
Operation Escaneo: CloudSEK Exposes APT-Level Threat Against LATAM

Gabriel Ferraresi · CEO | Tech86 · July 4, 2026 · 4 min read

Tags: security, apt, latam, cloudsek, kimera, operation-escaneo, threat

Imagine finding the attacker's server completely exposed. The entire operational toolchain. Session logs. Credentials in plaintext. That is exactly what CloudSEK discovered in June 2026 when it identified Operation Escaneo. We analyzed the report and the signal is clear: the cyberthreat in Latin America has graduated from banking trojans to APT-level operations.

The open briefcase: staging server exposed on DigitalOcean

According to CloudSEK, a VPS on DigitalOcean (62.171.185.97) was functioning as the operation's staging server. Inside it, the complete toolchain: the custom reconnaissance framework Kimera (V1 and V2), an arsenal of 15 exploited CVEs, logs of 3,708 Chisel tunnel sessions, 407MB of BloodHound AD data, FortiGate dumps with VPN credentials in plaintext, SAP/Oracle exploitation scripts, credential cracking infrastructure, and reverse shell logs confirming active exploitation.

The attacker's briefcase, open. This is not a theoretical report — it is the mirror of an ongoing operation. According to CloudSEK, discovery and analysis occurred on June 17, 2026.

Kimera: a custom distributed reconnaissance framework

The technical anatomy is what sets this campaign apart. According to CloudSEK, Kimera is a distributed reconnaissance framework with an automated pipeline from discovery to exploitation. Subdomain enumeration combines 4 concurrent tools: dnsx at 200 threads, naabu at 5,000 pps, httpx fingerprinting, and automatic Nuclei scanning with XSS validation via dalfox.
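A pipeline running at those rates is noisy on the defender's side of the wire: a naabu-style sweep shows up as one source hitting hundreds of distinct ports within seconds, and dnsx-style subdomain enumeration shows up as a burst of NXDOMAIN answers for names under your own zone. The detector below is an added example written for this post, not code from CloudSEK or from Kimera; the firewall and DNS log lines are constructed in a simplified syslog-like form and scaled down from the rates quoted above, and the thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict

# Constructed sample logs (not from the CloudSEK report): one external host
# sweeping 300 ports in a few seconds and brute-forcing 250 hostnames under the
# organisation's zone, plus a little benign noise from a second client.
SAMPLE_FW = [f"ts={1000 + i // 50} src=198.51.100.7 dst=10.0.0.5 dport={i + 1} action=deny"
             for i in range(300)]
SAMPLE_FW += ["ts=1003 src=203.0.113.5 dst=10.0.0.5 dport=443 action=deny",
              "ts=1004 src=203.0.113.5 dst=10.0.0.5 dport=22 action=deny"]
SAMPLE_DNS = [f"ts={2000 + i // 100} client=198.51.100.7 qname=host{i}.example.com rcode=NXDOMAIN"
              for i in range(250)]
SAMPLE_DNS += ["ts=2001 client=203.0.113.5 qname=www.example.com rcode=NOERROR",
               "ts=2002 client=203.0.113.5 qname=typo.example.com rcode=NXDOMAIN"]

FW_RE = re.compile(r"ts=(\d+) src=(\S+) dst=\S+ dport=(\d+) action=deny")
DNS_RE = re.compile(r"ts=(\d+) client=(\S+) qname=(\S+) rcode=(\w+)")


def _fixed_windows(rows, window):
    """Group (ts, key, value) rows into {(key, ts // window): set(values)}."""
    buckets = defaultdict(set)
    for ts, key, value in rows:
        buckets[(key, ts // window)].add(value)
    return buckets


def port_sweeps(fw_lines, window=10, min_ports=100):
    """Sources that were denied on at least min_ports distinct ports within one window."""
    rows = []
    for line in fw_lines:
        m = FW_RE.match(line)
        if m:
            ts, src, dport = m.groups()
            rows.append((int(ts), src, int(dport)))
    return sorted({(src, len(ports)) for (src, _), ports in
                   _fixed_windows(rows, window).items() if len(ports) >= min_ports})


def subdomain_bruteforce(dns_lines, zone, window=10, min_nxdomain=100):
    """Clients that produced at least min_nxdomain distinct NXDOMAIN names under zone."""
    rows = []
    for line in dns_lines:
        m = DNS_RE.match(line)
        if not m:
            continue
        ts, client, qname, rcode = m.groups()
        if rcode == "NXDOMAIN" and qname.endswith("." + zone):
            rows.append((int(ts), client, qname))
    return sorted({(client, len(names)) for (client, _), names in
                   _fixed_windows(rows, window).items() if len(names) >= min_nxdomain})


if __name__ == "__main__":
    print("port sweeps:", port_sweeps(SAMPLE_FW))
    print("subdomain brute force:", subdomain_bruteforce(SAMPLE_DNS, "example.com"))
```

Fixed windows keyed on `ts // window` are deliberately simple; a production rule would use a sliding window and would also whitelist your own scanners. The value of the DNS check is that it works on the authoritative server's query log, where the enumeration is visible even when the scanner never touches your perimeter firewall.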

The significance for LATAM is clear. A regional actor is operating with state-level tradecraft, building custom frameworks instead of using commodity tools. This changes the risk calculus for any organization operating in the region.

The 15 CVEs: edge and legacy arsenal

According to CloudSEK, the exploited arsenal covers 15 CVEs: Fortinet (CVE-2022-42475, CVE-2023-27997, CVE-2024-21762), Ivanti chain (CVE-2023-46805 + CVE-2024-21887, CVE-2025-0282), GhostCat, Zerologon, PwnKit, SMBGhost, Log4Shell, VMware AirWatch, plus MS17-010 and MS08-067.

Most of these CVEs already have patches. The problem is inconsistent patching at the edge and on legacy appliances. MS17-010 and MS08-067 date from 2017 and 2008 — they still work because unpatched hosts still exist. Operation Escaneo does not rely on zero-days. It relies on hygiene.

Layered persistence: from webshell to router

According to CloudSEK, persistence is layered. Neo-reGeorg webshells with AES channels and a custom Base64 alphabet. Chisel reverse tunnels — 3,708 sessions logged. GRE tunnel in a Cisco router via TCL script injection in IOS-XE for network-level C2, bypassing host-based detection. AnyDesk and N-able as additional persistence.

Router-level persistence is particularly severe. It survives endpoint reinstalls. It falls outside the scope of traditional EDR tools. When the attacker establishes network-level C2, incident response needs to go beyond the endpoint.
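Because router-level persistence lives in the device configuration rather than on any endpoint, the practical check is a configuration audit: pull `show running-config` from every edge router and flag the three hooks the report describes, a Tcl script loaded at boot, an EEM applet that executes Tcl, and a GRE tunnel interface whose destination is not an approved peer. The script below is an added example for this post, not CloudSEK's or Cisco's code; the running-config text and the approved-peer list are constructed, and the config is parsed with the generic IOS convention of a top-level line followed by indented continuation lines.

```python
from dataclasses import dataclass

# Constructed IOS-XE running-config excerpt (not from the report): one legitimate
# site-to-site GRE tunnel, one tunnel to an unknown peer, a Tcl boot script and
# an EEM applet that periodically runs a Tcl file from flash.
SAMPLE_CONFIG = """\
!
hostname edge-rtr-01
!
scripting tcl init flash:/.hidden/init.tcl
!
interface Tunnel77
 ip address 10.254.254.2 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.10
!
interface Tunnel1
 description legit-site-to-site
 ip address 10.1.1.1 255.255.255.252
 tunnel source GigabitEthernet0/0/1
 tunnel destination 10.20.30.40
 tunnel mode gre ip
!
event manager applet keepalive
 event timer watchdog time 300
 action 1.0 cli command "enable"
 action 2.0 cli command "tclsh flash:/.hidden/beacon.tcl"
!
"""

# Approved site-to-site tunnel peers (constructed; take from your IPAM/CMDB).
KNOWN_TUNNEL_PEERS = {"10.20.30.40"}


@dataclass
class Finding:
    severity: str
    where: str
    detail: str


def parse_blocks(config: str):
    """Split an IOS config into (header, [body lines]) blocks: a top-level line
    followed by its indented continuation lines. Comment lines ('!') are skipped."""
    blocks, header, body = [], None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            body.append(raw.strip())
        else:
            if header is not None:
                blocks.append((header, body))
            header, body = raw.strip(), []
    if header is not None:
        blocks.append((header, body))
    return blocks


def audit_config(config: str, known_peers=KNOWN_TUNNEL_PEERS):
    """Return findings for Tcl boot scripts, EEM-driven Tcl execution and GRE tunnels
    to peers outside known_peers."""
    findings = []
    for header, body in parse_blocks(config):
        if header.startswith("scripting tcl init"):
            findings.append(Finding("high", header, "Tcl script loaded at boot"))
        if header.startswith("interface Tunnel"):
            # GRE over IP is the IOS default tunnel mode and is often not shown,
            # so a missing 'tunnel mode' line is treated as GRE.
            mode = next((l for l in body if l.startswith("tunnel mode")), "tunnel mode gre ip")
            dest = next((l.split()[-1] for l in body if l.startswith("tunnel destination")), None)
            if "gre" in mode and dest and dest not in known_peers:
                findings.append(Finding("high", header, f"GRE tunnel to unapproved peer {dest}"))
        if header.startswith("event manager applet"):
            for l in body:
                if l.startswith("action") and "tclsh" in l:
                    findings.append(Finding("medium", header, f"EEM action runs Tcl: {l}"))
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"[{f.severity}] {f.where}: {f.detail}")
```

Run it against a config archive rather than a single live pull, and diff consecutive archives: a tunnel interface or EEM applet that appears between two backups without a change ticket is the signal, regardless of whether its peer address happens to be on the allow-list.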

SAP/Oracle capability: enterprise application exploitation

According to CloudSEK, the attacker has documented SAP/Oracle exploitation capability. SAP RFC modules (SXPG_CALL_SYSTEM, SXPG_COMMAND_INSERT) for OS command execution via SAP ERP. Oracle DBMS_SCHEDULER with a UTL_FILE loop. PostgreSQL sys_eval for SSL private key exfiltration.

This is significant. SAP and Oracle are the core of finance, HR, and operations in large enterprises. Exploitation via legitimate RFC modules means the attacker abuses native functionality — no malware needed. The same principle as FortiBleed applied to enterprise applications.
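Since the abused modules are native, the control is audit coverage rather than antivirus: SAP's audit log has to record RFC calls to the SXPG modules, Oracle's audit trail has to capture `DBMS_SCHEDULER` and `UTL_FILE` use, and PostgreSQL statement logging has to be on. The rule set below is an added example for this post, not CloudSEK's detection content; the events are constructed in a simplified `ts source user=... key=value` form (real SAP, Oracle and PostgreSQL log formats differ and need their own parsers), and the allow-list of accounts permitted to call the OS-command RFC modules is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the report) in a simplified unified form.
SAMPLE_EVENTS = """\
2026-06-17T10:01:55 sap user=BATCH_OS func=SXPG_COMMAND_INSERT
2026-06-17T10:02:11 sap user=RFC_WEB func=SXPG_CALL_SYSTEM
2026-06-17T10:02:12 sap user=RFC_WEB func=RFC_PING
2026-06-17T10:03:01 oracle user=APPS_RO obj=DBMS_SCHEDULER.CREATE_JOB
2026-06-17T10:03:05 oracle user=APPS_RO obj=UTL_FILE.FOPEN
2026-06-17T10:03:09 oracle user=APPS_RO obj=UTL_FILE.GET_LINE
2026-06-17T10:04:00 postgres user=app stmt=SELECT sys_eval('id')
"""

# Accounts approved to call the OS-command RFC modules (constructed).
SXPG_ALLOWED = {"BATCH_OS"}
OS_CMD_RFC = {"SXPG_CALL_SYSTEM", "SXPG_COMMAND_INSERT"}
ORACLE_PAIR = {"DBMS_SCHEDULER", "UTL_FILE"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\w+) user=(?P<user>\S+) (?P<rest>.*)$")


def parse_event(line):
    """Parse one constructed event line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    key, _, val = ev.pop("rest").partition("=")
    ev[key] = val
    return ev


def detect(events_text):
    """Return (severity, user, reason) findings for the three abuse patterns."""
    findings = []
    oracle_seen = defaultdict(set)  # user -> packages touched
    oracle_flagged = set()
    for line in events_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        src, user = ev["src"], ev["user"]
        if src == "sap" and ev.get("func") in OS_CMD_RFC and user not in SXPG_ALLOWED:
            findings.append(("high", user, f"unapproved call to {ev['func']}"))
        elif src == "oracle":
            pkg = ev.get("obj", "").split(".")[0]
            if pkg in ORACLE_PAIR:
                oracle_seen[user].add(pkg)
                # Scheduler job creation combined with file I/O from the same
                # account is the loop pattern described above; flag once per user.
                if oracle_seen[user] >= ORACLE_PAIR and user not in oracle_flagged:
                    oracle_flagged.add(user)
                    findings.append(("high", user, "DBMS_SCHEDULER job plus UTL_FILE access"))
        elif src == "postgres" and "sys_eval(" in ev.get("stmt", ""):
            findings.append(("critical", user, "sys_eval() OS command execution"))
    return findings


if __name__ == "__main__":
    for sev, user, reason in detect(SAMPLE_EVENTS):
        print(f"[{sev}] {user}: {reason}")
```

The SAP rule is an allow-list on purpose: SXPG modules have legitimate batch users, so the finding is "who is not supposed to call this", not "this module was called". The PostgreSQL rule fires on `sys_eval` at all, because that function only exists when an OS-command extension has been loaded into the database.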

Exfiltration: 407MB of BloodHound and 1.3 million PII records

According to CloudSEK, documented exfiltration includes 407MB of BloodHound AD data, 1.3 million+ PII records from a transportation provider, FortiGate dumps, Kerberoast hashes, and browser credentials. The BloodHound volume indicates deep AD mapping for lateral movement. The 1.3 million PII records indicate financial crime in parallel.
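Kerberoast hashes and a 407MB BloodHound collection are both visible on the domain controllers before anything leaves the network. The classic Kerberoast signal is one account requesting service tickets for many distinct SPNs in a short window with RC4 encryption (type `0x17`), which is logged as Windows event 4769. The rule below is an added example written for this post, not CloudSEK's or Microsoft's code; the 4769 events are constructed and reduced to the four fields the rule needs, and the window and threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4769 events ("A Kerberos service ticket was requested"), reduced to
# (timestamp, requesting account, service name, ticket encryption type).
# Not from the report; a real feed comes from the DC Security log.
SAMPLE_4769 = [
    ("2026-06-17T09:00:01", "jdoe", "MSSQLSvc/db01.corp.example", "0x17"),
    ("2026-06-17T09:00:02", "jdoe", "MSSQLSvc/db02.corp.example", "0x17"),
    ("2026-06-17T09:00:02", "jdoe", "HTTP/intranet.corp.example", "0x17"),
    ("2026-06-17T09:00:03", "jdoe", "HTTP/reports.corp.example", "0x17"),
    ("2026-06-17T09:00:04", "jdoe", "CIFS/backup01.corp.example", "0x17"),
    ("2026-06-17T09:01:30", "jdoe", "exchangeMDB/mail01.corp.example", "0x17"),
    ("2026-06-17T09:00:05", "svc_app", "MSSQLSvc/db01.corp.example", "0x12"),
    ("2026-06-17T09:00:06", "svc_app", "MSSQLSvc/db02.corp.example", "0x12"),
    ("2026-06-17T09:10:00", "user03", "HTTP/intranet.corp.example", "0x17"),
    ("2026-06-17T09:20:00", "user03", "HTTP/reports.corp.example", "0x17"),
    ("2026-06-17T09:30:00", "user03", "CIFS/backup01.corp.example", "0x17"),
    ("2026-06-17T09:00:07", "wkst01$", "krbtgt", "0x17"),
    ("2026-06-17T09:00:08", "jdoe", "dc01$", "0x17"),
]


def detect_kerberoast(events, window=timedelta(minutes=5), threshold=5):
    """Return [(account, distinct_spns)] for accounts that requested RC4 (0x17)
    service tickets for at least `threshold` distinct SPNs within `window`.
    Machine accounts, machine-account SPNs and krbtgt are excluded as noise."""
    by_account = defaultdict(list)
    for ts, account, service, etype in events:
        if etype != "0x17":
            continue  # AES tickets are not what an offline cracker wants
        if account.endswith("$") or service.endswith("$") or service.lower().startswith("krbtgt"):
            continue
        by_account[account].append((datetime.fromisoformat(ts), service))

    alerts = []
    for account, reqs in by_account.items():
        reqs.sort()
        # Sliding window anchored at each request: count distinct SPNs that
        # fall within `window` after it; one alert per account is enough.
        for i, (t0, _) in enumerate(reqs):
            spns = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(spns) >= threshold:
                alerts.append((account, len(spns)))
                break
    return alerts


if __name__ == "__main__":
    print(detect_kerberoast(SAMPLE_4769))
```

Two tuning notes: service accounts that legitimately hold many SPNs will request them with AES if the domain is configured for it, so the `0x17` filter carries most of the precision; and a single account requesting tickets for every SPN in the forest is also the shape BloodHound's session and ACL collection leaves behind in LDAP logs, which is worth a companion rule on 389/636 query volume.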

Attribution: MexicanMafia/PanchoVilla at MEDIUM confidence

According to CloudSEK, attribution to MexicanMafia/PanchoVilla is MEDIUM confidence. Spanish regex patterns in credential collection scripts confirm a regional focus. The scope is Mexico primary, Ecuador secondary, and Portugal tertiary.

CloudSEK identifies hybrid objectives: financial crime and intelligence collection in parallel, possibly without central coordination. According to Koushik Pal, in an interview with Dark Reading, the simplest explanation is opportunistic monetization running parallel to intelligence collection.

Conclusion: LATAM has graduated to APT-level

We repeat: the cyberthreat in Latin America has graduated from banking trojans to APT-level operations. Custom frameworks. Router-level persistence. SAP/Oracle exploitation. State-level tradecraft from a regional actor. The exposed staging server was luck. The next campaign will not leave the briefcase open.

Every organization operating in Latin America needs to reassess its threat model. Now. At Tech86, we help companies audit exposure to edge CVEs, detect router persistence, review segmentation for Chisel tunnels and webshells, and reassess threat models assuming adversaries with APT capability — not just common criminals.


Frequently Asked Questions

Operation Escaneo is an APT campaign discovered by CloudSEK in June 2026 when a VPS on DigitalOcean (62.171.185.97) functioning as a staging server was found completely exposed. According to CloudSEK, the server contained the custom reconnaissance framework Kimera (V1 and V2), an arsenal of 15 exploited CVEs, logs of 3,708 Chisel tunnel sessions, 407MB of BloodHound AD data, FortiGate dumps with VPN credentials in plaintext, SAP/Oracle exploitation scripts, credential cracking infrastructure, and reverse shell logs confirming active exploitation.

According to CloudSEK, Kimera is a distributed reconnaissance framework with an automated pipeline from discovery to exploitation. It combines subdomain enumeration with 4 concurrent tools, dnsx at 200 threads, naabu at 5,000 pps, httpx fingerprinting, and automatic Nuclei scanning with XSS validation via dalfox. The significance for LATAM is clear: a regional actor is operating with state-level tradecraft, building custom frameworks instead of using commodity tools.

According to CloudSEK, the attacker injects TCL scripts into IOS-XE on Cisco routers to create network-level GRE tunnels, establishing a C2 channel that bypasses host-based detection. Router-level persistence is particularly severe because it survives endpoint reinstalls and falls outside the scope of traditional EDR tools. The attacker also uses Neo-reGeorg with AES channels and a custom Base64 alphabet, Chisel reverse tunnels, and AnyDesk/N-able.

According to CloudSEK, attribution to MexicanMafia/PanchoVilla is MEDIUM confidence. Spanish regex patterns in credential collection scripts confirm a regional focus. The scope is Mexico primary, Ecuador secondary, and Portugal tertiary. According to Koushik Pal, in an interview with Dark Reading, the simplest explanation is opportunistic monetization running parallel to intelligence collection. LATAM has graduated from banking trojans to APT-level operations.

According to CloudSEK, Operation Escaneo demonstrates that the cyberthreat in Latin America has graduated from banking trojans to APT-level operations. Custom frameworks, router-level persistence, SAP/Oracle exploitation — state-level tradecraft from a regional actor. The exposed staging server was luck. The next campaign will not leave the briefcase open. Every organization operating in LATAM needs to reassess its threat model now.
