
@shinee_
I harden the security of your WordPress site 🚀 I respond to security incidents and malware 𝙒𝙤𝙧𝙙𝙥𝙧𝙚𝙨𝙨 𝙎𝙚𝙘𝙪𝙧𝙞𝙩𝙮 𝙀𝙣𝙩𝙝𝙪𝙨𝙞𝙖𝙨𝙩 🚨


🚨 🇨🇱 CYBER INTELLIGENCE ALERT: MASSIVE CAMPAIGN AGAINST DIGITAL INFRASTRUCTURE IN CHILE

⚠️ MORE THAN 120 DOMAINS COMPROMISED

The Pharaoh's Team threat group has published a massive list of more than 120 compromised targets, almost all belonging to the Chilean domain name space (.cl). The attackers are offering for sale direct access to control panels (cPanel) and WordPress admin privileges (WP-admin), granting them complete control over the websites and their associated databases.

🎯 Affected Sectors: Government, Education, Legal, Transportation, and Commercial in Chile.
👤 Threat Actor: Pharaoh's Team
🛠️ Access Vectors: cPanel and WordPress Admin Credentials.
📅 Detection Date: May 2026

📊 ANALYSIS OF COMPROMISED ENTITIES

🕵️‍♂️ THREAT SUMMARY
The Pharaoh's Team threat group has published a massive inventory of compromised access points targeting almost exclusively Chilean digital infrastructure. The attackers gain complete control through cPanel and WP-admin credentials, allowing them to manipulate files, databases, and institutional emails. These are the entities with the greatest institutional and social impact:

🏛️ Government and Municipal Sector
Municipality of Palmilla: data.munipalmilla.cl. The compromise of municipal data subdomains represents a critical risk to citizens' privacy and the integrity of local public services.

🎓 Education Sector (Institutions and Schools)
San Viator School of Macul: sanviatormacul.cl
Hispano Americano School: hispanoamericanocolegio.cl
Portales School: colegioportales.cl
La Igualdad High School: liceolaigualdad.cl
GRC High School: liceogrc.cl
Prince of Asturias School (Valdivia): principedeasturiasvaldivia.cl

⚖️ Notary and Legal Sector (Public Faith Services)
Julio Abuyeres Notary Office: notariajulioabuyeres.cl
Renata González Notary Office: notariarenatagonzalez.cl
Villalobos Notary Office: notariavillalobos.cl
CEP Abogados: cepabogados.cl
IP Abogados: ipabogados.cl

🚌 Transportation, Unions, and Health
Narbus: narbus.cl (Intercity bus company).
Starbucks Union: sindicatostarbucks.cl.
Arrayán Mental Health: saludmentalarrayan.cl.

💼 Unions and Associations: sindicatostarbucks.cl (Starbucks Chile Workers' Union).

[RISK ANALYSIS]: By gaining access to cPanel, the attacker not only controls the website's visible content (via WP-admin), but also has the ability to intercept institutional emails, load phishing emails, deploy malware to infect visitors, and access databases containing Personally Identifiable Information (PII) of citizens and clients.

🛡️ MITIGATION AND RECOMMENDATIONS
🛑 Credential Reset: Administrators of the listed domains are urged to immediately change passwords at all levels (cPanel, Database, FTP, and WordPress Users).
⚠️ File Audit: Review the root directory for recently uploaded suspicious .php files (Webshells) that could allow the attacker to persist.
🔒 MFA Implementation: Mandatory Multi-Factor Authentication (2FA) must be enabled for access to control panels and content management.
💻 Plugin Audit: Update all WordPress components, as the exploit often stems from vulnerabilities in unpatched plugins.

⚡ MONITORING
🌐 Monitoring System: analyzer.vecert.io

#Cybersecurity #Chile #DataBreach #cPanel #WordPress #PharaohsTeam #CriticalInfrastructure #VECERT #CyberAlert #InfosecChile


⚠️ Unraveling "Rutify": the hacker platform that exposed medical data and is now being investigated by the PDI biobiochile.cl/especial/bbcl-… via @biobio


🚨 BREAKING: Instructure, the company behind Canvas - the LMS tool used by almost every university in the United States, has been breached by popular threat actor ShinyHunters. List of breached schools: http://91.215.85.103/pay_or_leak/instructure_affected_schools_list.txt

🚨 CYBER THREAT INTELLIGENCE ALERT: SALE OF ACCESSES AND BACKDOORS ON MULTIPLE CHILEAN DOMAINS (.cl) 🇨🇱💻🚪🔓

[STATUS: ACTIVE THREAT]

Threat intelligence collection engines have detected malicious activity within the "Pharaoh's Team" Telegram channel. The threat actor has published a sales catalog exposing the compromise of over a dozen websites in Chile, ranging from civil infrastructure to educational institutions.

📍 Affected Country: Chile (.cl) and Chilean organizations (.org).
👤 Threat Actor: Pharaoh's Team
🛠️ Compromised Asset: Web access (presumably Web Shells, Backdoors, or CMS credentials).
📅 Report Date: May 7, 2026.

🏢 List of Compromised Domains and Sectors
The Pharaoh's Team catalog impacts various critical and commercial sectors:

Civil and Corporate Infrastructure:
autopistasdeantofagasta.cl (Road infrastructure/concessionaire).
embalselaspalmas.cl (Water management/dams).

Education and NGOs:
colegiovirgendepompeya.cl (School).
porunchilequelee.cl (Educational initiative).
isf-chile.org (Presumed NGO).

Commerce, Retail, and Entertainment:
alercweb.cl, barbulnes.cl, boticadelalma.cl, carnalprime.cl, clubeve.cl, concursowistuba.cl, decotextil.cl, galeriaweb.cl, newtrans.cl.

The presence of backdoors on portals such as autopistasdeantofagasta.cl poses a serious risk to the supply chain. Cybercriminals can utilize these legitimate domains to send highly convincing spear-phishing emails to Chilean government entities, construction suppliers, or citizens, facilitating the deployment of ransomware under the guise of Official Communications.

🛡️ Remediation Recommendations
🔒 Threat Hunting: IT administrators for the listed domains must immediately isolate their web servers and conduct a forensic scan to search for anomalous PHP/ASP files (Web Shells) hidden within public directories (e.g., /wp-content/uploads/).
🔑 Access Revocation: Enforce password resets for all CMS administrator accounts (e.g., WordPress, Joomla), FTP/SFTP accounts, and database access credentials.

Monitor: analyzer.vecert.io

#CyberSecurity #Chile #WebShell #Backdoor #DataBreach #PharaohsTeam #ThreatIntelligence #VECERT #CyberAlert 🇨🇱🛡️⚠️🚨💻
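The "File Audit" and "Threat Hunting" recommendations in the two alerts above both come down to a sweep of the web root for script files that have no reason to be there. The sketch below is an added example, not part of the original posts or any VECERT tooling; the function names, the extension list, the 14-day window and the sample tree are assumptions chosen for illustration.

```python
import os
import tempfile
import time

# Extensions a web server may hand to an interpreter (PHP/ASP, as named in the alert).
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".phar", ".asp", ".aspx"}
# Directories meant to hold media only; this path is the one the alert cites.
DATA_ONLY_DIRS = ("wp-content/uploads",)

def audit_docroot(root, recent_days=14, now=None):
    """Return sorted [(relative_path, [reasons])] for script files needing review."""
    now = time.time() if now is None else now
    cutoff = now - recent_days * 86400
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            # Check every dot-separated part so "thumb.php.jpg" is not missed.
            parts = {"." + p.lower() for p in name.split(".")[1:]}
            if not parts & SCRIPT_EXTS:
                continue
            reasons = []
            if any(rel.startswith(d + "/") for d in DATA_ONLY_DIRS):
                reasons.append("script in data-only directory")
            if os.lstat(full).st_mtime >= cutoff:
                reasons.append("modified in last %d days" % recent_days)
            if name.startswith("."):
                reasons.append("hidden file")
            if reasons:
                findings.append((rel, reasons))
    return sorted(findings)

def build_sample_tree(root, now):
    """Constructed sample docroot as (path, age in days); not real data."""
    sample = [("index.php", 400), ("wp-login.php", 400),
              ("wp-content/uploads/2026/05/logo.png", 2),
              ("wp-content/uploads/2026/05/cache.php", 2),
              ("wp-content/uploads/2024/01/thumb.php.jpg", 300),
              ("wp-includes/.sess.php", 3)]
    for rel, age in sample:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
        os.utime(path, (now - age * 86400,) * 2)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp, time.time())
        print(audit_docroot(tmp))
```

Modification times can be reset by whoever wrote the file, so the "recent" check only narrows the search; comparing core files against checksums from a clean copy of the same WordPress release is the stronger follow-up.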




🇨🇱 [INITIAL ACCESS SALE] ISP Control Panel + API Access (Chile)

A threat actor is advertising access to an ISP environment allegedly based in Chile, including control panel, network API, and WordPress configs.

Claimed access:
• Provider control panel access
• Network management API
• WordPress configuration files
• Payment gateway endpoints
• Admin-related data (email/phone/login references)

Data exposure:
• “Thousands” of customer records
  – Names, contacts, addresses
  – Billing and payment history
• Additional sensitive elements:
  – JWT tokens
  – Webhooks
  – Database configuration (localhost scope)

💰 Sale details:
• Starting bid: $3,000
• Blitz price: $15,000
• Claimed business turnover: $150K/month

⚠️ Initial assessment:
• This is not just a data leak — this is ACTIVE ACCESS being sold
• Presence of:
  – API access
  – Control panel
  – Payment integrations
  → indicates high-impact compromise potential
• JWT + webhook exposure suggests:
  – Possible session/token abuse
  – API abuse / service impersonation

🎯 Risk perspective:
• Immediate threats:
  • Customer data exfiltration
  • Service disruption
  • Financial fraud via payment systems
  • Full infrastructure takeover
• Long-term risk:
  • Persistent access / backdoor retention
  • Supply chain impact (if ISP clients affected)

🔐 Recommended actions:
• Treat as critical incident if confirmed
• Immediate:
  • Revoke API tokens / JWT secrets
  • Rotate all credentials
  • Audit control panel access logs
• Investigate:
  • Unauthorized API usage
  • Webhook abuse patterns
• Segment and isolate affected systems

Current status: Unverified but HIGH RISK due to nature of access being sold

#DDW #Intelligence #CyberThreat #InitialAccess #DarkWeb #OSINT

And the email I got about my Clave única being blocked is fake? 🤨 Just asking






🚨#Chile🇨🇱: Shell app customers report theft of money and the company resets thousands of accounts - credentials exposed on the Internet. #ciberseguridad #Shell @Shell reportea.cl/2026/05/04/fal… Source: @_reportea




