Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to threat actors
3 malware familiesExploits CVEs in the wild

Pancho Villa

Also known asPancho Villa
Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

8 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

8 of 15 tactics9 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0043
Reconnaissance
1 technique
T1595
Active Scanning
TA0001
Initial Access
1 technique
T1190
Exploit Public-Facing Application
TA0003
Persistence
1 technique
T1505
Server Software Component
T1505.003
Web Shell
TA0004
Privilege Escalation
1 technique
T1068
Exploitation for Privilege Escalation
TA0008
Lateral Movement
1 technique
T1021
Remote Services
TA0009
Collection
1 technique
T1213
Data from Information Repositories
TA0011
Command and Control
1 technique
T1090
Proxy
TA0010
Exfiltration
1 technique
T1048
Exfiltration Over Alternative Protocol
ARSENAL

Associated malware families

3 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
ChiselNeo-reGeorg webshells gave encrypted footholds on web servers, Chisel reverse tunnels carried traffic over HTTP and a compromised Cisco router was fitted with a GRE tunnel pointing back to the attackers, a network-level channel invisible to host-based defenses.1Jun 18, 2026
KimeraAll of it was fed by a custom reconnaissance engine the group calls Kimera, which CloudSEK said scanned and triaged targets at high speed, then handed them straight to the exploitation stage.1Jun 18, 2026
Neo-reGeorgNeo-reGeorg webshells gave encrypted footholds on web servers, Chisel reverse tunnels carried traffic over HTTP and a compromised Cisco router was fitted with a GRE tunnel pointing back to the attackers, a network-level channel invisible to host-based defenses.1Jun 18, 2026
WEAPONIZED

Associated vulnerabilities

8 CVEs this actor has used in observed campaigns. 8 of them exploited in the wild.

CVE-2017-0144EternalBlue SMBv1 Remote Code ExecutionIn the wildEvidence1

Its reach went well beyond perimeter gear, with exploits for Apache Tomcat's GhostCat flaw, the Windows bugs EternalBlue and Zerologon and Log4Shell.

CVE-2020-1472Zerologon in Microsoft Netlogon Remote ProtocolIn the wildEvidence1

Its reach went well beyond perimeter gear, with exploits for Apache Tomcat's GhostCat flaw, the Windows bugs EternalBlue and Zerologon and Log4Shell.

CVE-2021-44228Log4ShellIn the wildEvidence1

Its reach went well beyond perimeter gear, with exploits for Apache Tomcat's GhostCat flaw, the Windows bugs EternalBlue and Zerologon and Log4Shell.

CVE-2022-42475FortiOS/FortiProxy SSL-VPN Heap-Based Buffer Overflow RCEIn the wildEvidence1

The group kept tuned exploits for Fortinet FortiOS SSL-VPN flaws, including CVE-2022-42475 and CVE-2024-21762, adapting public proof-of-concept (PoC) code so it would not crash the target.

CVE-2023-46805Authentication Bypass in Ivanti Connect Secure and Policy Secure Web ComponentIn the wildEvidence1

The group kept tuned exploits for ... Ivanti Connect Secure flaws CVE-2023-46805, CVE-2024-21887 and CVE-2025-0282, adapting public proof-of-concept (PoC) code so it would not crash the target.

3 more CVEs tied to this actor tracked in Mallory.

ACTIVITY FEED

Recent activity

No public activity tracked yet. Mallory keeps watching.

0 SOURCESView more in app

No public activity observed for this threat actor.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping8

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal3

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs8

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.