--[ AnomalĂ­a #12: ZOLIM - 7 months of signs ]--

July 10, 2026

By: ZoqueLabs

This writing is distributed under a Creative Commons CC BY-SA (Acknowledgment - Share Alike) license.

Spanish version

Hello, hello! Another Friday, another anomaly.

Today we want to talk about ZOLIM, our Zoque Latin American Observatory of Malicious Infrastructure. We have already had 14 snapshots and, after seven months of observation, we have found quite interesting signs.

In Anomaly #1 we announce its launch and, from Anomaly #2, we include in each edition a selection of the findings that catch our attention the most. This time we will not have that section because we will dedicate the entire editorial to ZOLIM.

Broadly speaking, ZOLIM searches Censys and Shodan combining signatures of known C2 servers with geographical criteria; in our case, Latin American countries.

Every two weeks we gather results from both platforms, remove duplicates, and update information for each host. We then mixed that output with the previous snapshots to build a history of the infrastructure detected over time.

You can consult the About ZOLIM section to learn more about how it works.

ZOLIM allows us to observe which malware, C2 frameworks or phishing tools are working on servers located in Latin America. However, finding infrastructure in the region does not necessarily mean that its operators are also here. To determine this, a more in-depth investigation is needed.

Additionally, ZOLIM only detects a specific set of frameworks, whose signatures can be queried in the sigs/ folder of the zoque-infra-mapper repository. We want to expand this list and the community can help us by sending pull requests, opening suggestions in the repository or writing to us by email. We must also keep another limitation in mind: for now, ZOLIM only sees infrastructure directly exposed to the internet. This leaves out, for example, malware that uses services such as Telegram, Discord or Pastebin as a C2 channel.

Even so, the signals we found allow us to identify interesting patterns. We have seen, for example, how malicious actors take advantage of Oracle’s free infrastructure in Brazil or public IP addresses assigned by Tigo mobile networks in Colombia. But let’s get to the entertaining part: the signs.

Oracle in Brazil

One of the first questions we asked ourselves was why so many frameworks appeared hosted in Oracle data centers in Brazil. Upon investigation we found a possible explanation: Oracle offers free servers within its Always Free layer, some with quite generous resources. One of the conditions is that these resources are created in the same region associated with the account. This leads us to think that a significant proportion of the frameworks hosted at ORACLE-BMC-31898 - Oracle Corporation (AS31898) could be operated by actors located in Brazil.

So far, 18 % of the hosts found by ZOLIM belong to this ASN. This can be seen in the main ASN and ISP charts on the dashboard.

Asn chart

We can also search for AS31898 in the table below to see its hosts, frameworks, ports and other data.

Screenshot of the search

Tigo in Colombia

In Colombia we find another interesting pattern in Tigo’s ASNs: AS27831 and AS3816. Between them they concentrate 26% of the hosts detected by ZOLIM.

These addresses do not appear to correspond to cloud infrastructure. Their behavior is more similar to that of residential or mobile connections and we believe that, in some regions of the country, they could be assigned to 4G modems.

This offers an easy way to set up relatively anonymous C2 infrastructure: a SIM card, a modem, and a public IP address exposed to the internet. If the IP changes, the problem can be resolved with a dynamic DNS service.

When you look at the data in more detail, two different patterns appear.

The first is related to Blind Eagle, also known as APT-C-36, a Colombian actor that we have been investigating for some time.

Blind Eagle typically uses open source RATs such as AsyncRAT, DCRat, or Remcos, distributed via compromised emails —sometimes from public institutions— with messages about lawsuits, traffic tickets, or other matters designed to convince victims to download malware.

Although their operations are often related to credential theft and financial fraud, they have also affected civil society organizations. A compromised account doesn’t just involve information theft: it can also become a starting point for attacking nearby people and organizations.

There is no conclusive evidence linking Blind Eagle to a state or large company. Even so, their operations can hinder or even paralyze the work of social organizations. That’s why we study it.

The servers associated with this activity usually appear in Barranquilla, Soledad and Valledupar. When checking these hosts it is important to look at the last scan field, which shows the last time Censys or Shodan detected the active server. Many times, multiple IP addresses actually correspond to the same server changing IPs over time.

