CrowdStrike 2025 Latin America Threat Landscape Report: A Deep Dive into an Evolving Region

The CrowdStrike Latin America Threat Landscape Report provides key insights into the trends and threats affecting the Caribbean, Central and South America, and Mexico.

Latin America has quickly become a hotspot for cyber activity. The region’s rapid digitalization, expanding cloud adoption, and evolving geopolitical friction have drawn the attention of both financially motivated eCrime actors and strategic nation-state adversaries.

The CrowdStrike 2025 Latin America Threat Landscape Report provides key insights into cyber activity across Central and South America, Mexico, and the Caribbean. In its pages, the CrowdStrike Counter Adversary Operations team details the eCrime activity, targeted intrusions, hacktivist disruptions, and cyber espionage targeting organizations in the region.

For organizations operating in or connected to Latin America, understanding this activity is critical to defending against it. This intelligence-driven deep dive provides information that security teams need to navigate the region’s changing threat landscape.

Global and Regional eCrime Proliferate

CrowdStrike currently tracks six named adversaries either based in or primarily targeting Latin America: OCULAR SPIDER, BLIND SPIDER, ODYSSEY SPIDER, PLUMP SPIDER, SAMBA SPIDER, and SQUAB SPIDER. LATAM-focused threat actors continue to prioritize defense evasion by adopting novel tactics, techniques, and procedures (TTPs), including using newer programming languages such as Rust. This activity highlights threat actors’ interest in adapting to the current eCrime ecosystem.

Big game hunting (BGH) adversaries increasingly targeted the region. CrowdStrike Intelligence documented 291 LATAM-based victims named on data extortion and ransomware leak sites. Though this only represents roughly 5% of the 5,276 globally documented incidents, it marks a 15% increase over the 254 documented incidents in the region in 2023. No evidence suggests BGH adversaries target the LATAM region to the same extent as North America and Europe.

BGH adversaries often collaborate with access brokers, who gain and sell access to target networks. In 2024, 107 access brokers advertised network access to 428 LATAM-based entities. These entities were predominantly located in Brazil, Mexico, Colombia, Argentina, and Peru — the five most ransomware-affected LATAM countries. Notably, the cost of initial access has declined significantly, with average access broker prices dropping by 60% from 2023 to 2024.

Supporting this cybercrime activity is an active regional underground. The CrowdStrike Intelligence team observed Telegram forums catering to Spanish-speaking users and recovered more than 1 billion credentials, related to data leaks and malware stealer logs, belonging to LATAM-based individuals and organizations. LATAM eCrime adversaries also run their own forums and websites.

Nation-State Intrusions: China and DPRK Take Aim

While most attacks were criminal in nature, China-nexus adversaries were the most active nation-state threat in the region. Since 2019, VIXEN PANDA has targeted government organizations and non-government organizations in several countries in the LATAM region. LIMINAL PANDA, which primarily targets telecom networks (highly likely to support intelligence collection efforts), likely gained access to telecom providers in Central and South America.

AQUATIC PANDA, attributed to a Chinese contractor, has likely targeted South America-based entities from 2022 to 2024. In 2022, the adversary likely targeted email servers belonging to government and telecom entities in South America. In 2023, they likely conducted reconnaissance against entities in Brazil. Evidence also indicates AQUATIC PANDA has targeted military entities in Peru.

These campaigns align closely with Beijing’s strategic objectives: intelligence collection, political influence, and technological expansion.

Over the past year, CrowdStrike Intelligence also observed DPRK-nexus adversaries FAMOUS CHOLLIMA, SILENT CHOLLIMA, and STARDUST CHOLLIMA conduct likely opportunistic campaigns in the LATAM region for financial gain and, less frequently, cyber espionage.

An example: Last year, CrowdStrike observed FAMOUS CHOLLIMA activity in Argentina, Brazil, and Uruguay. The adversary illicitly obtained freelance or full-time equivalent work to earn money that could be funneled to North Korea. While employed, these insiders can also collect information that could likely be used for technological and defense-related development.

Hacktivism Mirrors Regional and Global Tensions

Throughout 2024, CrowdStrike observed a variety of ideologically driven cyber operations impacting the public and private sectors across Latin America and the Caribbean. Many of these activities were linked to geopolitical events or perceived governance issues, echoing historical patterns of protest and activism.

Global groups, such as the Anonymous-affiliated GhostSec and others, claimed operations timed with major political milestones such as the Venezuelan presidential election and civil protests in Cuba and Guatemala. These actions often targeted government-affiliated infrastructure, signaling support for domestic movements or drawing attention to broader causes.

While the scope and impact of these campaigns vary, they collectively underscore how regional dynamics and global conflicts are shaping hacktivist motivations and targeting behavior in Latin America. Organizations operating in the region should remain mindful of these actors, both as potential disruptors and as barometers of underlying societal and political tensions.

Latin America is now a focal point for eCrime innovation, espionage, and ideological disruption. The CrowdStrike 2025 Latin America Threat Landscape Report offers a detailed roadmap of how adversaries are evolving in the region and what security leaders must do to stay ahead. The report is available in English and Portuguese; a Spanish version will be available in the coming weeks.

Additional Resources

CrowdStrike 2025 Global Threat Report