Leaked attacker server reveals an advanced intrusion campaign across Mexico

An attacker who left a staging server exposed on the open internet has handed researchers a rare, end-to-end look inside a sophisticated intrusion campaign targeting government agencies, a tax authority, utilities, and financial institutions across Latin America, with Mexico squarely in the crosshairs. Researchers at CloudSEK, who discovered the open directory during routine infrastructure hunting, dubbed the operation Operation Escaneo.

The recovered toolkit reveals a well-resourced and disciplined operator. CloudSEK found a proprietary distributed reconnaissance engine the attackers call Kimera, a curated armory of exploits aimed at enterprise perimeter devices from Fortinet, Ivanti, and Cisco, portable lateral-movement kits, and layered command-and-control built on Neo-reGeorg webshells, Chisel reverse tunnels, and compromised Cisco routers running persistent GRE tunnels.

What the attackers achieved

The artifacts show real impact, not just capability. CloudSEK observed remote-code-execution beacons from at least five distinct victim IP addresses, the theft of a 407 MB Active Directory dataset, and more than 1.3 million personal records extracted. The group can operate across both Windows and Linux, and was seen compromising SAP ERP and Oracle database systems to run commands, harvest cryptographic material, and maintain long-term access through several redundant persistence mechanisms.

Who is behind it

CloudSEK attributes the campaign with medium confidence to a threat actor known as MexicanMafia, also called PanchoVilla, a group with a long public track record of breaching Mexican government bodies. Past claims attributed to the crew include leaks from state police, Mexico City government email accounts, the national tax authority, the state oil company PEMEX, and Mexico City Supreme Court, where the actor published the source code and credentials of more than 162,000 users after a ransom deadline passed. The actor has framed several operations as protests against government neglect. IntelFusions has separately tracked criminal abuse of trusted platforms to phish customers of Mexican banks.

What you should do

The campaign leans almost entirely on known, patchable weaknesses in internet-facing gear. Prioritize patching perimeter devices from Fortinet, Ivanti, and Cisco; several of the vulnerabilities in these products have been exploited in the wild after public proof-of-concept releases. Hunt for Neo-reGeorg webshells and unexpected Chisel tunnels, review Cisco router configurations for unauthorized GRE tunnels, and enforce multi-factor authentication on VPN and remote-access portals.
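One way to act on the GRE-tunnel review above, as an added example that is not part of this briefing or the CloudSEK report: a small Python audit that parses an IOS-style running-config for Tunnel interfaces and flags any GRE tunnel whose destination is not in an approved inventory. The config excerpt and the approved destination are constructed for illustration.

```python
# Constructed sample running-config excerpt (not from the report). Tunnel0 is
# approved; Tunnel99 has an unknown destination and no 'tunnel mode' line, so
# IOS treats it as GRE/IP by default.
SAMPLE_CONFIG = """\
interface Tunnel0
 description Approved GRE to HQ
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.5
 tunnel mode gre ip
!
interface Tunnel99
 ip address 172.16.99.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.77
!
"""

def parse_tunnels(config: str) -> list[dict]:
    """One dict per Tunnel interface in an IOS-style running-config."""
    tunnels, current = [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = line.split(None, 1)[1]
            current = None
            if name.startswith("Tunnel"):
                current = {"name": name, "description": "", "source": None,
                           "destination": None, "mode": "gre ip"}
                tunnels.append(current)
        elif line.startswith(" ") and current is not None:
            body = line.strip()
            for key, prefix in (("description", "description "),
                                ("source", "tunnel source "),
                                ("destination", "tunnel destination "),
                                ("mode", "tunnel mode ")):
                if body.startswith(prefix):
                    current[key] = body[len(prefix):]
        else:
            current = None  # '!' or a top-level command closes the block
    return tunnels

def find_unauthorized_tunnels(config: str, allowed: set[str]) -> list[dict]:
    """Flag GRE tunnels whose destination is not in the approved inventory."""
    return [dict(t, reason="GRE destination not in approved inventory")
            for t in parse_tunnels(config)
            if t["mode"].startswith("gre") and t["destination"] not in allowed]

if __name__ == "__main__":
    for f in find_unauthorized_tunnels(SAMPLE_CONFIG, {"198.51.100.5"}):
        print(f"{f['name']}: {f['source']} -> {f['destination']} ({f['reason']})")
```

Run it against `show running-config` output collected from each router and compare the findings with your change records; a tunnel nobody can account for is worth treating as a persistence mechanism until proven otherwise.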

Indicators of compromise

Selected defanged indicators: attacker servers 62[.]171[.]185[.]97 and 165[.]22[.]184[.]26; exploited flaws include CVE-2024-21762 and CVE-2025-0282 (Fortinet and Ivanti, respectively), CVE-2020-1472 (Zerologon), and CVE-2021-4034. The full analysis appears in the original CloudSEK report.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.

Read the full analysis on IntelFusions