3C-INT logo [Cyber]Crime Characterization for Intelligence FREE PREVIEW
You are exploring the Free preview. To unlock full read-only access to all public profiles and in-app notifications, create a free research account. For analyst / premium plans capabilities (editing, advanced tabs, exports), please contact us

Threat Actor Characterization

Back
You’re viewing the read-only version. Sign in for analyst tools (editors, promote draft, file/relations management, etc.)
Elite 6-27

Elite 6-27

ID: a4c885a02ab843a844d87c46d54d76d669946
Hacktivist Group Hacktivism
Threat types: Hacktivism, INtrusion, Data Leak
Mexico
Updated: 2026-03-29
Created: 2026-03-26
Progress: 89% Completeness: 88% Freshness: 90%
Operation zone:
Aliases Limited alias preview
Dintece Elite 6-26 El*************** El********
Showing 2 of 4 aliases in free preview.
Actor Network Graph
Open Network Graph
Read-only preview for anonymous visitors. Sign in with a free Research account for full workspace.
MITRE ATT&CK®
confidence: medium
Actor Techniques page ATT&CK® Diagram

Emerging Mexico-linked hacktivist / criminal exposure cluster associated with defacement, data-leak claims, and public-sector/education targeting.


Technique Technique name Tactics Evidence
T1583 Acquire Infrastructure TA0042
  • 2026-03-28 — Public branding references a dedicated site and public organizational accounts. · ref
T1491.001 Internal Defacement TA0040
  • 2025-07-18 — Cluster publicly associated with website defacement and exposure operations in Mexican reporting. · ref
T1530 Data from Cloud Storage TA0009
  • 2025-07-18 — Incident reporting centers on exposure of sensitive child/student records. · ref
T1567 Exfiltration Over Web Service TA0010
  • 2025-07-18 — Public leak/publication behavior is central to observed impact pattern. · ref
T1078 Valid Accounts TA0001 TA0003 TA0004 TA0005
  • 2026-03-28 — INFERENCE: opportunistic access likely benefits from weak or valid credentials in exposed public-sector systems. · ref
Strategic Intelligence
Limited preview
Last updated: 2026-03-30T01:35:30+00:00
Elite 6-27

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE


Executive Summary

Elite 6-27 is best assessed as an emerging Mexico-linked hacktivist / criminal exposure cluster whose observable activity centers on website defacement, unauthorized access, and public leakage of sensitive institutional data. Publicly available traces do not support treatment of the group as a mature advanced intrusion actor; instead, the cluster appears to prioritize psychologically resonant targets, public embarrassment, and exposure of poorly secured records. Recent public reporting tied the group to the exposure of sensitive records relating to schoolchildren in Sonora, while the group maintains public branding on X and a GitHub presence that blends ideological messaging, notoriety-seeking, and low-end offensive tooling references.

Observed material suggests a fluid, brand-centric structure rather than a disciplined, hierarchical team. Public reporting and social-media traces associate the actor ecosystem with the alias “Marssepe,” while the group’s own online branding references “Elite 6-27” as an organization with overt propaganda styling. The messaging posture appears closer to performative cyber aggression, coercive signaling, and criminal notoriety than to a coherent political doctrine.

The cluster’s choice of victims indicates a preference for government, public-sector, education, and citizen-data environments where compromises generate reputational shock and media attention. This victimology aligns with low-cost, high-visibility operations: compromise or access claims, data dumping, and public humiliation of institutions seen as weak, negligent, or politically symbolic.

Full strategic intelligence is available in Analyst and Premium plans.
Executive Analyst Brief for CISO
Saved Limited preview

Executive Analyst Brief for CISO — Elite 6-27What / Who: Elite 6-27 is an emerging Mexico-linked cyber cluster associated with public leak claims, defacement activity, and exposure of sensitive institutional data.Why it matters: The actor targets organizations whose compromise produces immediate public embarrassment and citizen harm, particularly education and public-sector entities.Current risk posture: The operational threat is medium for organizations with exposed portals, wea

Tip: Hover the section title to learn what’s included in Analyst / Premium plans.
Executive brief now
Saved successfully.
Hunting Playbook
Saved Limited preview

Hunting Playbook — Elite 6-27Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITEAnalytical positioning: Elite 6-27 is best tracked as a noisy intrusion-and-exposure cluster associated with website defacement, public data-leak claims, and opportunistic compromise of public-facing services. Public reporting and observed claims suggest a practical emphasis on weakly protected web applications, administrative portals, exposed credentials, and sensitive public-sector

Tip: Hover the section title to learn what’s included in Analyst / Premium plans.
Hunting Playbook now
Saved successfully.
IOC Appendix
Saved Limited preview
Last updated: 2026-03-30T01:52:44+00:00


This appendix summarizes a curated defensive snapshot of indicators, public identifiers, and pseudo-IOCs associated with Elite 6-27. For this actor, the indicator picture is thin and uneven: public branding, communication channels, and behavioral patterns are more reliable than file hashes or stable network infrastructure. As a result, defenders should treat this appendix as a hunting and enrichment aid, not as a broad blocking list.

More IOC context for Research. Full appendix for Analyst and Premium plans.
IOC Appendix now
Saved successfully.
OSINT Library
Saved Limited preview
Last saved: 2026-03-30T01:39:48+00:00

OSINT Library — Elite 6-27

[2025-07-18 — Dossier Político — "Interpone SEC denuncia por filtración de datos personales"]

https://dossierpolitico.com/2025/07/18/interpone-sec-denuncia-por-filtracion-de-datos-personales-hackers-filtraron-informacion-de-ninos/

Full OSINT references available for Research / Analyst.
OSINT Library now
Saved successfully.
Social Medial & Communication
SOCMINT integrated: 0/13
Address Verification SOCMINT
x.com/eli****** Restricted Not integrated
x.com/ELI******* Restricted Not integrated
Address Verification SOCMINT
www.youtube.com/@el******* Restricted Not integrated
www.instagram.com/eli****** Restricted Not integrated
www.tiktok.com/@el******* Restricted Not integrated
Address Verification SOCMINT
su*****@elite6-27.org Restricted Not integrated
Address Verification SOCMINT
elite6-27.me Restricted Not integrated
www.patreon.com/eli****** Restricted Not integrated
ko-fi.com/eli****** Restricted Not integrated
elite6-27.io Restricted Not integrated
elite6-27.cf Restricted Not integrated
Address Verification SOCMINT
github.com/Eli****** Restricted Not integrated
github.com/Din**** Restricted Not integrated
Notes: preview mode hides sensitive social/contact details.
Reference Images/Associated Evidence Limited
Showing 1–4 of 4 images
Logo Free Preview
Logo
Logo Free Preview
Logo
Reference image Free Preview
Reference image
Reference image Free Preview
Reference image