VYPR
Advisory · Published Jun 3, 2026 · 1 source

China-Linked Espionage Groups Intensify Cyber Operations in Latin America

Nation-state threat actors, primarily from China, are escalating cyber espionage campaigns across Latin America, targeting maritime and oil production intelligence amid heightened geopolitical tensions.

State-sponsored threat groups have significantly increased their cyber operations targeting countries and government entities throughout Latin America and the Caribbean, coinciding with a more active geopolitical role by both the United States and China in the region. Cybersecurity firm ESET has identified China-linked groups, including FamousSparrow and NegativeGlimmer, as key players in these escalating activities.

ESET's recent report on advanced persistent threat (APT) groups highlights that FamousSparrow targeted a Venezuelan governmental group focused on maritime affairs shortly after a US military operation in Venezuela. Concurrently, both FamousSparrow and NegativeGlimmer were observed targeting Panamanian government agencies. These incidents are part of a broader trend, with ESET tracking approximately a dozen targeted countries in the region since early 2025.

According to Alexis Rapin, a cyber threat analyst at ESET, the decentralized nature of China's intelligence system, with various units reporting to provincial authorities, can lead to multiple APT groups targeting the same entity. This suggests a strategic focus on specific entities or regions by different Chinese intelligence arms, potentially without direct coordination between them.

The heightened geopolitical focus on Latin America by major nation-states, particularly the US and China, appears to be a significant driver for this surge in cyber activity. Tensions surrounding US military actions in Venezuela and statements regarding the Panama Canal have created an environment ripe for intelligence gathering. China's substantial economic interests in Venezuela, including claims to a significant portion of its oil production, and the loss of contracts for its subsidiary operating Panama Canal ports, further underscore the strategic importance of the region for Beijing.

"It's pretty clear that oil constitutes one of China's primary interests in Venezuela, and it thus seems fair to assume that this in turn constitutes one of the major motivations behind China-aligned APT activities in the country," Rapin stated. The primary objective of these state-sponsored attacks is overwhelmingly intelligence gathering from government agencies across North and South America.

Beyond FamousSparrow and NegativeGlimmer, other China-linked APT groups like Earth Krahang have targeted Mexico, Brazil, and Paraguay, while groups such as Vixen Panda, Aquatic Panda, and Liminal Panda have been active in multiple South American nations throughout 2024 and 2025. These groups often eschew zero-day exploits, instead relying on a toolkit of common tactics. Santiago Rosenblatt, CEO of security vendor Strike.sh, noted that identity-led intrusion paths, including exploiting gaps in phishing-resistant multi-factor authentication (MFA) and post-MFA token theft, are increasingly common, particularly in financial services and government-adjacent fintech sectors.

ESET's research indicates that the most frequent initial access technique involves compromising unpatched servers, often Microsoft SQL databases or Exchange mail servers. While zero-day exploits are sometimes deployed, threat actors generally prefer to avoid more advanced techniques unless necessary. Mathieu Tartare, a senior malware researcher at ESET, emphasized that "Properly patching such servers should be the highest priority." Spear-phishing remains a significant vector, as seen in the NegativeGlimmer attack.

Rosenblatt further advises organizations to prioritize identity security by implementing phishing-resistant MFA on all privileged accounts and to patch internet-facing edge devices within 14 days, especially if they are listed on CISA's Known Exploited Vulnerabilities (KEV) list. He highlighted Mandiant's finding that edge devices are the most frequently exploited vulnerability class by PRC-aligned actors targeting Latin American governments, underscoring the critical need for robust edge security.
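The 14-day patch window for KEV-listed, internet-facing assets recommended above is straightforward to turn into a recurring check. The script below is an added illustration, not code from ESET, Strike.sh, or CISA: it joins a constructed asset inventory against an excerpt shaped like CISA's KEV JSON feed (placeholder CVE ids, not real entries) and flags hosts whose open KEV vulnerabilities have been listed for longer than the window. It assumes the clock starts at the KEV `dateAdded` and that a scanner supplies each host's unpatched CVEs.

```python
"""Flag internet-facing hosts with KEV-listed vulnerabilities older than a patch window."""
from dataclasses import dataclass
from datetime import date

PATCH_WINDOW_DAYS = 14  # window recommended for edge devices on the KEV list

# Constructed excerpt in the shape of the CISA KEV feed; CVE ids are placeholders.
KEV_SAMPLE = {"vulnerabilities": [
    {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor",
     "product": "EdgeGateway", "dateAdded": "2026-05-01"},
    {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor",
     "product": "MailServer", "dateAdded": "2026-05-25"},
]}

# Constructed inventory: open_cves is what a vulnerability scanner reported as unpatched.
ASSETS = [
    {"host": "vpn-edge-01", "internet_facing": True, "open_cves": ["CVE-0000-00001"]},
    {"host": "mail-01", "internet_facing": True, "open_cves": ["CVE-0000-00002"]},
    {"host": "db-internal-03", "internet_facing": False, "open_cves": ["CVE-0000-00001"]},
]


@dataclass
class Finding:
    host: str
    cve_id: str
    days_listed: int   # days since the CVE was added to KEV
    overdue: bool      # True when days_listed exceeds the patch window


def index_kev(feed):
    """Map cveID -> dateAdded for every entry in a KEV-shaped feed."""
    return {v["cveID"]: date.fromisoformat(v["dateAdded"]) for v in feed["vulnerabilities"]}


def kev_findings(assets, feed, today, window_days=PATCH_WINDOW_DAYS):
    """One Finding per (internet-facing host, open CVE that appears in KEV)."""
    added = index_kev(feed)
    findings = []
    for asset in assets:
        if not asset["internet_facing"]:
            continue  # internal hosts still matter, but the 14-day rule targets edge exposure
        for cve in asset["open_cves"]:
            if cve in added:
                days = (today - added[cve]).days
                findings.append(Finding(asset["host"], cve, days, days > window_days))
    return findings


def overdue_hosts(assets, feed, today):
    """Sorted hosts that have at least one KEV vulnerability past the window."""
    return sorted({f.host for f in kev_findings(assets, feed, today) if f.overdue})


if __name__ == "__main__":
    for finding in kev_findings(ASSETS, KEV_SAMPLE, date(2026, 6, 3)):
        print(finding)
```

In practice the inventory would come from the asset database and the feed from CISA's published JSON; the same join then doubles as a detection of exposure the page describes, since an unpatched KEV entry on an edge device is exactly the access path these groups favour.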

Synthesized by Vypr AI