3C-INT logo [Cyber]Crime Characterization for Intelligence FREE PREVIEW
You are exploring the Free preview. To unlock full read-only access to all public profiles and in-app notifications, create a free research account. For analyst / premium plans capabilities (editing, advanced tabs, exports), please contact us

Threat Actor Characterization

Back
You’re viewing the read-only version. Sign in for analyst tools (editors, promote draft, file/relations management, etc.)
Nihil

Nihil

ID: 3392d773cfbfa772f04db672ec04db9274249
Cybercrime Cybercriminal Hacktivist
Threat types: Hacktivism, Defacement, Propaganda, Intrusion
Mexico ARG
Updated: 2026-03-30
Created: 2026-03-27
Progress: 87% Completeness: 85% Freshness: 90%
Operation zone: Argentina
Aliases Limited alias preview
ANDRES
Actor Network Graph
Open Network Graph
Read-only preview for anonymous visitors. Sign in with a free Research account for full workspace.
MITRE ATT&CK®
confidence: medium
Actor Techniques page ATT&CK® Diagram

Nihil is a Chronus Team-linked actor handle associated with defacement and propaganda-oriented intrusion activity in Latin America. The strongest public anchor is the March 2026 defacement of the Open Data Portal of San Fernando del Valle de Catamarca, where Nihil was listed alongside other Chronus-linked handles. HUMINT additionally confirms the alias ANDRES.


Technique Technique name Tactics Evidence
T1190 Exploit Public-Facing Application TA0001
  • 2026-03-24 — The Catamarca open-data portal was observed in defaced state. Public-facing web compromise is consistent with Exploit Public-Facing Application or a closely related web access weakness. · ref
  • 2026-03-28 — Public reporting describes Chronus Team as opportunistically compromising weak or exposed institutions, supporting web-facing initial access patterns. INFERENCE (confidence: medium): actor-linked activity likely relies on exposed public services. · ref
T1078 Valid Accounts TA0001 TA0003 TA0004 TA0005
  • 2026-01-30 — Official/media reporting on Chronus activity references the use of valid usernames and passwords in at least part of the broader cluster activity. INFERENCE (confidence: medium): valid account abuse is a plausible access path in Chronus-style operations. · ref
T1491.001 Internal Defacement TA0040
  • 2026-03-24 — The archived Catamarca page displays 'HACKED BY CHRONUS' and credits Nihil and other handles. This is direct evidence of internal defacement. · ref
T1565.001 Stored Data Manipulation TA0040
  • 2026-03-24 — Public-facing site content was altered to replace normal portal content with actor-controlled messaging and imagery, fitting stored data manipulation. · ref
T1505.003 Web Shell TA0003
  • 2026-03-24 — INFERENCE (confidence: medium): web-shell-style persistence is plausible in a portal defacement case, but no direct actor-typed shell artifact is publicly available. · ref
T1059 Command and Scripting Interpreter TA0002
  • 2026-03-28 — INFERENCE (confidence: medium): command or scripting interpreter use is consistent with the type of public web compromise and staging seen in Chronus-like incidents, though not directly evidenced for Nihil alone. · ref
Strategic Intelligence
Limited preview
Last updated: 2026-03-30T15:23:44+00:00

NIHIL — Chronus Team member linked to defacement and propaganda activity

Classification: TLP:WHITE - Open Source Intelligence (OSINT)

Category: Cybercrime / Hacktivist-style intrusion and defacement activity - Origin: Mexico (cluster assessment); actor-level location unknown

Author: iQBlack CTI Team


Executive Summary

[OSINT | B2] Nihil is an actor handle publicly associated with the Chronus Team ecosystem and directly named in the defacement of the Argentina — Open Data Portal of San Fernando del Valle de Catamarca, where multiple handles were displayed together on the compromised page. Open reporting places Nihil among the operators or visible participants tied to concrete Chronus incidents.


[HUMINT | A2] The alias ANDRES is confirmed as an additional handle used by the actor. This should be treated as a source-derived alias rather than a public civil identity.

Full strategic intelligence is available in Analyst and Premium plans.
Executive Analyst Brief for CISO
Saved Limited preview

Executive Analyst Brief for CISO — Nihil

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Upgrade to access the full executive brief.
Tip: Hover the section title to learn what’s included in Analyst / Premium plans.
Executive brief now
Saved successfully.
Hunting Playbook
Saved Limited preview

Hunting Playbook — Nihil / Chronus Team-linked activity


Upgrade to access the full hunting playbook.
Tip: Hover the section title to learn what’s included in Analyst / Premium plans.
Hunting Playbook now
Saved successfully.
IOC Appendix
Saved Limited preview
Last updated: 2026-03-30T15:26:45+00:00

IOC Appendix — Nihil

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

More IOC context for Research. Full appendix for Analyst and Premium plans.
IOC Appendix now
Saved successfully.
OSINT Library
Saved Limited preview
Last saved: 2026-03-30T15:29:37+00:00

OSINT Library — Nihil


2026-03-27 — iQBlack — “Chronus Team: an emerging intrusion-and-leak actor focused on Mexico, with signs of expansion toward Argentina”

Full OSINT references available for Research / Analyst.
OSINT Library now
Saved successfully.
Social Medial & Communication
SOCMINT integrated: 0/1
Address Verification SOCMINT
t.me/nih** Restricted Not integrated
Notes: preview mode hides sensitive social/contact details.
Reference Images/Associated Evidence Limited
Showing 1–1 of 1 images
Actor en underground forum Free Preview
Actor en underground forum