
Executive Summary

This report documents a coordinated, multi-stage campaign run by a threat actor targeting critical infrastructure across Latin America. Artifacts from the threat actor's staging server reveal a sophisticated operational toolchain spanning all phases of the MITRE ATT&CK framework, from automated reconnaissance through data exfiltration. The campaign is characterised by a proprietary distributed reconnaissance engine (Kimera), a curated exploit armory targeting enterprise perimeter devices (Fortinet, Ivanti, Cisco), portable lateral movement toolkits, and layered command-and-control infrastructure using Neo-reGeorg webshells, Chisel reverse tunnels, and compromised Cisco routers with persistent GRE tunnels.

The threat actor demonstrated capability to operate across Windows and Linux environments, compromise SAP ERP and Oracle database systems for command execution, extract cryptographic material and Active Directory datasets, and maintain long-dwell access through multiple redundant persistence mechanisms. Based on the available information, we have attributed this campaign with medium confidence to MexicanMafia aka PanchoVilla.

Background

Known/Claimed Attacks by Pancho Villa

1. Oaxaca State Police (Secretaría de Seguridad y Protección Ciudadana) — March 2024: Pancho Villa posted on Breach Forums claiming to have exfiltrated 2,935,021 lines of data spanning 2007–2024, totalling over 800MB. The data included names of detained individuals, personal data, and police officer credentials. When the state government denied the breach, Pancho Villa defaced the official Oaxaca government website in the early hours of April 3, 2024, inserting the group's image as proof — where it remained visible until at least 8am that day.

2. "Chilango Leaks" — Mexico City Government (CDMX) — April 2024: Mexican Mafia released 20GB of what they called "Chilango Leaks," which included approximately 2.1 million private emails from over 2,000 CDMX public servant accounts across agencies ranging from the Secretaría de Obras y Servicios to the DIF.

3. UNAM — Instituto de Investigaciones en Matemáticas Aplicadas y en Sistemas (IIMAS) — early 2024: Member "Lord Peña" obtained 2.3 million files from UNAM's IIMAS, including banking data, for which he asked $500.

4. UNAM — Instituto de Investigaciones Filológicas (IIFL) — April 2024: Member "Dyce" hacked UNAM's IIFL and put up for sale a 29GB database claiming to contain network credentials, full names, images, and access keys.

5. SAT (Tax Authority) — Vulnerabilities Disclosed — March/April 2024: Lord Peña disclosed at least three vulnerabilities in the SAT website during the annual personal income tax filing period in 2024.

6. ORFIS Veracruz (Órgano de Fiscalización Superior) — March 2024: Lord Peña listed access to ORFIS internal servers on Breach Forums for $1,500.

7. Estado de México Government — March 2024: Member "Buda" put up for sale a database of subdomains from the State of Mexico government.

8. Quálitas Insurance — June 2024: Pancho Villa claimed to hold 300,000 lines of Quálitas Mexico customer data including names, phone numbers, addresses, and insurance types, offered for sale at $400.

9. PEMEX — July 2024: Mexican Mafia breached servers contracted by PEMEX and obtained over 50 databases with 11,000 records including employee contracts, names, email addresses, and payroll data. The data was initially listed at $1,000, then raised to $2,000 to, as Pancho Villa stated, "push away intelligence researchers."

10. Poder Judicial de la Ciudad de México (PJCDMX) — August 2024: Mexican Mafia compromised the Mexico City Supreme Court, offering 300,000+ user credentials from their appointments and case management system (SICOR/OPC), covering data from 2017 to 2024 including pension claims, legal filings, actuarial assignments, and payment receipts. After a 72-hour ultimatum expired without a sale, they published source code and credentials of 162,439 users, including accounts from UNAM (1,192), IMSS, ISSSTE, SEP, and the FGR. Pancho Villa said the breach took "10 to 15 minutes" due to unpatched legacy systems.

11. Tribunal Superior de Justicia de Oaxaca — October 2024: Mexican Mafia claimed access to over 30 terabytes of data from the Oaxaca Superior Court, including videos of court proceedings that exposed the identities of those involved in legal cases. Pancho Villa framed this as a protest against government neglect of indigenous communities.

Important caveats:

  • The 2025–2026 AI-assisted breach of Mexican government agencies (Gambit Security report) was not attributed to Mexican Mafia, but based on the overlaps, it can be ascertained with high confidence that the threat actor we analyzed is following in the same footsteps.
  • Some claims (especially database sizes) have been disputed or denied by affected institutions, though in several cases (Oaxaca defacement, PJCDMX source code leak) independent verification was possible.

Analysis

In early 2026, during routine malicious-infrastructure discovery, CloudSEK identified an open directory hosted on 62.171.185[.]97.

Based on the artifacts obtained from the server, we were able to comprehensively map the threat actor's capabilities.

Attribute         | Detail
Activity Period   | 2025–2026
Primary Sectors   | Government, Tax Authority, Utilities, Transportation, Telecommunications, Financial Services
Geographic Focus  | Latin America (Mexico primary; Ecuador secondary; Portugal tertiary)
Confirmed Victims | Multiple (RCE beacons from ≥5 distinct victim IPs; 407 MB AD dataset exfiltrated; over 1.3 million PII records extracted)
Confidence Level  | High — based on direct artifact analysis from the threat actor's staging server

1. Threat Actor Categorization

The threat actor exhibits TTPs consistent with a well-resourced, operationally disciplined group with established infrastructure and custom tooling development capability. The following characteristics are assessed with high confidence from artifact analysis.

1.1 Operational Maturity Indicators

  • Maintains a proprietary distributed reconnaissance framework (Kimera) with parallelised enumeration and automated vulnerability-to-exploitation pipeline
  • Operates a centralised exploit armory with stable, operationally-tested CVE implementations — including custom variants of public PoCs modified to prevent target crashes
  • Conducts on-premise credential cracking on operational infrastructure to avoid exfiltrating encrypted hashes over the internet (OPSEC-aware)
  • Implements per-target proxychains configurations with creation timestamps and operator comments, indicating structured operational documentation
  • Demonstrated capability to compromise network-layer infrastructure (Cisco routers, FortiGate VPNs) in addition to host-level systems
  • Active campaign duration of at least 13 days confirmed by Chisel session logs (3,708 sessions processed)

1.2 Geographic and Sectoral Focus

  • Primary targeting of LATAM government ministries, tax authorities, and utility providers
  • Spanish-language regex patterns in credential harvesting scripts confirm regional operational focus
  • Secondary targeting of telecommunications and aviation infrastructure for network-level access
  • Tertiary activity against a European financial institution (confirmed via Chisel reverse tunnel pivot)

1.3 Motivations Assessment

  • Data theft and PII aggregation at scale (>1.3M records extracted from a single transportation provider)
  • Credential and cryptographic material theft enabling impersonation and traffic decryption
  • Active Directory mapping for sustained long-term persistence beyond credential rotation
  • Financial exploitation via compromised procurement workflows and e-commerce platform API key theft
  • Strategic espionage potential through compromise of tax authority SSL private keys and MDM infrastructure

2. MITRE ATT&CK Mapping

The following table maps all observed techniques to the MITRE ATT&CK Enterprise framework v15. Each row reflects direct artifact evidence from the threat actor's staging server.

Koushik Pal, Threat Researcher at CloudSEK, specializing in digital forensics, incident response, and adversary hunting to uncover attacker motives, methods, and operations.