
Operation Escaneo, a campaign targeting Latin American government and financial infrastructure, has been attributed by CloudSEK to the threat actor MexicanMafia after researchers found one of the group's staging servers exposed online. The activity was first spotted in mid-June 2026, when a misconfigured server left by the attackers was discovered on the public internet. Analysis of that server revealed the tools and tactics used in the intrusions. The campaign appears to be ongoing and has already affected multiple entities in Mexico and elsewhere in the region.
The attackers relied on a proprietary reconnaissance tool called Kimera to quickly enumerate potential victims and identify exposed services. They then exploited known vulnerabilities in Fortinet FortiGate firewalls and Ivanti VPN appliances to gain an initial foothold inside target networks. Once inside, they deployed webshells to maintain persistent command-and-control channels. Covert tunnels over legitimate protocols such as DNS and HTTP carried exfiltrated data out of the network while blending with normal traffic.
During the intrusions the threat actors stole sensitive information including employee personal records and SSL/TLS private keys; the records can feed further fraud, and the keys allow an attacker to impersonate the victims' services until the corresponding certificates are revoked and reissued. The stolen data was packaged and sent to external servers controlled by the group. No public CVE identifiers were referenced in the reports, but the exploited flaws correspond to previously disclosed vulnerabilities in the affected products. The combination of custom tooling and off-the-shelf exploits indicates a mature operational capability.
CloudSEK links the activity to MexicanMafia, a group that, as Dark Reading notes, has previously claimed similar breaches as a form of protest but now appears to pursue financial gain alongside intelligence collection. The operation illustrates how criminal actors are adopting tactics once associated mainly with state-sponsored APTs, such as layered access and stealthy exfiltration. This shift raises the risk profile for organisations that rely on perimeter security alone. Researchers warn that similar campaigns could spread to other sectors if defences are not tightened.
Defenders should start by auditing any publicly exposed management interfaces and ensuring that their own staging and test servers are not reachable from the internet. Applying the latest security updates for Fortinet FortiGate and Ivanti VPN products is essential, as is disabling any unused services that could be abused. Patching alone does not evict an attacker who is already on the appliance, so the update should be paired with a check of the device for webshells and unexpected configuration changes, rotation of credentials stored on it, and revocation and reissue of any certificate whose private key was reachable from a compromised host. Network traffic should be inspected for webshell activity and beaconing, and for tunnelling over DNS or HTTP, including HTTP on non-standard ports. Log collection from VPN concentrators and firewalls must be enabled and forwarded off the device, since an attacker with a foothold on the appliance can alter local logs, so that anomalous authentication attempts can be detected.
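The two traffic checks above can be prototyped in a few lines of Python. The script below is an added example written for this page; it is not code from CloudSEK or from the Kimera tooling, and both log excerpts are constructed to show what the heuristics key on. It scores DNS queries per registered domain by the number of unique names, the Shannon entropy of the leftmost label and its length (high-entropy, long, ever-changing labels are the signature of data encoded into subdomains), and flags HTTP clients whose requests to one URI arrive at near-constant intervals (low coefficient of variation of the inter-arrival time, the usual sign of a beacon or of an operator script polling a webshell). The thresholds, log formats and the "last two labels" approximation of a registered domain are all assumptions; production code should use the public suffix list and tune the thresholds against baseline traffic.

```python
import math
from collections import defaultdict
from statistics import mean, pstdev

# Constructed DNS query log: "<epoch> <client> <qname>". Not from any report.
# 10.0.5.40 issues long hex labels under one domain, the shape of DNS tunnelling.
DNS_LOG = """\
1718000001 10.0.5.12 www.example.com
1718000002 10.0.5.12 mail.example.com
1718000003 10.0.5.40 3a7f9c2e1b0d4e5f6a7b8c9d0e1f2a3b4c5d.u.exfil-host.example
1718000004 10.0.5.40 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a2f.u.exfil-host.example
1718000005 10.0.5.40 5c4b3a2f1e0d9c8b7a6f5e4d3c2b1a0f9e8d.u.exfil-host.example
1718000006 10.0.5.40 7a6f5e4d3c2b1a0f9e8d7c6b5a4f3e2d1c0b.u.exfil-host.example
1718000007 10.0.5.40 1c0b9a8f7e6d5c4b3a2f1e0d9c8b7a6f5e4d.u.exfil-host.example
1718000008 10.0.5.12 www.example.com
1718000009 10.0.5.12 cdn.example.com
"""

# Constructed web server access log: "<epoch> <src> <method> <uri>". Not from any report.
# 10.0.5.40 POSTs to one .aspx file every ~60 s; 10.0.5.12 browses irregularly.
HTTP_LOG = """\
1718000000 10.0.5.40 POST /images/logo.aspx
1718000060 10.0.5.40 POST /images/logo.aspx
1718000120 10.0.5.40 POST /images/logo.aspx
1718000181 10.0.5.40 POST /images/logo.aspx
1718000240 10.0.5.40 POST /images/logo.aspx
1718000300 10.0.5.40 POST /images/logo.aspx
1718000005 10.0.5.12 GET /index.html
1718000170 10.0.5.12 GET /index.html
1718000190 10.0.5.12 GET /about.html
1718000900 10.0.5.12 GET /index.html
"""


def shannon_entropy(s):
    """Bits per character; hex data tops out near 4.0, base64 near 6.0, words ~3.0."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Assumption: last two labels. Real code should consult the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def score_dns(log, min_unique=5, min_entropy=3.0, min_label_len=30):
    """Return {domain: stats} for domains whose query pattern looks like tunnelling."""
    per_domain = defaultdict(lambda: {"names": set(), "ent": [], "lens": [], "clients": set()})
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, client, qname = line.split()
        d = per_domain[registered_domain(qname)]
        leftmost = qname.split(".")[0]
        d["names"].add(qname.lower())
        d["ent"].append(shannon_entropy(leftmost))
        d["lens"].append(len(leftmost))
        d["clients"].add(client)
    flagged = {}
    for dom, d in per_domain.items():
        if (len(d["names"]) >= min_unique and mean(d["ent"]) >= min_entropy
                and mean(d["lens"]) >= min_label_len):
            flagged[dom] = {
                "unique_qnames": len(d["names"]),
                "mean_entropy": round(mean(d["ent"]), 2),
                "mean_label_len": round(mean(d["lens"]), 1),
                "clients": sorted(d["clients"]),
            }
    return flagged


def find_beacons(log, min_hits=5, max_cv=0.1):
    """Return {(src, uri): stats} for request series with near-constant spacing."""
    times = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, _method, uri = line.split()
        times[(src, uri)].append(int(ts))
    beacons = {}
    for key, ts in times.items():
        if len(ts) < min_hits:
            continue
        ts.sort()
        deltas = [b - a for a, b in zip(ts, ts[1:])]
        mu = mean(deltas)
        cv = pstdev(deltas) / mu if mu else float("inf")  # coefficient of variation
        if cv <= max_cv:
            beacons[key] = {"hits": len(ts), "interval": round(mu, 1), "cv": round(cv, 3)}
    return beacons


if __name__ == "__main__":
    for dom, stats in score_dns(DNS_LOG).items():
        print("possible DNS tunnel:", dom, stats)
    for (src, uri), stats in find_beacons(HTTP_LOG).items():
        print("possible beacon:", src, uri, stats)
```

On the constructed logs this flags `exfil-host.example` (five unique 36-character hex labels from one client) and the 60-second POST series to `/images/logo.aspx`, while the ordinary browsing and the `example.com` lookups pass. Real webshell polling is often jittered deliberately, so `max_cv` is a tuning knob rather than a fixed rule, and the entropy threshold should be lowered for base32/base64 encodings only after checking what legitimate CDN and anti-spam lookups in the environment score.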
Implementing network segmentation limits lateral movement, while enforcing multi-factor authentication on privileged accounts reduces the impact of credential theft. Security teams should hunt for the indicators associated with Kimera, including the file hashes and command-line patterns shared in the CloudSEK report, bearing in mind that hashes of a custom tool change with every rebuild, so the command-line and network patterns are the more durable of the two. Regular red-team exercises that simulate webshell deployment and tunnel creation can help validate detection capabilities. Finally, sharing indicators with regional information sharing and analysis centres helps build a collective defence across Latin America.