Operation Escaneo Signals Shift in LatAm Threat Landscape
The threat group's curious business model may combine opportunistic monetization alongside intel collection, without much coordination between the two.
Alexander Culafi,Senior News Writer,Dark Reading
June 18, 2026
4 Min Read
A new cyber intrusion campaign suggests a shift in Latin America's threat landscape, as a financially motivated attacker demonstrated the tactics, techniques, and procedures of an advanced persistent threat group.
That's according to threat monitoring firm CloudSEK, which yesterday detailed "Operation Escaneo," a threat campaign attributed with medium confidence to a sophisticated threat actor known as MexicanMafia or PanchoVilla. MexicanMafia has a history of targeting critical infrastructure across Latin America, particularly in Mexico.
Some of its previous victims include Oaxaca State Police, Mexico City government, the Mexico state government, Mexican tax authority SAT, the Mexico City Supreme Court, Mexican-owned petroleum company Pemex, and many others.
CloudSEK's latest report, published as a research blog, covers a coordinated, multistage campaign targeting critical infrastructure mainly across Latin America between 2025 and 2026. Mexico was the most targeted country through Operation Escaneo, followed by Ecuador and tertiary activity in Portugal. Researchers described the campaign's toolset as "sophisticated," featuring automated reconnaissance and data exfiltration.
The tooling includes the proprietary reconnaissance engine Kimera; a "curated exploit armory" targeting popular perimeter devices such as those from Fortinet, Ivanti, and Cisco; portable lateral movement toolkits; and "layered command-and-control infrastructure using Neo-reGeorg webshells, Chisel reverse tunnels, and compromised Cisco routers with persistent GRE tunnels," researchers said.
"The threat actor demonstrated capability to operate across Windows and Linux environments, compromise SAP ERP and Oracle database systems for command execution, extract cryptographic material and Active Directory datasets, and maintain long-dwell access through multiple redundant persistence mechanisms," researchers said.
But perhaps unusual for a financially motivated threat actor, MexicanMafia has shown espionage "potential" through the compromise of particularly valuable data like tax authority SSL private keys and mobile device management (MDM) infrastructure.
CloudSEK threat intelligence researcher Koushik Pal tells Dark Reading that this doesn't necessarily mean that MexicanMafia has political interests, but rather that the group is grabbing what it can to sell (at least in some cases) on underground forums.
"What we're observing isn't quite the North Korea model, where financial operations explicitly fund state programs, but something arguably more interesting: opportunistic monetization running parallel to what looks like intelligence collection, possibly without central coordination between the two objectives," he says. "The simplest explanation isn't a sophisticated dual mandate, but rather an actor who needed to pay for infrastructure and took whatever was accessible, while a subset of targets served a separate collection agenda."
Operation Escaneo Presents a Sophisticated Campaign
After using Kimera for reconnaissance, MexicanMafia exploits a range of widely known vulnerabilities to gain initial access. These include FortiGate SSL-VPN vulnerabilities CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762, as well as the CVE-2023-46805/CVE-2024-21887 Ivanti Connect Secure authentication bypass and command injection chain. The group also exploits Apache Tomcat AJP connectors via the GhostCat vulnerability, CVE-2020-1938.
For code execution and persistence, the campaign uses Web shells and tunneling tools. Privilege escalation and lateral movement are achieved through a combination of exploiting vulnerabilities (Zerologon, EternalBlue, and PwnKit flaw CVE-2021-4034 among them) as well as utilities such as RDP, PsExec, and Impacket tooling.
MexicanMafia is considered a highly mature threat actor. In addition to operating its own proprietary reconnaissance framework, it maintains an exploit armory, including custom proof-of-concepts, on-premise credential cracking on operational infrastructure, and a demonstrated "capability to compromise network-layer infrastructure (Cisco routers, FortiGate VPNs) in addition to host-level systems."
MexicanMafia is a financially motivated threat actor that mainly steals valuable data at scale. CloudSEK further identified credential and cryptographic material theft, Active Directory mapping for long-term persistence, and financial exploitation as possible motivators.
A Change in Latin America's Threat Landscape
This campaign acts as a reminder that the tooling gap between cybercriminals and APT actors has essentially closed. As Pal explains, what historically separated APT actors was operational patience and target selection discipline rather than technical capability. This further speaks to a shift in Latin America's threat landscape.
"[Latin America] has historically been primarily a victim environment," he says. "Seeing a Spanish-nexus actor with this level of operational sophistication, custom frameworks, router-level persistence, SAP-specific tooling, suggests a growing interest by threat actors in that region."
For defenders, CloudSEK recommends prioritizing the hardening of critical perimeter devices immediately. This means patching the previously mentioned vulnerabilities in Fortinet FortiOS, Ivanti Connect Secure, and Apache Tomcat AJP, as well as auditing for unexpected tunnel interfaces. Organizations should also prioritize network visibility and segmentation, strict access controls, and endpoint and application monitoring.
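As an added illustration of the "audit for unexpected tunnel interfaces" advice above (example code written for this article, not CloudSEK's or any vendor's tooling): it parses Cisco IOS-style running-config text for Tunnel interfaces and flags any whose name or destination is not on an allowlist. The sample config and the allowlist are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of `show running-config` output (not from the report).
# Tunnel0 is a known site-to-site link; Tunnel7 is the kind of extra GRE
# tunnel an audit should surface.
SAMPLE_CONFIG = """\
interface Tunnel0
 ip address 10.99.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.10
!
interface Tunnel7
 ip address 10.250.1.1 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel destination 198.51.100.77
 tunnel mode gre ip
!
"""

# Hypothetical allowlist kept by the network team: interface name -> expected destination.
APPROVED_TUNNELS = {"Tunnel0": "203.0.113.10"}


@dataclass
class Tunnel:
    name: str
    destination: Optional[str]
    mode: str


def parse_tunnels(config: str) -> list:
    """Extract Tunnel interfaces; IOS defaults to GRE/IP when no 'tunnel mode' line is shown."""
    tunnels = []
    for block in re.split(r"^!\s*$", config, flags=re.M):
        m = re.search(r"^interface (Tunnel\d+)", block, re.M)
        if not m:
            continue
        dest = re.search(r"^\s*tunnel destination (\S+)", block, re.M)
        mode = re.search(r"^\s*tunnel mode (.+)$", block, re.M)
        tunnels.append(Tunnel(m.group(1),
                              dest.group(1) if dest else None,
                              mode.group(1).strip() if mode else "gre ip"))
    return tunnels


def unexpected_tunnels(config: str, approved: dict) -> list:
    """Flag tunnels absent from the allowlist or pointing at an unapproved destination."""
    return [t for t in parse_tunnels(config) if approved.get(t.name) != t.destination]
```

Running `unexpected_tunnels(SAMPLE_CONFIG, APPROVED_TUNNELS)` returns only Tunnel7; a change to an approved tunnel's destination is flagged as well, since the check compares destinations rather than names alone.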
About the Author
Alexander Culafi
Senior News Writer, Dark Reading
Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere.
At Dark Reading, he covers a variety of cybersecurity topics, including the cybercrime ecosystem, open source security, and the intersection between AI and threat actors. In his spare time, Alex hosts the weekly Nintendo podcast, "Talk Nintendo Podcast," and works on personal writing projects, including two previously self-published science fiction novels.
He has received numerous awards, including TechTarget's Writer of the Year in 2022 as well as more than 10 Azbee awards for his reporting between 2022 and today.