A new cyber intrusion campaign suggests a shift in Latin America’s threat landscape, as a financially motivated attacker demonstrated the tactics, techniques, and procedures of an advanced persistent threat group.
That’s according to threat monitoring firm CloudSEK, which yesterday detailed “Operation Escaneo,” a threat campaign attributed with medium confidence to a sophisticated threat actor known as MexicanMafia or PanchoVilla. MexicanMafia has a history of targeting critical infrastructure in Latin America but particularly in Mexico.
Some of its previous victims include Oaxaca State Police, Mexico City government, the Mexico state government, Mexican tax authority SAT, the Mexico City Supreme Court, Mexican-owned petroleum company Pemex, and many others.
CloudSEK’s latest report, published as a research blog, covers a coordinated, multistage campaign targeting critical infrastructure mainly across Latin America between 2025 and 2026. Mexico was the most targeted country through Operation Escaneo, followed by Ecuador and tertiary activity in Portugal. Researchers described the campaign’s toolset as “sophisticated,” featuring automated reconnaissance and data exfiltration.
Tooling includes the proprietary reconnaissance engine Kimera; a “curated exploit armory” targeting popular perimeter devices such as those from Fortinet, Ivanti, and Cisco; portable lateral movement toolkits; and “layered command-and-control infrastructure using Neo-reGeorg webshells, Chisel reverse tunnels, and compromised Cisco routers with persistent GRE tunnels,” researchers said.
“The threat actor demonstrated capability to operate across Windows and Linux environments, compromise SAP ERP and Oracle database systems for command execution, extract cryptographic material and Active Directory datasets, and maintain long-dwell access through multiple redundant persistence mechanisms,” researchers said.
But perhaps unusual for a financially motivated threat actor, MexicanMafia has shown espionage “potential” through the compromise of particularly valuable data like tax authority SSL private keys and mobile device management (MDM) infrastructure.
CloudSEK threat intelligence researcher Koushik Pal tells Dark Reading that this doesn’t necessarily mean that MexicanMafia has political interests, but rather that the group is grabbing what it can to sell (at least in some cases) on underground forums.
“What we’re observing isn’t quite the North Korea model, where financial operations explicitly fund state programs, but something arguably more interesting: opportunistic monetization running parallel to what looks like intelligence collection, possibly without central coordination between the two objectives,” he says. “The simplest explanation isn’t a sophisticated dual mandate, but rather an actor who needed to pay for infrastructure and took whatever was accessible, while a subset of targets served a separate collection agenda.”
Operation Escaneo Presents a Sophisticated Campaign
After using Kimera for reconnaissance, MexicanMafia exploits a range of popular vulnerabilities to gain initial access. These include FortiGate SSL-VPN vulnerabilities CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762, as well as the CVE-2023-46805/CVE-2024-21887 Ivanti Connect Secure authentication bypass and command injection chain. The group also exploits Apache Tomcat AJP connectors via the GhostCat vulnerability, CVE-2020-1938.
For code execution and persistence, the campaign uses Web shells and tunneling tools. Privilege escalation and lateral movement are achieved through a combination of exploiting vulnerabilities (Zerologon, EternalBlue, and PwnKit flaw CVE-2021-4034 among them) as well as utilities such as RDP, PsExec, and Impacket tooling.
MexicanMafia is considered a highly mature threat actor. In addition to operating its own proprietary reconnaissance framework, it maintains an exploit armory that includes custom proof-of-concept code, performs credential cracking on its own operational infrastructure, and has a demonstrated “capability to compromise network-layer infrastructure (Cisco routers, FortiGate VPNs) in addition to host-level systems.”
MexicanMafia is a financially motivated threat actor that mainly steals valuable data at scale. CloudSEK further identified credential and cryptographic material theft, Active Directory mapping for long-term persistence, and financial exploitation as possible motivators.
A Change in Latin America’s Threat Landscape
This campaign acts as a reminder that the tooling gap between cybercriminals and APT actors has essentially closed. As Pal explains, what historically separated APT actors was operational patience and target selection discipline rather than technical capability. This further speaks to a shift in Latin America’s threat landscape.
“[Latin America] has historically been primarily a victim environment,” he says. “Seeing a Spanish-nexus actor with this level of operational sophistication, custom frameworks, router-level persistence, SAP-specific tooling, suggests a growing interest by threat actors in that region.”
For defenders, CloudSEK recommends prioritizing the hardening of critical perimeter devices immediately. This means patching previously mentioned vulnerabilities involving Fortinet FortiOS, Ivanti Connect Secure, and Apache Tomcat AJP, as well as auditing for unexpected tunnel interfaces. Organizations should also prioritize network visibility and segmentation, strict access controls, and endpoint and application monitoring.
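One way to act on the “audit for unexpected tunnel interfaces” advice is to parse saved Cisco IOS running-config text and flag GRE tunnels whose far end is not on a documented allowlist. This is an added example, not code from CloudSEK or the report; the sample config and the allowlist are constructed, and the script assumes the default IOS behaviour that a Tunnel interface with no explicit `tunnel mode` line is GRE over IP.

```python
"""Flag GRE tunnel interfaces in Cisco IOS running-config text whose destination
is not on a documented allowlist. Added example; the sample config and the
allowlist below are constructed, not taken from the CloudSEK report."""
import re

# Constructed `show running-config` excerpt. IOS omits "tunnel mode gre ip"
# from the config because GRE over IP is the default tunnel mode.
SAMPLE_CONFIG = """\
interface Tunnel0
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.10
!
interface Tunnel99
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.77
!
interface Tunnel1
 tunnel source Loopback0
 tunnel destination 198.51.100.20
 tunnel mode ipsec ipv4
!
"""

# Tunnel endpoints the network team has documented as legitimate (constructed).
APPROVED_DESTINATIONS = {"198.51.100.10", "198.51.100.20"}


def parse_tunnels(config):
    """Return {name: {"mode": ..., "destination": ...}} for each Tunnel stanza."""
    tunnels, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (Tunnel\d+)\s*$", line)
        if m:
            current = m.group(1)
            tunnels[current] = {"mode": "gre ip", "destination": None}  # IOS default
        elif not line.startswith(" "):
            current = None  # "!" or another top-level command ends the stanza
        elif current is not None:
            body = line.strip()
            if body.startswith("tunnel destination "):
                tunnels[current]["destination"] = body.split()[-1]
            elif body.startswith("tunnel mode "):
                tunnels[current]["mode"] = body[len("tunnel mode "):]
    return tunnels


def unexpected_gre_tunnels(config, approved):
    """Names of GRE-mode tunnels with no destination or an unapproved one."""
    return sorted(name for name, t in parse_tunnels(config).items()
                  if t["mode"].startswith("gre") and t["destination"] not in approved)
```

Running `unexpected_gre_tunnels(SAMPLE_CONFIG, APPROVED_DESTINATIONS)` on the sample returns only `Tunnel99`; the IPsec tunnel is ignored and the documented GRE link passes.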
