MalwareUsed by 4 actorsExploits 6 CVEs

Kimera

Kimera is a proprietary distributed reconnaissance framework used in the multi-stage intrusion campaign Operation Escaneo, which CloudSEK attributed with medium confidence to the threat actor MexicanMafia, also known as PanchoVilla. It is described as a custom reconnaissance engine, including V1 and V2 variants, that performs high-speed parallelized target scanning, enumeration, triage, and automated handoff from vulnerability discovery to exploitation. Reported tooling integrated with or surrounding Kimera included common reconnaissance utilities such as subfinder, assetfinder, findomain, gobuster, dnsx, naabu, httpx, LinkFinder, whatweb, nuclei, and dalfox.

Within the reported campaign, Kimera supported targeting of internet-facing perimeter and enterprise systems across Latin America, primarily in Mexico, with additional activity in Ecuador and Portugal. The broader operation targeted government, tax authority, utilities, transportation, telecommunications, financial services, and other critical infrastructure organizations during 2025 to 2026. The exploitation pipeline associated with the campaign included vulnerabilities affecting Fortinet FortiOS SSL-VPN, Ivanti Connect Secure, Apache Tomcat GhostCat, Windows SMB services, Linux polkit, VMware AirWatch, and Log4j/Log4Shell. Specific CVEs mentioned in the reporting include CVE-2022-42475, CVE-2023-27997, CVE-2024-21762, CVE-2023-46805, CVE-2024-21887, CVE-2025-0282, CVE-2020-1938, CVE-2020-1472, CVE-2021-4034, CVE-2020-0796, MS17-010, and MS08-067.

Kimera was part of a larger intrusion stack that included Neo-reGeorg webshells, Chisel reverse tunnels, and persistent GRE tunnels on compromised Cisco routers for command and control and persistence. The associated actor operated across Windows and Linux environments and was reported to compromise SAP ERP, Oracle, PostgreSQL, and network infrastructure. Campaign objectives linked to the Kimera-enabled intrusion workflow included credential theft, Active Directory mapping, theft of cryptographic material including SSL private keys, and large-scale exfiltration of personal and enterprise data. High-confidence indicators directly mentioned alongside the campaign include staging infrastructure at 62.171.185.97, a secondary relay at 165.22.184.26, and a possible secondary C2 at 185.65.245.10:7227.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

EXPLOITED CVES

Vulnerabilities exploited

6 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

6 CVES

CVE-2024-21887Command Injection in Ivanti Connect Secure and Policy Secure Web Components

All of it was fed by a custom reconnaissance engine the group calls Kimera, which CloudSEK said scanned and triaged targets at high speed, then handed them straight to the exploitation stage.

via infosecurity magazineinfosecurity-magazine.com

CVE-2023-46805Authentication Bypass in Ivanti Connect Secure and Policy Secure Web Component

All of it was fed by a custom reconnaissance engine the group calls Kimera, which CloudSEK said scanned and triaged targets at high speed, then handed them straight to the exploitation stage.

via infosecurity magazineinfosecurity-magazine.com

CVE-2024-21762Fortinet FortiOS/FortiProxy SSL-VPN Out-of-Bounds Write RCE

All of it was fed by a custom reconnaissance engine the group calls Kimera, which CloudSEK said scanned and triaged targets at high speed, then handed them straight to the exploitation stage.

via infosecurity magazineinfosecurity-magazine.com

CVE-2022-42475FortiOS/FortiProxy SSL-VPN Heap-Based Buffer Overflow RCE

All of it was fed by a custom reconnaissance engine the group calls Kimera, which CloudSEK said scanned and triaged targets at high speed, then handed them straight to the exploitation stage.

via infosecurity magazineinfosecurity-magazine.com

CVE-2021-44228Log4Shell

All of it was fed by a custom reconnaissance engine the group calls Kimera, which CloudSEK said scanned and triaged targets at high speed, then handed them straight to the exploitation stage.

via infosecurity magazineinfosecurity-magazine.com

CVE-2025-0282Unauthenticated RCE in Ivanti Connect Secure, Policy Secure, and Neurons for ZTA Gateway

All of it was fed by a custom reconnaissance engine the group calls Kimera, which CloudSEK said scanned and triaged targets at high speed, then handed them straight to the exploitation stage.

