logo

Operation Escaneo: Infrastructure Exposure, TTP Analysis, and Attribution Assessment of an Advanced Intrusion Campaign Against Mexican Federal Agencies and Financial Institutions

ID: 5b956dde-7898-5658-a24b-518ca1c79eea

STIX ID: report--5b956dde-7898-5658-a24b-518ca1c79eea

Feed Name: CloudSEK Blog

Threat Score
90/100

Date Published: 2026-06-17

Date Updated: 2026-06-17

...
...

**Executive Summary:** This report documents a coordinated, multi-stage cyber campaign attributed with medium-to-high confidence to the MexicanMafia (Pancho Villa) targeting Latin American government and critical infrastructure between 2025–2026, detailing proprietary reconnaissance tooling (Kimera), a curated exploit armory against Fortinet/Ivanti/Cisco and application servers, layered persistence and tunnelling (Neo-reGeorg webshells, Chisel, GRE tunnels), confirmed RCE callbacks and exfiltration of large datasets (≥1.3M PII records, 407 MB Active Directory dump), and provides MITRE ATT&CK mappings, detection guidance and remediation recommendations.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.