China's cyber espionage infiltrates strategic networks across Latin America
During 'hunt forward missions' in Latin America and the Caribbean, experts detected malware linked to the Chinese Communist Party on multiple foreign partner networks.
![Participants take part in a cybersecurity competition during the Second Cyber Security Summit in Tianjin, northern China. [Sun Fanyue/Xinhua via AFP]](/gc4/images/2025/04/08/49922-cyber-600_384.webp)
By Entorno
WASHINGTON -- China has been infiltrating and attacking critical infrastructure in Latin America through malicious software (malware), targeting strategic networks across militaries, governments, higher education institutions, telecommunications and defense industrial bases.
This type of malware -- such as the notorious "ShadowPad" and "Raptor Train" -- is used for espionage, sabotage and unauthorized access to sensitive government and private sector data across the region.
ShadowPad is engineered to infiltrate corporate and governmental systems, enabling the extraction of confidential information. Raptor Train, meanwhile, functions as a botnet, infecting devices and compromising critical national security networks.
The warning about this Chinese cyber strategy came from Lt. Gen. Dan Caine, who outlined his concerns in written responses to lawmakers' advance policy questions ahead of his confirmation hearing before the US Senate Armed Services Committee on April 1.
![Lt. Gen. John Caine testifies before the US Senate Armed Services Committee during his nomination hearing for chairman of the Joint Chiefs of Staff, on Capitol Hill in Washington, DC, April 1. [Jim Watson/AFP]](/gc4/images/2025/04/08/49923-cyber2-600_384.webp)
During "hunt forward missions" in Latin America and the Caribbean, experts detected malware linked to the Chinese Communist Party (CCP) on multiple foreign partner networks, wrote Caine, President Donald Trump's nominee for chairman of the Joint Chiefs of Staff.
These operations were conducted at the request of certain Latin American partners, but the specific countries where Chinese cyber threats were identified remain undisclosed due to bilateral confidentiality agreements.
Caine did not specify when the malware was detected.
"Our foreign intelligence enterprise helps ascertain sources and objectives of foreign influence operations and can contribute to designing persistent approaches to counter these operations at their source," he added.
Caine also stated that, if confirmed, he would work to strengthen existing alliances and partnerships with Latin American nations to "further degrade PRC [People's Republic of China] influence in the hemisphere."
He wrote that the Chinese and Russian governments exert economic pressure and deploy disinformation campaigns to sway governments in Latin America and the Caribbean.
"While in the short term Chinese activities might translate into positive economic outcomes, long term we have seen that many of these projects undercut local competition or impede on partner nation’s sovereignty," he added.
Spyware hits diplomacy
Some cybersecurity experts and firms also have raised alarms over a surge in Chinese malware targeting national security systems and private companies across Latin America.
In February 2023, Microsoft revealed that the DEV-0147 cyber espionage group, known for its ties to the Chinese government and military, compromised the computers of embassies and consulates in several South American countries.
The China-based cyber espionage actor was "compromising diplomatic targets in South America, a notable expansion of the group's data exfiltration operations that traditionally targeted gov't [government] agencies and think tanks in Asia and Europe," according to a Microsoft Security Intelligence tweet posted then.
The Chinese cyber espionage attack in South America included subsequent activities such as abuse of identities for reconnaissance and data exfiltration, Microsoft added.
The DEV-0147 group is known for using tools such as ShadowPad.
A ShadowPad malware analysis carried out in February 2022 by the firm Secureworks found that this malware had been deployed by other groups sponsored by the Chinese government and was coordinated by threat groups that have operated since 2017 "on behalf of the regional theater commands" of the Chinese People's Liberation Army (PLA).
"ShadowPad samples revealed clusters of activity linked to threat groups affiliated with the Chinese Ministry of State Security... civilian intelligence agency and the People's Liberation Army," according to the analysis.
PLA theater commands were created as part of a 2015 military reform led by President Xi Jinping. That December, China also launched the Strategic Support Force (SSF) to modernize PLA capabilities in space, cyberspace, and the electromagnetic spectrum.
Since then, "the impact on the PLA's cyber espionage mission has been extensive," according to Secureworks.
The SSF is believed to oversee "a broad range of information warfare capabilities," including cyber espionage, electronic countermeasures and both offensive and defensive cyber operations.