Threat Actor Characterization

Chronus Team

ID: 010a3816cc2d6934b44f5afceeb1399b65273
Hacktivist Group · Hacktivism
Threat types: Hacktivism, Defacement, Intrusion, Data Leak
Mexico · ARG, BRA, MEX, VEN
Updated: 2026-04-13
Created: 2026-03-26
Progress: 95% · Completeness: 96% · Freshness: 100%
Operation zone: Argentina, Brazil, Mexico, Venezuela
Aliases (2 of 11 shown in free preview): Chronus, Chronus Group
MITRE ATT&CK®

Chronus Team is a Spanish-speaking hacktivist / doxing-oriented cluster linked in public reporting to Mexican public-sector data exposure, public leak threats, and at least one preserved defacement event in Argentina. The actor appears focused on government-facing targets and narrative amplification rather than on a clearly documented advanced malware-led intrusion platform.


Technique · Technique name · Tactics (evidence listed under each technique)

T1190 · Exploit Public-Facing Application · TA0001
  • 2025-12-10 — Public reporting tied Chronus Team to threatened defacement activity against Mexican government sites, consistent with targeting public-facing web assets.
  • 2026-03-24 — Preserved defacement of an Argentine municipal open-data portal indicates compromise of an internet-facing civic website.

T1491.001 · Internal Defacement · TA0040
  • 2026-03-24 — The archived Catamarca municipal portal displayed 'HACKED BY CHRONUS' and hostile messaging, directly mapping to defacement.

T1005 · Data from Local System · TA0009
  • 2025-12-12 — Reporting on the Hermosillo incident described a 738 MB package containing internal documents, personnel listings, and JSON files, consistent with collection from local or attached systems.

T1078 · Valid Accounts · TA0001, TA0003, TA0004, TA0005
  • 2025-12-31 — INFERENCE (confidence: medium): Mexican government reporting noted that investigations would consider all hypotheses, including misuse of access credentials, making valid-account abuse a plausible access path in at least some incidents.

T1567 · Exfiltration Over Web Service · TA0010
  • 2026-01-30 — INFERENCE (confidence: medium): Chronus Team’s public model relies on data publication and leak distribution, making exfiltration over web-facing services a plausible step between collection and public release.

T1589.001 · Credentials · TA0043
  • 2025-12-12 — INFERENCE (confidence: low-medium): The reported exposure of personal and personnel-related records, including names and photos of police staff, is consistent with targeting and aggregation of identity-related victim information.

Strategic Intelligence
Last updated: 2026-04-13T13:00:26+00:00

CHRONUS TEAM — LATAM hacktivist / doxing-oriented cluster

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Category: Hacktivism / Data-leak and defacement cluster — Origin: Assessed Mexico-linked / wider LATAM nexus (INFERENCE, confidence: medium)

Author: iQBlack CTI Team


Executive Summary

Chronus Team is an emerging Spanish-speaking hacktivist and data-exposure cluster publicly associated with threats, leaks, and defacement activity affecting public-sector entities in Mexico and, more recently, Argentina. Open reporting from late 2025 through March 2026 consistently links the name “Chronus Team” to public leak threats, publication of government-related datasets, and at least one preserved defacement page claiming responsibility for hostile activity against an Argentine municipal open-data portal.


The group’s operational pattern appears centered on publicity, humiliation, and doxing leverage rather than on stealthy long-term access. Public messaging and media coverage indicate a preference for announcing deadlines, threatening “mass leaks,” and amplifying the perceived weakness of government security controls. This is consistent with a hacktivist or notoriety-driven model in which the media effect is part of the operation, not a by-product.

IOC Appendix
Last updated: 2026-03-29T01:43:50+00:00

IOC Appendix — Chronus Team

OSINT Library
Last saved: 2026-04-01T13:13:51+00:00

OSINT Library — Chronus Team


2026-03-31 — iQBlack — “Chronus Team after the threat: leaks, signaling, and institutional pressure in Argentina”

Reference Images/Associated Evidence

[8 images; captions only: Alliance with Mexican Mafia Hackers Team; Logo; Statement; Propaganda; Statement; Statement; Hacked website / Propaganda; Hacked website]