CrowdStrike 2025 LATAM Threat Landscape Report: Ransomware Surges 15%, China-Nexus Adversaries Target Regional Governments
CrowdStrike, a global leader in adversary intelligence, reveals Brazil as the most targeted country, as credential theft, identity-based attacks and cyber aggression surge across the region
May 7, 2025 — CrowdStrike (NASDAQ: CRWD) today released the 2025 Latin America Threat Landscape Report, revealing a 15% year-over-year surge in ransomware attacks alongside a dramatic rise in credential theft and identity-based intrusions. Brazil, Mexico and Argentina were the most affected countries. While financially motivated eCrime remains dominant, CrowdStrike observed an uptick in nation-state operations, with China-nexus adversaries targeting government agencies, telecoms and military entities across the region. The findings underscore that Latin America is no longer a peripheral geography – it’s a strategic target for both financially and politically motivated adversaries.
CrowdStrike tracks six eCrime adversaries – OCULAR SPIDER, BLIND SPIDER, ODYSSEY SPIDER, PLUMP SPIDER, SAMBA SPIDER and SQUAB SPIDER – that are either based in, or primarily target, the region. The report shows that adversaries based in other parts of the world – or typically focused on different regions – are now turning their attention to Latin America, expanding the threat landscape with new campaigns of espionage, data theft and financially motivated intrusions.
Key findings include:
- Big Game Hunting Adversaries Drive Ransomware Rise: Ransomware attacks rose 15% year-over-year across Latin America, with Brazil, Mexico and Argentina most affected; RansomHub and LockBit were the most active variants.
- Chinese Nation-State Threats Accelerate: China-nexus adversaries, including VIXEN PANDA, AQUATIC PANDA and LIMINAL PANDA, conducted espionage campaigns targeting regional governments, telecoms and military entities aligned with Beijing’s strategic objectives.
- Global Adversaries Turn Attention to LATAM: CrowdStrike observed Nigeria-based AVIATOR SPIDER, Russia-based RENAISSANCE SPIDER and SOLAR SPIDER targeting entities in Latin America for the first time.
- Credential Theft and Data Extortion Accelerate: CrowdStrike recovered over 1 billion credentials tied to individuals and organizations across Latin America, largely sourced from stealer logs and data leaks. Brazil saw the highest exposure, followed by Mexico, Argentina, Colombia and Peru.
- Criminal Underground Fuels Identity-Based Attacks: Stolen credentials are powering a surge in identity-driven intrusions. CrowdStrike identified 107 access brokers advertising credentials for 428 Latin American organizations, with Spanish-language Telegram channels like Acceso X, CryptersAndTools Updates and MalwareBit Team acting as hubs for malware distribution, credential dumps and hacking tutorials.
“Latin America is no longer a secondary geography for cyber threat activity – it’s a key battleground where access brokers, ransomware crews and nation-state adversaries converge,” said Adam Meyers, head of counter adversary operations at CrowdStrike. “Massive volumes of stolen credentials are driving identity-based intrusions at scale, while espionage-focused actors aligned with China’s interests target the region’s most sensitive institutions. To defeat these threats, organizations must adopt a unified platform, fueled by threat intelligence and hunting, to stop breaches.”
Built on industry-leading threat intelligence, 24/7 expert threat hunting and advanced AI trained on trillions of security events, the CrowdStrike Falcon® cybersecurity platform delivers real-time protection against the most advanced threats. As the only managed threat hunting service that extends to third-party data, CrowdStrike Falcon® Adversary OverWatch provides visibility into previously unmanaged attack surfaces. CrowdStrike helps eliminate blind spots and delivers expert detection beyond endpoints, identity and cloud environments to stop breaches across every attack surface.
About CrowdStrike
CrowdStrike (NASDAQ: CRWD), a global cybersecurity leader, has redefined modern security with the world’s most advanced cloud-native platform for protecting critical areas of enterprise risk – endpoints and cloud workloads, identity and data.
Powered by the CrowdStrike Security Cloud and world-class AI, the CrowdStrike Falcon® platform leverages real-time indicators of attack, threat intelligence, evolving adversary tradecraft and enriched telemetry from across the enterprise to deliver hyper-accurate detections, automated protection and remediation, elite threat hunting and prioritized observability of vulnerabilities.
Purpose-built in the cloud with a single lightweight-agent architecture, the Falcon platform delivers rapid and scalable deployment, superior protection and performance, reduced complexity and immediate time-to-value.
CrowdStrike: We stop breaches.
Learn more: https://www.crowdstrike.com/