--[ Anomaly #3 ]--
March 6, 2026
By: ZoqueLabs
This writing is distributed under a Creative Commons CC BY-SA (Attribution - Share Alike) license.
Spanish version
--[ Anomaly #3: Overflowing leaks and a new experiment ]--
Hello 💚
In recent months, databases associated with Latin American institutions have begun to appear more frequently in leak forums and access markets. State entities, universities, hospitals, energy companies, public services. Complete records, institutional credentials or access to internal systems that begin to circulate in the same spaces where initial access and database dumps are traded.
It is not always easy to know what really happened in each case. Sometimes data samples, screenshots of internal panels or accesses to systems published by those who claim to have made the intrusion appear. Other times institutions do not speak out or deny leaks.
It’s not the first time we’ve seen something like this. In previous editions we had already observed massive data exposures in the region, such as the databases with personal information of millions of people in Chile and Mexico. In Colombia we continue to see incidents such as the leak associated with the Public Employment Service —which we mentioned in a previous edition— and now the exposure of data from the National Tax and Customs Directorate (DIAN). We address some of these cases later in this edition.
What’s interesting is not just each individual incident, but how quickly they stop being exceptional. The leak appears, it circulates for a few days, there are statements, entities that deny, others that say nothing… and meanwhile the databases continue to move from forum to forum.
This data ends up fueling other things: phishing campaigns, fraud, impersonation or initial accesses resold in the same markets where the leaks appeared. Part of this dynamic can also be seen in the infrastructure that we have been observing at ZOLIM, where several active instances end up associated with remote access frameworks and tools used in malware campaigns.
Some of that also appears in the post we published a few days ago. In the first part of The Blind Eagle Diaries we analyze one of the artifacts used in phishing campaigns in Colombia. Blind Eagle is a Colombian actor that has been impersonating state entities to distribute malware for years, and in several cases its campaigns take advantage of compromised institutional emails or credentials that have previously appeared in data breaches.
We leave the technical details in the write-up: Experiment 0x03: The Blind Eagle Diaries (part 1): Analyzing Malicious SVGs
--[ Malware ]--
PromptSpy — Android malware uses generative AI in campaigns aimed at Argentina
ESET researchers analyzed PromptSpy, a family of Android malware that incorporates the use of generative artificial intelligence models as part of its operation. The implant allows collecting information from the compromised device —messages, contacts, files, location— while using AI tools to generate automated responses or content tailored to the victim’s context.
The campaign appears to be primarily focused on Argentina, where operators distribute malicious applications posing as legitimate tools. Once installed, the app establishes communication with its C2 infrastructure and begins to exfiltrate that information.
The interesting thing about the implant is the use of generative models within the flow of the operation. More than a “new” capability of the malware, it seems like an attempt to automate parts of the interaction with the victim or generate dynamic content within social engineering campaigns.
Pirated streaming apps continue to be a gateway for malware on Android
Pirated streaming applications for Android —such as MagisTV or XuperTV— continue to circulate massively in the region through informal repositories, links shared on social networks or Telegram groups. These apps promise free access to TV channels and premium content, but several versions include modules designed to collect device information or abuse its resources once installed.
Beyond the specific malware that may appear in some versions, the pattern is well known: applications distributed outside of official stores that ask for excessive permissions and end up turning the device into another node within remotely controlled infrastructures —whether for data collection, abusive advertising or use within proxy networks.
--[ Surveillance/InfoOps/PsyOps ]--
Deepfakes and spyware — harassment campaigns against women activists
Campaigns targeting women activists and human rights defenders are combining digital surveillance, commercial spyware, and content manipulated using artificial intelligence. In some cases, deepfakes of a sexual nature circulate aimed at publicly discrediting victims and isolating them politically.
The case is part of dynamics of transnational repression where tools such as Pegasus or data analysis platforms appear in operations directed against defenders in different countries. Beyond individual cases, the phenomenon reflects how digital surveillance and information manipulation capabilities are beginning to converge in campaigns specifically directed against women activists.
Mexico — CJNG propaganda and narrative war around “El Mencho”
The figure of “El Mencho”, leader of the Jalisco New Generation Cartel (CJNG), is also disputed on the internet. Videos, statements and messages circulating on social networks attempt to shape the narrative around the cartel and its leadership, amplifying favorable versions or responding to political and military pressure against the group.
