There is nothing theoretical about the shift. Adversaries with a China nexus have moved from opportunistic intrusions to deliberate, infrastructure-oriented campaigns that blend cyber access with physical footholds. The pattern matters because it changes how defenders in Latin America must hunt, prioritize, and harden their networks.

Start with the telecom problem. A China-linked actor tracked as Liminal Panda has been observed targeting telecommunications providers with tools and techniques built specifically to exploit carrier systems and interconnections. Compromise of a telecom is not just data theft. It is a strategic node that enables metadata collection, routing manipulation, and pivoting into government and commercial targets that rely on those networks. That is exactly why telecom intrusions are now a core focus of threat hunters in the region.

Parallel to that, U.S. and allied reporting in 2024 uncovered large-scale compromises of internet and telecom providers that exposed how attractive these networks are for state-directed collection. Microsoft and U.S. agencies documented campaigns that reached deep into carrier infrastructure using zero-day exploits and high-privilege management accounts. Those operations demonstrate a playbook Latin American defenders should assume will be reused in their region: gain persistence in core network elements, collect call and message metadata, and rehearse potential disruptive actions.

Physical presence amplifies the cyber problem. China continued to expand its commercial footprint in Latin America through ports, telecom contracts, and infrastructure deals. New ports and logistics nodes, funded or operated by Chinese entities, are dual-use in the sense that they create economic leverage and present potential chokepoints for influence operations. When a foreign power operates critical facilities in a region, the risk surface widens because supply chains, hardware maintenance, and local vendor dependencies become vectors for compromise or pressure. Threat hunters must factor in that network-level compromises can be complemented by influence over physical infrastructure.

What does this mean on the ground for Latin American cyber defenders and security leaders? First, hunt assumptions must change. Traditional endpoint-focused detection will miss compromises that live on carrier gear, DNS systems, or management consoles. Incident response playbooks should include carrier-grade telemetry collection, router and switch configuration baselining, and checks for tampering in lawful intercept and billing systems. CISA and allied advisories already emphasize hunting for living-off-the-land techniques and long-lived persistence used by PRC-aligned actors. Adopt those playbooks and tailor them to local architectures.

Second, prioritize telecommunications and backbone visibility. Governments and large enterprises should treat telecom providers as critical infrastructure partners for defensive collaboration. That means formal information sharing, mandatory logging and retention policies for network management events, and joint tabletop exercises that simulate carrier-level compromises. If you cannot get telemetry from a carrier, assume you are blind in the areas that matter.

Third, harden procurement and supply chain governance. Cheap or opaque procurement choices can bake in vulnerabilities. Contracts for network gear, port systems, and control software should demand verifiable supply chain integrity, secure development lifecycle attestations, and the ability to perform independent inspections. Procurement is a national security decision when your opponent is a state actor willing to integrate cyber and physical levers.

Finally, build hunting teams that think across domains. Effective threat hunting in 2024 is multidisciplinary. Analysts must fuse network forensics, telecom protocol analysis, and physical logistics intelligence. That fusion uncovers the asymmetric advantage adversaries are seeking. Start small: insert one telecom forensic capability into an existing SOC, run a guided hunt for management account misuse, and iterate based on findings. The alternative is to discover lateral movement only after a high-value node has been stripped of metadata or used as a staging area.
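The configuration baselining called for in the playbook discussion and the guided hunt for management account misuse above can share one starting point: diff the running configuration of a router or switch against a known-good baseline and flag the changes a hunter cares about. The example below is added here and is not from the article or any vendor tool; the IOS-style configuration snippets and the risk rules are constructed for illustration.

```python
"""Configuration drift check for network gear against a known-good baseline.

Added example, not from the original article. BASELINE and CURRENT are
constructed IOS-style snippets; HIGH_RISK rules are illustrative, not exhaustive.
"""
import re

BASELINE = """\
hostname edge-rtr-01
username netops privilege 15 secret 5 $1$baseline$hash
logging host 10.0.0.5
snmp-server community r0-string RO
ip route 0.0.0.0 0.0.0.0 203.0.113.1
"""

# Constructed "current" config: a new privilege-15 account, an RW SNMP
# community, an extra static route, and the syslog export removed.
CURRENT = """\
hostname edge-rtr-01
username netops privilege 15 secret 5 $1$baseline$hash
username svc-backup privilege 15 secret 5 $1$newuser$hash
snmp-server community r0-string RO
snmp-server community rw-string RW
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 10.20.0.0 255.255.0.0 198.51.100.9
"""

# Line patterns whose addition or removal should raise a hunting lead.
HIGH_RISK = [
    (r"^username \S+ privilege 15", "new or changed privileged management account"),
    (r"^snmp-server community \S+ RW", "read-write SNMP community"),
    (r"^ip route ", "static route change (possible traffic redirection)"),
    (r"^logging host ", "syslog export changed"),
]

def config_lines(text):
    """Normalise a config into a set of non-empty, non-comment lines."""
    return {ln.strip() for ln in text.splitlines() if ln.strip() and not ln.startswith("!")}

def classify(line):
    """Return the risk label for a single config line, or 'low'."""
    for pattern, label in HIGH_RISK:
        if re.match(pattern, line):
            return label
    return "low"

def drift(baseline, current):
    """List (change, line, risk) tuples for every line added or removed."""
    base, cur = config_lines(baseline), config_lines(current)
    added = [("added", ln, classify(ln)) for ln in sorted(cur - base)]
    removed = [("removed", ln, classify(ln)) for ln in sorted(base - cur)]
    return added + removed

def high_risk_findings(baseline, current):
    """Only the drift entries a hunter should triage first."""
    return [f for f in drift(baseline, current) if f[2] != "low"]
```

Run it periodically against configs pulled over your management path and feed the high-risk findings into the SOC queue; a baseline that is itself refreshed only through change control keeps the diff meaningful.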

Countries and companies in Latin America are not powerless. They can 1) demand transparency and resilience clauses when negotiating infrastructure deals, 2) require independent security assessments for critical network components, 3) invest in carrier-aware threat hunting, and 4) join regional information sharing initiatives so that indicators of compromise are not siloed. These are basic, operational steps that blunt strategic intent at low cost. The harder truth is political will. If national leaders prize short-term savings over systemic resilience, defenders will be chasing compromises rather than preventing them.

The region is a contested space. Malware and access in Latin America are not isolated criminal acts. They are pieces in a broader mosaic that includes ports, procurement, and influence. For security leaders the task is straightforward and unforgiving: hunt where the adversary lives, harden where they can hide, and make forward presence a liability for the attacker rather than an advantage for the host.