MalwareUsed by 2 actors

Kimera

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

PanchoVilla

The campaign is characterised by a proprietary distributed reconnaissance engine (Kimera) ... Maintains a proprietary distributed reconnaissance framework (Kimera) with parallelised enumeration and automated vulnerability-to-exploitation pipeline.

via cloudsekcloudsek.com

MexicanMafia

via cloudsekcloudsek.com

MITRE ATT&CK

Techniques & procedures

4 distinct techniques documented for this family, organized by ATT&CK tactic.

Reconnaissance

2 techniques

T1595.001Scanning IP BlocksEvidence1

High-velocity subdomain enumeration via subfinder, assetfinder, findomain and gobuster with 50 threads; dnsx with 200 threads; naabu port scanning at 5,000 pps against government and aviation targets.

T1595.002Vulnerability ScanningEvidence1

Nuclei fed all discovered URLs, scanning all CVE severity levels; dalfox automated XSS hunting; GeoServer WFS endpoint probing.

Resource Development

1 technique

T1587.001MalwareEvidence1

Custom Kimera V1/V2 distributed reconnaissance framework; Xortigate exploit variants; custom SMB protocol handlers ( mysmb.py ); ZipSlip webshell dropper ( mkzip34.py ).

Collection

1 technique

T1119Automated CollectionEvidence1

dump_batch.sh iterating through Oracle tables in 100,000-row increments; SAP XML bulk-credential extraction; Kimera automated pipeline from discovery to exploitation triage.

INDICATORS OF COMPROMISE

IOCs tracked for this family

3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app

Network

3 tracked

IPs, domains, and DNS infrastructure linked to this family.

TypeValueLatest sighting

domain●●●●●●●●●●●●View more in apptoday

ip.v4●●●●●●●●●●●●View more in apptoday

domain●●●●●●●●●●●●View more in apptoday

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app

cloudsekNews

Jun 17, 2026

Operation Escaneo: Infrastructure Exposure, TTP Analysis, and Attribution Assessment of an Advanced Intrusion Campaign Against Mexican Federal Agencies and Financial Institutions | CloudSEK

A custom distributed reconnaissance framework used to automate subdomain enumeration, port scanning, vulnerability scanning, XSS validation, screenshotting, JavaScript endpoint extraction, and triage from discovery to exploitation.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching3

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution2

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping4

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.