Operation Escaneo: Infrastructure Exposure, TTP Analysis, and Attribution Assessment of an Advanced Intrusion Campaign Against Mexican Federal Agencies and Financial Institutions
ID: 5b956dde-7898-5658-a24b-518ca1c79eea
STIX ID: report--5b956dde-7898-5658-a24b-518ca1c79eea
Feed Name: CloudSEK Blog
**Executive Summary:** This report documents a coordinated, multi-stage cyber campaign attributed with medium-to-high confidence to the MexicanMafia (Pancho Villa) targeting Latin American government and critical infrastructure between 2025–2026, detailing proprietary reconnaissance tooling (Kimera), a curated exploit armory against Fortinet/Ivanti/Cisco and application servers, layered persistence and tunnelling (Neo-reGeorg webshells, Chisel, GRE tunnels), confirmed RCE callbacks and exfiltration of large datasets (≥1.3M PII records, 407 MB Active Directory dump), and provides MITRE ATT&CK mappings, detection guidance and remediation recommendations.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
