--[ Anomalía #9 - Zoque-Birthday, 1 year on the hunt ]--

May 29, 2026

By: ZoqueLabs

This text is distributed under a Creative Commons CC BY-SA (Attribution - ShareAlike) license.

Spanish version


Hello hello!

A year ago we started ZoqueLabs.

The truth is that we were not very clear about what was going to happen next. What we did have was a habit that remains intact: when something makes us curious, we try to take it apart and learn in the process. During this year we discovered that one question usually leads to another.

We started by wanting to understand a vulnerability in Android and ended up writing a working exploit. It wasn't enough for us to read about the vulnerability or run a proof of concept. We wanted to understand how it worked, how far we could take it, and what traces it would leave on a real device. The idea was simple: if we want to investigate attacks, we also have to understand how they are built.

Then Seeker appeared. What started as an excuse to learn how a geolocation phishing tool worked ended up becoming an exercise in infrastructure hunting, fingerprint searching, indicator generation, and a workshop to share tracking methodologies using open tools. We wanted to find active instances. We ended up learning about OpSec, infrastructure, fingerprints, intelligence feeds, and ways to share findings so other people could reuse them.

Later came The Blind Eagle Diaries. We started with a chapter analyzing an SVG file used in campaigns attributed to one of the most persistent actors in the region. As is often the case, the file ended up being a gateway to understanding tactics, infrastructure and an infection chain far more interesting than it seemed at first glance.

At some point Anomaly also appeared. What began as the need to organize dispersed information on digital threats in Latin America ended up becoming a space where we try to do something that still seems necessary to us: talk about threat intelligence from our territories. Not because the rest of the world does not produce valuable analysis, but because many of the threats affecting activists, journalists, defenders, organizations and communities in the region rarely appear as a priority elsewhere.

And maybe that is where we started to notice a pattern.

Many of the questions we asked ourselves had something in common: we couldn’t find enough data to answer them.

We wanted to observe malicious infrastructure in Latin America and ended up building ZOLIM, an observatory designed to document command and control systems and associated tooling in the region. It was not born because we wanted to build an observatory. It was born because we wanted to know what was happening.

Something similar happened with Exfiltradaz. For months we saw leaks appear in forums, channels, marketplaces and spaces that rarely make the news. We wanted to keep track of them, understand what was circulating, where it appeared and how the information exposed in the region moved. What started as a need for observation ended up becoming another open experiment.

Looking back, we realize that almost everything we did this year was born the same way: someone told us something, an incident appeared, we found a sample, we watched a campaign, or we were obsessed with a question.

Then came the rest.

We continue to think that more technical research produced from the global south is needed. More open documentation. More shared data. More reproducible experiments. More people publishing processes instead of keeping results to themselves. More spaces where threat intelligence can be built collectively.

We like to think that ZoqueLabs is just a small contribution to all that.

For now we continue doing the same thing as a year ago: follow questions as far as they take us.

And to those who read, contribute, comment, reuse, replicate or simply accompany this project: thank you for following the thread with us.

With love, The ZoqueLabs Team 💚

--[ Threat Intelligence ]--

Argentina — unmasking the author of Valkyrie and Prysmax

In this second installment about Valkyrie Stealer, DeXpose shows how it went from technical analysis of the malware to the attribution of its alleged developer in Argentina. The research uses OSINT techniques and cross-referencing information from multiple sources to build a detailed profile of the operator behind Valkyrie and Prysmax. Beyond the details of the case, it is interesting as an example of an investigation that connects malware analysis with the identification of the people who develop and operate it.

Coruna appears in an npm package with thousands of downloads

The Coruna exploit kit, reported to have been leaked from Trenchant (L3Harris) by an employee, was found by SafeDep inside compromised versions of art-template, a JavaScript library with more than 26,000 weekly downloads. According to the analysis, the chain deployed multiple iOS exploits and ended up installing payloads aimed at cryptocurrency theft. The case undermines one of the commercial surveillance industry's recurring arguments: that these capabilities can be kept under control and limited to specific uses. Once tools of this level leak, they stop belonging to specific governments, contractors or clients and become part of the arsenal available to other actors. This time they appeared in a supply chain compromise; next time they could appear anywhere else. Those who end up bearing the risk are, as always, the users and organizations exposed to these capabilities.

Iran / LATAM — Seedworm expands espionage operations in several regions

Researchers reported a new campaign attributed to Seedworm (aka MuddyWater), an actor historically linked to espionage operations aligned with Iranian interests. The activity observed during 2026 affected organizations in different sectors and countries, including some cases in Latin America, and used techniques such as DLL sideloading through legitimate signed software to execute malicious payloads and maintain access inside compromised networks. The mix of affected sectors, countries and regions points to an operation with the capacity to sustain active campaigns against geographically distributed targets.
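The DLL sideloading mentioned above is easier to hunt for than it sounds, because the technique has a fixed shape: a legitimately signed executable is dropped somewhere it does not belong and loads a DLL from its own directory that the vendor never shipped. The following is an added illustration, not code from the Seedworm report or from ZoqueLabs; it applies that heuristic to a simplified, constructed representation of Sysmon Event ID 7 (Image loaded) records. The field layout, the trusted-directory list and the sample events are all assumptions made for the example.

```python
# Added example: a heuristic for spotting DLL sideloading in Sysmon-style
# image-load telemetry. The ImageLoad layout, TRUSTED_DIRS and SAMPLE_EVENTS
# are constructed for illustration, not taken from any published report.
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories where a signed vendor binary normally lives. A signed binary
# running from elsewhere (Public, Temp, Downloads) is the usual sideloading setup.
TRUSTED_DIRS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


@dataclass(frozen=True)
class ImageLoad:
    """Subset of a Sysmon Event ID 7 (Image loaded) record (constructed)."""
    image: str           # process that performed the load
    image_loaded: str    # DLL that was mapped into it
    image_signed: bool   # host binary carries a valid signature
    image_signer: str
    dll_signed: bool     # DLL carries a valid signature
    dll_signer: str


def _dir_of(path: str) -> str:
    """Lower-cased parent directory with a trailing backslash for prefix tests."""
    return str(PureWindowsPath(path.lower()).parent).rstrip("\\") + "\\"


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """True when a signed host loads a DLL from its own, non-standard directory
    and that DLL is unsigned or signed by a different publisher."""
    if not ev.image_signed:
        return False  # no signed host being abused; other detections cover this
    host_dir = _dir_of(ev.image)
    if host_dir != _dir_of(ev.image_loaded):
        return False  # search-order abuse relies on the DLL sitting next to the host
    if host_dir.startswith(TRUSTED_DIRS):
        return False  # installed vendor binary loading DLLs from its install dir
    if ev.dll_signed and ev.dll_signer.lower() == ev.image_signer.lower():
        return False  # same publisher shipped both files together
    return True


def detect_sideloads(events):
    """Return (host, dll) pairs that deserve a closer look."""
    return [(ev.image, ev.image_loaded) for ev in events if is_sideload_candidate(ev)]


# Constructed sample telemetry: one sideload, three benign loads.
SAMPLE_EVENTS = [
    # signed vendor tool dropped in a public dir, loading an unsigned DLL beside it
    ImageLoad("C:\\Users\\Public\\Updater\\VendorTool.exe",
              "C:\\Users\\Public\\Updater\\version.dll",
              True, "Vendor Corp", False, ""),
    # same host loading the genuine system DLL: not a sideload
    ImageLoad("C:\\Users\\Public\\Updater\\VendorTool.exe",
              "C:\\Windows\\System32\\version.dll",
              True, "Vendor Corp", True, "Microsoft Windows"),
    # properly installed application loading its own signed helper DLL
    ImageLoad("C:\\Program Files\\Vendor\\App.exe",
              "C:\\Program Files\\Vendor\\helper.dll",
              True, "Vendor Corp", True, "Vendor Corp"),
    # unsigned binary loading an unsigned DLL: suspicious, but not this technique
    ImageLoad("C:\\Users\\Public\\Updater\\dropper.exe",
              "C:\\Users\\Public\\Updater\\payload.dll",
              False, "", False, ""),
]


if __name__ == "__main__":
    for host, dll in detect_sideloads(SAMPLE_EVENTS):
        print(f"possible sideload: {host} -> {dll}")
```

The check deliberately ignores unsigned hosts: a dropper loading its own DLL is malicious, but it is not sideloading and is caught by other logic. In a real pipeline the same rule is normally enriched with a list of DLL names that should only ever load from System32 (version.dll, dbghelp.dll and the like), which turns a candidate into a high-confidence alert.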

--[ Surveillance and espionage ]--

Brazil — New revelations show an attempt to hack a journalist in the Daniel Vorcaro case

The case of Daniel Vorcaro, which mixes accusations of financial fraud, political influence and clandestine operations, continues to add chapters. To the already known conversations about possible plans to physically intimidate journalist Lauro Jardim (O Globo), screenshots were recently added showing discussions about compromising his devices through some type of phishing. According to the messages, the plan was to send links disguised as interview invitations or journalistic contacts with the aim of gaining access to the reporter's information. The case illustrates how operations against journalists often combine digital and in-person tactics when investigations touch high-profile economic or political interests.

Signal — Phishing campaigns target conversation backups

Researchers reported phishing campaigns designed to gain access to Signal backups through fake pages that mimic legitimate account migration or recovery flows. Unlike other attacks against messaging applications, the operation targets backup mechanisms rather than platform vulnerabilities. Among the identified targets are profiles linked to journalism, activism and political affairs.

--[ Privacy and Anonymity ]--

Tails removes Thunderbird from the base installation

Tails 7.8 removes Thunderbird from the default installation. The decision responds to a maintenance problem: because of how the Firefox, Thunderbird and Tails release cycles line up, the email client was frequently shipped for several weeks with already known vulnerabilities. From now on, those who need Thunderbird can install it as additional software from persistent storage, allowing them to receive newer versions without waiting for a new Tails release. It's a small but interesting change: less pre-installed software and shorter exposure windows for those who rely on Tails in sensitive contexts.

--[ Technical analysis ]--

Linux - Four years of OrBit

An Intezer historical analysis shows how OrBit, a Linux rootkit observed since 2022, evolved from what seemed to be a single sample into an ecosystem of variants used by multiple actors. The investigation concludes that OrBit derives from the open-source Medusa project and has been repurposed by ransomware operators, criminal campaigns and espionage groups. More than a new malware family, the case illustrates how the same codebase can stay in use for years through minor modifications, configuration changes and new deployment methods.

Brazil - Banana RAT and the value of studying common cybercrime

Trend Micro published a very comprehensive analysis of Banana RAT, a banking Trojan focused exclusively on Brazil that combines remote device control, screenshots, keylogging, overlaying fake banking windows, and Pix transaction manipulation. The most interesting aspect of the report is that the researchers had access to both the operators' infrastructure and compromised systems, allowing the entire attack chain to be reconstructed, from the generation of polymorphic payloads to in-memory execution and remote control of the victims. Although this type of malware does not typically target civil society organizations directly, research like this is valuable because it exposes infection, evasion, persistence and operational techniques that end up being reused by other actors and in other contexts.

--[ Leaks ]--

Guatemala — application for migrants exposed sensitive data of more than 38,000 people

An audit in Guatemala revealed that ConsulApp, an application created to provide assistance to Guatemalan migrants in the United States, exposed sensitive information of more than 38,000 people. The platform, developed by a US company hired by the Ministry of Foreign Affairs, was later taken offline following the findings of the Comptroller's Office. Beyond the exposure of data, the case is especially sensitive because it affects a population that already faces risks associated with immigration processes, detention and access to rights outside their country of origin.

Mexico — Leak of educational data attributed to hacktivist group

Within the constant flow of leaks that are recorded in Latin America, some stand out for deviating from the usual model of extortion or access sales. In this case, databases of the Isthmus Technological Institute were published without restrictions or apparent financial demands by the actors Z3r00 and MagoSpeak, which operate under the name SpeakTeam. The incident also reflects a trend we have been seeing in Exfiltradaz: actors who previously published findings individually are beginning to group together under collective identities to announce intrusions and leaks.

Latin America — LATAM government databases are being looted.

It's no secret that over the last year data breaches in Latin America have increased significantly. Although the phenomenon is not limited to the public sector, the number of incidents involving government databases and the emergence of groups apparently specialized in the exfiltration and sale of personal information is striking. While motivations are often presented as economic, it is not always evident where cybercrime ends and other agendas begin, whether hacktivist, political, or even linked to state actors. Also interesting is that many of these groups appear to have abandoned the classic ransomware model: instead of encrypting systems, they go directly to extortion based on publishing the data or selling it in specialized forums. And not all leaks are what they appear to be. In some cases, data announced as the result of an intrusion is actually a collection of previously exposed or publicly available information, used to amplify media impact or cause reputational damage to the affected organizations.
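The last point, that a "new" leak is sometimes a repackaging of data already in circulation, is checkable before anyone amplifies the claim. The following is an added illustration, not code from Exfiltradaz or from the page: it fingerprints the addresses in a claimed dump and measures how many were already present in an index of earlier, documented leaks. The index holds SHA-256 fingerprints of normalized addresses rather than raw records, so the reference set itself is not another copy of the PII. The email regex, the 0.75 threshold and every record and domain below are assumptions constructed for the example.

```python
# Added example: triage check for whether a leak announced as new is recycled
# from previously exposed data. All records are constructed; domains are
# reserved example names. The threshold is an arbitrary choice for illustration.
import hashlib
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def fingerprint(email: str) -> str:
    """Normalize (trim, lower-case) and hash so the index stores no raw PII."""
    normalized = email.strip().lower()
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


def build_known_index(emails):
    """Fingerprints of addresses already seen in earlier, documented leaks."""
    return {fingerprint(e) for e in emails}


def extract_fingerprints(lines):
    """Take the first email-like token from each dump line; skip junk lines.
    Returning a set also collapses duplicate rows inside the claimed dump."""
    fps = set()
    for line in lines:
        match = EMAIL_RE.search(line)
        if match:
            fps.add(fingerprint(match.group(0)))
    return fps


def assess_leak(lines, known_index, threshold=0.75):
    """Overlap between a claimed dump and the known index, with a verdict."""
    fps = extract_fingerprints(lines)
    if not fps:
        return {"unique": 0, "known": 0, "ratio": 0.0,
                "verdict": "no parseable records"}
    known = len(fps & known_index)
    ratio = known / len(fps)
    if ratio >= threshold:
        verdict = "likely recycled"
    elif known:
        verdict = "partially recycled"
    else:
        verdict = "no overlap with known data"
    return {"unique": len(fps), "known": known, "ratio": ratio, "verdict": verdict}


# Constructed reference set: addresses from earlier, already-documented leaks.
KNOWN_EMAILS = [
    "ana@example.gov.mx", "luis@example.gov.mx", "maria@example.edu",
    "jose@example.org", "carla@example.com", "pedro@example.net",
    "sofia@example.gov.ec", "diego@example.com.ar",
]

# Constructed "new" dump in email:hash form. 8 of 10 unique addresses are old
# (note the case and whitespace variation and the duplicated row).
CLAIMED_A = [
    "Ana@Example.gov.mx:5f4dcc3b", "luis@example.gov.mx:e10adc39",
    "maria@example.edu:25d55ad2", "jose@example.org:d8578edf",
    "carla@example.com:8cb2237d", "pedro@example.net:5baa61e4",
    "sofia@example.gov.ec:7c6a180b", "diego@example.com.ar:6cb75f65",
    "nuevo1@example.gov.mx:e99a18c4", "nuevo2@example.gov.mx:fcea920f",
    "ana@example.gov.mx :5f4dcc3b",  # duplicate of the first row
    "-- dump header, not a record --",
]

# Constructed dump with no overlap at all.
CLAIMED_B = [
    "rosa@example.edu.pe:098f6bcd", "tomas@example.gob.cl:ad0234829",
    "ines@example.com.co:8ad8757b", "pablo@example.gob.ar:1a1dc91c",
]


if __name__ == "__main__":
    index = build_known_index(KNOWN_EMAILS)
    for name, dump in (("A", CLAIMED_A), ("B", CLAIMED_B)):
        print(name, assess_leak(dump, index))
```

Two practical notes: the overlap ratio only says how much of the dump is already known, not whether the announced intrusion happened, so a high ratio is a reason to ask for proof rather than a conclusion; and the normalization here is deliberately minimal, since aggressive rules (stripping plus-tags or provider-specific dots) inflate matches and make old data look even more recycled than it is.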

--[ ZOLIM - This week's snapshot (05/29/2026) ]--

ZOLIM reports 11 new IPs, highlights:

You can consult all the information and explore by country, IP, city, threat and other filters in the ZOLIM dashboard.

--[ Exfiltradaz - Snapshot from 05/15/2026 to 05/29/2026 ]--

During this period, 16 references to leaks linked to 7 countries in the region were recorded. Brazil concentrates, as always, most of the observed activity, while Argentina maintains a constant presence for the second consecutive report. More references associated with government entities also appear, particularly in Argentina, Ecuador and Mexico.

The activity continues to be concentrated on platforms such as darkweb, xforums and shadowcarders, where databases, credentials and accesses tied to sectors such as government, health, banking, telecommunications and education circulate. Three new actors also appeared during this period: omartaha, peps33 and server1172.

More details of these leaks in Exfiltradaz.