Cyber Threat Actor: Shawdy Boy

ShawdyBoy is an alias used by a threat actor that has been observed operating from Brazil. The actor first came to public attention through a series of website defacements that bore the Shawdy Boy signature, with early activity linked to an incident affecting 245 municipal sites in the state of Santa Catarina. Public reporting identifies the actor’s location as Brazil, although no further detail about their exact base of operations or organizational structure has been disclosed. The group’s activities are limited to the information available in open sources, which describe them as responsible for a series of government‑focused defacement campaigns within the country.

The actor’s targeting has consistently focused on Brazilian government entities, including state data processing companies, municipal administrations, and departmental portals related to security, civil police, and infrastructure. Their strategic objective appears to be disruption through visible defacement rather than financial gain or espionage, as the affected organizations reported temporary service interruptions but no confirmed data breaches, structural alterations, or deletions. Observed tactics involve gaining privileged server access to replace web content with defacement screens, and the actor has used the Zone‑H platform to claim responsibility for additional defacements, such as those aimed at Piauí government domains. No specific malware families, initial‑access vectors, or custom tooling have been referenced in the publicly available reports concerning Shawdy Boy.

Notable campaigns attributed to Shawdy Boy include the January 20 2022 defacement of roughly twenty websites hosted by the state data processing company Prodeb in Bahia, which demonstrated privileged access and led to temporary disruptions before gradual restoration. This incident follows an earlier wave that impacted 245 municipal sites in Santa Catarina, establishing a pattern of repeated government‑sector targeting. The actor also claimed responsibility for further defacements of Piauí government domains via Zone‑H, prompting Bahia’s Security Secretariat to launch an investigation involving civil police and intelligence units. To date, no public attribution has linked Shawdy Boy to a state sponsor, criminal consortium, or any broader affiliations, and the actor’s size, sophistication, or financial motives remain unspecified in the available sources.