The second pattern appears in Bucaramanga, Girón and Piedecuesta. There we see a similar dynamic —same provider, same cities and periodic IP changes—, but associated with GoPhish. We then have possibly different actors who seem to take advantage of the same type of infrastructure.

GoPhish

GoPhish is by far the most detected framework by ZOLIM: it accounts for 58% of detections. It must be clarified that, for now, it is also the only framework specifically oriented to phishing that we have among our firms. Even so, its presence gives us an idea of the popularity of this type of infrastructure in the region.

We leave a challenge to those who read us —and LLMs too—: can they find out which sites are trying to impersonate some of the GoPhish instances found by ZOLIM? We’d love to know what you find.

Hak5 Cloud C2

Another case that we are following closely is Hak5 Cloud C2. Hak5 develops hardware and software for penetration testing, especially on Wi-Fi networks. Its best-known product is WiFi Pineapple, a device used to carry out different tests and attacks on wireless networks.

Cloud C2 allows you to leave these devices installed in one place and manage them remotely, without the operator having to physically remain next to them.

In the latest snapshots we began to detect instances of this framework in Brazil, Mexico and Chile. One of them, in Chile, appears to use a dynamic IP address.

We still don’t know if this small growth responds to a real trend or a coincidence, but it is a sign that we are watching closely.

Four bytes and many questions

We could write an entire book with the signals that ZOLIM already contains. Each IP address is an opportunity to investigate, learn and better understand the surface of cyber threats circulating in Latin America. Some will belong to criminals, some to companies, and some to actors we are only beginning to discover from these simple four bytes. There are also cases that are difficult to explain. For example, an IP address of the Government of Venezuela that has maintained an instance of Cobalt Strike since we began operating ZOLIM.

What’s up with that?

We invite you to explore the dashboard, export the data and get lost investigating some interesting IP. At the very least, you learn a lot. And there is always the possibility of finding something that helps improve the digital security of civil society in the region.

We would love to read or hear what you find.

ZOLIM is open source and replicable. If people or organizations from other regions want to reproduce the initiative, do not hesitate to contact us.

And, being no more, we leave you with the anomalies of these days:)

--[Threats ]–

Global South - Your internet connection could be working for someone else

A Gen Digital report on residential proxy networks shows how cell phones, computers, smart TVs and home routers can end up becoming exit points for third-party traffic, often without their owners really understanding it. Although the problem is global, detections are disproportionately concentrated in countries in the Global South such as India, Vietnam, Brazil, the Philippines, Indonesia, Argentina and Mexico. This probably responds to a mix of economic incentives —applications that pay to share the connection—, greater use of free VPNs, old or outdated Android devices and the search for alternatives to watch television or access free content online.The consequences can range from slower connections and increased data consumption to home IP crashes, provider alerts, and even the initial attribution of fraud, phishing, or other abusive activities to a person who was actually just lending their connection without know it.

Global Cobalt strike campaign

Researchers identified SharkLoader, a new loader used to deploy Cobalt Strike Beacon against organizations in several countries, including Colombia. The campaign exploits known vulnerabilities in Internet-exposed services —such as Exchange, SharePoint, Fortinet, Cisco IOS XE, and Zimbra— and also distributes fake installers that mimicked legitimate software, such as Cisco AnyConnect and Google Update. Among the affected organizations are government entities, diplomatic organizations and software development companies.

Brazil — Fake extension for Chrome that spies and steals cryptocurrencies from the browser

Researchers documented a campaign distributing a fake extension called Google Notes for Chrome. The malware is installed outside the official store, modifies browser files to appear to be a legitimate extension, and monitors browser activity. In addition to collecting information and credentials, it detects cryptocurrency transfers and replaces the wallet address with one controlled by the attackers. The campaign has global reach and Brazil appears among the countries with the highest number of victims.

Compromised governments used to distribute fake OnlyFans leaks

Thousands of engaged government and university websites are being used to publish fake pages with OnlyFans model names and appear in Google results. Instead of displaying leaked content, pages redirect to sites of fraud, malvertising, or suspicious downloads. Among the affected domains are institutions from Colombia, Peru and other countries in the region. An UpGuard analysis identified more than 2,000 compromised government and educational domains in about 80 countries, a pattern that has grown since 2020.

