🚨 CYBER INTELLIGENCE ALERT: WEB EXPLOIT INJECTION AND NEOLINK DECONFIGURATION — GUATEMALA 🇬🇹
[STATUS: UNDER SUPERVISION]
The threat actor, fully identified under the alias NemorisHacking, has perpetrated a web exploit injection attack. The actor indicates that they compromised and visually defaced transactional instances of the NeoLink/NeoNet payment gateway infrastructure in Guatemala (.gt). The incident directly affects active transactional links, exposing critical weaknesses in the sanitization of website entry points. According to the evidence collected, the attack replaced the legitimate card payment form with a custom panel titled "The Mirror of Your Shadow," with explicit text attributing the compromise to the attacker.
🏢 Affected Entity: Infrastructure associated with NeoLink/NeoNet Guatemala (Payment Gateway)
👤 Threat Actor: NemorisHacking
⚔️ Attack Vector: Web Exploit Injection / Active Link Defacement
⚠️ CRITICAL RISK ANALYSIS AND EXPOSED FIELDS
The presence of code injections on payment processing platforms represents an imminent risk of large-scale financial fraud:
💳 Phishing and Formjacking Risk: The attacker demonstrates the ability to inject HTML elements into high-trust domains (https://t.co/Kki7MNatVe). This facilitates the cloning of critical fields such as "Card Number", "MM/YY", and "CVV" for the silent exfiltration of banking data (Magecart style) before redirecting the user.
🛑 Payment Chain Disruption: By altering the legitimate transaction interface, secure fund collection for affiliated merchants that rely on that link ID is completely disabled.
🛡️ MITIGATION AND PREVENTIVE TECHNICAL RECOMMENDATIONS
🚫 Link Isolation and Deactivation: NeoLink platform administrators are urged to immediately revoke and disable the token/ID of the compromised link to stop the deployment of malicious code.
💻 Code Injection Audit (Web App Audit): Thoroughly review server-side variable validation mechanisms in payment link generation routes to block the injection of HTML/JS payloads.
📊 MONITORING AND EVALUATION
Intelligence System: https://t.co/wk9bZJ2Nli
Quickly assess your website's security with: https://t.co/QZhWp0kFrO
#CyberSecurity #Guatemala #NeoNet #NeoLink #WebExploit #Defacement #NemorisHacking #FinancialThreats #ThreatIntelligence #CyberAlert #VECERT #Infosec
1/2‼️🇬🇹 Guatemalan Ministry of Finance allegedly breached: 130,000 RGAE registrations and 235,000 sensitive PDFs (324.5GB) exposed via IDOR and unauthenticated APIs
A threat actor claims to have compromised the Registro General de Adquisiciones del Estado (RGAE) system operated by the Guatemalan Ministry of Finance (Ministerio de Finanzas Públicas), the official state procurement registry.
The actor describes the breach as part of an ongoing "digital siege" against Guatemala, citing critical IDOR/BOLA vulnerabilities at /api/Solicitud/ObtenerSecciones and two open APIs without any security, including one connected to the Superintendencia de Administración Tributaria (SAT) at /api/sat/email.
The actor states that despite Cloudflare and a WAF being in place, the extraction was performed by simulating real traffic from ordinary web users to avoid alerting the system, allowing 130,000 registration records from 2020 to 2026 to be extracted, alongside 235,000 sensitive PDF documents totalling 324.5 GB.
A proof-of-concept 5,000-row CSV sample and a 200-PDF preview have been published.
▸ Actor: GordonFreeman (VIP), branded "LAT4MFUCK3RS"
▸ Sector: Government / Public Procurement / Finance
▸ Type: Data Breach (IDOR/BOLA, unauthenticated APIs)
▸ Records: 130,000 registrations + 235,000 PDFs (324.5 GB)
▸ Country: Guatemala
▸ Date: 14/05/2026
Compromised data:
Registration records (130,000 rows, 2020-2026):
▪ ID
▪ NIT (Guatemalan tax identification number)
▪ CUI (Código Único de Identificación)
▪ Nombre (full name)
▪ Direccion (address)
▪ Telefono (phone number)
▪ Correo (email address)
▪ Tipo_Org (organization type, Individual or Juridica)
PDF documents (235,000 files, 324.5 GB):
▪ University degrees and diplomas
▪ Ministry of Education teaching titles
▪ SAT invoices (Facturas)
▪ Negotiation minutes and articles of incorporation
▪ Sports minutes (actas)
▪ Simple agreements
▪ Notarial acts (Protocolos with Diez Quetzales registry stamps)
▪ Balance sheets
▪ Bank certifications
▪ Administrative contracts
▪ Signed affidavits
▪ Tax solvency certificates
▪ Commercial patents
▪ Scanned DPIs
▪ Constitution of Sociedad Anónima documents
Vulnerability details:
▪ IDOR/BOLA
▪ Unauthenticated SAT API
▪ Second unauthenticated API hosting all persons registered in RGAE
▪ Cloudflare and WAF in place but bypassed via traffic simulation
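The post above attributes the extraction to IDOR/BOLA reads paced like ordinary user traffic. The following is an added detection sketch, not taken from the post or from any affected system: it flags clients by the number of distinct object IDs they read rather than by request rate. The log layout, endpoint path, client addresses and thresholds are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed log layout (constructed): "<ISO time> <client> GET <path>?id=<n> <status>"
LINE = re.compile(r"^(\S+) (\S+) GET (/\S+?)\?id=(\d+) (\d{3})$")

def constructed_log():
    """Constructed sample: a slow ID walker and a busy ordinary user."""
    t0, path = datetime(2026, 1, 1, 8, 0), "/api/records/sections"  # hypothetical path
    rows = [(t0 + timedelta(minutes=10 * i), "203.0.113.7", 1000 + i) for i in range(60)]
    rows += [(t0 + timedelta(seconds=30 * i), "198.51.100.4", 42 + i % 2) for i in range(200)]
    return [f"{ts.isoformat()} {ip} GET {path}?id={oid} 200" for ts, ip, oid in rows]

def enumeration_suspects(lines, max_distinct=20, window_hours=24):
    """Map (client, path) -> peak count of distinct object IDs read successfully
    inside any sliding window, for clients whose peak exceeds max_distinct."""
    window = timedelta(hours=window_hours)
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line.strip())
        if m and m.group(5) == "200":
            hits[(m.group(2), m.group(3))].append(
                (datetime.fromisoformat(m.group(1)), int(m.group(4))))
    suspects = {}
    for key, events in hits.items():
        events.sort()
        in_window, start, peak = Counter(), 0, 0
        for ts, oid in events:
            in_window[oid] += 1
            while ts - events[start][0] > window:  # drop reads older than the window
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak > max_distinct:
            suspects[key] = peak
    return suspects

if __name__ == "__main__":
    for (client, path), n in enumeration_suspects(constructed_log()).items():
        print(f"{client} read {n} distinct IDs on {path}")
```

In the constructed data the busy user sends more than three times as many requests as the slow walker but touches only two IDs, so a rate rule would rank the two clients the wrong way round. Detection of this kind complements an object-level authorization check on the endpoint and does not replace it.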
🚨 CRITICAL CYBERINTEL ALERT: MASSIVE STUDENT DATA EXFILTRATION – UNIVERSIDAD DA VINCI (GUATEMALA) 🇬🇹🎓📂🔓
A massive data leak has been detected affecting the Universidad Da Vinci de Guatemala (UDV). Threat actor "Dianna" claims to have compromised the university's systems, citing severe deficiencies in its Web Application Firewall (WAF) security.
🏢 Affected Entity: Universidad Da Vinci de Guatemala (https://t.co/DBCuBWr2dk).
👤 Threat Actor: Dianna.
📂 Leak Volume:
98,099 JSON files containing student information.
16,000 student photographs.
🛠️ Exposure Vector: APIs exposed on the university's virtual campus subdomain (https://t.co/q0tUNXsDQn).
📅 Publication Date: May 2026.
📊 Breach Scope (PII and Biometrics)
The exfiltrated information enables comprehensive and detailed profiling of the student body:
Identity and Legal: First names, surnames, ID numbers, tax ID numbers (CIF), and marital status.
Biographical Data: Date and place of birth.
Geolocation: Full residential address, department, municipality, and zone.
Direct Contact: Mobile phone numbers, landline numbers, alternative contact numbers, and email addresses.
Visual Identification: 16,000 photographs linked to student profiles.
🛡️ Immediate Response Recommendations
🔒 API Shutdown: Universidad Da Vinci must immediately identify and restrict access to the APIs on https://t.co/q0tUNXsDQn that are serving data without authentication.
🔑 WAF Audit: Review and harden Web Application Firewall rules to prevent the mass scraping of JSON and multimedia files.
👁️ Community Notification: Inform students about the data leak so they may exercise extreme caution regarding suspicious phone calls or emails. Monitor: https://t.co/wk9bZJ2Nli
#CyberSecurity #Guatemala #UniversidadDaVinci #UDV #DataBreach #HigherEducation #PII #VECERT #InfoSec #Unverified 🇬🇹🛡️⚠️🚨🎓
🚨 CRITICAL CYBER THREAT ALERT: HEALTHCARE INFRASTRUCTURE COMPROMISE – INE GUATEMALA 🇬🇹⚕️📊 [STATUS: UNCONFIRMED]
A post has been detected from the threat actor NemorisHacking, claiming to have breached the data portal of Guatemala's National Institute of Statistics (INE). The actor asserts that they have exfiltrated sensitive information related to health records and personal data.
🏢 Affected Entity: National Institute of Statistics (INE), Guatemala.
👤 Threat Actor: NemorisHacking.
🛠️ Compromised Asset (Alleged): Data portal (https://t.co/kIrqkydWxA) and the https://t.co/sl0shQS912 epidemiological management platform.
📂 Breach Volume: Over 10,000 individual records.
📅 Date of Detection: May 1, 2026.
⚠️ Status: UNCONFIRMED.
📊 Visual Evidence Analysis
[The evidence] shows access to an instance of the https://t.co/sl0shQS912 platform (a WHO tool for outbreak investigation):
Sensitive Data: The dashboard displays sections for "Cases," "Contacts," "Laboratory Results," and "Events."
Geographic Context: A notification regarding active outbreaks in Guatemala and El Progreso—specifically related to COVID-19—is visible.
System Administration: The actor demonstrates access to data visualization and referral management features, suggesting a compromise at the user or administrator privilege level.
🛡️ Immediate Response Recommendations
🔒 https://t.co/sl0shQS912 Forensic Audit: The INE and the Ministry of Health of Guatemala are urged to review access logs for the https://t.co/sl0shQS912 platform and identify the point of compromise.
🔑 Session Termination and MFA: Force the termination of all active sessions on the data portal and mandate multi-factor authentication (MFA) for all technical personnel.
#CyberSecurity #Guatemala #INE #SaludPublica #DataBreach #NemorisHacking #GoData #VECERT #InfoSec #SinConfirmar 🇬🇹🛡️⚠️🚨⚕️
🚨 CRITICAL CYBERINTELLIGENCE ALERT: MASSIVE COMPROMISE OF EDUCATIONAL INFRASTRUCTURE – MINISTRY OF EDUCATION (GUATEMALA) 🇬🇹🎓📄🔓
A massive, high-impact breach has been detected targeting the servers of the Ministry of Education of Guatemala. Threat actor "GordonFreeman"—a member of the group L4TAMFUCK3RS—claims to have infiltrated the institutional network, exfiltrating a massive volume of sensitive documents.
🏢 Affected Entity: Ministry of Education (MINEDUC), Guatemala.
👤 Threat Actor: GordonFreeman (L4TAMFUCK3RS).
📂 Leak Volume:
178 GB of total data.
150,000 exfiltrated PDF files.
📅 Publication Date: April 30, 2026.
📊 Breach Scope (PII and Sensitive Data)
The attacker claims to possess access to highly sensitive information regarding every user within the Ministry:
Personal Documentation: 150,000 PDF files containing administrative, personal, and educational records pertaining to students, teachers, and administrative staff.
Network Persistence: The actor claims to maintain internal access to the institutional network, despite existing state security protocols.
Proof of Concept (PoC): A sample of 2.4 GB (approximately 1,979 documents) has been released to validate the authenticity of the breach.
🛡️ Immediate Response Recommendations
🔒 File Server Isolation: The MINEDUC technical team is urged to isolate document repositories to halt any ongoing data exfiltration.
🔑 Privileged Account Audit: Review all access logs for the affected servers and revoke any suspicious sessions.
Monitor: https://t.co/wk9bZJ2Nli
#CyberSecurity #Guatemala #MINEDUC #DataBreach #L4TAMFUCK3RS #GordonFreeman #InfoSec #Privacy #VECERT #CyberAttack 🇬🇹🛡️⚠️🚨🎓
🚨 NATIONAL SECURITY ALERT: DIGITAL INFRASTRUCTURE COLLAPSE – GUATEMALA (RENAP & SAT) 🇬🇹🏛️🚗🔓
The most severe threat to Guatemala's digital sovereignty in its history has been detected. Threat actor GordonFreeman, in coordination with the group Team L4TAMFUCKERS, claims to have breached the entirety of the RENAP and SAT systems, exfiltrating the identity data of the entire population and the country's complete vehicle registry.
🏢 Affected Entities:
RENAP: National Registry of Persons.
SAT: Superintendence of Tax Administration.
👤 Threat Actors: GordonFreeman, Izanagi, cantpwn, and YoSoyGroot (Team L4TAMFUCKERS).
📊 Breach Volume:
18 Million Records (RENAP): Birth, marriage, and death certificates, as well as biometric and sensitive data for the entire nation.
5.6 Million Vehicle Records (SAT): Ownership data, Tax ID numbers (NIT), names, tax addresses, chassis numbers, engine numbers, license plates, and electronic ownership certificates.
📊 Breach Scope (Absolute Exposure)
The leak grants total control over citizens' identities and property:
Civil Identity: Access to the complete database of Guatemalan citizens, spanning from birth to death.
Vehicle Information: Exhaustive details on every vehicle in the country, including Electronic Circulation Cards and Titles of Ownership.
Persistence: The attackers claim to have established persistence within the infrastructure, meaning they maintain hidden access points even if attempts are made to close known vulnerabilities.
🛡️ Immediate Response Recommendations
🔒 Declaration of Digital Emergency: The Government of Guatemala must immediately activate its national security and cyber defense protocols.
🔑 Privileged Account Audit: It is imperative to conduct a threat hunt to locate the persistence points and web shells that the group claims to have installed.
Monitor: https://t.co/wk9bZJ2Nli
#CyberSecurity #Guatemala #RENAP #SAT #DataBreach #L4TAMFUCKERS #GordonFreeman #NationalEmergency #VECERT #InfoSec 🇬🇹🛡️⚠️🚨🏛️
🚨 CYBERINTEL ALERT: MASSIVE DATA LEAK – UNIVERSIDAD RAFAEL LANDÍVAR (URL) 🇬🇹🎓🛡️
A critical privacy breach has been detected affecting the Universidad Rafael Landívar in Guatemala. Threat actor MrGoblinciano (the same individual linked to the recent USAC leak) has published a massive data package that compromises the visual and personal identities of the university community.
🏢 Affected Entity: Universidad Rafael Landívar (URL), Guatemala.
👤 Threat Actor: MrGoblinciano.
📂 Leak Volume:
84,620 photographs of students and faculty members.
Database in JSON format (1.54 MB).
Total package size: 20 GB.
📊 Breach Scope (PII and Facial Biometrics)
The leak directly links personal images with academic and civil data:
Identity Photographs: Images of 84,620 individuals, used for ID cards and official records.
Academic Identification: The University ID number, which serves as an access key to internal services.
Personal Information (PII): Full names and dates of birth (as observed in the sample for Vanessa Isabela Flores Hernández).
Data Association: The structure of the leak allows for cross-referencing a photograph with the exact name and age of the student or professor.
🛡️ Immediate Response Recommendations
🔒 Credential Change: The entire Landivariana community is urged to change the passwords for their institutional email accounts and student/faculty portals.
🔑 Academic Security: The university should consider invalidating and reissuing the most sensitive ID numbers, or implement Multi-Factor Authentication (MFA) methods for service access.
Monitor: https://t.co/wk9bZJ2Nli
#CyberSecurity #Guatemala #URL #UniversidadRafaelLandivar #DataBreach #MrGoblinciano #PII #Privacy #InfoSec 🇬🇹🛡️⚠️🚨🎓
🚨 NATIONAL SECURITY ALERT: MASSIVE DATA LEAK FROM THE MINISTRY OF LABOR – GUATEMALA 🇬🇹🏛️🔓
A security compromise of extreme severity has been detected, affecting Guatemala’s Ministry of Labor and Social Welfare (MINTRABAJO). Threat actors Izanagi, GordonFreeman, and cantpwn claim to have breached the entire API of the government employment portal (https://t.co/80yrPFf0h4), exposing the identities and employment histories of hundreds of thousands of Guatemalans.
🏢 Affected Entity: Ministry of Labor and Social Welfare (Guatemala).
👤 Threat Actors: Izanagi, GordonFreeman, cantpwn (L4TAMFUCKERS).
📂 Leak Volume:
+200,000 detailed user records.
40 GB of PDF files (original Curriculum Vitae).
📅 Publication Date: April 26, 2026.
📊 Scope of the Breach (PII and Employment Data)
This leak is one of the most invasive recorded in the region, as it combines official identity data with socioeconomic profiles:
Official Identity: Full names and DPI (Personal Identification Document) numbers.
Contact and Location: Phone numbers (multiple lines), email addresses, and residential addresses (categorized by department and municipality).
Socioeconomic Profile: Date of birth, last reported salary, employment status, ethnicity, and linguistic community.
Academic and Professional History: Educational levels, universities attended, degrees obtained, and languages spoken.
Attached Documentation: Direct access to the 40 GB of PDF CVs, which contain photos, personal references, and complete employment histories.
🛡️ Immediate Response Recommendations
🔒 Urgent API Shutdown: The Government of Guatemala must immediately deactivate the API for https://t.co/80yrPFf0h4 to halt the ongoing data exfiltration.
🔑 DPI Monitoring: Guatemalan citizens are advised to watch for any unusual activity or transactions involving the SAT or banking institutions.
Monitor: https://t.co/wk9bZJ2Nli
#CyberSecurity #Guatemala #MINTRABAJO #DataBreach #DPI #L4TAMFUCKERS #TuEmpleo #VECERT #InfoSec #CyberCrime 🇬🇹🛡️⚠️🚨