MexicanMafia
MexicanMafia, also known as PanchoVilla, is a threat actor that CloudSEK attributed with medium confidence to Operation Escaneo, a coordinated multistage intrusion campaign active between 2025 and 2026. The actor has a reported history of targeting critical infrastructure and government-related entities in Latin America, with Mexico as the primary focus, Ecuador as a secondary focus, and some activity observed in Portugal. Reported targeted sectors include government, tax authorities, utilities, transportation, telecommunications, and financial services. Prior claimed or reported victims mentioned in the source material include Oaxaca State Police, the Mexico City government, the Estado de México government, SAT, the Mexico City Supreme Court, Pemex, UNAM institutes IIMAS and IIFL, ORFIS Veracruz, Quálitas Insurance, PJCDMX, and the Tribunal Superior de Justicia de Oaxaca. CloudSEK described the actor as highly mature and capable of operating across Windows and Linux environments, as well as SAP ERP, Oracle, PostgreSQL, and network infrastructure. The campaign used a proprietary reconnaissance framework called Kimera, supported by automated discovery and vulnerability tooling including subfinder, assetfinder, findomain, gobuster, dnsx, naabu, httpx, LinkFinder, whatweb, nuclei, and dalfox. The actor maintained a curated exploit arsenal targeting Fortinet FortiOS, Ivanti Connect Secure, Apache Tomcat, Windows SMB services, Linux polkit, VMware AirWatch, and Log4j. Exploitation observed in the reporting included CVE-2022-42475, CVE-2023-27997, CVE-2024-21762, CVE-2023-46805, CVE-2024-21887, CVE-2025-0282, CVE-2020-1938, CVE-2020-1472, CVE-2021-4034, CVE-2020-0796, MS17-010, MS08-067, and Log4Shell. 
Observed tradecraft included use of FortiGate configuration dumps to obtain cleartext VPN credentials; custom phishing pages targeting tax-authority employees and corporate document-management users; execution via Oracle DBMS_SCHEDULER, SAP RFC functions such as SXPG_CALL_SYSTEM, GeoServer WFS injection, Java deserialization payloads, and multiple webshell variants; deployment of Neo-reGeorg webshells in JSPX, JSP, ASPX, PHP, Go, and ASHX variants; Chisel reverse tunnels for TCP-over-HTTP command and control; and persistent GRE tunnels on compromised Cisco routers. The actor also abused AnyDesk and impersonated N-able RMM agents with crafted LNK files for persistence and remote access, and used a ZipSlip tool named mkzip34.py to deploy webshells and re-establish access after restoration. For privilege escalation, credential access, and lateral movement, the reporting cites use of PwnKit, Zerologon, EternalBlue, SMBGhost, SambaCry, MS08-067, RDP, PsExec, and Impacket tools including psexec.py, wmiexec.py, smbexec.py, secretsdump.py, GetUserSPNs.py, and ntlmrelayx.py. CloudSEK reported that the actor maintained long-dwell access through redundant persistence mechanisms across host, application, and network layers, including compromised Cisco routers and FortiGate VPN infrastructure. Reported collection objectives included credentials, Kerberoastable hashes, Chrome credential stores, FortiGate cleartext credentials, Zimbra passwords, SAP service account hashes, SSL private keys, Active Directory datasets, and large-scale PII. The source material states that the actor exfiltrated a 407 MB BloodHound Active Directory dataset and more than 1.3 million customer records from a transportation provider, and that tax authority SSL private keys and mobile device management infrastructure were compromised. 
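Detection logic for two of the Impacket tools named above, added here as an example and not part of the original profile or CloudSEK's reporting: it matches the command-line artefacts that wmiexec.py and smbexec.py leave with their default settings against constructed process-creation events. The event tuple layout, host names and sample command lines are assumptions; the regexes encode the tools' published defaults, not indicators from this page.

```python
import re

# Default artefacts of two Impacket lateral-movement tools. These reflect the tools'
# well-known default settings (assumed stable), not indicators taken from the profile.
IMPACKET_SIGNATURES = {
    # wmiexec.py runs: cmd.exe /Q /c <cmd> 1> \\127.0.0.1\ADMIN$\__<epoch> 2>&1
    "wmiexec": re.compile(
        r"cmd\.exe\s+/Q\s+/c\s+.*1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d", re.I),
    # smbexec.py writes %TEMP%\execute.bat and redirects output to \\127.0.0.1\C$\__output
    "smbexec": re.compile(
        r"(\\\\127\.0\.0\.1\\C\$\\__output|%TEMP%\\execute\.bat)", re.I),
}


def classify_command_line(cmdline: str):
    """Return the Impacket tool whose default artefacts appear in cmdline, else None."""
    for tool, pattern in IMPACKET_SIGNATURES.items():
        if pattern.search(cmdline):
            return tool
    return None


def scan_process_events(events):
    """events: iterable of (host, parent_image, command_line) tuples.

    Returns one alert dict per event whose command line matches a signature.
    """
    alerts = []
    for host, parent, cmdline in events:
        tool = classify_command_line(cmdline)
        if tool:
            alerts.append({"host": host, "tool": tool, "parent": parent})
    return alerts


# Constructed sample process-creation events (hypothetical hosts, not from any real incident).
SAMPLE_EVENTS = [
    ("srv01", "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1700000000.12 2>&1"),
    ("srv02", "C:\\Windows\\System32\\services.exe",
     "%COMSPEC% /Q /c echo net user ^> \\\\127.0.0.1\\C$\\__output 2^>^&1 "
     "> %TEMP%\\execute.bat & %COMSPEC% /Q /c %TEMP%\\execute.bat & del %TEMP%\\execute.bat"),
    ("ws03", "C:\\Windows\\explorer.exe",
     "cmd.exe /c dir C:\\Users > C:\\temp\\listing.txt"),  # benign, must not alert
]

if __name__ == "__main__":
    for alert in scan_process_events(SAMPLE_EVENTS):
        print(alert)
```

The parent image is carried through because WmiPrvSE.exe (wmiexec) and services.exe (smbexec) spawning these command lines is the corroborating context an analyst checks next.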
CloudSEK assessed likely motivations as credential theft, cryptographic material theft, Active Directory mapping for long-term persistence, and financial exploitation, while also noting possible intelligence-collection objectives. The reporting characterizes MexicanMafia as an increasingly sophisticated Latin American threat actor, but does not explicitly identify it as a nation-state actor.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Energy
- Government & Administration
Where they target
Geographies tied to known operations.
- 🇲🇽 Mexico
- 🇪🇨 Ecuador
- 🇵🇹 Portugal
Where they're from
Attributed origin per open-source reporting.
- MX
Tradecraft
74 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
4 malware families attributed to this actor across reporting.
Associated vulnerabilities
13 CVEs this actor has used in observed campaigns. 13 of them exploited in the wild.
Privilege escalation and lateral movement are achieved through a combination of exploiting vulnerabilities (Zerologon, EternalBlue, and PwnKit flaw CVE-2021-4034 among them)...
The group also exploits Apache Tomcat AJP connectors via the GhostCat vulnerability, CVE-2020-1938.
These include FortiGate SSL-VPN vulnerabilities CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762...
Observables
17 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Financially motivated threat actor behind Operation Escaneo, conducting a sophisticated multistage campaign against critical infrastructure in Latin America while combining large-scale data theft and opportunistic monetization with possible intelligence collection.
Conducted a coordinated multi-stage intrusion campaign targeting critical infrastructure and government-related entities across Latin America, using custom reconnaissance tooling, exploitation of perimeter devices, webshells, tunneling, credential theft, lateral movement, and large-scale data exfiltration.