Operation Escaneo Signals Shift in LATAM Threat Landscape
2026-06-18 19:09 | Severity: HIGH
Executive Summary (AI-generated)
Threat-monitoring firm CloudSEK has detailed Operation Escaneo, a coordinated, multistage intrusion campaign that ran against critical infrastructure in Latin America between 2025 and 2026, with Mexico the most targeted country. CloudSEK attributes the campaign with medium confidence to a financially motivated actor tracked as MexicanMafia (also PanchoVilla). The group mainly steals valuable data at scale, but it has also taken material of espionage value, such as a tax authority's SSL private keys and mobile device management infrastructure. Its toolset combines a proprietary reconnaissance engine (Kimera), tuned exploits for Fortinet, Ivanti and Cisco perimeter devices, standard lateral-movement utilities (RDP, PsExec, Impacket) and layered command-and-control built on Neo-reGeorg webshells, Chisel reverse tunnels and GRE tunnels on compromised Cisco routers. Researchers read the campaign as a sign that the tooling gap between cybercriminals and APT actors in the region has essentially closed.
Technical Mitigations (AI-generated)
* Patch internet-facing perimeter appliances first. The FortiOS SSL-VPN flaws (CVE-2022-42475, CVE-2023-27997, CVE-2024-21762), the Ivanti Connect Secure flaws (CVE-2023-46805, CVE-2024-21887, CVE-2025-0282) and the Apache Tomcat AJP flaw GhostCat (CVE-2020-1938) are the initial-access vectors named in the report, and the group carries tuned exploits for them.
* Close the internal vulnerabilities the group uses for privilege escalation and lateral movement: Zerologon, EternalBlue, PwnKit (CVE-2021-4034) and Log4Shell all have vendor fixes; verify they are actually installed rather than assumed.
* Restrict and monitor the built-in remote-execution paths the group abuses (RDP, PsExec, Impacket tooling): confine administrative logons to designated hosts, disable SMBv1, and alert on new service installs and on anonymous Netlogon activity against domain controllers.
* Audit routers and firewalls for tunnel interfaces nobody provisioned, and alert on GRE (IP protocol 47) leaving the network toward unapproved peers; the group fitted a compromised Cisco router with a GRE tunnel, a network-level channel invisible to host-based defenses.
* Inspect outbound HTTP for Chisel-style TCP-over-HTTP tunnels (long-lived WebSocket sessions with balanced traffic in both directions) and review web servers for Neo-reGeorg webshells.
* Treat SAP and Oracle systems as execution surfaces: log and review operating-system commands launched through them, and rotate SAP service-account credentials and any SSL private keys that were reachable from a compromised database server.
Intelligence Metadata
Campaign: Operation Escaneo
Actor: MexicanMafia (also tracked as PanchoVilla); attributed by CloudSEK with medium confidence
Tooling: Kimera (proprietary reconnaissance engine), Neo-reGeorg webshells, Chisel reverse tunnels, GRE tunnels on compromised Cisco routers, RDP, PsExec, Impacket
CVEs: CVE-2022-42475, CVE-2023-27997, CVE-2024-21762 (Fortinet FortiOS SSL-VPN); CVE-2023-46805, CVE-2024-21887, CVE-2025-0282 (Ivanti Connect Secure); CVE-2020-1938 (Apache Tomcat AJP, GhostCat); CVE-2021-4034 (PwnKit); also Zerologon, EternalBlue and Log4Shell
MITRE ATT&CK: T1588.005 (Obtain Capabilities: Exploits)
Target regions: Latin America (Mexico most targeted, then Ecuador; tertiary activity in Portugal)
Sectors: government, judicial, energy, transport, tax authority
Incident Timeline
2025 to 2026
MexicanMafia runs a coordinated, multistage campaign against critical infrastructure, mainly in Latin America. Mexico is the most targeted country, followed by Ecuador, with tertiary activity in Portugal.
Early 2026
CloudSEK researchers find an open directory on the group's server, map its toolkit from the artifacts left behind, and name the operation "Operation Escaneo".
2026/06/17
CloudSEK publishes its research blog on Operation Escaneo, attributing the campaign with medium confidence to the actor known as MexicanMafia or PanchoVilla.
2026/06/18
Dark Reading and Infosecurity Magazine report on the findings, noting that the group exploited vulnerabilities in popular perimeter devices such as Fortinet FortiOS, Ivanti Connect Secure and Cisco routers with the tactics, techniques and procedures of an advanced persistent threat group.
Scope and Victims
CloudSEK's report, published as a research blog, covers a coordinated, multistage campaign targeting critical infrastructure, mainly across Latin America, between 2025 and 2026. Mexico was the most targeted country, followed by Ecuador, with tertiary activity in Portugal.
Inside victim networks, the attackers reached SAP and Oracle systems to run commands and pulled out a large volume of sensitive data, including:
* More than 1.3 million personal records from one transport provider
* A 407 MB map of a victim's Active Directory
* SSL private keys, streamed out live from a database server
* SAP service-account hashes and browser-stored passwords

A Suspected Hacktivist Link
CloudSEK attributed the campaign, with medium confidence, to a group it calls Mexican Mafia, or Pancho Villa, which spent 2024 claiming breaches against Mexican government, judicial and energy targets, sometimes casting the hacks as protest.

Tooling and Exploit Armory
The group's tooling includes the proprietary reconnaissance engine Kimera; a "curated exploit armory" targeting popular perimeter devices such as those from Fortinet, Ivanti and Cisco; portable lateral-movement toolkits; and "layered command-and-control infrastructure using Neo-reGeorg webshells, Chisel reverse tunnels, and compromised Cisco routers with persistent GRE tunnels," researchers said.
The armory covers the FortiGate SSL-VPN vulnerabilities CVE-2022-42475, CVE-2023-27997 and CVE-2024-21762, and the Ivanti Connect Secure flaws CVE-2023-46805 and CVE-2024-21887 (an authentication bypass and command injection chain) and CVE-2025-0282. The group kept these exploits tuned, adapting public proof-of-concept (PoC) code so it would not crash the target.
Regardless of the hacktivist link, CloudSEK urged Latin American organizations to patch perimeter appliances first, singling out the Fortinet and Ivanti flaws, and to watch for the operation's quieter tells. Concretely, that means patching the Fortinet FortiOS, Ivanti Connect Secure and Apache Tomcat AJP vulnerabilities named here, and auditing for unexpected tunnel interfaces.
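To make the patch-first advice actionable across a fleet, the script below (an added example for this page, not CloudSEK's or the reporting outlets' code) compares each FortiGate's FortiOS build against the first fixed build for its branch for the three SSL-VPN CVEs named above. The fixed-version table is reproduced from memory of Fortinet's PSIRT advisories and is an assumption to confirm against the vendor advisories before acting on the output; the hostnames and versions in the inventory are constructed.

```python
"""Flag FortiGates still exposed to the FortiOS SSL-VPN CVEs named in the
CloudSEK report. Added example; the fixed-build thresholds below are an
assumption reproduced from memory of the Fortinet PSIRT advisories and must
be confirmed against the vendor advisory before relying on the output."""
from typing import Dict, List, Tuple

# Assumed first fixed patch level per FortiOS branch (major, minor). Branches
# newer than the newest listed never shipped the bug; older branches received
# no fix and must be migrated.
FORTIOS_FIXES: Dict[str, Dict[Tuple[int, int], int]] = {
    "CVE-2022-42475": {(6, 0): 16, (6, 2): 12, (6, 4): 11, (7, 0): 9, (7, 2): 3},
    "CVE-2023-27997": {(6, 0): 17, (6, 2): 15, (6, 4): 13, (7, 0): 12, (7, 2): 5},
    "CVE-2024-21762": {(6, 2): 16, (6, 4): 15, (7, 0): 14, (7, 2): 7, (7, 4): 3},
}


def parse_version(v: str) -> Tuple[int, int, int]:
    """'7.0.13' -> (7, 0, 13). Rejects anything that is not three integers."""
    parts = v.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected FortiOS version string: {v!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def fortios_status(version: str, cve: str) -> str:
    """'patched', 'vulnerable', 'unsupported' or 'not_affected' for one
    device/CVE pair. The comparison is per branch: 7.0.13 is numerically
    above 6.4.15 but still vulnerable to CVE-2024-21762, because the 7.0
    branch was fixed in 7.0.14."""
    major, minor, patch = parse_version(version)
    fixes = FORTIOS_FIXES[cve]
    branch = (major, minor)
    if branch in fixes:
        return "patched" if patch >= fixes[branch] else "vulnerable"
    if branch > max(fixes):
        return "not_affected"   # branch released after the fix landed
    return "unsupported"        # end-of-life branch with no fix: migrate


def triage_inventory(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(host, cve, status) for every device that still needs work."""
    findings = []
    for host, version in inventory.items():
        for cve in FORTIOS_FIXES:
            status = fortios_status(version, cve)
            if status in ("vulnerable", "unsupported"):
                findings.append((host, cve, status))
    return findings


# Constructed inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = {
    "fw-mx-edge-01": "7.0.13",   # fixed for 42475/27997, still open to 21762
    "fw-ec-dc-02": "6.0.16",     # 6.0 never received a 21762 fix
    "fw-pt-branch-03": "7.4.3",  # current for all three
}

if __name__ == "__main__":
    for host, cve, status in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host:16} {cve:15} {status}")
```

The per-branch comparison is the point of the example: a plain version sort would call 7.0.13 "newer than" 6.4.15 and wave it through, and 6.0.x has no fix for CVE-2024-21762 at all, so the only remediation there is migration. The same structure works for Ivanti Connect Secure once its branch/fix pairs are filled in from Ivanti's advisories.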
Layered Command and Control
Neo-reGeorg webshells gave encrypted footholds on web servers, Chisel reverse tunnels carried traffic over HTTP, and a compromised Cisco router was fitted with a GRE tunnel pointing back to the attackers, a network-level channel invisible to host-based defenses.
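The advice to audit for unexpected tunnel interfaces is a configuration-review problem. The parser below is an added example for this page, not CloudSEK's tooling: it walks a Cisco IOS running-config, collects every Tunnel interface with its destination and mode, and flags any whose destination is not on an approved-peer list. The config excerpt and the approved-peer set are constructed for a hypothetical network.

```python
"""Find tunnel interfaces in a Cisco IOS running-config whose destination is
not an approved peer. Added example for this page, not CloudSEK's tooling;
the config excerpt and the approved-peer set below are constructed."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed 'show running-config' excerpt: one documented site-to-site
# tunnel and one GRE tunnel that nobody provisioned.
SAMPLE_CONFIG = """\
interface Tunnel0
 description HQ-to-branch
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.20
!
interface Tunnel1
 ip address 172.31.99.1 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel mode gre ip
 tunnel destination 203.0.113.77
!
interface GigabitEthernet0/0
 ip address 192.0.2.10 255.255.255.0
!
"""

# Assumption: peers taken from the change records for this router.
APPROVED_TUNNEL_PEERS: Set[str] = {"198.51.100.20"}

_IFACE = re.compile(r"^interface (Tunnel\d+)$")
_DEST = re.compile(r"^\s+tunnel destination (\S+)$")
_MODE = re.compile(r"^\s+tunnel mode (.+?)\s*$")


def parse_tunnels(config: str) -> Dict[str, Dict[str, str]]:
    """Map each Tunnel interface to its 'mode' and (if set) 'destination'.
    IOS does not print 'tunnel mode' when it is the default (GRE over IP),
    so a stanza without that line is still a GRE tunnel."""
    tunnels: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in config.splitlines():
        m = _IFACE.match(line)
        if m:
            current = m.group(1)
            tunnels[current] = {"mode": "gre ip"}
            continue
        if not line or line.startswith("!") or not line[0].isspace():
            current = None  # '!' or a new top-level stanza ends the interface block
            continue
        if current is None:
            continue
        if (m := _DEST.match(line)):
            tunnels[current]["destination"] = m.group(1)
        elif (m := _MODE.match(line)):
            tunnels[current]["mode"] = m.group(1)
    return tunnels


def unexpected_tunnels(config: str, approved: Set[str]) -> List[Tuple[str, str, str]]:
    """(interface, destination, reason) for every tunnel that needs a human look."""
    flagged = []
    for name, attrs in parse_tunnels(config).items():
        dest = attrs.get("destination")
        if dest is None:
            flagged.append((name, "", "no destination configured"))
        elif dest not in approved:
            flagged.append((name, dest, "destination not on approved list"))
    return flagged


if __name__ == "__main__":
    for name, dest, reason in unexpected_tunnels(SAMPLE_CONFIG, APPROVED_TUNNEL_PEERS):
        print(f"{name}: {dest or '-'} ({reason})")
```

Run it against the config backups your network team already collects and diff the result per device over time; a tunnel that appears between two backups without a change ticket is the finding. The parser defaults the mode to GRE rather than treating a missing `tunnel mode` line as "not GRE", and it also reports a tunnel with no destination, since a half-configured stub is still worth a question.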
Operation Escaneo Presents a Sophisticated Campaign
After using Kimera for reconnaissance, MexicanMafia exploits a range of widely deployed vulnerabilities to gain initial access. In addition to operating its own proprietary reconnaissance framework, it maintains an exploit armory, including custom proof-of-concepts, runs on-premise credential cracking on its operational infrastructure, and has demonstrated a "capability to compromise network-layer infrastructure (Cisco routers, FortiGate VPNs) in addition to host-level systems."
Privilege escalation and lateral movement are achieved through a combination of exploiting vulnerabilities (Zerologon, EternalBlue and the PwnKit flaw CVE-2021-4034 among them) and utilities such as RDP, PsExec and Impacket tooling.
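The privilege-escalation and lateral-movement toolset listed here is old and well documented, which means its footprints are too. The triage below is an added example, not CloudSEK's detection content: three rules run over constructed host records, one per technique family named above. The PwnKit rule keys on the messages pkexec writes when the argument-less invocation used by public CVE-2021-4034 exploits trips its environment sanitiser (variants that leave no log line exist, so treat absence as inconclusive); the Zerologon rule keys on a domain controller's machine-account password being changed by ANONYMOUS LOGON (Security event 4742); the PsExec rule keys on service installs (System event 7045) that name PSEXESVC or carry an Impacket-style %COMSPEC% one-liner. The field names are assumptions about the log collector's schema.

```python
"""Triage constructed host logs for the lateral-movement and privilege
escalation techniques named on this page: PwnKit (CVE-2021-4034) on Linux,
Zerologon against a domain controller, and PsExec-style service installs.
Added example; the rules encode widely published detection tells, the
records are constructed, and the field names are an assumed collector schema."""
import re
from typing import Callable, Dict, List, Tuple

Record = Dict[str, str]

# pkexec logs one of these when the argv[0]-less invocation used by public
# PwnKit exploits trips its environment sanitiser (the misspelling is polkit's own).
_PWNKIT = re.compile(r"pkexec\[\d+\]: .*(The value for the SHELL variable was not found"
                     r"|contains suscipious content)")


def rule_pwnkit(r: Record) -> bool:
    return r.get("source") == "auth.log" and bool(_PWNKIT.search(r.get("message", "")))


def rule_zerologon(r: Record) -> bool:
    # 4742 = computer account changed. A machine account (name ends in '$')
    # modified by ANONYMOUS LOGON is the classic post-Zerologon footprint.
    return (r.get("event_id") == "4742"
            and r.get("subject_user", "").upper() == "ANONYMOUS LOGON"
            and r.get("target_account", "").endswith("$"))


def rule_psexec_service(r: Record) -> bool:
    # 7045 = new service installed. PSEXESVC is Sysinternals PsExec; Impacket's
    # smbexec uses the BTOBTO service name and a %COMSPEC% one-liner as the image.
    if r.get("event_id") != "7045":
        return False
    name = r.get("service_name", "").upper()
    path = r.get("image_path", "").upper()
    return name in ("PSEXESVC", "BTOBTO") or "%COMSPEC%" in path


RULES: List[Tuple[str, Callable[[Record], bool]]] = [
    ("pwnkit_cve_2021_4034", rule_pwnkit),
    ("zerologon_dc_password_reset", rule_zerologon),
    ("psexec_style_service_install", rule_psexec_service),
]


def triage_records(records: List[Record]) -> List[Tuple[int, str]]:
    """(record index, rule name) for every record that matches a rule."""
    return [(i, name) for i, r in enumerate(records) for name, pred in RULES if pred(r)]


# Constructed records: hostnames, PIDs, users and paths are made up.
SAMPLE_RECORDS: List[Record] = [
    {"source": "auth.log",
     "message": "pkexec[4242]: www-data: The value for the SHELL variable was not found "
                "the /etc/shells file [USER=root] [TTY=unknown] [CWD=/tmp] [COMMAND=]"},
    {"source": "auth.log",
     "message": "sshd[1001]: Accepted publickey for ops from 10.10.1.5 port 50222"},
    {"source": "security.evtx", "event_id": "4742",
     "subject_user": "ANONYMOUS LOGON", "target_account": "DC01$"},
    {"source": "security.evtx", "event_id": "4742",
     "subject_user": "svc_sccm", "target_account": "WS0042$"},
    {"source": "system.evtx", "event_id": "7045",
     "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"source": "system.evtx", "event_id": "7045", "service_name": "xKqP",
     "image_path": "%COMSPEC% /Q /c echo whoami ^> \\\\127.0.0.1\\C$\\__output 2^>^&1 "
                   "> %TEMP%\\execute.bat & %COMSPEC% /Q /c %TEMP%\\execute.bat "
                   "& del %TEMP%\\execute.bat"},
]

if __name__ == "__main__":
    for index, rule in triage_records(SAMPLE_RECORDS):
        print(f"record {index}: {rule}")
```

Each rule is deliberately narrow and cheap, so the set can run over a day of collector output before anyone writes a query; widen the PsExec rule to cover your own remote-administration tooling only after confirming that tooling's service names, or the rule will page on every legitimate push.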
But perhaps unusually for a financially motivated threat actor, MexicanMafia has shown espionage "potential" through the compromise of particularly valuable data such as tax authority SSL private keys and mobile device management (MDM) infrastructure.

A Change in Latin America's Threat Landscape
This campaign acts as a reminder that the tooling gap between cybercriminals and APT actors has essentially closed.
"The threat actor demonstrated capability to operate across Windows and Linux environments, compromise SAP ERP and Oracle database systems for command execution, extract cryptographic material and Active Directory datasets, and maintain long-dwell access through multiple redundant persistence mechanisms," researchers said.
Its reach went well beyond perimeter gear, with exploits for Apache Tomcat's GhostCat flaw (the AJP connector vulnerability CVE-2020-1938), the Windows bugs EternalBlue and Zerologon, and Log4Shell.
MexicanMafia is a financially motivated threat actor that mainly steals valuable data at scale. Whatever the strength of the hacktivist link, CloudSEK urged Latin American organizations to watch for the operation's quieter tells. These include GRE tunnels reaching external addresses, Chisel's TCP-over-HTTP traffic, and unexpected commands running through SAP and Oracle.
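Two of those tells live in network telemetry most organizations already collect. The sweep below is an added example, not CloudSEK's detection logic: it scores flow records for GRE (IP protocol 47) leaving toward an unapproved peer, and proxied HTTP sessions for the shape of a Chisel tunnel. Chisel carries SSH over a WebSocket, and its client announces a "chisel-v3" subprotocol in the upgrade handshake as I know the client; verify that string against the current Chisel release, and treat the long-lived, balanced-volume check as the protocol-agnostic fallback. The record schema, addresses and approved-peer list are assumptions, and the sample records are constructed.

```python
"""Look for Operation Escaneo's 'quieter tells' in network telemetry: GRE
leaving the network toward unapproved peers, and HTTP sessions that look like
Chisel's TCP-over-HTTP tunnel. Added example, not CloudSEK's detection logic;
the record schema, addresses and approved-peer list are assumptions and the
sample records are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APPROVED_GRE_PEERS = {"198.51.100.20"}   # assumption: documented site-to-site peers
GRE = 47                                  # IP protocol number for GRE


@dataclass
class Flow:                # one NetFlow/IPFIX-style record exported at the edge (assumed schema)
    src: str
    dst: str
    proto: int
    bytes_out: int


@dataclass
class HttpSession:         # one proxied HTTP session (assumed schema)
    client: str
    host: str
    headers: Dict[str, str] = field(default_factory=dict)  # request headers, lower-cased names
    duration_s: int = 0
    bytes_in: int = 0
    bytes_out: int = 0


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def suspicious_gre(flows: List[Flow]) -> List[Flow]:
    """GRE toward an external destination that is not an approved peer.
    An edge router that was never meant to terminate tunnels should yield none."""
    return [f for f in flows
            if f.proto == GRE and not is_internal(f.dst)
            and f.dst not in APPROVED_GRE_PEERS]


def chisel_indicators(s: HttpSession) -> List[str]:
    """Which Chisel tells a session shows. The subprotocol string is the strong
    tell; a long-lived WebSocket with roughly balanced bytes in both directions
    is the weaker, protocol-agnostic one (interactive tunnels look like that,
    ordinary downloads do not)."""
    hits = []
    if s.headers.get("upgrade", "").lower() == "websocket":
        hits.append("websocket_upgrade")
    if s.headers.get("sec-websocket-protocol", "").lower().startswith("chisel-v"):
        hits.append("chisel_subprotocol")
    if s.duration_s >= 600 and min(s.bytes_in, s.bytes_out) >= 1_000_000:
        hits.append("long_lived_bidirectional")
    return hits


def sweep(flows: List[Flow], sessions: List[HttpSession]) -> Dict[str, List[str]]:
    """Destinations worth pulling packets for: GRE peers nobody approved, and
    hosts behind sessions showing at least two Chisel indicators."""
    return {
        "gre_to_unapproved_peer": sorted({f.dst for f in suspicious_gre(flows)}),
        "chisel_like_sessions": [s.host for s in sessions if len(chisel_indicators(s)) >= 2],
    }


# Constructed telemetry. 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "198.51.100.20", GRE, 8_000_000),    # approved site-to-site tunnel
    Flow("192.0.2.10", "203.0.113.77", GRE, 5_500_000),     # GRE to a peer nobody approved
    Flow("10.1.4.22", "203.0.113.77", 6, 120_000),          # plain TCP, not GRE
]
SAMPLE_SESSIONS = [
    HttpSession("10.1.4.22", "cdn-updates.example",
                {"upgrade": "websocket", "connection": "Upgrade",
                 "sec-websocket-protocol": "chisel-v3"},
                duration_s=5400, bytes_in=42_000_000, bytes_out=37_000_000),
    HttpSession("10.1.7.9", "chat.example",
                {"upgrade": "websocket", "connection": "Upgrade"},
                duration_s=3000, bytes_in=300_000, bytes_out=120_000),
]

if __name__ == "__main__":
    print(sweep(SAMPLE_FLOWS, SAMPLE_SESSIONS))
```

The GRE check is the higher-value one: GRE has no business leaving most networks at all, so the allow-list stays short and every hit is a real question for the network team. The Chisel scoring needs tuning per environment, since legitimate WebSocket applications also hold long sessions; requiring two indicators before surfacing a host keeps ordinary chat and push traffic out of the queue.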
How the Operation Got Its Name
CloudSEK named the operation Operation Escaneo after its researchers found an open directory on the group's server in early 2026 and mapped the toolkit from the artifacts left behind.
Intelligence Sources
Dark Reading, 2026-06-18
Infosecurity Magazine, 2026-06-18: "LATAM Infrastructure Hit by Fortinet and Ivanti Exploits"
Incident Version History
CURRENT VERSION
Last Updated: 2026-06-29T06:07