3C-INT logo [Cyber]Crime Characterization for Intelligence FREE PREVIEW
You are exploring the Free preview. To unlock full read-only access to all public profiles and in-app notifications, create a free research account. For analyst / premium plans capabilities (editing, advanced tabs, exports), please contact us

Threat Actor Characterization

Back
You’re viewing the read-only version. Sign in for analyst tools (editors, promote draft, file/relations management, etc.)
CiberinteligenciaSV

CiberinteligenciaSV

ID: 7c6fdbeb0c4000a8064f5b96205e7b7499732
Hacktivist Group Hacktivism
Threat types: Hacktivism
El Salvador SLV
Updated: 2026-04-11
Created: 2026-04-10
Progress: 94% Completeness: 92% Freshness: 100%
Operation zone: El Salvador
Aliases Limited alias preview
CERTAINTELLIGENCE SV Ciber Inteligencia SV Ci***** Gu********
Gu**********
Showing 2 of 5 aliases in free preview.
Actor Network Graph
Open Network Graph
Read-only preview for anonymous visitors. Sign in with a free Research account for full workspace.
MITRE ATT&CK®
confidence: medium
Actor Techniques page ATT&CK® Diagram

CiberinteligenciaSV is a Salvadoran breach-and-leak cluster focused on public exposure of government-linked and citizen-linked datasets. The actor is strongly associated with national-scale data leaks, anti-government messaging, Telegram/X amplification, and publication on BreachForums rather than with publicly documented bespoke malware.


Technique Technique name Tactics Evidence
T1213 Data from Information Repositories TA0009
  • 2024-05-06 — Public reporting describes the exposure of over 5 million Salvadoran records, including HD photos and identity-linked data, consistent with collection from institutional information repositories. · ref
  • 2024-05-31 — Judicial-system reporting links the actor to leaked lawyer data and judicial resolutions, also consistent with repository-focused collection. · ref
T1005 Data from Local System TA0009
  • 2024-04-23 — INFERENCE (confidence: medium): the alleged release of Chivo Wallet source code and VPN-related material suggests data collection from compromised local systems or attached internal storage. · ref
T1078 Valid Accounts TA0001 TA0003 TA0004 TA0005
  • 2024-04-23 — INFERENCE (confidence: medium): public reporting that the actor released VPN access associated with Chivo Wallet is consistent with the use, theft, or acquisition of valid accounts. · ref
T1190 Exploit Public-Facing Application TA0001
  • 2024-05-31 — INFERENCE (confidence: medium): repeated compromise of public-sector digital systems suggests exploitation of public-facing services is a plausible initial-access pathway in at least part of the actor's operations. · ref
T1567 Exfiltration Over Web Service TA0010
  • 2024-11-14 — INFERENCE (confidence: low): the actor's use of public distribution channels, search bots, and leak publication ecosystems suggests staged transfer and publication over web services after collection. · ref
T1589 Gather Victim Identity Information TA0043
  • 2024-09-06 — The actor publicly exposed highly detailed citizen and employee identity information, demonstrating strong relevance to identity-focused data targeting. · ref
Strategic Intelligence
Limited preview
Last updated: 2026-04-11T22:03:44+00:00

CiberinteligenciaSV / GuacamayalSV

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE | Source grading in this section: predominantly B2–C3 OSINT; no HUMINT corroboration identified.

Category: Cybercrime / Politically charged data-leak and anti-government breach cluster — Origin: El Salvador

Author: iQBlack CTI Team


Executive Summary

CiberinteligenciaSV is best assessed as a Salvadoran breach-and-leak cluster rather than a conventional malware-centric intrusion set. Its public footprint centers on Telegram, X, and criminal forum publication, with repeated exposure of sensitive government and citizen data, especially during 2024. The group also operated under, or publicly promoted, the aliases “Guacamayal” and “GuacamayalSV,” but the supposed linkage to the original regional Guacamaya hacktivist collective remains unverified and is treated here as branding rather than confirmed organizational continuity.


Publicly attributed activity indicates a pattern of mass data leakage, selective publication of politically resonant records, public taunting of government institutions, and repeated promises to release databases “for free.” The cluster was publicly associated with the leak of more than five million Salvadoran records, the exposure of alleged Chivo Wallet source code and VPN access, disclosures tied to the Supreme Court’s electronic notifications environment, payroll and contractor-related leaks, and additional releases affecting Salvadoran state institutions.

Full strategic intelligence is available in Analyst and Premium plans.
Executive Analyst Brief for CISO
Saved Limited preview

Executive Analyst Brief for Decision Makers — CiberinteligenciaSV

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Upgrade to access the full executive brief.
Tip: Hover the section title to learn what’s included in Analyst / Premium plans.
Executive brief now
Saved successfully.
Hunting Playbook
Saved Limited preview

Hunting Playbook — CiberinteligenciaSV


Upgrade to access the full hunting playbook.
Tip: Hover the section title to learn what’s included in Analyst / Premium plans.
Hunting Playbook now
Saved successfully.
IOC Appendix
Saved Limited preview
Last updated: 2026-04-11T22:07:32+00:00

IOC Appendix — CiberinteligenciaSV

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

More IOC context for Research. Full appendix for Analyst and Premium plans.
IOC Appendix now
Saved successfully.
OSINT Library
Saved Limited preview
Last saved: 2026-04-11T22:07:49+00:00

OSINT Library — CiberinteligenciaSV


2024-05-06 — Resecurity — “Massive Dump of Hacked Salvadorean Headshots and PII Highlights Growing Threat-Actor Interest in Biometric Data”

Full OSINT references available for Research / Analyst.
OSINT Library now
Saved successfully.
Social Medial & Communication
SOCMINT integrated: 0/10
Address Verification SOCMINT
x.com/gua********* Restricted Not integrated
twitter.com/Cib************ Restricted Not integrated
Address Verification SOCMINT
t.me/gua******* Restricted Not integrated
t.me/zxx********* Restricted Not integrated
t.me/Cib******************* Restricted Not integrated
t.me/cib**************** Restricted Not integrated
t.me/jud*********** Restricted Not integrated
t.me/cib***************** Restricted Not integrated
t.me/cib********* Restricted Not integrated
t.me/gua*********** Restricted Not integrated
Notes: preview mode hides sensitive social/contact details.
Reference Images/Associated Evidence Limited
Showing 1–2 of 2 images
X account Free Preview
X account
Logo / Avatar Free Preview
Logo / Avatar