A recent analysis has uncovered a meticulously coordinated campaign targeting government and financial sectors across Latin America, particularly Mexico, showing the threat that cybercriminals pose both to critical infrastructure and to the personnel whose data it holds. This operation, dubbed Operation Escaneo, was exposed because the attackers left a staging server accessible online, allowing cybersecurity researchers from CloudSEK to connect the dots and trace their activities.
According to CloudSEK, which specializes in cybersecurity intelligence, the investigation began when researchers discovered an open directory on the attackers’ server in early 2026. Examining the artifacts left behind illuminated the tools and techniques employed in this expansive assault. The campaign successfully breached critical infrastructures within Mexico, while also affecting entities in Ecuador and Portugal. The targeted sectors included a wide range of services such as government agencies, tax authorities, utilities, transportation, telecommunications, and banking institutions.
CloudSEK’s analysis revealed that there were confirmed beacons from at least five victims, indicating substantial data theft. This extensive breach highlights the vulnerabilities in Latin America’s governmental and financial systems, raising alarm bells for cybersecurity stakeholders across the region.
### Breaking In Through the Perimeter
The attackers mainly compromised systems through internet-facing security appliances. They exploited well-known vulnerabilities in Fortinet FortiOS SSL-VPN systems, specifically targeting CVE-2022-42475 and CVE-2024-21762, as well as flaws in Ivanti Connect Secure identified as CVE-2023-46805, CVE-2024-21887, and CVE-2025-0282. Significantly, they adapted public proof-of-concept (PoC) code to avoid crashing their target systems, showcasing their technical prowess.
However, their incursion was not limited to perimeter defenses alone. The attackers utilized exploits for a range of vulnerabilities, including Apache Tomcat’s GhostCat flaw, and notable Windows vulnerabilities like EternalBlue, Zerologon, and Log4Shell. Central to these efforts was a custom reconnaissance engine named Kimera, which allowed the cybercriminals to scan and categorize targets with remarkable speed, funneling information directly to the exploitation phase.
### Tunnels, Routers, and Stolen Data
To maintain persistence inside victim networks, the attackers employed layered access methods. They used Neo-reGeorg webshells for encrypted footholds on compromised web servers, while Chisel reverse tunnels facilitated traffic through HTTP. A compromised Cisco router was equipped with a Generic Routing Encapsulation (GRE) tunnel that directed traffic back to the attackers, creating a covert channel that evaded many host-based defenses. Over a short span of just 13 days, Chisel logs indicated a staggering 3,708 sessions, underscoring the volume of activity.
Once entrenched within the networks of their victims, the attackers accessed SAP and Oracle systems to execute commands and siphon off sensitive data. This included alarming amounts of personal information, such as over 1.3 million records from one transportation provider and an expansive, 407MB map of a victim’s Active Directory. Even SSL private keys were streamed live from compromised database servers, compromising the integrity of the organizations involved. Furthermore, the attackers harvested SAP service-account hashes along with browser-stored passwords, amplifying the potential for further harm.
### A Suspected Hacktivist Link
CloudSEK attributed this campaign, albeit with medium confidence, to a group they refer to as the Mexican Mafia or Pancho Villa. This group made headlines throughout 2024 by claiming a series of breaches against various Mexican government, judicial, and energy targets, often framing its activities as acts of protest. However, it is worth noting that some of its past claims have been disputed by the organizations named in those hacks.
Regardless of the claimed motivations behind the operation, CloudSEK has advised organizations across Latin America to prioritize patching their perimeter appliances—specifically highlighting the vulnerabilities in Fortinet and Ivanti products. Furthermore, they encourage entities to be vigilant for subtle indicators associated with these attacks, including GRE tunnels connecting to external addresses, Chisel’s TCP-over-HTTP traffic, and unrecognized commands being executed within SAP and Oracle platforms.
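Two of the indicators above, GRE tunnels to external addresses and Chisel-style TCP-over-HTTP sessions, can be hunted for in flow and proxy telemetry. The following is an added example, not CloudSEK's code or tooling; it assumes a flow export with an IP protocol number, a session duration, and the HTTP Upgrade header a proxy logged, and it runs over constructed sample records, not data from the report.

```python
import ipaddress
from collections import defaultdict

# Assumed internal address space (RFC 1918); adjust to the site's own ranges.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow/proxy records (not from the report). proto = IP protocol number
# (47 = GRE, 6 = TCP), secs = session duration, upgrade = HTTP Upgrade header if any.
FLOWS = [
    {"proto": 47, "src": "10.1.1.1",  "dst": "10.1.2.1",     "dport": 0,    "secs": 90,    "upgrade": None},
    {"proto": 47, "src": "10.1.1.1",  "dst": "203.0.113.45", "dport": 0,    "secs": 86400, "upgrade": None},
    {"proto": 6,  "src": "10.1.5.20", "dst": "198.51.100.9", "dport": 8080, "secs": 3600,  "upgrade": "websocket"},
    {"proto": 6,  "src": "10.1.5.20", "dst": "198.51.100.9", "dport": 8080, "secs": 2400,  "upgrade": "websocket"},
    {"proto": 6,  "src": "10.1.5.21", "dst": "198.51.100.9", "dport": 8080, "secs": 3100,  "upgrade": "websocket"},
    {"proto": 6,  "src": "10.1.7.3",  "dst": "192.0.2.10",   "dport": 443,  "secs": 12,    "upgrade": None},
]

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)

def gre_to_external(flows):
    """GRE (protocol 47) sessions whose far end lies outside the internal ranges.
    A site router should only terminate GRE with known peers; anything else is a finding."""
    return [(f["src"], f["dst"]) for f in flows if f["proto"] == 47 and is_external(f["dst"])]

def chisel_like_tunnels(flows, min_sessions=3, min_secs=600):
    """Group long-lived TCP sessions carrying 'Upgrade: websocket' by external host:port.
    A Chisel-style TCP-over-HTTP tunnel shows up as repeated, long-lived upgraded sessions
    to one external endpoint, which ordinary browsing does not produce."""
    groups = defaultdict(list)
    for f in flows:
        if f["proto"] == 6 and f["upgrade"] == "websocket" and is_external(f["dst"]):
            groups[(f["dst"], f["dport"])].append(f)
    hits = {}
    for endpoint, sessions in groups.items():
        long_lived = [s for s in sessions if s["secs"] >= min_secs]
        if len(long_lived) >= min_sessions:
            hits[endpoint] = {"sessions": len(long_lived),
                              "sources": sorted({s["src"] for s in long_lived})}
    return hits

if __name__ == "__main__":
    print("GRE to external:", gre_to_external(FLOWS))
    print("Chisel-like tunnels:", chisel_like_tunnels(FLOWS))
```

Thresholds are deliberately low for the constructed sample; in production tune `min_sessions` and `min_secs` against a baseline of legitimate WebSocket use.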
In summary, as cyber threats become increasingly sophisticated, the findings from Operation Escaneo serve as a stark reminder for governments and businesses alike about the urgent need to bolster their cybersecurity measures and respond proactively to evolving risks in the digital landscape.
