--[Anomalía #1]--
February 2026
By: ZoqueLabs
This writing is distributed under a Creative Commons CC BY-SA (Attribution - Share Alike) license.
Spanish version
Hello 💚
This first edition comes with everything. We started with the launch of ZOLIM, the Latin American Observatory of Malicious Infrastructure of Zoque.
ZOLIM is a space where we are beginning to map command and control (C2) infrastructure and malicious tooling hosted in Latin America, to better understand how possible active campaigns operate to and from our region.
It is intended as an observational and longitudinal system, so it does not do active scanning or real-time monitoring. We work with periodic, comparable snapshots over time, built from Internet intelligence platforms, filtered by region and cross-referenced against known fingerprints of malicious tooling. Each snapshot is published as a reproducible artifact, with technical reports and open datasets. We see it as a place to look at patterns, connections and infrastructure movements in the region.
In the launch snapshot we already found interesting things: DcRat servers in Barranquilla (Colombia), Cobalt Strike instances in infrastructure associated with Venezuelan government servers, and Sliver consistently appearing as one of the most used tools.
If you visit ZOLIM, further down the page you will find a table with all the IPs we have identified since the first snapshot. You can search by country, IP, ISP, last scan and other fields. If something catches your attention, please tell us; we are interested in investigating together.
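The snapshot comparison the observatory describes, as an added example (not ZoqueLabs' code): the field names (ip, country, isp, tool, last_scan) are assumed from the table described above, and both snapshots are constructed sample data using documentation-range IPs, not real observations.

```python
# Added example, not ZoqueLabs' code: diff two ZOLIM-style snapshots.
# Field names (ip, country, isp, tool, last_scan) are assumed from the table
# described above; all records are constructed (documentation-range IPs).
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Host:
    ip: str
    country: str
    isp: str
    tool: str
    last_scan: str  # date the platform scan matched a tooling fingerprint

SNAPSHOT_T0 = [
    Host("192.0.2.10", "CO", "ISP-A", "DcRat", "2026-01-05"),
    Host("192.0.2.11", "VE", "ISP-B", "Cobalt Strike", "2026-01-06"),
    Host("198.51.100.7", "MX", "ISP-C", "Sliver", "2026-01-04"),
    Host("198.51.100.8", "BR", "ISP-D", "Sliver", "2026-01-07"),
]
SNAPSHOT_T1 = [
    Host("192.0.2.10", "CO", "ISP-A", "DcRat", "2026-02-02"),          # persists
    Host("198.51.100.8", "BR", "ISP-D", "Sliver", "2026-02-03"),       # persists
    Host("203.0.113.5", "AR", "ISP-E", "Sliver", "2026-02-01"),        # new
    Host("203.0.113.6", "MX", "ISP-C", "Cobalt Strike", "2026-02-03"), # new, ISP-C again
]

def diff_snapshots(old, new):
    """Classify hosts by IP across two snapshots: new, persisting, disappeared."""
    old_ips, new_ips = {h.ip for h in old}, {h.ip for h in new}
    return {
        "new": sorted(new_ips - old_ips),
        "persisting": sorted(new_ips & old_ips),
        "disappeared": sorted(old_ips - new_ips),
    }

def tool_counts(snapshot):
    """Per-tool host counts, most common first (e.g. is Sliver still on top?)."""
    return Counter(h.tool for h in snapshot).most_common()

def isp_movements(old, new):
    """ISPs that both lost a host and gained a different one between snapshots,
    a pattern worth a closer look as possible IP rotation inside one provider."""
    d = diff_snapshots(old, new)
    lost = {h.isp for h in old if h.ip in d["disappeared"]}
    gained = {h.isp for h in new if h.ip in d["new"]}
    return sorted(lost & gained)
```

Run against two published snapshot datasets, the same three functions give the new/persisting/disappeared sets, the tool ranking and the provider-level movements for a month-over-month report.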
Anomalía continues to be our curatorial space: here we share leaks, spyware, active campaigns, surveillance, stalkerware, infrastructure outages and other movements of the digital ecosystem, read from a perspective located in human rights and the global south.
If you want to go deeper into the technical details, you can review the observatory directly or consult our repository on GitHub, where we are publishing the snapshots and associated materials.
With love, The ZoqueLabs Team 💚
And now, Anomalía :D
–[ Security and privacy ]–
Phishing campaign via Signal
An investigation by netzpolitik.org documented a phishing campaign distributed through Signal, in which attackers impersonate the application's “support”, falsely alert about attempts to access the account, and then request verification codes in order to take control of the accounts. Journalists and people from civil society received these messages in different parts of the world, including Latin America. Our reading (for now): this does not necessarily indicate direct political targeting. Rather, it reflects that journalists, activists and organizations are the ones who use the app the most. Just in case: Signal never writes via chat as “support”, and the app always warns when a profile is not verified.
WhatsApp activates a reinforced mode
WhatsApp announced a new setting designed for people in higher-risk contexts, including automatic blocking of files from unknown contacts, silencing calls from unsaved numbers, controlling group invitations, and reducing link previews. It also reported internal changes (including the use of Rust) to reduce memory errors in content handling.
–[ State, surveillance and information operations]–
Bolivia - police report coordinated activity on networks during protests
A police report in Bolivia cited by El Diario attributes the amplification of anti-government content on social networks during days of protest to automated activity and coordinated publication, including what authorities describe as “bot farms”, framing part of that circulation as misinformation. The accusation comes from state analysis: so far there is no independent public technical verification confirming the origin or intent of this activity.
Argentina - reform of the intelligence system
Human rights organizations and sectors of civil society expressed concern about a reform of the Argentine intelligence system (Decree 941/2025), since it expands the powers of the State Intelligence Secretariat, enabling cyber-patrolling tasks, greater exchange and centralization of personal data between agencies, and operational support to security forces, without clear external controls or prior legislative debate. The reform was challenged via habeas corpus, but the federal courts rejected the action, finding that it does not violate constitutional guarantees.
–[Leaks ]–
Colombia - Information exposed by the Public Employment Service
As reported by MuchoHacker, private information of nearly 14 million people was exposed after unauthorized access to systems of the Public Employment Service in Colombia, with samples published in leak forums. The material apparently includes personal data and records associated with labor intermediation processes with public entities.
Colombia - Massive data leak in the Ministry of Health
MuchoHacker reports a leak of data associated with the Bogotá Health Secretariat that exposed private information of 64,826 people, including 1,876 minors, with records ranging from personal data to medical history. Evidence shared in networks and technical spaces suggests that information became accessible without protection.
Mexico — hacking of UNAM systems
Amid a resurgence of cybersecurity incidents in Mexico in recent weeks, several agencies have seen unauthorized access and exposure of sensitive information. UNAM confirmed an intrusion into at least five of its systems, where an unidentified actor reportedly accessed student and staff accounts, including institutional emails and credentials (although there is no official confirmation about the use of that information).
Mexico — Chronus announces leaks while the government discards them
The Chronus group claimed to have accessed systems of several Mexican public institutions and leaked personal data, according to SDP Noticias, while the federal government first denied a breach and maintained that the information shown corresponded to old records. Days later, authorities acknowledged access to “obsolete” systems operated by contractors and the use of valid credentials, although they insisted that this does not imply a direct compromise of the main infrastructure, according to El Informador. The case is marked by contradictory messages, from “there was no hack” to “there was access”, without public clarity about the real scope of the data involved.
ShinyHunters claims access to internal dating app data
The ShinyHunters group claimed to have obtained internal documents and millions of records linked to Bumble and Match Group (including services like Hinge and OkCupid). Several of these apps are widely used in Latin American countries. The companies confirmed incidents involving contractor accounts compromised by phishing and noted that they have no evidence of direct access to passwords or private messages. Researchers reviewed samples that include profile data and internal documentation.
Massive credential leak: ~149 million accounts exposed
An ExpressVPN report documents the exposure of millions of credentials associated with services such as Gmail, Facebook, Instagram, TikTok, OnlyFans, Netflix, iCloud and others, coming from an unprotected and unencrypted public database, which was taken down after it was discovered. Everything indicates that these are credentials collected by infostealer-type malware installed on people’s devices.
–[Threats ]–
Automated crawlers track WordPress plugins
GreyNoise documented bot activity scanning the internet to enumerate WordPress plugins, detect exposed installations and prioritize attacks against sites with weak configurations or outdated components. We know that WordPress is used by many organizations and groups, so we also share this guide from the Karisma Foundation with good practices for securing WordPress sites.
Peru - Financial fraud through a phishing campaign
Group-IB documents an active campaign in Peru posing as “digital loan” offers to collect bank card and PIN data. The operation uses targeted ads on social networks that redirect to fake sites imitating financial institution portals, where victims enter personal and financial information. The report identifies at least 16 domains that impersonate a local bank and more than 370 domains linked to the campaign infrastructure, showing a fairly clean flow: acquisition via advertising, fraudulent forms and subsequent monetization of credentials. A clear example of how financial fraud in the region combines classic phishing with paid distribution and rapid domain rotation. The report also indicates that this same fraud pattern already appears replicated in other countries in the region.
–[Technical analysis]–
Iran - Campaign linked to Iran targets human rights NGOs and activists
HarfangLab presents a detailed analysis of an infection vector used against civil society in Iran, which uses .xlsm (Excel) files with macros to install an implant on the affected person’s computer. These files are distributed as email attachments, posing as lists of victims of the protests against the regime in recent months. Beyond the initial vector, the report analyzes the implant in depth and shows particularly interesting mechanisms for communicating with the command and control servers. These rely on services such as Telegram, GitHub and Google Drive, from which commands and configurations are coordinated, in some cases through the use of steganography and small “Easter eggs” aimed at researchers. Highly recommended.