TTPwire Vol. 1 · MITRE ATT&CK·Tagged

Recorded Future Blog

Latin America and the Caribbean Cybercrime Landscape

2026-04-02

ATT&CK techniques detected

25 predictions
T1005 Data from Local System
98%
“…ikt group in 2025. cybercriminal activities in lac throughout 2025, insikt group investigated and identified different types of cybercriminals operating on clearnet and dark web sources. cybercriminals routinely leveraged phishing for initial access, and among the most common m…”
T1566.002 Spearphishing Link
95%
“, and displaying phishing overlays to steal sensitive credentials; coyote’s infrastructure is dynamic and hosted on various platforms, indicating robust evasion techniques by its operators coyote remained active in 2025 and was observed in a whatsapp-based worm campaign that…”
T1486 Data Encrypted for Impact
94%
“ransomware data from antigua and barbuda, belize, cuba, saint kitts and nevis, saint lucia, or suriname in 2025. figure 2: global ransomware landscape dashboard view of attack metrics for the top five ransomware groups impacting lac in 2025 (source: recorded future) figure 3 …”
T1566.002 Spearphishing Link
87%
“artifacts in the panels analyzed and consistent targeting of brazilian victims; analysis of a notable campaign dubbed “water saci” indicates whatsapp web was used for distribution analysis of the new infrastructure tied to the sorvepotel loader demonstrates that it has distrib…”
T1486 Data Encrypted for Impact
87%
“can contribute to credential theft, the propagation of phishing campaigns, the distribution of spam, the takeover and abuse of residential ip addresses, and the enabling of distributed denial-of-service (ddos) attacks. insikt group also observed threat actors targeting paym…”
T1486 Data Encrypted for Impact
86%
“in brazil. mitigations use recorded future’s global ransomware landscape dashboard: recorded future customers can proactively mitigate this threat by operationalizing the recorded future global ransomware landscape dashboard and leveraging the victimology tab to filter based o…”
T1486 Data Encrypted for Impact
86%
“-speaking cybercriminal underground. based on current and historical data, we anticipate these trends will continue, and lac will likely remain a popular target for ransomware groups and a hotspot for mobile malware in 2026. appendix a: sample listing of posts targeting entitie…”
T1078 Valid Accounts
84%
“latin america and the caribbean cybercrime landscape executive summary this report provides an overview of trends and developments in the cybercriminal ecosystem of latin america and the caribbean (lac) in 2025. insikt group found that threat actors operating in or targeting th…”
T1486 Data Encrypted for Impact
83%
“(27 attacks). these countries are among the largest economies in the region, which may lead to downstream spillover effects for enterprises that conduct business directly with them or with neighboring countries. insikt group found that the majority of ransomware groups leverage…”
T1657 Financial Theft
70%
“value data, face operational urgency, and, at times, rely on legacy systems that may be vulnerable. key findings insikt group assesses that criminal forum darkforums and the messaging platform telegram are the primary special-access forums and communications platforms used by t…”
T1486 Data Encrypted for Impact
69%
“on the dire wolf blog. figure 4: global ransomware landscape dashboard view of the most affected countries in lac in 2025 (source: recorded future) banking trojans according to the global system for mobile communications association (gsma), in 2024, approximately 64% of th…”
T1588.002 Tool
68%
“to the top organizations (based on revenue) in the healthcare, government, and financial sectors for countries with the top five largest economies in lac (source: recorded future data) lummac2 was undoubtedly the most active infostealer targeting entities in the lac region d…”
T1657 Financial Theft
66%
“to extortion attempts, digital and social engineering scams, ransomware deployment, data theft, and account takeovers. insikt group research indicates that threat actors generally advertise breached databases and payment card data because they can be lucrative, require relatively…”
T1555.003 Credentials from Web Browsers
66%
“in several countries, including brazil and colombia, likely because sinkholing requires some time to have a noticeable effect as it redirects traffic but does not automatically clean infected machines. more complete remediation would require patching and malware removal on affect…”
T1078 Valid Accounts
64%
“and obtaining credentials from prior infostealer infections, password reuse, brute-force attacks, and other initial access points. based on data within the recorded future intelligence operations platform, there are approximately 29,000 references to exposed lac-related cred…”
T1557.001 Name Resolution Poisoning and SMB Relay
60%
“in the lac region due to increased remote work adoption, legacy infrastructure in many public institutions, and limited monitoring and resources. insikt group observed threat actors advertising carding tools, bulk sms/email blasting, sim swapping, hacking assistance, and other …”
T1588.007 Artificial Intelligence
59%
“links that redirect to fake login pages and contain malicious attachments with embedded links. many of these techniques are effective when targeting entities in the lac region due to an overwhelming reliance on email and messaging applications for business, as well as a general s…”
T1071.001 Web Protocols
56%
“targeting the lac region using traditional cybercriminal methods, such as phishing and ransomware. this suggests some apt groups may also have financial motivations extending beyond seeking strategic geopolitical influence. prominent apts, such as dark caracal, conducted cyber es…”
T1588.002 Tool
46%
“in 2025. this forum is an english-language, low-tier forum operated by english-speaking administrators, launched in march 2023, and is accessible via a clearnet domain. additionally, darkforums was observed hosting leaked databases and data breaches involving spanish-spea…”
T1111 Multi-Factor Authentication Interception
45%
“in the lac region due to increased remote work adoption, legacy infrastructure in many public institutions, and limited monitoring and resources. insikt group observed threat actors advertising carding tools, bulk sms/email blasting, sim swapping, hacking assistance, and other …”
T1584.001 Domains
41%
“…tivist groups began transitioning to ransomware-as-a-service (raas) for financial gain. one such hacktivist group, “fivefamilies”, functions as a collective of several groups; some of their targeted entities included those located in cuba and brazil. figure 1: chron…”
T1588.001 Malware
37%
“and type of botnet first identified in june 2023, targeting spanish-speaking users in six lac countries: mexico, guatemala, colombia, peru, chile, and argentina. horabot uses invoice-themed phishing emails to gain initial access to victims' systems. payment terminal malware…”
T1588.002 Tool
36%
“very low to low, and mexico’s ransomware targeting risk score increased from low to medium at the end of 2025. notably, data was leaked relating to a mexican government entity on the dark web name-and-shame extortion website, tekir apt data leak site. argentina’s network …”
T1657 Financial Theft
33%
“(27 attacks). these countries are among the largest economies in the region, which may lead to downstream spillover effects for enterprises that conduct business directly with them or with neighboring countries. insikt group found that the majority of ransomware groups leverage…”
T1584.005 Botnet
30%
“…tivist groups began transitioning to ransomware-as-a-service (raas) for financial gain. one such hacktivist group, “fivefamilies”, functions as a collective of several groups; some of their targeted entities included those located in cuba and brazil. figure 1: chron…”

Summary

This report provides an overview of trends and developments in the cybercriminal ecosystem of Latin America and the Caribbean (LAC) in 2025.