
Threat Actor Characterization

adrxx

ID: 409f0a8f7265fac0caeec8fea0a61f2046997
Cybercrime Cybercriminal Hacktivist
Threat types: Hacktivism, Defacement, Intrusion, Data Leak
Mexico ARG, MEX
Updated: 2026-03-30
Created: 2026-03-27
Progress: 89% Completeness: 89% Freshness: 90%
Operation zone: Argentina, Mexico
Aliases: Addrx
MITRE ATT&CK®

adrxx is a visible actor-persona associated with the Chronus Team ecosystem and repeatedly linked to website defacement, intrusion and data-leak activity affecting public-sector targets in Mexico and, more recently, Argentina. The available evidence supports treating adrxx as a cluster member rather than a standalone threat group.


Technique | Technique name | Tactics (evidence listed beneath each row)

T1190 | Exploit Public-Facing Application | TA0001
  • 2026-03-30 — Repeated targeting of public-facing government and public-service web portals is consistent with exploitation of exposed web applications. INFERENCE (confidence: high): this is a core initial-access path in adrxx-linked activity.

T1078 | Valid Accounts | TA0001, TA0003, TA0004, TA0005
  • 2025-11-24 — Leak activity against Declaranet and other administrative platforms suggests that valid or compromised accounts may be used in at least some incidents. INFERENCE (confidence: medium): credential abuse is plausible where structured records were accessed.

T1505.003 | Web Shell | TA0003
  • 2026-03-30 — Observed website defacement behavior is consistent with server-side persistence or content-control mechanisms such as web shells in at least some cases. INFERENCE (confidence: medium).

T1491.001 | Internal Defacement | TA0040
  • 2026-03-30 — Publicly visible modified web content signed by Chronus-linked aliases including Adrxx maps directly to defacement behavior.
  • 2026-03-30 — HUMINT / internal reporting attributes adrxx to the defacement of the Open Data Portal of San Fernando del Valle de Catamarca together with Entropy, Nihil, Sh3llhunter and SoyCrypton.

T1041 | Exfiltration Over C2 Channel | TA0010
  • 2025-11-24 — Public reporting on leaked public-sector records suggests exfiltration from compromised environments prior to publication or claim issuance. INFERENCE (confidence: medium).

T1589 | Gather Victim Identity Information | TA0043
  • 2025-11-24 — Leak reporting indicates access to citizen or employee identity-related records, which aligns with gathering victim identity information.

Strategic Intelligence
Last updated: 2026-03-30T16:20:07+00:00

adrxx - Highly active persona operating within the Chronus Team ecosystem

Classification: TLP:WHITE - Open Source Intelligence (OSINT) and selected HUMINT / internal reporting

Category: Cybercrime / Intrusion, data exposure and website defacement persona - Origin: Mexico (assessed, not confirmed)

Author: iQBlack CTI Team


Executive Summary

adrxx is assessed as a highly active persona operating within the Chronus Team ecosystem, a loose and publicity-aware cluster associated with defacements, opportunistic intrusions, data-leak claims and reputational pressure against public-sector and quasi-public targets in Mexico and, more recently, Argentina. Public reporting and operational signatures consistently place adrxx among the more visible names used to sign or promote incidents linked to the cluster.


Available information does not support treating adrxx as a standalone group. The stronger assessment is that adrxx functions as an exposed operator-facing alias inside a broader collective brand, alongside personas such as L0stex, SoftVoid, Blackout, Sh3llhunter, Entropy, Nihil and others. INFERENCE (confidence: high): this structure gives the cluster resilience, plausible deniability and flexible branding while allowing individuals such as adrxx to accumulate visibility and credibility.

Executive Analyst Brief for CISO

Executive Analyst Brief for CISO — adrxx

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Hunting Playbook

Hunting Playbook — adrxx / Chronus Team Persona


IOC Appendix
Last updated: 2026-03-30T16:26:00+00:00

IOC Appendix — adrxx / Chronus Team Persona

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

OSINT Library
Last saved: 2026-03-30T16:27:56+00:00

OSINT Library — adrxx


2025-11-24 — El Ecuánime — “Hackean al gobierno de San Luis Potosí y filtran datos de más de 86 mil funcionarios”

Social Media & Communication
SOCMINT integrated: 0/3

Address | Verification | SOCMINT
x.com/adr*********** | Restricted | Not integrated
t.me/adr**************** | Restricted | Not integrated
t.me/adr************ | Restricted | Not integrated
Notes: preview mode hides sensitive social/contact details.
Reference Images/Associated Evidence

[Image 1 of 2: Statement shared on X]
[Image 2 of 2: Propaganda]