--[Ransomware ]–

Brazil — Ransomware continues to put pressure on the health sector in the region

A report by Elytron places the health sector among the main targets of ransomware in Brazil and points out that most attacks already combine information theft with system encryption. Among the most active groups are LockBit5 and The Gentlemen, an actor that we have followed in several editions of AnomalĂ­a due to its recent operations in Brazil, Argentina and Guatemala. The report also shows how extortion is increasingly shifting towards publishing clinical information and other sensitive data, even as organizations manage to recover their systems.

--[Malware ]–

EvilSoul Engine: a Brazilian MaaS service to deploy infostealers

A report documents EvilSoul Engine, a Malware-as-a-Service (MaaS) platform used to generate and distribute custom infostealers. The recovered infrastructure includes a malware builder, a management web panel, packaging services, and distribution mechanisms for the generated samples. The variants analyzed are aimed at stealing browser credentials, Discord accounts, cryptocurrency wallets and session cookies. The report also describes techniques to bypass Windows and Chrome protection mechanisms, as well as a distribution model where each client receives a differently packaged sample, reducing the effectiveness of hash-only detections.

--[ APT ]–

Brazil — Armored Likho incorporates AI-generated code in campaigns against the government and the electricity sector

Kaspersky documented a new campaign attributed to the group Armored Likho (also known as Eagle Werewolf), active against government entities and organizations in the electricity sector in Brazil, Russia and Kazakhstan. The infections begin with spear phishing emails that distribute malicious files capable of installing BusySnake, a new infostealer developed in Python with functions to steal credentials, Telegram sessions, documents, cookies and cryptocurrency wallets. One of the elements that the report highlights is that the loaders used in the first stage contain comments and structures that point to the use of language models to generate part of the code. According to Kaspersky, this makes it possible to quickly modify infection chains without manually developing new variants in each campaign, while the rest of the operation maintains remote access tools, SSH tunnels and persistence mechanisms aimed at compromising high-value networks.

--[Cybercrime ]–

Venezuela — Fraud campaigns also appeared after the earthquake

The earthquake in Venezuela not only mobilized aid organizations. In parallel hundreds of domains related to donations, assistance and emergency response began to register, among which sites aimed at phishing campaigns, fake humanitarian organizations and other frauds that take advantage of these types of events also appeared. It is a pattern that is repeated every time a large-scale emergency occurs: while the humanitarian response is organized, infrastructure created to exploit the urgency and solidarity of those seeking information or wanting to help also appears.

--[Leaks ]–

Brazil — The ANPD opens proceedings against a health institute after an attack that exposed patient data

The ransomware that affected the Instituto Saúde e Cidadania (ISAC) in 2025 continues to leave movement in Brazil. Now, the National Data Protection Authority opened a procedure to review how the institution managed the incident that compromised information of some 500,000 people, including medical records, diagnoses and other sensitive data. The discussion is not about the ransomware group, but about the organization’s ability to demonstrate what happened to the information, what actions it had before the incident, and how it notified affected people.

In the monitoring we have done of leaks and attacks against organizations in the region in recent months, it is the first time that we see an action of this type focused on the responsibility of an entity for not adequately informing the people affected after an incident.

Argentina — Alleged AFA leak points again to stolen credentials

A database attributed to the Argentine Football Association (AFA) appeared published on cybercriminal forums a few days after the match between Argentina and Egypt. Although the incident has not yet been confirmed by the federation, the samples analyzed include access accounts, emails and other information that had not appeared in previous leaks. Everything indicates that access could have originated from credentials stolen by infostealers and reused to enter internal systems, a technique that continues to appear recurrently in campaigns against organizations in the region.

--[ Exfiltradaz - Snapshot from 06/25/2026 to 07/10/2026 ]–

During this period, 27 references to leaks linked to 8 countries in the region were recorded. Brazil continues to concentrate most of the observed activity, while Mexico maintains sustained growth and Argentina appears again with references to databases and public entities. In contrast, in recent months we have seen the references associated with Colombia and Ecuador decrease, a trend that continues in this snapshot.

The activity continues to be distributed mainly on platforms such as darkweb, xforums and blackhatworld, where databases, credentials and publications related to public organizations, education, financial services and ransomware campaigns circulate. During this period five new actors also appear in our monitoring: kienthuclive, leanesco, princess, revnnluneel and starblazer.

More details of these leaks in Exfiltradaz.