3C-INT logo [Cyber]Crime Characterization for Intelligence FREE PREVIEW
You are exploring the Free preview. To unlock full read-only access to all public profiles and in-app notifications, create a free research account. For analyst / premium plans capabilities (editing, advanced tabs, exports), please contact us

Threat Actor Characterization

Back
You’re viewing the read-only version. Sign in for analyst tools (editors, promote draft, file/relations management, etc.)
Lizard

Lizard

ID: 2f7569e00c4d97aef5f2c2b3a4d2213f03521
Cybercrime Cybercriminal Hacktivist
Threat types: Hacktivism, Defacement, Intrusion, Data Leak
Mexico MEX
Updated: 2026-04-10
Created: 2026-03-27
Progress: 89% Completeness: 88% Freshness: 90%
Operation zone: Mexico
Aliases Limited alias preview
Lizard001 The Lizard 001 Th**********
Showing 2 of 3 aliases in free preview.
Actor Network Graph
Open Network Graph
Read-only preview for anonymous visitors. Sign in with a free Research account for full workspace.
MITRE ATT&CK®
confidence: medium
Actor Techniques page ATT&CK® Diagram

Lizard is a Chronus Team-linked operator/persona associated with data-leak and public-pressure activity affecting Latin American public institutions. Available evidence supports treating the alias as part of a semi-decentralized collaborative ecosystem rather than as a standalone intrusion organization.


Technique Technique name Tactics Evidence
T1190 Exploit Public-Facing Application TA0001
  • 2026-03-28 — Public reporting on Chronus Team frames the ecosystem around compromise of exposed public-sector services and weak Internet-facing systems. INFERENCE (confidence: medium): Lizard likely benefits from the same public-facing access model. · ref
T1078 Valid Accounts TA0001 TA0003 TA0004 TA0005
  • 2026-03-30 — INFERENCE (confidence: medium): some public-sector leak cases attributed to Lizard may involve valid-account abuse, weak access control, or reused credentials rather than direct exploitation alone. · ref
T1005 Data from Local System TA0009
  • 2026-03-30 — The Argentina-focused leak set attributed to Lizard implies collection of institutionally sensitive records from targeted systems or accessible attached storage. · ref
T1567 Exfiltration Over Web Service TA0010
  • 2026-03-30 — INFERENCE (confidence: medium): release-oriented operations attributed to Lizard are consistent with exfiltration or transfer over web-based services prior to public dissemination. · ref
T1491.001 Internal Defacement TA0040
  • 2026-03-28 — Defacement is not the strongest current Lizard-specific anchor, but preserved Chronus-branded defacement artifacts show the alias in the wider ecosystem that uses visible website impact as part of its propaganda model. · ref
Strategic Intelligence
Limited preview
Last updated: 2026-03-30T20:11:33+00:00

Lizard — Chronus Team-linked operator

Classification: Unclassified / Open Source Intelligence (OSINT) + Limited Human Intelligence (HUMINT) — TLP:WHITE

Category: Cybercrime / Hacktivism-adjacent intrusion and data-leak activity - Origin: Mexico (assessed, not confirmed)

Author: iQBlack CTI Team


Executive Summary

Lizard is assessed as a public-facing operator or participant associated with the broader Chronus Team ecosystem, a Latin American intrusion-and-leak cluster that has repeatedly targeted public-sector and quasi-public institutions for reputational pressure, data exposure, and propaganda value. Available reporting does not support treating Lizard as a standalone organization; rather, the alias is best placed inside a semi-decentralized brand environment in which multiple named participants claim or co-sign operations under the Chronus label.


Current confidence is medium regarding Lizard’s membership or active participation in Chronus Team operations, and medium-high regarding the actor’s role in a concentrated set of data-leak claims affecting Argentine institutions in late March 2026. Newly supplied internally collected reporting ties Lizard to a broad cluster of Argentine government, security, education, health, and financial-sector related releases, materially increasing the alias’s operational relevance inside the Chronus graph.

Full strategic intelligence is available in Analyst and Premium plans.
Executive Analyst Brief for CISO
Saved Limited preview

Executive Analyst Brief for CISO — Lizard

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Upgrade to access the full executive brief.
Tip: Hover the section title to learn what’s included in Analyst / Premium plans.
Executive brief now
Saved successfully.
Hunting Playbook
Saved Limited preview

Hunting Playbook — Lizard / Chronus Team-linked release activity


Upgrade to access the full hunting playbook.
Tip: Hover the section title to learn what’s included in Analyst / Premium plans.
Hunting Playbook now
Saved successfully.
IOC Appendix
Saved Limited preview
Last updated: 2026-03-30T20:16:52+00:00

IOC Appendix — Lizard

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

More IOC context for Research. Full appendix for Analyst and Premium plans.
IOC Appendix now
Saved successfully.
OSINT Library
Saved Limited preview
Last saved: 2026-03-30T20:20:51+00:00

OSINT Library — Lizard


2026-03-27 — iQBlack — “Chronus Team: an emerging intrusion-and-leak actor focused on Mexico, with signs of expansion toward Argentina”

Full OSINT references available for Research / Analyst.
OSINT Library now
Saved successfully.
Social Medial & Communication
SOCMINT integrated: 0/1
Address Verification SOCMINT
x.com/The********* Restricted Not integrated
Notes: preview mode hides sensitive social/contact details.
Reference Images/Associated Evidence Limited
Showing 1–5 of 5 images
Propaganda Free Preview
Propaganda
Propaganda Free Preview
Propaganda
Propaganda Free Preview
Propaganda
Propaganda Free Preview
Propaganda
Propaganda Free Preview
Propaganda
Showing 4 of 5 images in preview mode. Additional evidence is restricted for Analyst and Premium plans.