This type of digital propaganda is not new to the organized crime ecosystem in Mexico, but it shows how criminal groups continue to use social networks and open platforms as part of their information strategy: building reputation, intimidating rivals or influencing public perception within and outside their territories.
--[ Leaks ]--
Colombia — data leak associated with the DIAN
Records associated with Colombian taxpayers began to appear in leak forums after an alleged breach of systems of the National Tax and Customs Directorate (DIAN). The samples circulating include personal information such as names, identification numbers and other data linked to tax procedures.
The entity confirmed that it is analyzing the incident and opened an investigation to determine the origin of the exposure. Meanwhile, fragments of the database have already begun to replicate in the different spaces where this type of leak usually circulates quickly.
Colombia — leak exposes medical records from the Hospital General de Medellín
Records associated with patients of the Hospital General de Medellín began to circulate in leak forums after an actor claimed to have obtained access to systems linked to the institution. The published samples include medical information and personal data of patients. So far there is no independent public confirmation of the scope of the incident or of a direct compromise of hospital systems, although the data has already begun to be replicated in the different spaces where such databases usually circulate.
--[ Security breaches ]--
Peru — government denies intrusion into intelligence systems
The Peruvian government denied that the National Intelligence Directorate (DINI) has suffered a hack after reports circulated about alleged access to its systems. According to the Presidency of the Council of Ministers, internal reviews found no evidence of intrusion or information leakage. However, the person who published the claim of the attack (DeFace Peru) maintains the opposite and claims to have had access to the entity’s infrastructure, even after the official statement that ruled out the incident.
Chile — telecommunications intrusions, US sanctions and cables in between
In Chile, an investigation was opened for possible intrusions into telecommunications companies, while in parallel the United States announced visa restrictions against Chilean officials in relation to activities of foreign actors in the country’s digital infrastructure. The situation appears after warnings about suspicious operations in connectivity networks and suppliers in the sector.
The curious thing is that while Washington talks about intrusions attributed to foreign actors and applies sanctions, in Chile a local investigation is being opened into attacks on ISPs. All of this occurs amid discussions about new connectivity infrastructure —including undersea cables— and reports of high activity by Chinese actors in networks in the region.
--[ Spyware ]--
Coruna — exploit kit for iOS with multiple exploit chains
Google researchers analyzed Coruna, an exploit kit for iPhone that includes five full exploit chains and a total of 23 exploits targeting devices running iOS 13 through iOS 17.2.1. The framework identifies the iPhone model and the exact system version in order to load the matching WebKit exploit chain, followed by a Pointer Authentication Code (PAC) bypass and a loader that deploys the corresponding implant.
The kit first appeared in targeted operations associated with clients of a commercial surveillance provider, then in watering holes against users in Ukraine, and later in mass campaigns from fake financial sites operated by a Chinese criminal actor. The tool no longer works in the most recent versions of iOS, but its circulation between different actors shows something increasingly common: chains of advanced exploits reused between espionage and cybercrime, especially on devices that continue to run old versions of the system.
--[ ZOLIM - This week’s snapshot ]--
In the most recent snapshot of ZOLIM (our Latin American observatory of malicious infrastructure) we see a small jump in the region’s infrastructure: we went from 87 to 104 active IPs associated with 14 offensive frameworks, now distributed in 14 countries.
Some signs that caught our attention this week:
-> GoPhish remains the dominant species (60 nodes), with Brazil concentrating most of the infrastructure, although instances also appear in Mexico, Peru, Argentina and Chile. Many of these nodes continue to respond on port 3333, a fairly consistent pattern in phishing campaigns that we have been observing in the region.
-> Quasar RAT shows much more movement (18 nodes), with infrastructure distributed mainly in Brazil but also present in Chile, Mexico, Peru, Colombia and —for the first time in our snapshots— Honduras.
-> Colombia maintains a presence of DCRat on mobile connectivity networks in Barranquilla, while some additional Quasar nodes begin to appear in the country.
The infrastructure continues to mix with commercial cloud providers and regional telecommunications: Oracle, Amazon, Microsoft, Hostinger and local operators continue to appear as frequent support for these nodes. In ZOLIM you can explore the complete snapshot and the table where we filter all active IPs by country if you want to delve deeper into the data :D https://zoquelabs.xyz/zolim