Imagine finding the attacker's server completely exposed. The entire operational toolchain. Session logs. Credentials in plaintext. That is exactly what CloudSEK discovered in June 2026 when it identified Operation Escaneo. We analyzed the report and the signal is clear: the cyber threat in Latin America has graduated from banking trojans to APT-level operations.
The open briefcase: staging server exposed on DigitalOcean
According to CloudSEK, a VPS on DigitalOcean (62.171.185.97) was functioning as the operation's staging server. Inside it was the complete toolchain: the custom reconnaissance framework Kimera (V1 and V2), an arsenal of 15 exploited CVEs, logs of 3,708 Chisel tunnel sessions, 407MB of BloodHound AD data, FortiGate dumps with VPN credentials in plaintext, SAP/Oracle exploitation scripts, credential cracking infrastructure, and reverse shell logs confirming active exploitation.
The attacker's briefcase, open. This is not a theoretical report; it is the mirror of an ongoing operation. According to CloudSEK, discovery and analysis occurred on June 17, 2026.
Kimera: a custom distributed reconnaissance framework
The technical anatomy is what sets this campaign apart. According to CloudSEK, Kimera is a distributed reconnaissance framework with an automated pipeline from discovery to exploitation. Subdomain enumeration combines 4 concurrent tools: dnsx at 200 threads, naabu at 5,000 pps, httpx fingerprinting, and automatic Nuclei scanning with XSS validation via dalfox.
The significance for LATAM is clear. A regional actor is operating with state-level tradecraft, building custom frameworks instead of using commodity tools. This changes the risk calculus for any organization operating in the region.
The 15 CVEs: edge and legacy arsenal
According to CloudSEK, the exploited arsenal covers 15 CVEs: Fortinet (CVE-2022-42475, CVE-2023-27997, CVE-2024-21762), Ivanti chain (CVE-2023-46805 + CVE-2024-21887, CVE-2025-0282), GhostCat, Zerologon, PwnKit, SMBGhost, Log4Shell, VMware AirWatch, plus MS17-010 and MS08-067.
Most of these CVEs already have patches. The problem is inconsistent patching at the edge and on legacy appliances. MS17-010 and MS08-067 date from 2017 and 2008; they still work because unpatched hosts still exist. Operation Escaneo does not rely on zero-days. It relies on gaps in patch hygiene.
Layered persistence: from webshell to router
According to CloudSEK, persistence is layered. Neo-reGeorg webshells with AES channels and a custom Base64 alphabet. Chisel reverse tunnels (3,708 sessions logged). A GRE tunnel on a Cisco router, established via TCL script injection in IOS-XE, providing network-level C2 that bypasses host-based detection. AnyDesk and N-able as additional persistence.
Router-level persistence is particularly severe. It survives endpoint reinstalls. It falls outside the scope of traditional EDR tools. When the attacker establishes network-level C2, incident response needs to go beyond the endpoint.
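One way to surface the router-level layer described above is to audit the IOS-XE running-config for GRE tunnel interfaces and TCL execution hooks. The script below is an added example written for this article (not CloudSEK's tooling and not the actor's), and the sample configuration it parses is constructed, not captured from any incident.

```python
"""Flag IOS-XE running-config entries that can carry router-level persistence:
GRE tunnel interfaces, TCL scripts loaded at boot, and EEM applets that run tclsh.
Added example for this article; the config below is constructed, not real."""
import re

# Constructed sample config: a boot-time TCL script, a GRE tunnel to an
# external address, and an EEM applet that re-runs the script on a timer.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
scripting tcl init flash:/update.tcl
!
interface Tunnel100
 ip address 172.16.99.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.50
 tunnel mode gre ip
!
event manager applet KEEPALIVE
 event timer watchdog time 300
 action 1.0 cli command "tclsh flash:/update.tcl"
!
end
"""

def parse_blocks(config):
    """Split a running-config into (header, [indented sub-lines]) sections."""
    blocks, header, body = [], None, []
    for line in config.splitlines():
        if line.startswith(" ") and header is not None:
            body.append(line.strip())          # sub-command of the current block
        else:
            if header is not None:
                blocks.append((header, body))
            header, body = line.strip(), []
    if header is not None:
        blocks.append((header, body))
    return blocks

def find_persistence_indicators(config):
    """Return (kind, detail) tuples; compare against an allow-list of known tunnels."""
    findings = []
    for header, body in parse_blocks(config):
        if header.startswith("scripting tcl init"):
            findings.append(("tcl-boot-script", header))
        elif header.startswith("interface Tunnel") and any(b.startswith("tunnel mode gre") for b in body):
            dest = next((b.split()[-1] for b in body if b.startswith("tunnel destination")), "?")
            findings.append(("gre-tunnel", f"{header} -> {dest}"))
        elif header.startswith("event manager applet") and any(re.search(r"\btclsh\b", b) for b in body):
            findings.append(("eem-tclsh", header))
    return findings
```

Run it against `show running-config` output collected out-of-band and diff the findings against the tunnels and EEM policies your network team actually approved.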
SAP/Oracle capability: enterprise application exploitation
According to CloudSEK, the attacker has documented SAP/Oracle exploitation capability. SAP RFC modules (SXPG_CALL_SYSTEM, SXPG_COMMAND_INSERT) for OS command execution via SAP ERP. Oracle DBMS_SCHEDULER with a UTL_FILE loop. PostgreSQL sys_eval for SSL private key exfiltration.
This is significant. SAP and Oracle are the core of finance, HR, and operations in large enterprises. Exploitation via legitimate RFC modules means the attacker abuses native functionality, with no malware needed. It is the same principle as FortiBleed, applied to enterprise applications.
Exfiltration: 407MB of BloodHound and 1.3 million PII records
According to CloudSEK, documented exfiltration includes 407MB of BloodHound AD data, 1.3 million+ PII records from a transportation provider, FortiGate dumps, Kerberoast hashes, and browser credentials. The BloodHound volume indicates deep AD mapping for lateral movement. The 1.3 million PII records indicate financial crime in parallel.
Attribution: MexicanMafia/PanchoVilla at MEDIUM confidence
According to CloudSEK, attribution to MexicanMafia/PanchoVilla is MEDIUM confidence. Spanish regex patterns in credential collection scripts confirm a regional focus. The scope is Mexico primary, Ecuador secondary, and Portugal tertiary.
CloudSEK identifies hybrid objectives: financial crime and intelligence collection in parallel, possibly without central coordination. According to Koushik Pal, in an interview with Dark Reading, the simplest explanation is opportunistic monetization running parallel to intelligence collection.
Conclusion: LATAM has graduated to APT-level
We repeat: the cyber threat in Latin America has graduated from banking trojans to APT-level operations. Custom frameworks. Router-level persistence. SAP/Oracle exploitation. State-level tradecraft from a regional actor. The exposed staging server was luck. The next campaign will not leave the briefcase open.
Every organization operating in Latin America needs to reassess its threat model. Now. At Tech86, we help companies audit exposure to edge CVEs, detect router persistence, review segmentation for Chisel tunnels and webshells, and reassess threat models assuming adversaries with APT capability, not just common criminals.