NyxarGroup is a threat actor observed claiming data theft and sale activity targeting Latin American government entities, specifically in Chile and Colombia. In the provided reporting, the actor is linked to alleged breaches or leaks involving Chile’s Ley del Lobby transparency portal, Chile’s Servicio Civil campus platform, and Colombia’s Department of Huila government extranet. The activity described centers on theft, public leaking, and sale of government-related datasets on the open web, with contact via private message and SimpleX in at least some cases. Reported targeting includes Chilean government platforms holding lobbying records and civil service training data, as well as Colombian regional government infrastructure. Claimed exposed data includes government employee names, internal user IDs, titles, phone numbers, email addresses, agency and unit assignments, office locations, lobbying hearing records, Chilean RUT numbers, passport details, contact information, represented-party names, and meeting schedules and locations. One report states NyxarGroup offered approximately 250GB of Ley del Lobby data for $2,000; another states the actor published 110,000 Servicio Civil records for free; another states the actor offered Department of Huila data for $150. The content describes NyxarGroup as continuing to target Latin American government infrastructure and notes collaboration in one Colombia-related listing with ArcRaidersPlayer, Petro_Escobar, and CryptoDead. ATT&CK mappings in the reporting include T1190 (Exploit Public-Facing Application), T1213 (Data from Information Repositories), T1567 (Exfiltration Over Web Service), T1589.003 (Gather Victim Identity: Employee Names), and, for the Ley del Lobby reporting, T1005 (Data from Local System), T1560 (Archive Collected Data), and T1589.001. No nation-state attribution is stated in the provided content. Known alias in the content: nyxargroup.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Sectors the actor has been observed targeting.
Geographies tied to known operations.
7 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Selling exfiltrated Colombian government data from the Huila Department extranet as part of a collaborative campaign targeting Latin American government infrastructure.
Claimed sale of allegedly stolen data from Chile's Ley del Lobby government transparency platform, including lobbying records, personal identifiers, contact information, meeting schedules, and details involving senior government and military officials.
Conducting data leak activity against Chilean government platforms, including Servicio Civil and previously Ley del Lobby, and publicly releasing stolen records.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.