Operation Escaneo Signals Shift in LatAm Threat Landscape

Dark Reading, Industry News & Leadership, June 18, 2026 (full text archived June 18, 2026)

The threat group's curious business model may combine opportunistic monetization with intel collection, without much coordination between the two.


By Alexander Culafi, Senior News Writer, Dark Reading. June 18, 2026. 4 min read.

A new cyber intrusion campaign suggests a shift in Latin America's threat landscape, as a financially motivated attacker demonstrated the tactics, techniques, and procedures of an advanced persistent threat (APT) group.

That's according to threat monitoring firm CloudSEK, which yesterday detailed "Operation Escaneo," a campaign attributed with medium confidence to a sophisticated threat actor known as MexicanMafia or PanchoVilla.

MexicanMafia has a history of targeting critical infrastructure in Latin America, particularly in Mexico. Its previous victims include the Oaxaca State Police, the Mexico City government, the State of Mexico government, Mexican tax authority SAT, the Mexico City Supreme Court, Mexico's state-owned petroleum company Pemex, and many others.

CloudSEK's latest report, published as a research blog, covers a coordinated, multistage campaign targeting critical infrastructure mainly across Latin America between 2025 and 2026. Mexico was the most heavily targeted country in Operation Escaneo, followed by Ecuador, with tertiary activity in Portugal.

Researchers described the campaign's toolset as "sophisticated," featuring automated reconnaissance and data exfiltration. The tooling includes the proprietary reconnaissance engine Kimera; a "curated exploit armory" targeting popular perimeter devices such as those from Fortinet, Ivanti, and Cisco; portable lateral movement toolkits; and "layered command-and-control infrastructure using Neo-reGeorg webshells, Chisel reverse tunnels, and compromised Cisco routers with persistent GRE tunnels," researchers said.

"The threat actor demonstrated capability to operate across Windows and Linux environments, compromise SAP ERP and Oracle database systems for command execution, extract cryptographic material and Active Directory datasets, and maintain long-dwell access through multiple redundant persistence mechanisms," researchers said.

But, perhaps unusually for a financially motivated threat actor, MexicanMafia has shown espionage "potential" through the compromise of particularly valuable data such as tax authority SSL private keys and mobile device management (MDM) infrastructure.

CloudSEK threat intelligence researcher Koushik Pal tells Dark Reading that this doesn't necessarily mean that MexicanMafia has political interests, but rather that the group is grabbing what it can to sell (at least in some cases) on underground forums.

"What we're observing isn't quite the North Korea model, where financial operations explicitly fund state programs, but something arguably more interesting: opportunistic monetization running parallel to what looks like intelligence collection, possibly without central coordination between the two objectives," he says. "The simplest explanation isn't a sophisticated dual mandate, but rather an actor who needed to pay for infrastructure and took whatever was accessible, while a subset of targets served a separate collection agenda."

Operation Escaneo Presents a Sophisticated Campaign

After using Kimera for reconnaissance, MexicanMafia exploits a range of widely known vulnerabilities to gain initial access. These include the FortiGate SSL-VPN vulnerabilities CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762, as well as the Ivanti Connect Secure authentication bypass and command injection chain, CVE-2023-46805 and CVE-2024-21887. The group also exploits Apache Tomcat AJP connectors via the GhostCat vulnerability, CVE-2020-1938.

For code execution and persistence, the campaign uses web shells and tunneling tools. Privilege escalation and lateral movement are achieved through a combination of exploited vulnerabilities (Zerologon, CVE-2020-1472; EternalBlue, MS17-010; and the PwnKit flaw CVE-2021-4034 among them) and utilities such as RDP, PsExec, and Impacket tooling.

MexicanMafia is considered a highly mature threat actor. In addition to operating its own proprietary reconnaissance framework, it maintains an exploit armory that includes custom proof-of-concept code, performs credential cracking on its own operational infrastructure rather than on victim hosts, and has a demonstrated "capability to compromise network-layer infrastructure (Cisco routers, FortiGate VPNs) in addition to host-level systems."

MexicanMafia is a financially motivated threat actor that mainly steals valuable data at scale. CloudSEK further identified credential and cryptographic material theft, Active Directory mapping for long-term persistence, and financial exploitation as possible motivators.

A Change in Latin America's Threat Landscape

The campaign is a reminder that the tooling gap between cybercriminals and APT actors has essentially closed. As Pal explains, what historically separated APT actors was operational patience and target-selection discipline rather than technical capability.

The campaign also points to a shift in Latin America's threat landscape. "[Latin America] has historically been primarily a victim environment," he says. "Seeing a Spanish-nexus actor with this level of operational sophistication, custom frameworks, router-level persistence, SAP-specific tooling, suggests a growing interest by threat actors in that region."

For defenders, CloudSEK recommends hardening critical perimeter devices immediately. That means patching the Fortinet FortiOS, Ivanti Connect Secure, and Apache Tomcat AJP vulnerabilities listed above, and auditing routers and hosts for unexpected tunnel interfaces, since the campaign's persistent GRE tunnels on compromised Cisco routers and its Chisel reverse tunnels serve as both persistence and command-and-control paths. Organizations should also prioritize network visibility and segmentation, strict access controls, and endpoint and application monitoring.
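One way to act on the "audit for unexpected tunnel interfaces" recommendation above, as an added example that is not CloudSEK's or Dark Reading's code: parse a saved Cisco IOS running-config, pull out every TunnelN stanza, and flag any tunnel whose destination falls outside an allowlist of known peers, is not an IP literal, or carries no description. The sample config, the allowlist, and the interface names are constructed for illustration; the only IOS behaviour relied on is that stanza body lines are indented one space, stanzas are separated by "!" at column 0, and a tunnel with no "tunnel mode" line defaults to GRE over IP.

```python
"""Audit a Cisco IOS running-config for unexpected tunnel interfaces.

Added example for this article; it is not CloudSEK's or Dark Reading's code.
It assumes the config was captured as text (`show running-config`) and that
the operator keeps an allowlist of legitimate tunnel destinations. The sample
config and the allowlist below are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass


@dataclass
class TunnelInterface:
    name: str
    description: str = ""
    source: str = ""
    destination: str = ""
    mode: str = "gre ip"      # IOS default when no 'tunnel mode' line is present
    keepalive: bool = False


# Only 'interface TunnelN' stanzas are of interest; IOS indents stanza body
# lines by one space and separates stanzas with '!' at column 0.
_TUNNEL_STANZA = re.compile(r"^interface\s+(Tunnel\d+)\s*$", re.IGNORECASE)


def parse_tunnels(config: str) -> list[TunnelInterface]:
    """Return one TunnelInterface per 'interface TunnelN' stanza in config."""
    tunnels: list[TunnelInterface] = []
    current: TunnelInterface | None = None
    for raw in config.splitlines():
        line = raw.rstrip()
        match = _TUNNEL_STANZA.match(line)
        if match:
            current = TunnelInterface(name=match.group(1))
            tunnels.append(current)
            continue
        if current is None:
            continue
        if not line.startswith(" "):          # '!', 'end' or a new top-level command
            current = None
            continue
        cmd = line.strip()
        if cmd.startswith("description "):
            current.description = cmd[len("description "):]
        elif cmd.startswith("tunnel source "):
            current.source = cmd[len("tunnel source "):]
        elif cmd.startswith("tunnel destination "):
            current.destination = cmd[len("tunnel destination "):]
        elif cmd.startswith("tunnel mode "):
            current.mode = cmd[len("tunnel mode "):]
        elif cmd.startswith("keepalive"):
            current.keepalive = True
    return tunnels


def audit_tunnels(config: str, allowed_destinations: list[str]) -> list[tuple[str, list[str]]]:
    """Flag tunnels whose destination is outside the allowlist or that are undocumented.

    Returns [(interface_name, [reason, ...]), ...] for interfaces needing review.
    """
    allowed = [ipaddress.ip_network(net) for net in allowed_destinations]
    findings: list[tuple[str, list[str]]] = []
    for tun in parse_tunnels(config):
        reasons: list[str] = []
        if not tun.destination:
            reasons.append("no tunnel destination configured")
        else:
            try:
                dst = ipaddress.ip_address(tun.destination)
                if not any(dst in net for net in allowed):
                    reasons.append(f"destination {tun.destination} is not in the allowlist")
            except ValueError:
                # IOS also accepts a hostname here; a tunnel pointed at a name
                # the organisation does not own deserves a look too.
                reasons.append(f"destination {tun.destination!r} is not an IP literal")
        if not tun.description:
            reasons.append("no description (undocumented tunnel)")
        if reasons:
            findings.append((tun.name, reasons))
    return findings


# Constructed sample: one documented site-to-site tunnel and one that nobody
# can account for, pointing at an address outside the allowlist.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet0/0
 description WAN uplink
 ip address 203.0.113.10 255.255.255.0
!
interface Tunnel0
 description Site-to-site to branch office
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.20
 keepalive 10 3
!
interface Tunnel9
 ip address 10.255.9.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.77
!
end
"""

ALLOWED_DESTINATIONS = ["198.51.100.0/24"]   # assumed: the organisation's known tunnel peers


if __name__ == "__main__":
    for name, reasons in audit_tunnels(SAMPLE_CONFIG, ALLOWED_DESTINATIONS):
        print(f"{name}: " + "; ".join(reasons))
```

Run it against configuration backups as well as live output, and diff running-config against startup-config: a tunnel that an intruder added without saving appears only in the running config, which is exactly where this check should catch it.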