--[Anomalía #2]--
February 2026
By: ZoqueLabs
This writing is distributed under a Creative Commons CC BY-SA (Attribution - Share Alike) license.
–[ Anomalía #2: When the laboratory meets the real world ]–
Hello 💚
A few months ago, at ZoqueLabs we dug into the bowels of Android to understand and exploit CVE-2024-31317, a command injection in Zygote. It was not an idle exercise: at the time we wanted to understand what an exploit with real capabilities would look like: escalating privileges, impersonating applications, extracting data. But we also wanted to answer something bigger: what traces does it leave? Can it be detected from civil society (from the global south)?
To exploit it we needed physical access and adb. A scenario more reminiscent of a forensic tool than of remote malware. Something Cellebrite-like. Something that happens once the phone is already in the hands of whoever wants to examine it.
In parallel, on February 17th, Kaspersky published its analysis of an Android backdoor linked to a new iteration of Triada, injected into the supply chain: devices compromised before reaching the user's hands. Deep persistence. Modification of critical processes. Among them, code injection into the process responsible for launching applications: the same Zygote we had been studying, the mechanism that determines which user runs which process and with what permissions.
Around the same time, Citizen Lab documented the use of Cellebrite extraction tools against Kenyan activist Boniface Mwangi. There was no backdoor in the supply chain, but rather physical access and privilege escalation capabilities to extract information from the device. Technically, that scenario is much closer to what we explored in our experiment.
These cases, which we expand on below, interest us not only because of their political or regional impact, but because they are not that far from our experiment. And that is precisely where our work gains strength: from civil society in the global south we can also investigate at this level.
Welcome to Anomalía #2, let's go!
–[ Cybercrime ]–
Court case exposes spyware services by Colombian transnational criminal network
Court documents cited by CBC News indicate that Canadian Ryan Wedding allegedly paid for access to mobile-device interception software to track a target's phone in real time, in the context of an investigation into drug trafficking and contract killing with connections in Colombia. Researchers point out that the same spyware was allegedly used on multiple occasions in Canada and Mexico, showing how surveillance capabilities normally associated with state actors also circulate in organized crime through private intermediaries.
Colombia - IFMNoticias reports denial-of-service attacks after publishing investigations in the electoral context
The independent outlet IFMNoticias reported having been the victim of a computer attack that allegedly compromised its website and part of its digital infrastructure. The incident could be related to recent journalistic investigations, although so far no public technical details have been presented to verify the scope, access vector or attribution of the attack.
Fake Spotify pages detected on the sites of compromised Latin American SMEs
ESET Latin America has identified phishing campaigns in which attackers compromise vulnerable websites of small and medium-sized businesses to host fake pages impersonating Spotify, with the aim of stealing access credentials and payment data. Documented cases in Chile and Argentina show how attackers exploit vulnerabilities in CMS software or plugins to insert cloned forms and capture data.
–[ State and surveillance ]–
Kenya — Use of forensic extraction against activist
Citizen Lab documented the use of Cellebrite extraction tools against Kenyan activist and politician Boniface Mwangi. Forensic analysis of the device revealed signs of physical access and the use of advanced unlocking and data extraction capabilities. This is not remote spyware or a persistent infection, but direct exploitation of the device while in custody, with techniques that allow escalating privileges and accessing the internal content of applications. The article not only focuses on identifying the use of Cellebrite on Mwangi's phone, but questions how these tools are sold without real checks on their end use, ending up in the hands of authorities who use them against defenders, activists or opposition leaders (cases mentioned there include Honduras, against environmental defenders, and Venezuela, against opponents).
Argentina - coordinated digital attacks against journalists and organizations denounced
During a hearing before the Inter-American Commission on Human Rights (IACHR), journalists and human rights organizations reported coordinated attacks including mass smear campaigns, threats, hacking attempts, identity theft and the use of artificial intelligence to fabricate false content for intimidation purposes, as reported by PEN International. The IACHR warned of a persistent trend of stigmatization and threats against journalists and defenders, and expressed willingness to visit the country, in a context where organizations point to a sustained deterioration of the environment for freedom of expression while the government has denied systematic restrictions or attacks.
