware, leaks, surveillance, and digital resistance practices.
Although the focus is technical, we don’t disregard the context. We live in a time marked by the normalization of surveillance, the culture war, and the growing influence of cyberspace in power struggles and current conflicts. Given this, we are interested in sharing informed perspectives that move beyond the dominant corporate narrative. Like any technology, the impact of these tools depends on how they are designed, how they are used, and from what perspective they are interpreted.
Anomalía’s sources include technical feeds, threat platforms, forums, chat rooms, and other spaces where useful information circulates to help understand the digital ecosystem from the ground up. As the newsletter grows, we will adjust these sources and editorial criteria based on the experience and feedback of our readers.
To close this first edition, we thank the people and organizations that have supported this project from the beginning. Anomalía aims to be an open space: comments, criticisms, and contributions are welcome. Threat intelligence is also built collectively.
With love, The ZoqueLabs team 💚
–[ Leaks and extortion ]–
Colombia — Bank details published after extortion attempt
Attackers claim to have published sensitive information on approximately 1.5 million Colombian bank customers after three financial institutions refused to comply with an extortion attempt. The exposed data includes complete identity verification videos, full call center recordings, identity documents, plain text credentials, and detailed transaction records. An unusual element is the presence of audio recordings of responses to security questions, suggesting compromise beyond databases. The material was partially verified by the media outlet that received the extortion emails, while the affected institutions chose to remain silent.
–[ State, surveillance and spyware ]–
Colombia — Justice Minister Denounces Espionage
In Colombia, the Minister of Justice publicly denounced that he was being digitally spied on and linked the case to Pegasus, although full technical details were not initially available. This denunciation comes in a country with a recent history of using advanced surveillance tools against political and social actors.
Days later, the Ministry of Defense denied that Pegasus was being used and stated that no entity in the sector uses it, also denying that there is any surveillance operation being carried out by the Ministry. The contradiction between the complaint and the official response once again puts pressure on something fundamental: clear protocols for auditing, traceability, and transparent mechanisms to confirm or rule out digital surveillance using state resources.
Commercial Spyware — Criticism of NSO Group’s Transparency Narrative
As it attempts to expand in the US market, NSO Group faces criticism regarding the gap between its transparency rhetoric and documented abuses in various countries. The debate centers less on technical flaws and more on the lack of effective external controls, a key issue for human rights organizations that have monitored the impact of these tools on journalists, human rights defenders, and political opposition.
–[ Hacktivism ]–
United Kingdom — attack on Free Speech Union website
The Free Speech Union’s website was hacked and taken offline in an attack attributed to trans activists, amid ongoing public policy disputes. The incident reportedly involved the potential exposure of donor-related information, highlighting how hacking continues to be used as a tool for political confrontation, with immediate effects on infrastructure, reputation, and public debate.
–[ Threat Intelligence ]–
Venezuela — BGP Route Incident
A technical analysis examines a BGP route leak in Venezuela that sparked speculation about espionage or deliberate traffic manipulation. The evidence points to configuration and operational management errors, a common but often overlooked scenario outside technical circles. The case illustrates how structural internet events can quickly take on a political dimension in highly volatile contexts.
Brazil — Astaroth spreads via WhatsApp
The Astaroth banking trojan has been detected again in Brazil, using WhatsApp as its primary propagation vector. The campaign relies on message chains between contacts, leveraging pre-existing trust and the platform’s high penetration rate in the region. This pattern reinforces a recurring trend in Latin America: the convergence of financial malware and everyday messaging.
Blind Eagle — sustained activity in the region
A recent report describes active campaigns by the Blind Eagle group targeting organizations in Latin America. The group maintains familiar techniques, combined with minor operational adjustments, which has allowed it to sustain a presence over time without resorting to particularly novel tactics.
–[ Stalkerware ]–
Gbyte / SpyX — massive leak of spyware
An investigation documents the exposure of gigabytes of data belonging to stalkerware services operated by Gbyte, including SpyX, MSafely, and SpyPhone. The leak includes user accounts, victim metadata, and plaintext credentials, as well as evidence of remote spying capabilities via cloud services. The case again demonstrates how this type of software combines technical intrusion with a weak operational security posture.
PC Tattletale — Legal consequences for its founder
The founder of the company behind the PC Tattletale surveillance software pleaded guilty to charges related to hacking and advertising surveillance software. The trial represents one of the few cases where the commercial spyware ecosystem faces direct legal consequences, beyond the reputational debate.
Stalkerware on Android: Unequal protection between antivirus programs
A report by EFF and AV-Comparatives published in December 2025 assessed how well different Android security solutions detect stalkerware apps, and the picture remains uneven: some products consistently alert and block, but others fall far short. In the test results, Malwarebytes was the only one with 100% detection, while Google Play Protect appeared among the lowest performers (with 53%), which is quite concerning since it comes enabled by default on many devices. You can read the full report here.
–[ Platforms and security ]–
Instagram — reset emails sent in error
Instagram reported that it fixed a bug that allowed password reset emails to be requested for some accounts without any direct compromise of the systems. Although the platform indicated that the messages could be ignored, the incident caused confusion among users and demonstrates how minor flaws can be exploited for social engineering campaigns.
Redmi Buds - Bluetooth flaw could expose call data
A publication reports a vulnerability in several Redmi Buds models (3 Pro to 6 Pro) that could allow a nearby attacker (within Bluetooth range) to access call information and also cause firmware crashes/reboots (DoS). The attack would be associated with the handling of RFCOMM and would not require complex interaction, which brings to the table a recurring problem: the attack surface in Bluetooth accessories (headphones, wearables) is often underestimated, despite their massive use.
–[ Crashes, Blocks and Censorship ]–
Uganda - Internet blackout as an election tactic
Uganda ordered a nationwide internet shutdown two days before its general elections, justifying it as a measure to reduce the risks of “disinformation” and “electoral fraud.” Digital rights organizations warned that these shutdowns affect daily life, but above all, they weaken electoral transparency by limiting fact-checking and independent documentation of real-time events. These types of measures are not isolated; in Latin America, we have also seen similar tactics during times of high political tension, ranging from internet shutdowns to power outages that affect communication, citizen observation, and the circulation of evidence.
Iran - Internet blackout to cover up violations in protests
Amnesty International warned that Iranian authorities imposed an internet shutdown amid escalating protests, noting that the measure aims to conceal the extent of human rights violations during the crackdown (including excessive use of force and detentions). In addition to limiting everyday communication, the shutdown reduces the ability to document evidence, verify information, and activate alert and monitoring mechanisms. Just as in the previous case (Uganda), these shutdowns demonstrate that state control of digital infrastructure functions not only as censorship but also as a way to manage the visibility of the conflict: less connectivity means less citizen record-keeping, less traceability, and greater difficulty in demanding accountability.