Navigating the Complex Cyber Threat Landscape in Mexico: A CISO's Perspective
As global business leaders increasingly leverage Mexico's growing digital economy and strategic supply chain position, we must remain acutely aware of the evolving cyber threats both targeting and originating in this region. The Mexican cyber landscape is uniquely challenging because of rapid digitization, substantial cybersecurity skill shortages, a fragmented regulatory environment, and strategic geopolitical positioning. Notably, Mexico endured an estimated 45 billion cyberattack attempts in 2024 and is on pace to exceed that figure in 2025. This represents approximately 60% of all attacks in Latin America, making it the region's primary battleground.
In this briefing, I provide a concise yet comprehensive overview of key threat actors operating in Mexico, their motivations, tactics, and strategic implications for organizations and security leadership.
The Threat Actors Defining Mexico's Cybersecurity Risk
Greedy Sponge
Active since 2021, Greedy Sponge exemplifies the persistent, financially motivated threats targeting Mexican businesses. Relying on Spanish-language spear-phishing and modified open-source malware, its run of successes from 2021 to 2024 exposed the systemic gaps that more advanced actors now exploit. It is a useful case study in how a permissive environment lets even moderately skilled groups thrive.
FIN13 (Elephant Beetle)
A more sophisticated financial actor, FIN13 has operated in Mexico since 2016. Known for exceptionally long dwell times (more than two years in some intrusions), it gains entry to financial, retail, and hospitality organizations by exploiting vulnerabilities in legacy, often unpatched Java web applications. Its quiet operations, built on custom tooling and fraudulent transactions kept small enough to blend into normal business traffic, reflect a calculated approach to large-scale financial fraud.
Sophisticated Banking Trojans (Grandoreiro, Mekotio, etc.)
A persistent plague on the financial sector, these veteran Delphi-based trojans continue to evolve. They use hyper-localized phishing lures (impersonating the SAT tax authority and the CFE electricity utility) and overlay windows that mimic the login pages of more than 40 Mexican banks to capture credentials and push fraudulent transfers, and they often spread further by sending lures from the email accounts of victims they have already compromised.
Ransomware Cartels & Access Brokers (e.g., LockBit 3.0, ALPHV affiliates)
Affiliates of RaaS programs such as LockBit 3.0 and the now-defunct ALPHV/BlackCat are systematically targeting Mexico's manufacturing, logistics, and healthcare sectors, where supply chain dependencies raise the pressure to pay. On darknet forums such as Exploit and XSS, Initial Access Brokers (IABs) are regularly seen selling verified remote access (RDP or VPN credentials) to Mexican corporations for as little as USD 1,500, providing a steady stream of victims for ransomware gangs and data thieves. The practical check for defenders is simple: any RDP or VPN endpoint reachable from the internet without phishing-resistant MFA is exactly the inventory these brokers are selling.
Goldoson/GoldPickaxe.Android
Mobile malware first seen in Asia has been adapted for Mexico. Typically distributed outside official app stores, it masquerades as government or banking applications and uses social engineering to talk victims into enabling Accessibility Services for the app. That permission lets the malware read screen content, inject taps, and grant itself further permissions, giving it effective control of the device: it can capture credentials, intercept SMS (including 2FA codes), and exfiltrate data from other applications. The tell, for users and mobile security teams alike, is an app installed from a link rather than Google Play that asks for Accessibility access.
Guacamaya
This politically motivated hacktivist group gained notoriety through high-impact data leaks. The fallout from its 2022 'Fuerzas Represivas' leak of Mexican defence ministry emails continues to generate significant reputational and political damage, demonstrating the long-tail risk of hack-and-leak operations. The incident remains the benchmark for data-driven ideological attacks in the region.
Cartel-Affiliated Cyber Operations
Perhaps most concerning is the convergence of digital and physical threats represented by cartel-linked cyber operations. Groups such as CyberCartel and CJNG have leveraged Malware-as-a-Service models, phishing lures imitating tax authorities, deepfake scams, and cryptocurrency laundering to extend their criminal enterprises. Security bulletins from mid-2025 report CJNG-linked cells using AI-powered voice cloning for CEO fraud: they target the finance departments of mid-sized companies, calling from a spoofed phone number with a deepfaked voice of the CEO to authorize urgent, fraudulent wire transfers. No amount of voice realism defeats a process control, so an out-of-band callback to a known number and dual approval for any new or changed payment instruction should be mandatory. This hybrid threat also necessitates a coordinated security approach integrating cyber and physical security measures.
Strategic Recommendations for CISOs
- Adopt Proactive Threat Hunting: Traditional detection methods often fail against persistent actors like FIN13. Proactive hunting programs focusing on unusual behaviours, lateral movements, and hidden persistence mechanisms are critical.
- Strengthen Identity and Access Controls: Given prevalent credential theft, implement phishing-resistant multi-factor authentication and stringent privileged access management.
- Enhance Supply Chain Security: Mexico's integration into global supply chains requires rigorous third-party risk assessments, penetration testing, and adoption of Zero Trust frameworks.
- Integrate Intelligence-Led Security Programs: Leverage region-specific threat intelligence to anticipate and respond effectively to emerging threats.
- Prepare for Hack-and-Leak Incidents: Develop comprehensive incident response playbooks specifically for managing data leaks, addressing both operational and reputational risks swiftly and transparently.
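As an added illustration of the proactive hunting recommended above (example code written for this briefing, not tooling from the original post or from any vendor named here), the following Python runs three hunts over a constructed set of Windows Security events: a fan-out check for one source host touching many targets in a short window (lateral movement), an off-hours check on scheduled-task and service creation (persistence), and a check for service accounts authenticating from user workstations. The host names, account names, naming prefixes, and thresholds are assumptions about a hypothetical environment, and the event records are fabricated for the example.

```python
"""Three threat-hunting checks over Windows-style logon and persistence events.

Event IDs follow the Windows Security log: 4624 = successful logon
(ltype 3 = network, 10 = RDP), 4698 = scheduled task created,
7045 = new service installed. The records below are constructed for this
example; host and account names are assumptions, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    # Ordinary user activity during business hours (Monday 2025-06-02).
    {"ts": "2025-06-02T09:12:00", "id": 4624, "user": "jperez", "src": "WS-0142", "dst": "FS-01", "ltype": 3},
    {"ts": "2025-06-02T09:13:30", "id": 4624, "user": "jperez", "src": "WS-0142", "dst": "MAIL-01", "ltype": 3},
    {"ts": "2025-06-02T09:15:00", "id": 4624, "user": "jperez", "src": "WS-0142", "dst": "FS-01", "ltype": 3},
    # Legitimate service install by IT inside a working-hours change window.
    {"ts": "2025-06-02T10:00:00", "id": 7045, "user": "itadmin", "src": "ADMIN-01", "dst": "FS-01", "detail": "AgentUpdater"},
    # A service account fanning out from a workstation at 02:00 (Tuesday),
    # then dropping a scheduled task: the low-and-slow pattern to hunt for.
    {"ts": "2025-06-03T02:10:00", "id": 4624, "user": "svc_backup", "src": "WS-0317", "dst": "SQL-02", "ltype": 3},
    {"ts": "2025-06-03T02:12:00", "id": 4624, "user": "svc_backup", "src": "WS-0317", "dst": "FS-01", "ltype": 3},
    {"ts": "2025-06-03T02:15:00", "id": 4624, "user": "svc_backup", "src": "WS-0317", "dst": "FS-02", "ltype": 3},
    {"ts": "2025-06-03T02:19:00", "id": 4624, "user": "svc_backup", "src": "WS-0317", "dst": "APP-03", "ltype": 3},
    {"ts": "2025-06-03T02:23:00", "id": 4624, "user": "svc_backup", "src": "WS-0317", "dst": "DC-01", "ltype": 3},
    {"ts": "2025-06-03T02:28:00", "id": 4624, "user": "svc_backup", "src": "WS-0317", "dst": "MAIL-01", "ltype": 10},
    {"ts": "2025-06-03T02:35:00", "id": 4698, "user": "svc_backup", "src": "WS-0317", "dst": "SQL-02", "detail": "WindowsUpdateCheck"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def hunt_fan_out(events, window=timedelta(minutes=30), threshold=5):
    """Flag (source host, user) pairs that reach `threshold` or more distinct
    hosts via network/RDP logons inside any sliding `window`. Returns a dict
    mapping the pair to the sorted list of hosts touched."""
    by_actor = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e.get("ltype") in (3, 10):
            by_actor[(e["src"], e["user"])].append((_ts(e), e["dst"]))
    findings = {}
    for actor, logons in by_actor.items():
        logons.sort()
        left = 0
        for right in range(len(logons)):
            # Advance the left edge until the window fits.
            while logons[right][0] - logons[left][0] > window:
                left += 1
            hosts = {dst for _, dst in logons[left:right + 1]}
            if len(hosts) >= threshold:
                findings.setdefault(actor, set()).update(hosts)
    return {actor: sorted(hosts) for actor, hosts in findings.items()}


def hunt_offhours_persistence(events, start_hour=7, end_hour=20):
    """Return scheduled-task and service-install events created on a weekend
    or outside start_hour..end_hour local time. Approved change windows should
    be subtracted by the caller before triage."""
    hits = []
    for e in events:
        if e["id"] not in (4698, 7045):
            continue
        when = _ts(e)
        if when.weekday() >= 5 or not (start_hour <= when.hour < end_hour):
            hits.append(e)
    return hits


def hunt_service_accounts_from_workstations(events, ws_prefix="WS-", svc_prefix="svc_"):
    """Service accounts have no business authenticating from user workstations.
    The naming prefixes are assumptions about the environment's conventions."""
    return sorted({(e["src"], e["user"]) for e in events
                   if e["id"] == 4624
                   and e["user"].startswith(svc_prefix)
                   and e["src"].startswith(ws_prefix)})


def run_hunts(events):
    """Run all three hunts and escalate any actor that both fanned out across
    hosts and created persistence: the combination that signals an intrusion
    rather than a noisy administrator."""
    fan_out = hunt_fan_out(events)
    persistence = hunt_offhours_persistence(events)
    persist_actors = {(e["src"], e["user"]) for e in persistence}
    return {
        "lateral_movement": fan_out,
        "offhours_persistence": persistence,
        "svc_from_workstation": hunt_service_accounts_from_workstations(events),
        "high_priority": sorted(set(fan_out) & persist_actors),
    }


if __name__ == "__main__":
    for name, result in run_hunts(SAMPLE_EVENTS).items():
        print(f"{name}: {result}")
```

Run against the constructed events, only the svc_backup activity from WS-0317 trips the fan-out and off-hours rules, and because the same actor does both it lands in the high-priority list; jperez's two file-server and mail logons stay below threshold. In production the same three queries translate directly into SIEM searches, and the thresholds should be tuned against a baseline of each environment's normal admin and backup activity.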
Concluding Thoughts
Mexico's cyber threat landscape is characterized by a diverse range of actors, from opportunistic financial criminals and sophisticated banking trojans to politically driven hacktivists and organized crime groups leveraging cyber capabilities. Navigating this complexity requires informed, agile, and integrated security strategies. By understanding the unique dynamics of Mexico’s cybersecurity environment, organizations can better protect themselves and maintain trust in an increasingly interconnected global economy.
Keywords: #Cybersecurity #Mexico #CISO #ThreatIntelligence #Ransomware #Malware #Phishing #SupplyChainSecurity #RiskManagement #DataBreach #InfoSec #CyberThreat #LATAM #Guacamaya #FIN13 #BankingTrojans #Cybercrime #Hacktivism #CEOFraud #Deepfake #CyberCartel #SecurityLeadership #IncidentResponse #ZeroTrust #ThreatHunting #CyberResilience #DigitalRisk #CiberseguridadMexico #Nearshoring #GoldPickaxe