CloudSEK disclosed a coordinated intrusion campaign dubbed Operation Escaneo that targeted government, financial, and critical infrastructure organizations across Latin America, with Mexico as the primary focus and additional victim activity in Ecuador and Portugal. Researchers traced the operation after attackers accidentally exposed a staging server, revealing a mature toolchain that exploited internet-facing Fortinet FortiOS SSL-VPN, Ivanti Connect Secure, and Apache Tomcat systems, while also maintaining capabilities for EternalBlue, Zerologon, GhostCat, Log4Shell, and PwnKit. CloudSEK attributed the activity with medium confidence to MexicanMafia, also tracked as PanchoVilla, and said confirmed victim beacons and callbacks showed successful compromise of multiple organizations.
The attackers used a custom reconnaissance framework called Kimera, Neo-reGeorg web shells, Chisel reverse tunnels, and persistence on compromised Cisco routers through GRE tunnels to retain access and evade detection. Investigators said the campaign moved across Windows, Linux, SAP ERP, Oracle, PostgreSQL, and network infrastructure, using tools such as RDP, PsExec, and Impacket for lateral movement and privilege escalation. Reported theft included a 407 MB BloodHound Active Directory dataset, more than 1.3 million personal records, and SSL private keys, including material tied to tax authority infrastructure, indicating both financially motivated theft and possible intelligence collection.

CloudSEK said it observed confirmed beacons or RCE callbacks from at least five victims and documented extensive exfiltration activity. Reported theft included a 407 MB BloodHound Active Directory dataset, more than 1.3 million extracted records, and SSL private keys.
Researchers uncovered the campaign after attackers accidentally exposed a staging server online, enabling analysis of the group's infrastructure, custom Kimera reconnaissance framework, exploit arsenal, and persistence mechanisms. Artifact analysis from the exposed server at 62.171.185.97 also revealed use of Neo-reGeorg, Chisel, and GRE tunnels on compromised Cisco routers.
CloudSEK reported that a multistage intrusion campaign dubbed Operation Escaneo targeted government, financial, and critical infrastructure organizations across Latin America during 2025 and 2026. Mexico was the primary focus, with additional activity in Ecuador and Portugal.
CloudSEK assessed with medium confidence that the campaign was linked to the threat actor MexicanMafia, also known as PanchoVilla. The reporting described the actor as mature, cross-platform capable, and blending financially motivated theft with possible intelligence collection.