--[ Anomaly #11: The supply chain: the weakest link ]--
June 26, 2026
By: ZoqueLabs
This writing is distributed under a Creative Commons CC BY-SA (Attribution - Share Alike) license.
Spanish version
Hello, hello!
In software (and in hardware too), the supply chain is made up of all the components that make it possible for a program to work: libraries, dependencies, build tools, packages and files that we normally do not write ourselves. Anyone who has ever programmed knows that even the smallest script ends up depending on a previously installed library, compiler or utility. And those dependencies, in turn, depend on others. And so on.
The result is that controlling all the code that ends up running on a machine is virtually impossible. If a malicious actor manages to compromise a single one of these links, they can infect not one machine but thousands at a time, or gain access to a system by first attacking one of the components it depends on.
There is no shortage of examples. The best known is probably SolarWinds. Instead of attacking customers directly, the attackers compromised the company's software distribution process and introduced a backdoor into official updates. When customers installed those updates, privileged access to some of the most sensitive networks in the world came along with them.
Another case that continues to give people plenty to talk about is XZ Utils. This small utility for compressing and decompressing files is present in practically every Unix system and is part of the dependency chain of projects as important as OpenSSH. For years it was maintained by a single person. Taking advantage of that burnout, an attacker gradually gained the maintainer's trust until he was given access to the project. The result was a backdoor carefully hidden within the build process using seemingly innocent binaries, capable of opening the door to remote code execution on systems using OpenSSH.
Last week we saw a different case, but just as interesting. More than 1,600 abandoned packages from the AUR, the community repository of Arch Linux, were claimed by malicious actors. The packages were modified to download malicious NPM dependencies, such as atomic-lockfile and js-digest, and, where possible, to install an eBPF-based rootkit capable of hiding processes, files and network connections, which greatly complicates its detection.
As a community that works on digital security for civil society, these types of incidents deserve special attention. We know that many people in our community use Arch Linux or derived distributions, and an incident like this can directly affect their computers without the need to exploit a new vulnerability. It is worth checking the installed packages and verifying that everything is still in order.
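For readers on Arch or an AUR-based setup, here is an added example (written for this newsletter, not code from ZoqueLabs or from any Arch project) of a static check to run over a PKGBUILD before building it. It looks for the kind of change seen in the hijacked packages: dependencies fetched from a registry during the build instead of being declared in source=(), sources hosted somewhere unrelated to the upstream url=, skipped checksums, and an install= script, which pacman runs as root. The PKGBUILD embedded in the script is constructed for the demonstration; the dependency name `suspicious-dep` and the host `cdn.example-cdn.invalid` are placeholders, and the script name `audit_pkgbuild.py` is my choice.

```python
"""Static review of an AUR PKGBUILD for signs of a hijacked package.

Added example, not code from the ZoqueLabs post or any Arch project.
Every finding is a prompt to read that part of the file, not a verdict.
"""
import re
from typing import Dict, List
from urllib.parse import urlparse

# Functions makepkg executes on the build host.
BUILD_FUNCS = ("prepare", "build", "check", "package")

# Commands that reach the network during the build. Everything a package
# needs should be declared in source=() so makepkg can checksum it.
FETCH_PATTERNS = (
    r"\bnpm\s+(install|i|ci)\b",
    r"\bnpx\b",
    r"\bpip3?\s+install\b",
    r"\bcurl\b",
    r"\bwget\b",
    r"\bgit\s+clone\b",
)

# Constructed sample: a PKGBUILD whose prepare() pulls an unpinned package
# from the registry and whose second source comes from an unrelated host.
SAMPLE_PKGBUILD = r"""
# Maintainer: someone <someone@example.org>
pkgname=example-tool
pkgver=1.2.3
pkgrel=2
pkgdesc="Example command-line tool (constructed sample)"
url="https://github.com/example/example-tool"
license=('MIT')
install=example-tool.install
source=("${pkgname}-${pkgver}.tar.gz::https://github.com/example/example-tool/archive/v${pkgver}.tar.gz"
        "https://cdn.example-cdn.invalid/helper.sh")
sha256sums=('SKIP' 'SKIP')

prepare() {
  cd "${pkgname}-${pkgver}"
  # line added in the hijacked revision: fetches suspicious-dep (placeholder name)
  npm install suspicious-dep
}

build() {
  cd "${pkgname}-${pkgver}"
  make
}

package() {
  cd "${pkgname}-${pkgver}"
  make DESTDIR="${pkgdir}" install
}
"""


def split_functions(text: str) -> Dict[str, List[str]]:
    """Map each top-level shell function name to its body lines (brace counting)."""
    funcs: Dict[str, List[str]] = {}
    current = None
    depth = 0
    for line in text.splitlines():
        header = re.match(r"^\s*(\w+)\s*\(\)\s*\{", line)
        if current is None:
            if header:
                current = header.group(1)
                funcs[current] = []
                depth = line.count("{") - line.count("}")
            continue
        depth += line.count("{") - line.count("}")
        if depth <= 0:
            current = None  # closing brace of the function
        else:
            funcs[current].append(line)
    return funcs


def array_values(text: str, name: str) -> List[str]:
    """Return the unquoted entries of a bash array such as source=(...)."""
    m = re.search(rf"^{name}=\((.*?)\)", text, re.S | re.M)
    return [tok.strip("\"'") for tok in m.group(1).split()] if m else []


def scalar_value(text: str, name: str) -> str:
    """Return the value of a simple assignment such as url="..." or install=..."""
    m = re.search(rf"^{name}=[\"']?([^\"'\n]+)", text, re.M)
    return m.group(1).strip() if m else ""


def audit_pkgbuild(text: str, trusted_hosts=("github.com", "gitlab.com")) -> List[str]:
    """Return human-readable review flags for one PKGBUILD."""
    findings: List[str] = []

    install = scalar_value(text, "install")
    if install:
        findings.append(f"install={install}: pacman runs this script as root; read it")

    for sums in ("md5sums", "sha256sums", "sha512sums", "b2sums"):
        if "SKIP" in array_values(text, sums):
            findings.append(f"{sums} contains SKIP: makepkg will not verify that source")
            break

    upstream_host = urlparse(scalar_value(text, "url")).hostname or ""
    for entry in array_values(text, "source"):
        target = entry.split("::", 1)[-1]  # drop the "localname::" rename prefix
        parsed = urlparse(target)
        if not parsed.scheme:
            continue  # local file shipped alongside the PKGBUILD
        if parsed.scheme == "http":
            findings.append(f"source fetched over plain http: {target}")
        host = parsed.hostname or ""
        if host != upstream_host and host not in trusted_hosts:
            findings.append(f"source from host unrelated to upstream: {target}")

    for name, body in split_functions(text).items():
        if name.split("_", 1)[0] not in BUILD_FUNCS:  # also covers package_foo()
            continue
        for line in body:
            stripped = line.strip()
            if stripped.startswith("#"):
                continue
            if not any(re.search(p, stripped) for p in FETCH_PATTERNS):
                continue
            # Arch's Node.js packages legitimately run npm install against a
            # tarball already listed in source=(); only a registry fetch is new.
            if "npm" in stripped and ("srcdir" in stripped or ".tgz" in stripped):
                continue
            findings.append(f"{name}(): network fetch at build time: {stripped}")
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PKGBUILD
    for finding in audit_pkgbuild(text):
        print("REVIEW:", finding)
```

Run it as `python3 audit_pkgbuild.py /path/to/PKGBUILD`; with no argument it audits the embedded sample and reports four flags (the install script, the SKIP checksums, the unrelated source host and the npm fetch in prepare()). `pacman -Qm` lists the foreign packages on a system, that is, the ones that did not come from the official repositories, which is the list worth reviewing this way.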
The lesson is the same as always: use official repositories whenever possible, be wary of poorly maintained dependencies, keep up with these types of incidents, and compartmentalize work environments. It's uncomfortable, yes. But it is also part of the job. ¯\_(ツ)_/¯
And without further ado, we leave you with the Anomalies of these days.
--[ Cyberespionage ]--
Mexico — An exposed server revealed a campaign against the government and the financial sector
CloudSEK reconstructed an operation targeting government, financial, transportation and telecommunications entities in Mexico after finding the server from which the attackers operated left exposed. The infrastructure contained everything from the group's own reconnaissance and exploitation tools to webshells, tunnels, exploits for Fortinet, Ivanti, Cisco and SAP products, as well as evidence of theft of credentials, databases and cryptographic material. The investigation attributes the operation with medium confidence to the Pancho Villa group (Mexican Mafia), an actor already linked to multiple leaks against Mexican institutions in recent years. More than an isolated incident, the exposed server made it possible to observe how a complete campaign against critical infrastructure operates in the region.
--[ Surveillance ]--
Cuba — DDoS attacks against elTOQUE during its coverage of the Cuban peso
Cloudflare's annual Project Galileo report documents a sustained increase in attacks against civil society organizations and independent media. Among the cases in Latin America is elTOQUE, a Cuban media outlet that operates from exile and that suffered DDoS attacks while publishing information on the price of the Cuban peso against other currencies. According to the report, the attacks sought to disrupt access to that information at a time of high demand. Cloudflare also notes that the media remain the most targeted sector within Project Galileo and that civil society organizations face exploitation attempts and phishing campaigns more frequently than the rest of its clients.
Ecuador — The #AudiosDeLaConspiración raise open questions about surveillance and political leaks
The so-called #AudiosDeLaConspiración dominated the political conversation in Ecuador in recent weeks. The recordings, obtained from the phone of a former police officer and incorporated into a judicial file, were released by the Government and show meetings between Rafael Correa and other leaders around the so-called Porsche case. Shortly after, new official complaints pointed to an alleged "mirror room" with privileged access to Guayaquil's video surveillance system. Some independent analyses raise the possibility of compromised devices or leaks from private communication channels, although for now there is no public technical evidence to confirm this scenario.
--[ Leaks ]--
Brazil — SpaceBears publishes attack against an accounting firm
SpaceBears listed Gerencial Contábil, a Brazilian accounting and business advisory firm, as a new victim. According to information released by the group, the leak includes more than 600,000 files, among them Brazilian digital certificates used to operate government portals, their passwords and customer data.
Argentina — The Gentlemen continues to grow
The Gentlemen reappeared in the region with the publication of a new victim in Argentina: the Cervantes Institution. At the same time, ESET published an analysis of GentleKiller, the set of tools the group develops to disable EDR solutions before ransomware deployment. Unlike other RaaS operations, The Gentlemen maintains and distributes these tools directly to its affiliates, and also incorporates new methods for abusing vulnerable drivers within days of their becoming public. Brazil and Argentina once again appear among the countries where the group maintains activity, confirming a constant presence in Latin America.
--[ Cybercrime ]--
Bolivia — Government site used to host a phishing campaign against users in the United Kingdom
Huntress documented a phishing campaign targeting people in the UK that used a previously compromised Bolivian government site to host the credential-harvesting kit. The operation combined that infrastructure with a compromised server from which millions of emails were sent using Gammadyne Mailer, a legitimate mass-mailing tool.
Brazil/Mexico — WhatsApp campaign installs "legitimate tools" to take control of Windows
Kaspersky documented a campaign that uses previously compromised WhatsApp accounts to distribute VBScript files disguised as work documents. The samples, adapted to different languages, were observed in at least ten countries, including Brazil and Mexico. Instead of deploying a traditional RAT, the chain ends up installing ManageEngine Endpoint Central, a legitimate remote administration tool, to gain persistent control over compromised computers. The campaign also takes advantage of native Windows utilities to download and run the subsequent components, reducing the need to bring its own tools.
--[ Infrastructure & Cybersecurity ]--
Brazil — One provider, multiple victims
The impact of the attack against C&M Software, an infrastructure provider for the Pix ecosystem in Brazil, continues to generate repercussions. An analysis of the cyber insurance market takes up the case to show how an intrusion into a single provider can become a problem for dozens of entities at the same time. The incident, which exposed nearly 392 GB of information and caused losses estimated at more than one billion reais, once again put the risks of relying on shared infrastructure on the table.
Colombia — Phishing against the Registry ended up becoming "proof" of electoral fraud
An investigation dismantled the technical analysis shared by Gustavo Petro about alleged vulnerabilities in the electoral system. The domains cited correspond to a phishing campaign that during 2025 imitated the Registry's digital ID portals through almost identical domains, shared infrastructure and emails with forged senders. The report also clarifies that kamtridit[.]cz, mentioned in the discussion, is the legitimate site of a Czech application and that its domain was only used as a fake sender through email spoofing, a known technique that does not involve compromising the site's infrastructure. So far there is no technical evidence connecting that campaign to counting software or to the vote count.
--[ ZOLIM - This week's snapshot (06/26/2026) ]--
ZOLIM reports 12 new IPs. Interesting things in this snapshot:
- New GoPhish instances dominate this snapshot: Brazil (4), Chile, Mexico (2), Costa Rica (1), Argentina (1). Costa Rica in particular is a country with very few detections in ZOLIM; this is the second since February, and again it is GoPhish.
- We found two new instances of Havoc in Brazil, on the same server but on different ports. We also registered a new Sliver in the same country.
- Hak5 Cloud C2 appears again, this time in Chile; in the last snapshot it had appeared in Brazil and Mexico. Is a pattern starting to take shape?
- As a curious fact, we did not see Blind Eagle activity, which almost never fails to show up in our snapshots. What happened?
There is much more to explore! You can consult all the information and explore by country, IP, city, threat and other filters in the ZOLIM dashboard.
--[ Exfiltradaz - Snapshot from 06/12/2026 to 06/25/2026 ]--
During this period, 28 leaks linked to 9 countries were identified. Brazil and Venezuela concentrate most of the observed records, and we identified 6 new actors.
Costa Rica appears for the first time in an Exfiltradaz snapshot, with a database associated with an educational institution.
In Venezuela there are attacks against government institutions, and in Colombia the decrease in leaks is noticeable, curiously, after the presidential elections.
More details on these leaks in Exfiltradaz.