3 malware familiesExploits CVEs in the wild

Mexican Mafia

Also known asMexican Mafia

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

Government & Administration
Energy

Where they target

Geographies tied to known operations.

🇲🇽 Mexico

MITRE ATT&CK

Tradecraft

8 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

8 of 15 tactics9 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0043

Reconnaissance

1 technique

T1595

Active Scanning

TA0001

Initial Access

1 technique

T1190

Exploit Public-Facing Application

TA0003

Persistence

1 technique

T1505

Server Software Component

T1505.003

Web Shell

TA0004

Privilege Escalation

1 technique

T1068

Exploitation for Privilege Escalation

TA0008

Lateral Movement

1 technique

T1021

Remote Services

TA0009

Collection

1 technique

T1213

Data from Information Repositories

TA0011

Command and Control

1 technique

T1090

Proxy

TA0010

Exfiltration

1 technique

T1048

Exfiltration Over Alternative Protocol

ARSENAL

Associated malware families

3 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

ChiselNeo-reGeorg webshells gave encrypted footholds on web servers, Chisel reverse tunnels carried traffic over HTTP and a compromised Cisco router was fitted with a GRE tunnel pointing back to the attackers, a network-level channel invisible to host-based defenses.1Jun 18, 2026

KimeraAll of it was fed by a custom reconnaissance engine the group calls Kimera, which CloudSEK said scanned and triaged targets at high speed, then handed them straight to the exploitation stage.1Jun 18, 2026

Neo-reGeorgNeo-reGeorg webshells gave encrypted footholds on web servers, Chisel reverse tunnels carried traffic over HTTP and a compromised Cisco router was fitted with a GRE tunnel pointing back to the attackers, a network-level channel invisible to host-based defenses.1Jun 18, 2026

WEAPONIZED

Associated vulnerabilities

8 CVEs this actor has used in observed campaigns. 8 of them exploited in the wild.

CVE-2017-0144EternalBlue SMBv1 Remote Code ExecutionIn the wildEvidence1

Its reach went well beyond perimeter gear, with exploits for Apache Tomcat's GhostCat flaw, the Windows bugs EternalBlue and Zerologon and Log4Shell.

CVE-2020-1472Zerologon in Microsoft Netlogon Remote ProtocolIn the wildEvidence1

Its reach went well beyond perimeter gear, with exploits for Apache Tomcat's GhostCat flaw, the Windows bugs EternalBlue and Zerologon and Log4Shell.

CVE-2021-44228Log4ShellIn the wildEvidence1

Its reach went well beyond perimeter gear, with exploits for Apache Tomcat's GhostCat flaw, the Windows bugs EternalBlue and Zerologon and Log4Shell.

CVE-2022-42475FortiOS/FortiProxy SSL-VPN Heap-Based Buffer Overflow RCEIn the wildEvidence1

The group kept tuned exploits for Fortinet FortiOS SSL-VPN flaws, including CVE-2022-42475 and CVE-2024-21762, adapting public proof-of-concept (PoC) code so it would not crash the target.

CVE-2023-46805Authentication Bypass in Ivanti Connect Secure and Policy Secure Web ComponentIn the wildEvidence1

The group kept tuned exploits for ... Ivanti Connect Secure flaws CVE-2023-46805, CVE-2024-21887 and CVE-2025-0282, adapting public proof-of-concept (PoC) code so it would not crash the target.

3 more CVEs tied to this actor tracked in Mallory.

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app

infosecurity magazineNews

Jun 18, 2026

LATAM Infrastructure Hit by Fortinet and Ivanti Exploits - Infosecurity Magazine

A suspected hacktivist-linked group that allegedly claimed breaches against Mexican government, judicial, and energy targets and was attributed with medium confidence to Operation Escaneo.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping8

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal3

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs8

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.