via infosecurity magazineinfosecurity-magazine.com

THREAT ACTORS

Groups observed using it

4 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

PanchoVilla

Tooling including proprietary reconnaissance engine Kimera; a "curated exploit armory" targeting popular perimeter devices such as those from Fortinet, Ivanti, and Cisco; portable lateral movement toolkits; and "layered command-and-control infrastructure using Neo-reGeorg webshells, Chisel reverse tunnels, and compromised Cisco routers with persistent GRE tunnels," researchers said.

via dark readingdarkreading.com

MexicanMafia

via dark readingdarkreading.com

Mexican Mafia

All of it was fed by a custom reconnaissance engine the group calls Kimera, which CloudSEK said scanned and triaged targets at high speed, then handed them straight to the exploitation stage.

via infosecurity magazineinfosecurity-magazine.com

Pancho Villa

All of it was fed by a custom reconnaissance engine the group calls Kimera, which CloudSEK said scanned and triaged targets at high speed, then handed them straight to the exploitation stage.

via infosecurity magazineinfosecurity-magazine.com

MITRE ATT&CK

Techniques & procedures

6 distinct techniques documented for this family, organized by ATT&CK tactic.

Reconnaissance

3 techniques

T1595Active ScanningEvidence1

All of it was fed by a custom reconnaissance engine the group calls Kimera, which CloudSEK said scanned and triaged targets at high speed, then handed them straight to the exploitation stage.

T1595.001Scanning IP BlocksEvidence1

High-velocity subdomain enumeration via subfinder, assetfinder, findomain and gobuster with 50 threads; dnsx with 200 threads; naabu port scanning at 5,000 pps against government and aviation targets.

T1595.002Vulnerability ScanningEvidence1

Nuclei fed all discovered URLs, scanning all CVE severity levels; dalfox automated XSS hunting; GeoServer WFS endpoint probing.

Resource Development

1 technique

T1587.001MalwareEvidence1

Custom Kimera V1/V2 distributed reconnaissance framework; Xortigate exploit variants; custom SMB protocol handlers ( mysmb.py ); ZipSlip webshell dropper ( mkzip34.py ).

Initial Access

1 technique

T1190Exploit Public-Facing ApplicationEvidence2

After using Kimera for reconnaissance, MexicanMafia exploits a range of popular vulnarabilities to gain initial access. These include FortiGate SSL-VPN vulnerabilities CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762, as well as the CVE-2023-46805/CVE-2024-21887 Ivanti Connect Secure authentication bypass and command injection chain. The group also exploits Apache Tomcat AJP connectors via the GhostCat vulnerability, CVE-2020-1938.

Collection

1 technique

T1119Automated CollectionEvidence1

dump_batch.sh iterating through Oracle tables in 100,000-row increments; SAP XML bulk-credential extraction; Kimera automated pipeline from discovery to exploitation triage.

INDICATORS OF COMPROMISE

IOCs tracked for this family

3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app

Network

3 tracked

IPs, domains, and DNS infrastructure linked to this family.

TypeValueLatest sighting

domain●●●●●●●●●●●●View more in app11 days ago

ip.v4●●●●●●●●●●●●View more in app11 days ago

domain●●●●●●●●●●●●View more in app11 days ago

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app

infosecurity magazineNews

Jun 18, 2026

LATAM Infrastructure Hit by Fortinet and Ivanti Exploits - Infosecurity Magazine

A custom reconnaissance engine used to scan and triage targets rapidly before passing them to exploitation workflows.

dark readingNews

Jun 18, 2026

Operation Escaneo Signals Shift in LatAm Threat Landscape

A proprietary reconnaissance engine used by the MexicanMafia/PanchoVilla threat actor during Operation Escaneo for automated reconnaissance prior to exploitation and follow-on intrusion activity.

cloudsekNews

Jun 17, 2026

Operation Escaneo: Infrastructure Exposure, TTP Analysis, and Attribution Assessment of an Advanced Intrusion Campaign Against Mexican Federal Agencies and Financial Institutions | CloudSEK

A custom distributed reconnaissance framework used to automate subdomain enumeration, port scanning, vulnerability scanning, XSS validation, screenshotting, JavaScript endpoint extraction, and triage from discovery to exploitation.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching3

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution4

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities6

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping6

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.