Menu
Browse

Cyber Threat Actor: IRoX Team

Actor Type Location Known Incidents
 Icon
Hacker
1 incident
Profile

The threat actor known as IRoX Team operates under that alias in public reporting. No alternative names have been attributed to the group in the sources examined. The actor first came to attention through a cyber incident affecting Brazilian municipal administrations in October 2023. Publicly available information does not provide further detail on the group's origins, structure, or founding date. All references to IRoX Team in open sources stem from the same municipal attack incident.

IRoX Team's observed activity targets local government entities, specifically municipal administrations in Brazil. The October 2023 incident struck the municipal administration of Araguari and nine additional municipalities within the same region. The attack resulted in the deletion of critical data, including population registries, and caused disruption of inter‑departmental communications and accounting systems. No evidence of data exfiltration was reported in the aftermath. The affected municipalities share a service provider that is coordinating restoration efforts.

The sources describing the Araguari incident do not specify the malware families, initial access vectors, or tooling employed by IRoX Team. Consequently, no particular TTPs such as phishing, ransomware, or specific exploit kits can be attributed to the group based on the available material. Recovery efforts were described as requiring up to ten days, with the shared service provider working to restore operations. In response, Araguari announced plans to improve data protection through cloud backups and redundant systems, while local authorities opened an investigation into the attack. No public statement has been issued by IRoX Team claiming responsibility or detailing motives.

The Araguari operation represents the most detailed publicly reported campaign linked to IRoX Team to date. No further campaigns or historical operations have been documented in the sources provided. The incident demonstrates that the actor can affect multiple municipal networks simultaneously, resulting in service disruption and data loss. As a result, the profile of IRoX Team remains limited to this single incident, and any broader assessment of frequency, scale, or affiliation would require additional information beyond what is currently available. Continued monitoring of open‑source reporting would be necessary to determine whether the actor remains active.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
0 sources