@AnthropicAI @claudeai we need help with a likely false-positive account restriction.
We moved from a personal Claude account to an official Google Workspace business account for https://t.co/64IWxcIqIf, upgraded to Max, and submitted a Cyber Verification Program application for authorized security work.
Shortly after, the account was restricted/refunded. Appeal submitted through the official Safeguards form, CVP application received.
We’re not trying to bypass anything — just need a human review or guidance for the correct business onboarding path.
https://t.co/64IWxcIqIf is a legitimate cybersecurity company doing authorized pentesting, vulnerability research, and security reporting under NDA/ROE/SOW.
Can someone route this to Safeguards / Trust & Safety?
👤 CYBER INTELLIGENCE: PROFILING OF THE INFRASTRUCTURE THREAT ACTOR — URUGUAY 🇺🇾
💥 CRITICAL THREAT: DETAILED PROFILE AND TIMELINE OF LAPAMPALEAKS ATTACKS
The CTI unit has consolidated the technical and operational profile of the threat actor LaPampaLeaks, an active group since April 2020 specializing in data leaks, doxing, and defacement. Analysis of its infrastructure reveals a highly organized ecosystem that uses decentralized networks and Tor exit nodes to evade attribution, primarily targeting government, healthcare, education, and telecommunications sectors in Uruguay.
🏢 Affected Entities: Critical infrastructure of the Uruguayan State, corporate, education, and healthcare sectors.
👤 Threat Actor: LaPampaLeaks / PampaLeaks
⚔️ Main Tactics and Vectors: Exploitation of public-facing applications, Web Shells, API scraping (abuse of unrestricted requests), and traffic redirection through subdomain takeover.
🔍 Status: Correlated historical activity from 2020 to the recent massive compromise of the DNIC (5.8M citizens) in May 2026.
⚠️ TECHNICAL CAPABILITIES AND TTPs ANALYSIS (MITRE ATT&CK)
The LaPampaLeaks operational ecosystem demonstrates advanced persistence and impact capabilities:
🛡️ Defense Evasion and Persistence: Mandatory use of Tor routing, with persistence based on backdoors and Tor hidden services. They also clear logs and manipulate sessions to escalate privileges.
📡 Command and Control (C2) Infrastructure: Redundant and heavily encrypted communication channels operated through Telegram and Tox, with their real identities protected by use of the anonymous email service u**********@mail2tor.com.
🌐 INDICATORS OF COMPROMISE (IoCs) & ASSOCIATED INFRASTRUCTURE
The map of domains and hosts used to distribute manifests and host the compromised databases has been identified:
🔗 Key Domains and Infrastructure:
lapampaleaks(.)info (Seen since 2025-04-26)
lapampaleaks(.)lol (Seen since 2025-04-24)
lapampaleaks(.)pw (Seen since 2025-04-21)
*.lapampaleaks.pages(.)dev / *.lapampaleaks.workers(.)dev (Use of Cloudflare Workers/Pages)
🛑 Compromised/Taken Subdomain:
lapampaleaks.fiscalia.gub(.)uy (Registered 2024-12-23)
📅 HISTORICAL TIMELINE AND PUBLICATIONS
The history of posts on underground forums reveals the chronological evolution of their attacks:
🛡️ 2020-04-25 [First Appearance]: Official presentation of the actor on darkforums, releasing their first batch of databases and confidential documents (presentation: lapampaleaks [Databases] [Documents] [Leaks]).
🛍️ 2024-12-19: Publication and leak of the complete database and source code of the Las Piedras Shopping mall (uruguay: Las Piedras Shopping [Database] [Source Code]).
🏥 March 9, 2025: Exfiltration and release of COVID-19-related medical databases belonging to the State Health Services Administration (ASSE) (Uruguay: https://t.co/BqdRA3uymB [Database] [COVID-19]).
✈️ March 17, 2025: Visual alteration attack and leak of confidential documents from the National Directorate of Civil Aviation and Aeronautical Infrastructure (Uruguay: https://t.co/uu9XVSzqfr [defaced] [confidential documents]).
⚡ March 30, 2025: Defacement attack and data leak on the energy efficiency portal (Uruguay: https://t.co/lALAogNEFN [defaced] [Data Leak]).
⚖️ March 31, 2025: Defacement attack targeting the justice system of the Uruguayan Attorney General's Office (Uruguay: https://t.co/2BcQB942MD [defaced] [justice system]).
🎓 September 24, 2025 / April 3, 2026: Massive data leak of members of ORT Uruguay University, finally released for free (ORT University [Database] [Members] [FREE] [Uruguay]).
💻 September 30, 2025 / April 7, 2026: Consecutive attacks and leaks of citizen databases and device history of the Ceibal Plan (Uruguay: Plan Ceibal [Database] [Device history] [33k Sample] [Free]).
📋 April 3, 2026: Consolidated data breach involving multiple government entities, including cross-referenced data from the DNIC, ANEP, CEIBAL, SUCIVE fines, and IMV (Uruguay: Data breaches and services [DNIC] [ANEP] [CEIBAL] [SUCIVE fines] [IMV]).
📱 May 7, 2026: Leak of an 8GB batch of government data through the Antel TuID Digital mobile identity platform (Antel TuID Digital [8GB] [Data Leak] [Government]).
👥 May 18, 2026: Deployment of an active doxing service using government data of Uruguayan citizens (Uruguay: doxing service [Government data] [Citizens]).
🚨 2026-05-20 [Recent Incident]: Publication of the massive exploit against the DNIC, compromising the civil registry of 5.8 million Uruguayan citizens (Uruguay: DNIC [5.8M] Citizens).
📝 Historical tracing and infrastructure mapping confirm that LaPampaLeaks is not an opportunistic, entry-level attacker, but rather a persistent and highly focused threat actor with a sustained campaign spanning over six years, aimed at eroding Uruguay’s identity, healthcare, and justice systems. The use of combined techniques—ranging from classic web shell injection to advanced state subdomain hijacking and API abuse—demonstrates a meticulous reconnaissance methodology. Their latest action against the DNIC (compromising 5.8 million citizens) solidifies a critical and enduring risk of identity theft at the national level. Mitigation can no longer be reactive; it demands a fundamental redesign of trust in state portals and rigorous monitoring of exposed assets within government infrastructure.
#CyberSecurity #Uruguay #LaPampaLeaks #ThreatIntelligence #DNIC #DataLeak #Doxing #Defacement #TorNetwork #SubdomainTakeover #VECERT #Infosec #CyberAlert
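As an added example, not part of the VECERT post above and not the CTI unit's own tooling, the following Python turns the defanged IoCs listed in the post into a matcher that handles the wildcard Cloudflare Pages/Workers entries and label boundaries, runs it over a constructed resolver-log sample, and adds a dangling-CNAME audit for the subdomain-takeover vector the post names. Assumptions: the log line layout, the sample zone records, the set of "claimed" third-party hosts and the list of takeover-prone suffixes are illustrative; the post does not say how the fiscalia.gub.uy subdomain was taken, and a dangling CNAME is only one common way that happens.

```python
from __future__ import annotations

import re
from typing import Callable, Iterable, Optional

# IoCs exactly as published in the post, in defanged form.
RAW_IOCS = [
    "lapampaleaks(.)info",
    "lapampaleaks(.)lol",
    "lapampaleaks(.)pw",
    "*.lapampaleaks.pages(.)dev",
    "*.lapampaleaks.workers(.)dev",
    "lapampaleaks.fiscalia.gub(.)uy",
]

DEFANG_DOT = re.compile(r"\(\.\)|\[\.\]|\{\.\}")


def refang(ioc: str) -> str:
    """Convert a defanged indicator ('x(.)y', 'x[.]y', 'hxxp://x/') to a bare hostname."""
    host = ioc.strip().lower()
    host = re.sub(r"^hxxps?://", "", host)
    host = DEFANG_DOT.sub(".", host)
    return host.rstrip("./")


def build_matcher(iocs: Iterable[str]) -> Callable[[str], Optional[str]]:
    """Return match(qname) -> the original IoC it hit, or None.

    A plain domain IoC hits its apex and any subdomain; a '*.' IoC hits only
    names below it. Matching respects label boundaries, so
    'notlapampaleaks.info' does not hit 'lapampaleaks.info'.
    """
    rules = []  # (suffix, apex_allowed, original_ioc)
    for raw in iocs:
        host = refang(raw)
        if host.startswith("*."):
            rules.append((host[2:], False, raw))
        else:
            rules.append((host, True, raw))

    def match(qname: str) -> Optional[str]:
        name = qname.lower().rstrip(".")
        for suffix, apex_ok, original in rules:
            if (apex_ok and name == suffix) or name.endswith("." + suffix):
                return original
        return None

    return match


# Constructed resolver query log (not real traffic); the layout is an assumption.
SAMPLE_DNS_LOG = """\
2026-05-20T10:01:02Z client 10.0.4.17 query A www.lapampaleaks.info
2026-05-20T10:01:09Z client 10.0.4.17 query A cdn.example.org
2026-05-20T10:02:33Z client 10.0.8.3 query AAAA leaks.lapampaleaks.pages.dev
2026-05-20T10:03:01Z client 10.0.8.3 query A lapampaleaks.fiscalia.gub.uy
2026-05-20T10:03:20Z client 10.0.9.9 query A notlapampaleaks.info
2026-05-20T10:04:00Z client 10.0.9.9 query A lapampaleaks.pages.dev
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+) client (?P<client>\S+) query (?P<qtype>\S+) (?P<qname>\S+)$")


def scan_dns_log(log_text: str, iocs: Iterable[str] = RAW_IOCS) -> list[dict]:
    """Return one record per log line whose queried name matches an IoC."""
    match = build_matcher(iocs)
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ioc = match(m["qname"])
        if ioc:
            hits.append({"ts": m["ts"], "client": m["client"], "qname": m["qname"], "ioc": ioc})
    return hits


# Hosting suffixes where an unclaimed target name can be registered by anyone
# (illustrative list, an assumption; extend per environment).
TAKEOVER_PRONE_SUFFIXES = tuple("." + s for s in ("pages.dev", "workers.dev", "github.io"))

# Constructed zone export for a fictitious example.gub.uy (not any real zone).
SAMPLE_ZONE = [
    ("www.example.gub.uy", "A", "203.0.113.10"),
    ("old-portal.example.gub.uy", "CNAME", "old-portal.pages.dev"),
    ("intranet.example.gub.uy", "CNAME", "intranet-prod.workers.dev"),
]


def dangling_cname_candidates(zone, claimed: set[str]) -> list[str]:
    """Names whose CNAME points at a takeover-prone host the org does not verifiably own."""
    out = []
    for name, rtype, target in zone:
        t = target.lower().rstrip(".")
        if rtype == "CNAME" and t.endswith(TAKEOVER_PRONE_SUFFIXES) and t not in claimed:
            out.append(name)
    return out


if __name__ == "__main__":
    for h in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{h['ts']} {h['client']} -> {h['qname']} (IoC: {h['ioc']})")
    print("takeover candidates:", dangling_cname_candidates(SAMPLE_ZONE, {"intranet-prod.workers.dev"}))
```

In production the `claimed` set would come from the hosting provider's inventory and the audit would also resolve each CNAME target (an NXDOMAIN or provider "not found" page is the classic dangling signal); the wildcard IoC deliberately does not match the bare `lapampaleaks.pages.dev` apex, since the post lists only the per-deployment subdomains.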
Also, what's serious here isn't just the sale, it's the technical capability they show: a FastAPI-style API with /family and /familypro endpoints automatically mapping relationships. You don't build that by scraping for an afternoon; it implies real persistent access to state infrastructure. The underlying problem is that in UY cybersecurity is still treated as an expense and not as a critical investment.
@portalmvd What matters is that it's audited, not whether it was built with vibecoding. Everything at ANTEL has been hand-built since 2005 and is more vulnerable than a house without a door; what's being asked for is audits so we stop leaking all of Uruguay.
@leitosilva @PhDenLogica The problem is that's what usually happens with vibecoding: the final product looks fine but isn't, full of security holes, bad performance of every kind. I don't know if this case is one of those, but I don't doubt it either; when in doubt, they're guilty, haha.
Security things from the last few days:
- CopyFail (linux pwn'd)
- CopyFail 2/Dirty Frag
- 13 advisories in Next.js
- Over 70 CVEs addressed in macOS 26.5
- ~50 CVEs addressed in iOS 26.5
- YellowKey (Windows BitLocker pwn'd entirely)
- GreenPlasma (Windows privilege escalation)
- CVE-2026-21510 and CVE-2026-21513 confirmed to be used by Russia for Windows RCE
- CVE-2026-32202 separately confirmed to be used by Russia for sensitive document access
- Mini-Shai Hulud (over 300 JS and Python packages compromised via GitHub Action cache poisoning)
- Google confirms they have identified AI-powered exploitation of zero days in an unidentified "open-source, web-based system administration tool"
- Canvas (popular LMS used in most schools) pwn'd entirely
- PAN-OS (Palo Alto Networks) pwn'd with a 9.3 severity CVE-2026-0300
Are you scared yet?
💣 If you're a developer, an agent builder, automate workflows, do devops, are frontend-heavy, or simply love having total control of your AI… this is the announcement you were waiting for.
@UnslothAI has just made real the dream of having Kimi K2.6 from Moonshot AI, a 1 TRILLION parameter model, running LOCALLY on your PC… at more than 40 tokens/second.
The open-source monster that was breaking every coding and agent benchmark has now been quantized with their new Dynamic GGUFs v2.0 technology.
Some facts about Kimi K2.6:
- Open-source leader in coding: SWE-Bench Verified 76.8, Multilingual 73.0, BrowseComp 74.9, DeepSearchQA 77.1…
- Real long-horizon agents: more than 4,000 consecutive tool calls and 12+ hours of non-stop execution.
- Supports everything: Rust, Go, Python, frontend with video, WebGL, shaders, Framer Motion, Three.js…
- God-tier agent swarm: up to 300 parallel sub-agents working at the same time.
- Proactive 24/7 agents, Claw Groups (bring your own agents + humans + bots in an infinite loop)…
With Dynamic GGUFs v2.0 they didn't quantize everything uniformly (as everyone else does).
They dynamically upcast the key reasoning and coding layers while compressing the rest.
Result: you keep almost all the intelligence of the full-precision model… but now it weighs only 340GB.
The specs:
- 340GB → more than 40 tokens/second on ~350GB setups (CPU/GPU/SSD)
- Full-precision version: 610GB
- Runs on CPU, GPU, or even streaming from SSD
Open source has officially caught up with (and surpassed) closed source.
LINKS👇
What do Vercel, Rockstar Games, Anthropic, and Adobe have in common?
They've all been breached in the last 19 days...
Vercel was this morning. Someone is currently selling their source code on BreachForums for $2 million. The attackers got in through an AI tool Vercel had wired into its own internal systems. Let that sit for a second. An AI tool was the door.
Two weeks before that, Mercor lost four terabytes of data. Mercor is the $10 billion company that trains the AI models at OpenAI, Anthropic, and Meta. So now someone, somewhere, has four terabytes of whatever that looks like.
Anthropic's own source code leaked the week before. Drift Protocol lost $285 million to what was essentially an AI impersonating someone on their team well enough to trick a real employee into handing over access.
And that's just the AI column. The full 19-day list also includes Rockstar Games (78 million records), the LAPD (unredacted police files, witness names, medical records), McGraw-Hill, Booking.com, Kraken, Basic-Fit's one million gym members, Kelp DAO for another $293 million, and a dozen smaller ones.
Anthropic caught a group of state-backed hackers earlier this year using a jailbroken version of Claude to run an entire cyberattack campaign by itself.
The AI did the recon, wrote the exploit code, broke into the systems, and pulled the data. A human checked in occasionally. Thirty targets. Thousands of requests per second. No human team can move at that speed.
That was Claude, with every safety guardrail Anthropic could build into it.
Mythos is out there now seeded quietly to a handful of entities and OpenAI has the same. What does cybersecurity look like with that level of power open to the world?
A single CLAUDE.md just gained 14,300 stars in 7 days.
It has no code. No CLI. No dependencies.
It's four rules to make Claude Code stop hallucinating.
SOMEONE TURNED THE VIRAL "TEACH CLAUDE TO TALK LIKE A CAVEMAN TO SAVE TOKENS" STRATEGY INTO AN ACTUAL CLAUDE CODE SKILL
one-line install and it cuts ~75% of tokens while keeping full technical accuracy
they even benchmarked it with real token counts from the API:
> explain React re-render bug: 1180 tokens → 159 tokens (87% saved)
> fix auth middleware: 704 → 121 (83% saved)
> set up PostgreSQL connection pool: 2347 → 380 (84% saved)
> implement React error boundary: 3454 → 456 (87% saved)
> debug PostgreSQL race condition: 1200 → 232 (81% saved)
average across 10 tasks: 65% savings. range is 22-87% depending on the task.
three intensity levels:
> lite: drops filler, keeps grammar. professional but no fluff
> full: drops articles, fragments, full grunt mode
> ultra: maximum compression. telegraphic. abbreviates everything
works as a skill for Claude Code and a plugin for Codex.
this is PEAK
this was exactly what we expected and the reason they removed claude code from npm distribution and started rolling out versions with the cch headers to identify third party clients
they "love open source" - yet they keep claude code exactly closed source cause they don't want anyone else to be able to use claude subscription outside of their products
the saddest part is how they treat us like complete idiots who can't figure this out