–[ Malware / spyware / supply chain ]–
ZeroDayRAT — commercial mobile spyware platform for Android and iOS
iVerify describes a new spyware platform called ZeroDayRAT, openly distributed through Telegram channels with an administration panel and a builder to generate malicious payloads for Android and iOS. Infection mainly occurs through links sent by SMS or messaging apps that induce the installation of fake applications, after which the operator gains full remote access to the device, including messages, location, camera, microphone and notifications. The toolkit also incorporates a financial theft module that uses overlays to capture mobile banking and digital wallet credentials, combining surveillance and monetization from the same infrastructure. The distribution model (direct sales with support and updates) shows the consolidation of mobile spyware as a service accessible to actors without advanced technical capabilities.
Android — Keenadu backdoor (Triada) integrated at the system level
Kaspersky analyzed Keenadu, a Triada-linked Android backdoor distributed through a supply chain compromise. The implant was integrated into the system image, operating with elevated privileges from the device's first boot. According to the report, the malware modified framework components and injected code into processes such as Zygote, allowing it to execute additional payloads every time an application was started and to inherit that application's permissions. This level of integration gives it deep persistence and cross-cutting access to the user's environment. Brazil appears as one of the main affected markets.
–[ Leaks ]–
Chile - Database exposes personal information of millions of people
WizCase researchers identified a publicly accessible database containing personal information on more than 14 million people in Chile, including identification records associated with the adult population, in a set of approximately 3 GB whose origin has not been confirmed. The database was hosted on third-party infrastructure and was exposed without any access protection.
Tax software in Argentina exposes company databases
An Argentine provider of tax management software allegedly suffered a breach that exposed approximately 440 databases of client companies, along with about 4.7 GB of financial records and internal infrastructure components, according to reports published in criminal circles. The information reportedly includes financial records of companies and data associated with public organizations, including ministries and entities linked to the tax administration (AFIP). So far, there is no independent public confirmation of the incident.
Peru — exposure of citizen data linked to the municipality of Mejía
An actor claimed to have obtained and published information associated with the District Municipality of Mejía in Peru, including records from citizen forms with personal data such as names, contact details and addresses, according to reports compiled by DailyDarkWeb. The database exposes thousands of entries and is reportedly circulating on different forums, although so far there is no independent public confirmation of the scope of the incident or of a direct compromise of municipal systems.
–[ Hacktivism/Stalkerware ]–
Exposure of more than 500,000 payment records linked to a stalkerware provider
A hacktivist obtained more than half a million payment records associated with a phone surveillance application provider, exploiting a web vulnerability that allowed access to transaction information and customer data. This action is part of a growing movement that seeks to publicly expose those who buy and use these tools. The set includes account and payment details linked to the use of commercial spy software.
–[ Threats ]–
Zero-day in Chrome exploited in the wild (CVE-2026-2441)
Google fixed a zero-day vulnerability in Chrome (CVE-2026-2441) that was being actively exploited. The flaw, a use-after-free in the CSS component, could allow remote code execution when the victim visits specially crafted web content, opening the door to system compromise. Google withheld technical details while distributing the patch in the stable version of the browser.
–[ ZOLIM - This week’s snapshot ]–
In the most recent snapshot of ZOLIM (our Latin American observatory of malicious infrastructure) we observed 87 active IPs associated with 14 offensive frameworks, with a presence in 13 countries in the region.
Some signs that caught our attention the most:
- GoPhish remains the dominant species (56 nodes). Brazil concentrates most of the infrastructure, but instances also appear in Colombia, Mexico and Peru.
- Colombia maintains a small but consistent concentration of DCRat, mainly in Barranquilla and on mobile connectivity networks.
- We observe infrastructure rotation towards new ASNs and providers (including commercial hosting and regional telecommunications). This does not appear to indicate new actors, but it does suggest moderate infrastructure mobility.
- The presence of post-exploitation frameworks such as Sliver, Havoc, Cobalt Strike, Quasar and Mythic is maintained.
Taken together, the data points to a scenario where phishing continues to be the main gateway, while offensive infrastructure increasingly coexists with legitimate commercial cloud services (Oracle, Microsoft, Amazon, Google).
In ZOLIM you will find the complete snapshot and the table where you can filter all the active IPs by country, so you can dig deeper if you want :D