Guacamaya Group

Executive Summary

The Guacamaya group is a fairly new hacktivist group based in Latin America.

The group was first seen around March 2022 as they released sensitive data of several companies based in Chile, Ecuador, Brazil and Colombia.

As mentioned, the group is mainly focusing on LATAM but dabbles every now and then with campaigns in Russia.

The group is defined as a data leakage threat group, which means they do not encrypt but only leak the stolen data, often they do it for free.


As mentioned, Guacamaya is a hacktivist group, and like other hacktivist groups, they are focusing their attention on both conflict-based regions or driven by another agenda such as environmental issues.

As mentioned, the group emerged on March 2022, and although some speculations claimed that the group might be connected in any way to Lapaus, it was quickly denied by the group and its followers.


When it comes to specific sectors, the group is focusing on two main sectors: government-related and manufacturing sectors. Recently, the group also targeted a mining company

these two sectors are the prey for most hacktivists groups and in our case, it is no different. Guacamaya targets any government and military entity throughout LATAM that they believe is involved in corruption activity, and manufacturing companies that they accuse of being responsible for pollution or not obeying environmental regulations.

Communication Channels

The group doesn’t operate any Twitter accounts like a lot of hacktivists groups but there is a supporters commentary Twitter account that publishes their campaigns and acts as their voice. In addition, the group uses the two popular leak repositories sites “DDoS Secrets” and “Enlace Hacktivista” which is where they share their stollen data (Figure 1).

Guacamaya’s post of the secretary of defense of Mexico leak on DDoS Secrets site.
Figure 1: Guacamaya’s post of the secretary of defense of Mexico leak on DDoS Secrets site.

Course of Action

Observing the group’s data leakage content it seems that the group is always looking to compromise E-Mail servers within an organization, mostly by vulnerability exploitation.

Another type of content that the group often looks at on their victims’ infrastructure is internal personnel information and deals’ documentation that might put the victim in a bad light.

Currently, Cyberint Research Team did not find any malware that is related to the group.

Uncover your compromised credentials from the deep and dark web

Fill in your business email to start