Operation Escaneo: Inside a Cyber Campaign Targeting Mexico’s Government and Financial Sector
Mexican government agencies, financial institutions and critical infrastructure are being targeted through a sophisticated intrusion campaign capable of exploiting perimeter devices, stealing credentials and maintaining long-term access inside compromised networks.
CloudSEK researchers have uncovered the attacker’s exposed staging server, providing a rare view into the infrastructure, tools and tactics behind Operation Escaneo.
The investigation revealed:
- A custom reconnaissance platform called Kimera
- Exploits targeting Fortinet, Ivanti, Cisco, SAP, Oracle and Windows systems
- Evidence of more than 1.3 million PII records being extracted
- Exfiltration of a 407 MB Active Directory dataset
- Webshells, reverse tunnels and compromised routers used for persistent access
CloudSEK’s analysis identifies significant operational and tactical links between the campaign and MexicanMafia, also known as PanchoVilla.
The report shows how the campaign progresses from mass reconnaissance and exploitation to lateral movement, credential theft, data exfiltration and long-term persistence—posing a serious risk to public-sector and financial networks across the region.
Full report: https://www.cloudsek.com/blog/operation-escaneo-mexican-government-financial-institutions-cyberattack
This entry was posted on June 17, 2026 at 11:52 am and is filed under Commentary with tags CloudSEK. You can follow any responses to this entry through the RSS 2.0 feed.