Mexican Mafia

Mexican Mafia is a suspected hacktivist threat actor that CloudSEK also refers to as Pancho Villa. CloudSEK attributed Operation Escaneo to this group with medium confidence. The campaign primarily targeted government, financial, and critical infrastructure organizations in Latin America, especially Mexico, with additional activity observed in Ecuador and Portugal. Targeted sectors included government, tax authorities, utilities, transport, telecommunications, and banks. According to the provided reporting, the group spent 2024 claiming breaches against Mexican government, judicial, and energy targets, sometimes framing the intrusions as protest, although some of those claims were disputed by the named organizations. In Operation Escaneo, the actor used internet-facing security appliances for initial access, including Fortinet FortiOS SSL-VPN vulnerabilities CVE-2022-42475 and CVE-2024-21762, and Ivanti Connect Secure vulnerabilities CVE-2023-46805, CVE-2024-21887, and CVE-2025-0282. The group also possessed exploits for GhostCat, EternalBlue, Zerologon, and Log4Shell. Observed tradecraft included a custom reconnaissance engine called Kimera, Neo-reGeorg webshells, Chisel reverse tunnels over HTTP, and a compromised Cisco router configured with a GRE tunnel to attacker infrastructure. The actor accessed SAP and Oracle systems to execute commands and conducted large-scale data theft, including more than 1.3 million personal records from one transport provider, a 407MB Active Directory map, SSL private keys, SAP service-account hashes, and browser-stored passwords. The content also states that in March 2026 the group underwent structural changes by merging with Mexican Mafia Team to form Chronus Mafia.