[TENGU] – Ransomware Victim: UniCursos, Brazil
NOTE: No files or stolen information are exfiltrated, downloaded, taken, hosted, seen, reposted, or disclosed by RedPacket Security. Any legal issues relating to the content should be directed at the attackers, not RedPacket Security. This blog is an editorial notice informing that a company has fallen victim to a ransomware attack. RedPacket Security is not affiliated with any ransomware threat actors or groups and will not host infringing content. The information on this page is automated and redacted whilst being scraped directly from the TENGU Onion Dark Web Tor Blog page.
AI Generated Summary of the Ransomware Leak Page
On October 23, 2025, a leak post attributed to the threat actor group tengu lists UniCursos, Brazil as a victim in the education sector. The page frames the incident as a data leak rather than an encryption event and describes UniCursos as a long‑standing provider of public sector exam preparation in São José dos Campos, São Paulo, founded in 1992. The description emphasizes a blend of in‑person and online training backed by a methodology focused on admissions success and student motivation, with tutors covering mathematics, logical reasoning, Portuguese, essay writing, current affairs, and information science for various public competitions. The leak post highlights a broad service portfolio—recorded distance courses (EAD), mock exams, practice lessons, study materials, and free introductory lectures on public careers—and states that full internal information will soon be published, including enrollment records, student files, financial transactions, tutor contracts, exam strategies, and more than 20,000 approval records. The leak page contains no screenshots or downloadable media and notes the presence of a claim URL, though the URL content is not shown in the excerpt.
From a threat‑intelligence perspective, the page clearly signals a data‑leak scenario associated with UniCursos, with no explicit ransom amount disclosed in the excerpt. The provided key_date corresponds to the leak post date (October 23, 2025), which is treated as the post date in the absence of a confirmed compromise date. The post emphasizes potential exposure of internal materials, such as enrollment records, student files, financial transactions, tutor contracts, exam strategies, and more than 20,000 approval records, but presents no verified media (no images or downloads) to corroborate the claim. A claim URL is indicated on the page (defanged), directing readers to the attackers’ data‑release channel, while no additional company names are referenced beyond UniCursos, Brazil.
Support Our Work
A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.
If you like the site, please support us on Patreon or Buy Me A Coffee using the buttons below.
