Emerging Challenges
China's cyber espionage infiltrates strategic networks across Latin America
During 'hunt forward missions' in Latin America and the Caribbean, analysts detected malware linked to the Chinese Communist Party on multiple foreign partner networks.
![Participants take part in a cybersecurity competition during the Second Cyber Security Summit in Tianjin, China. [Sun Fanyue/Xinhua via AFP]](/gc7/images/2025/04/09/49929-cyber-370_237.webp)
WASHINGTON -- China has been infiltrating and attacking critical infrastructure in Latin America through malicious software (malware), targeting strategic networks across militaries, governments, higher education institutions, telecommunications and defense industrial bases.
Malware of this kind -- the notorious "ShadowPad" and "Raptor Train" among it -- is used for espionage, sabotage and unauthorized access to sensitive government and private sector data across the region.
ShadowPad is a modular backdoor engineered to infiltrate corporate and governmental systems and enable the extraction of confidential information. Raptor Train, by contrast, is a botnet: it infects large numbers of devices and uses them as infrastructure for compromising critical national security networks.
The warning about this Chinese cyber strategy came from Lt. Gen. Dan Caine, who outlined his concerns in written responses to lawmakers' advance policy questions ahead of his confirmation hearing before the US Senate Armed Services Committee on April 1.
![Lt. Gen. Dan Caine testifies before the US Senate Armed Services Committee during his nomination hearing for chairman of the Joint Chiefs of Staff in Washington, DC, April 1. [Jim Watson/AFP]](/gc7/images/2025/04/09/49930-cyber2-370_237.webp)
During "hunt forward missions" in Latin America and the Caribbean, specialists detected malware linked to the Chinese Communist Party (CCP) on multiple foreign partner networks, wrote Caine, the nominee for chairman of the US Joint Chiefs of Staff.
These operations took place at the request of certain Latin American partners, but the specific countries where Chinese cyber threats were identified remain undisclosed because of bilateral confidentiality agreements.
Caine did not specify when the hunt forward teams found the malware.
"Our foreign intelligence enterprise helps ascertain sources and objectives of foreign influence operations and can contribute to designing persistent approaches to counter these operations at their source," he added.
Caine stated that, if confirmed, he would work to strengthen existing alliances and partnerships with Latin American nations to "further degrade PRC [People's Republic of China] influence in the hemisphere."
The Chinese and Russian governments exert economic pressure and deploy disinformation campaigns to sway governments in Latin America and the Caribbean, he wrote.
"While in the short term Chinese activities might translate into positive economic outcomes, long term we have seen that many of these projects undercut local competition or impede on partner nations' sovereignty," he added.
Spyware hits diplomacy
Some cybersecurity analysts and firms have raised alarms over a surge in Chinese malware targeting national security systems and private companies across Latin America.
In February 2023, Microsoft revealed that the DEV-0147 cyber espionage group, known for its ties to the Chinese government and military, compromised the computers of embassies and consulates in several South American countries.
The China-based cyber espionage actor was "compromising diplomatic targets in South America, a notable expansion of the group's data exfiltration operations that traditionally targeted gov't [government] agencies and think tanks in Asia and Europe," according to a Microsoft Security Intelligence tweet posted then.
The Chinese cyber espionage attack in South America included subsequent activities such as abuse of identities for reconnaissance and data exfiltration, Microsoft added.
The DEV-0147 group is known for using tools such as ShadowPad.
A February 2022 analysis of ShadowPad by the firm Secureworks found that the malware had also been deployed by other Chinese government-sponsored groups, including threat groups that have operated since 2017 "on behalf of the regional theater commands" of the Chinese People's Liberation Army (PLA).
"ShadowPad samples revealed clusters of activity linked to threat groups affiliated with the Chinese Ministry of State Security... civilian intelligence agency and the [PLA]," according to the analysis.
PLA theater commands were created as part of a 2015 military reform led by President Xi Jinping. That December, China launched the Strategic Support Force (SSF) to modernize PLA capabilities in space, cyberspace and the electromagnetic spectrum.
Since then, "the impact on the PLA's cyber espionage mission has been extensive," according to Secureworks.
The SSF is said to oversee "a broad range of information warfare capabilities," including cyber espionage, electronic countermeasures and both offensive and defensive cyber operations.