LATAM Infrastructure Hit by Fortinet and Ivanti Exploits

By Team-CWD, June 18, 2026
A coordinated campaign against government and financial targets across Latin America has been laid bare by the attackers’ own mistake, after they left a staging server exposed online.

New analysis from CloudSEK detailed the operation, which it named Operation Escaneo, after researchers found an open directory on the group’s server in early 2026 and mapped its toolkit from the artifacts left behind.

The campaign hit critical infrastructure across Mexico, with lesser activity in Ecuador and Portugal, spanning government, tax authorities, utilities, transport, telecoms and banks.

CloudSEK said it confirmed beacons from at least five victims and large-scale data theft.

Breaking In Through the Perimeter

Entry came mainly through internet-facing security appliances. The group kept tuned exploits for Fortinet FortiOS SSL-VPN flaws, including CVE-2022-42475 and CVE-2024-21762, and Ivanti Connect Secure flaws CVE-2023-46805, CVE-2024-21887 and CVE-2025-0282, adapting public proof-of-concept (PoC) code so it would not crash the target.

Its reach went well beyond perimeter gear, with exploits for Apache Tomcat’s GhostCat flaw, the Windows bugs EternalBlue and Zerologon, and Log4Shell.

All of it was fed by a custom reconnaissance engine the group calls Kimera, which CloudSEK said scanned and triaged targets at high speed, then handed them straight to the exploitation stage.

Tunnels, Routers and Stolen Data

To stay connected, the group layered its access. Neo-reGeorg webshells gave encrypted footholds on web servers, Chisel reverse tunnels carried traffic over HTTP and a compromised Cisco router was fitted with a GRE tunnel pointing back to the attackers, a network-level channel invisible to host-based defenses.

Chisel logs alone recorded 3,708 sessions over a 13-day window.

Inside victim networks, the attackers reached SAP and Oracle systems to run commands and pulled out a large volume of sensitive data, including:

  • More than 1.3 million personal records from one transport provider

  • A 407MB map of a victim’s Active Directory

  • SSL private keys, streamed out live from a database server

  • SAP service-account hashes and browser-stored passwords

A Suspected Hacktivist Link

CloudSEK attributed the campaign, with medium confidence, to a group it calls Mexican Mafia, or Pancho Villa, which spent 2024 claiming breaches against Mexican government, judicial and energy targets, sometimes casting the hacks as protest.

The firm hedged the link, noting some of the group’s past claims have been disputed by the organizations named.

Regardless of the link, CloudSEK urged Latin American organizations to patch perimeter appliances first, singling out the Fortinet and Ivanti flaws, and to watch for the operation’s quieter tells.

These include GRE tunnels reaching external addresses, Chisel’s TCP-over-HTTP traffic and unexpected commands running through SAP and Oracle.
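The first of those tells, a GRE tunnel terminating outside the organization, can be picked out of flow records with a short check. The script below is an added example, not CloudSEK's or the article's code; it assumes a constructed, comma-separated flow export (source, destination, IP protocol number, bytes) and treats anything outside RFC 1918, loopback and link-local space as external.

```python
import ipaddress
from dataclasses import dataclass

# GRE is IP protocol 47; it carries no ports, so flag on protocol and destination.
GRE = 47

# Address space considered "inside" for this check (assumption: RFC 1918 plus
# loopback and link-local). Adjust to the organization's real allocations.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample flows (not from the article). The third line is a router
# sending GRE to a TEST-NET-3 address standing in for an attacker-controlled host.
SAMPLE_FLOWS = """\
# src,dst,proto,bytes
10.20.1.5,10.20.1.1,6,1200
10.20.1.254,10.20.2.1,47,5120
10.20.1.254,203.0.113.77,47,918400
192.168.4.9,198.51.100.23,6,2400
"""


@dataclass
class Flow:
    src: str
    dst: str
    proto: int
    nbytes: int


def parse_flows(text: str) -> list[Flow]:
    """Parse the simple CSV flow export, skipping blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, nbytes = line.split(",")
        flows.append(Flow(src, dst, int(proto), int(nbytes)))
    return flows


def is_external(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def find_external_gre(flows: list[Flow]) -> list[Flow]:
    """Return GRE flows whose destination lies outside the internal ranges."""
    return [f for f in flows if f.proto == GRE and is_external(f.dst)]
```

Site-to-site GRE to a known peer is legitimate, so feed the result through an allowlist of approved tunnel endpoints before raising an alert.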
