
Analyzing State-Sponsored Cyber Operations in Latin America and the Caribbean

A review of recent cyber operations targeting government and critical infrastructure sectors in the Americas, driven by geopolitical shifts. This analysis outlines the observed access methods, including identity-based vectors and edge device targeting, alongside prioritized remediation steps for security teams.

Triage Security Media Team

State-sponsored threat actors have increased their cyber operations against government entities and organizations in Latin America and the Caribbean. This activity aligns with a more active geopolitical focus on the region by the US and China.

A May 28 report from the cybersecurity firm ESET noted that the China-linked group FamousSparrow focused on a Venezuelan government entity associated with maritime affairs, following a recent US military operation in the country. Additionally, FamousSparrow and NegativeGlimmer, another China-linked cyber-espionage group, have targeted government agencies in Panama.

According to ESET cyber threat analyst Alexis Rapin, China-linked actors have targeted approximately a dozen nations in the region since early 2025. Rapin notes that while these operations align with national strategic interests, the intelligence system operates in a decentralized manner. Many units report directly to provincial authorities, meaning multiple groups might target the same organization simultaneously without direct coordination if the target aligns with various regional strategic goals.

Geopolitical drivers and regional activity

Geopolitical developments serve as primary drivers for these operations. Tension points include the US military operation to capture the president of Venezuela and stated intentions by the US administration regarding the Panama Canal. Industry experts indicate these events prompt intelligence gathering to monitor closed-door discussions and assess economic interests.

For example, China maintains significant oil interests in Venezuela, which analysts identify as a primary motivation for aligned cyber operations in the country. In Panama, the Supreme Court recently ruled that a port operating contract held by Panama Ports Company (a subsidiary of Hong Kong-based CK Hutchison) violated the national constitution. The contract has since temporarily transitioned to APM Terminals.

Multiple threat groups remain active across the Americas to monitor these shifts. In 2024, the China-linked group Earth Krahang targeted organizations in Mexico, Brazil, and Paraguay. Groups identified as Vixen Panda, Aquatic Panda, and Liminal Panda focused on entities in Argentina, Bolivia, Brazil, Chile, Colombia, Ecuador, Peru, Suriname, and Uruguay throughout 2024 and 2025.

Regarding Russian state-sponsored operations, activity in Latin America remains minimal, as their operations primarily focus on Ukraine and its allies. However, ongoing US policy focus on Cuba may spur localized intelligence-gathering activities there.

Access methodologies and remediation

Threat actors operating in this region largely rely on established methodologies rather than deploying zero-day vulnerabilities.

According to Santiago Rosenblatt, CEO of Strike.sh, identity-led access paths are the most common initial vectors. These include bypassing conditional access, targeting multifactor authentication (MFA) gaps, and conducting post-MFA token theft. These methods frequently target financial services and government-adjacent financial technology sectors in Mexico, Brazil, and Argentina. Furthermore, testing against edge devices and API surfaces has noticeably increased.
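Post-MFA token theft is hard to spot from the authentication event alone, because the MFA challenge was genuinely passed once and every later request simply carries the resulting session token. The detection has to compare where the token is presented against where it was issued. The following is an added example, not code from the article or from Strike.sh or ESET: it runs a simple provenance check over a constructed set of identity-provider sign-in records (field names and the `mfa` values `completed`/`token` are assumptions, chosen to imitate typical sign-in log content).

```python
# Constructed sign-in events (not taken from the article). The fields imitate
# what an identity provider's sign-in log typically records: which session
# token was presented, from which IP and user agent, and whether MFA was
# freshly completed ("completed") or satisfied by a claim carried inside an
# existing token ("token"). Events are listed in time order.
SAMPLE_SIGNINS = [
    {"ts": "2025-06-01T09:00:00Z", "user": "ana@example.org", "session": "sess-A1",
     "ip": "203.0.113.10", "ua": "Edge/125 Windows", "mfa": "completed"},
    {"ts": "2025-06-01T09:05:00Z", "user": "ana@example.org", "session": "sess-A1",
     "ip": "203.0.113.10", "ua": "Edge/125 Windows", "mfa": "token"},
    # Same token replayed from another network and browser: no new MFA
    # challenge occurs, so only the token's provenance reveals the reuse.
    {"ts": "2025-06-01T09:40:00Z", "user": "ana@example.org", "session": "sess-A1",
     "ip": "198.51.100.77", "ua": "Chrome/124 Linux", "mfa": "token"},
    {"ts": "2025-06-01T10:00:00Z", "user": "luis@example.org", "session": "sess-B7",
     "ip": "192.0.2.44", "ua": "Safari/17 macOS", "mfa": "completed"},
    {"ts": "2025-06-01T10:30:00Z", "user": "luis@example.org", "session": "sess-B7",
     "ip": "192.0.2.44", "ua": "Safari/17 macOS", "mfa": "token"},
]


def find_token_reuse(events):
    """Flag session tokens presented from a different IP or user agent than
    the one that completed the MFA challenge.

    Returns one alert dict per suspicious event. Events must be in time order
    so that the MFA-completion record is seen before the token reuse."""
    baseline = {}  # session id -> (ip, ua) recorded when MFA was completed
    alerts = []
    for ev in events:
        key = ev["session"]
        if ev["mfa"] == "completed":
            baseline[key] = (ev["ip"], ev["ua"])
            continue
        if ev["mfa"] != "token" or key not in baseline:
            continue  # nothing MFA-bound to compare against
        orig_ip, orig_ua = baseline[key]
        if (ev["ip"], ev["ua"]) != (orig_ip, orig_ua):
            alerts.append({
                "user": ev["user"],
                "session": key,
                "ts": ev["ts"],
                "mfa_from": f"{orig_ip} / {orig_ua}",
                "reused_from": f"{ev['ip']} / {ev['ua']}",
            })
    return alerts


if __name__ == "__main__":
    for a in find_token_reuse(SAMPLE_SIGNINS):
        print(f"{a['ts']} {a['user']} session {a['session']}: "
              f"MFA done from {a['mfa_from']}, token reused from {a['reused_from']}")
```

In production the exact-match on IP produces noise for mobile users whose address changes; comparing ASN or country instead of the raw IP, and treating a user-agent change as the stronger signal, keeps the same logic with fewer false positives. The durable fix the article points to is phishing-resistant MFA with token binding to the device, which prevents a stolen token from being replayed at all.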

Researchers report that compromising unpatched servers, frequently Microsoft SQL databases or Exchange mail servers, remains a primary initial access technique. Mathieu Tartare, a senior malware researcher at ESET, notes that threat actors generally prefer off-the-shelf tools, reserving custom implementations for situations where standard methods fail. The second most frequent access method is spear-phishing, as observed in the operations attributed to NegativeGlimmer.

To safeguard environments against these specific access patterns, organizations should prioritize two main areas:

  1. Secure identity access: Implement phishing-resistant MFA across all privileged accounts. Identity remains the primary boundary for cloud and financial infrastructure.

  2. Prioritize edge device patching: Apply security updates to internet-facing edge devices within 14 days, particularly for systems listed on the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities catalog.
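The 14-day window in step 2 only works if someone measures it. The following is an added example, not code from the article or from CISA: it joins a constructed asset inventory against constructed KEV-style rows (the keys `cveID`, `vendorProject`, `product`, `dateAdded` mirror the field names in CISA's published KEV JSON feed, but the rows and the `CVE-0000-*` ids are placeholders) and lists, most overdue first, every internet-facing host still carrying a known-exploited CVE past its patch deadline.

```python
from datetime import date, timedelta

# 14-day patch window for internet-facing devices, as recommended above.
PATCH_WINDOW_DAYS = 14

# Constructed KEV rows (not real catalog data). The keys mirror the field
# names in CISA's KEV JSON feed; the CVE ids are placeholders.
SAMPLE_KEV = [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor",
     "product": "Edge VPN Gateway", "dateAdded": "2025-05-10"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor",
     "product": "Mail Server", "dateAdded": "2025-05-25"},
]

# Constructed asset inventory: each host lists the CVEs a vulnerability
# scanner still reports as unpatched on it.
SAMPLE_INVENTORY = [
    {"host": "vpn-gw-01", "internet_facing": True,
     "open_cves": ["CVE-0000-0001"]},
    {"host": "mail-01", "internet_facing": True,
     "open_cves": ["CVE-0000-0002", "CVE-0000-0009"]},
    {"host": "int-db-01", "internet_facing": False,
     "open_cves": ["CVE-0000-0001"]},
]


def kev_index(kev_rows):
    """Map CVE id -> date the CVE was added to the KEV catalog."""
    return {row["cveID"]: date.fromisoformat(row["dateAdded"]) for row in kev_rows}


def triage_edge_patching(inventory, kev_rows, today_iso,
                         window_days=PATCH_WINDOW_DAYS):
    """Return one finding per (internet-facing host, open KEV CVE), most
    overdue first.

    The deadline is the KEV dateAdded plus the patch window. CVEs absent from
    the catalog are skipped: the point is the known-exploited backlog, not
    every open scanner finding."""
    today = date.fromisoformat(today_iso)
    added_on = kev_index(kev_rows)
    findings = []
    for asset in inventory:
        if not asset["internet_facing"]:
            continue  # internal hosts follow a separate patch schedule
        for cve in asset["open_cves"]:
            if cve not in added_on:
                continue
            deadline = added_on[cve] + timedelta(days=window_days)
            days_past = (today - deadline).days
            findings.append({
                "host": asset["host"],
                "cve": cve,
                "deadline": deadline.isoformat(),
                "days_overdue": max(days_past, 0),
                "overdue": days_past > 0,
            })
    findings.sort(key=lambda f: (-f["days_overdue"], f["host"]))
    return findings


if __name__ == "__main__":
    for f in triage_edge_patching(SAMPLE_INVENTORY, SAMPLE_KEV, "2025-06-01"):
        status = (f"OVERDUE by {f['days_overdue']} days" if f["overdue"]
                  else f"due {f['deadline']}")
        print(f"{f['host']:12} {f['cve']:14} {status}")
```

Fed the real KEV feed and a scanner export, the same join gives a daily list that can be tracked as an SLA; the sort order puts the oldest exploited exposure at the top, which is where the article's data says the initial access attempts concentrate.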

As noted in Mandiant's 2024 findings, the four most frequently targeted vulnerability classes were located in edge devices. Securing these external-facing components eliminates the most common pathway for unauthorized access into Latin American government and critical infrastructure networks.