A coordinated campaign against government and financial targets across Latin America has been laid bare by the attackers' own mistake, after they left a staging server exposed online.
Operation Escaneo: A Shift in the Threat Landscape
The operation, uncovered through an exposed attacker server, targeted government, financial, and critical infrastructure organizations across Mexico, with smaller activity in Ecuador and Portugal. Researchers say the operation reflects a shift in the region, where threat actors are increasingly combining opportunistic motives with sophisticated tooling.
CloudSEK's analysis of the campaign, which it named Operation Escaneo, revealed that the attackers relied heavily on internet-facing vulnerabilities to gain entry. The group kept tuned exploits for Fortinet FortiOS SSL-VPN flaws, including CVE-2022-42475 and CVE-2024-21762, and Ivanti Connect Secure flaws CVE-2023-46805, CVE-2024-21887 and CVE-2025-0282, adapting public proof-of-concept (PoC) code so it would not crash the target.
Background and Context
The threat group's curious business model may combine opportunistic monetization with intelligence collection, without much coordination between the two. This is a departure from traditional threat actor models, in which either financial gain or espionage is the primary objective.
Operation Escaneo's tactics, techniques, and procedures (TTPs) suggest that the group has adopted a more flexible and adaptable approach to intrusion, using multiple layers of persistence and control. CloudSEK's findings describe Neo-reGeorg webshells, Chisel reverse tunnels, and even a compromised Cisco router configured with a GRE tunnel to maintain access.
The use of custom reconnaissance engines, such as Kimera, also indicates that the group has invested in developing sophisticated tools to scan and triage targets at high speed. This level of tradecraft suggests that regional attackers are moving closer to APT-level capability, with the potential to disrupt operations far beyond the initial breach.
Why it Matters to the Industry
The Operation Escaneo campaign serves as a warning sign for Latin America's cybersecurity ecosystem. The scale and tradecraft of the operation demonstrate that financially motivated attackers are adopting more advanced intrusion methods, making defense more difficult.
The use of internet-facing vulnerabilities and custom reconnaissance engines highlights the importance of patching perimeter appliances and monitoring for unusual tunneling activity. Limiting the spread of privileged credentials is also crucial in preventing lateral movement and further compromise.
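As an added illustration of the monitoring advice above (example code written for this article, not CloudSEK's tooling or anything recovered from the attackers' server), the script below flags two of the access patterns the report describes: GRE tunnels (IP protocol 47) whose far end is not an approved peer, and long-lived outbound TCP sessions of the kind a Chisel-style reverse tunnel produces. It also audits an IOS-style router configuration for Tunnel interfaces pointing at unapproved destinations. The flow records, the router configuration, the allowlist and the thresholds are all constructed sample values.

```python
"""Flag unusual tunneling activity in flow records and a router config.

Added example for this article; not the campaign's tooling or any vendor's
product. All data below (flows, config, allowlist, thresholds) is constructed.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical allowlist: GRE peers the network team actually provisioned.
APPROVED_TUNNEL_PEERS = {"198.51.100.5"}

GRE_PROTOCOL_NUMBER = 47
TCP_PROTOCOL_NUMBER = 6
LONG_SESSION_SECONDS = 6 * 3600  # assumption: outbound TCP alive > 6 h is unusual here

# RFC 1918 ranges checked explicitly (ipaddress.is_private would also match
# the 198.51.100.0/24 and 203.0.113.0/24 documentation nets used as samples).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Flow:
    src: str
    dst: str
    proto: int
    dport: int
    duration: int   # seconds the flow was observed
    bytes_out: int


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_flow(line: str) -> Flow:
    """Parse a constructed flow line: 'src dst proto dport duration bytes'."""
    src, dst, proto, dport, duration, nbytes = line.split()
    return Flow(src, dst, int(proto), int(dport), int(duration), int(nbytes))


def find_suspicious_flows(lines):
    """Return (reason, src, dst) tuples for GRE to unapproved peers and
    long-lived outbound TCP sessions from internal hosts."""
    alerts = []
    for line in lines:
        f = parse_flow(line)
        if f.proto == GRE_PROTOCOL_NUMBER and f.dst not in APPROVED_TUNNEL_PEERS:
            alerts.append(("gre_to_unapproved_peer", f.src, f.dst))
        elif (f.proto == TCP_PROTOCOL_NUMBER and is_internal(f.src)
              and not is_internal(f.dst) and f.duration >= LONG_SESSION_SECONDS):
            alerts.append(("long_lived_outbound_tcp", f.src, f.dst))
    return alerts


def audit_gre_tunnels(config_text: str):
    """Return (interface, destination) for Tunnel interfaces whose
    'tunnel destination' is not in the approved peer list."""
    findings = []
    iface, dest = None, None
    for line in config_text.splitlines() + ["!"]:   # trailing "!" closes the last block
        if line.startswith(" ") and iface:
            if line.strip().startswith("tunnel destination "):
                dest = line.split()[-1]
            continue
        # Any non-indented line ends the previous interface block.
        if iface and iface.startswith("Tunnel") and dest and dest not in APPROVED_TUNNEL_PEERS:
            findings.append((iface, dest))
        iface = line.split(" ", 1)[1] if line.startswith("interface ") else None
        dest = None
    return findings


# Constructed flow records: src dst proto dport duration bytes
SAMPLE_FLOWS = [
    "10.20.1.5 198.51.100.5 47 0 3600 9000000",     # GRE to approved peer: quiet
    "10.20.1.5 203.0.113.77 47 0 7200 120000000",   # GRE to unknown peer: alert
    "10.20.4.12 203.0.113.9 6 443 31000 5400000",   # ~8.6 h outbound TCP: alert
    "10.20.4.12 203.0.113.20 6 443 120 40000",      # ordinary short HTTPS: quiet
    "198.51.100.30 10.20.1.5 6 443 50000 1000",     # inbound, not internal src: quiet
]

# Constructed IOS-style configuration with one approved and one unapproved tunnel.
SAMPLE_CONFIG = """hostname edge-rtr-01
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.5
 tunnel mode gre ip
!
interface Tunnel99
 ip address 10.255.9.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.77
 tunnel mode gre ip
!
interface GigabitEthernet0/0
 ip address 192.0.2.10 255.255.255.0
!"""

if __name__ == "__main__":
    for alert in find_suspicious_flows(SAMPLE_FLOWS):
        print("FLOW ALERT:", *alert)
    for iface, dest in audit_gre_tunnels(SAMPLE_CONFIG):
        print("CONFIG FINDING:", iface, "-> unapproved destination", dest)
```

The allowlist is the important part: GRE is legitimate on most enterprise edges, so the check is for tunnels whose far end nobody provisioned, not for GRE itself. The session-length threshold is a starting point to tune against the organisation's own baseline of outbound connection durations.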
What Comes Next
The Operation Escaneo campaign underscores the need for regional defenders to prioritize cybersecurity measures, including patching, monitoring, and credential management. The use of custom reconnaissance engines and multiple layers of persistence and control also emphasizes the importance of staying ahead of emerging threats through continuous monitoring and threat intelligence sharing.
Key Facts
- The Operation Escaneo campaign targeted government, financial, and critical infrastructure organizations across Mexico, with smaller activity in Ecuador and Portugal.
- The attackers relied heavily on internet-facing vulnerabilities to gain entry, including Fortinet FortiOS SSL-VPN and Ivanti Connect Secure flaws.
- CloudSEK's analysis revealed the use of custom reconnaissance engines, such as Kimera, to scan and triage targets at high speed.
- The group used multiple layers of persistence and control, including Neo-reGeorg webshells, Chisel reverse tunnels, and a compromised Cisco router configured with a GRE tunnel.
- The operation resulted in large-scale theft of sensitive data, including personal records, Active Directory maps, SSL private keys, SAP service-account hashes, and browser-stored passwords.