Tekir APT Cyberattack Hits Guanajuato Attorney General’s Office
The Attorney General’s Office of the State of Guanajuato (FGEG) confirmed a cybersecurity incident following a ransomware attack attributed to the international group Tekir APT. The attackers claim to have exfiltrated more than 250GB of confidential information, including judicial files and internal databases.
“The FGEG is conducting a preventive review of its security controls and a technical verification of the damages,” the institution says in an official communication, without confirming the authorship of the attack or the payment of any ransom.
The incident occurred amid increasing cyber threats targeting public institutions in Mexico. According to the cybersecurity platform Hackmanac, Tekir APT allegedly encrypted all subdomains linked to the state, including those of the attorney general’s office, the police, and several municipal departments. This form of attack follows the “double extortion” model, combining encryption with the threat of public data release to pressure victims into payment.
Tekir APT operates in over 49 countries and has been linked to attacks on government entities and financial institutions. The group uses advanced server encryption, data theft, and cryptocurrency-based extortion techniques. This would be its second recorded incident in Mexico, highlighting the rise in cyberattacks targeting justice and security infrastructure in Latin America.
According to Verizon, Latin America experienced a 37% increase in ransomware attacks against government institutions over the last year. Mexico remains among the primary targets due to its rapid administrative digitalization and limited cyber defense capacity.
The attack disrupted FGEG’s digital systems, causing partial shutdowns and operational delays. Internal sources reported that several departments are operating manually due to system inaccessibility, resulting in delays in victim assistance, document processing, and administrative procedures.
Tekir APT released screenshots and access samples as evidence of the breach, stating that the stolen data will be published on Nov. 20, 2025, if an undisclosed ransom is not paid. The exfiltrated files reportedly include official identifications, internal communications, and classified judicial documents, posing potential risks to active investigations and personal privacy.
In an internal memo, the FGEG instructed its personnel to immediately disconnect all devices from the institutional network “to prevent virus propagation,” confirming the infection of operational servers. Although the public statement avoids labeling the incident as “ransomware,” cybersecurity experts say the technical indicators match that category of attack.
The FGEG has initiated coordination with national cybersecurity authorities for technical evaluation but has not confirmed whether the National Guard or the Ministry of Security and Citizen Protection (SSPC) will intervene. The institution has also not disclosed whether a criminal investigation has been opened.
If verified, the exposure of 250GB of information could affect ongoing judicial proceedings, witness protection protocols, and the handling of digital evidence. The potential disclosure of personal data belonging to victims and government personnel could also represent a violation of Mexico’s General Law on the Protection of Personal Data Held by Obligated Subjects (LGPDPPSO).


