Somewhere inside government networks across Latin America and the Caribbean, Chinese malware was quietly waiting. U.S. Cyber Command sent 68 cyber protection teams to find it, marking the largest defensive deployment in the command’s history. The operation, conducted under the military’s “hunt forward” framework, uncovered implants tied to the Chinese Communist Party on multiple foreign partner networks, according to a congressional document that has received little public attention despite its extraordinary implications.
For countries in the region, the discovery forces a blunt reckoning: Beijing had already burrowed into their digital infrastructure, and no one locally had detected it.
What the congressional record shows
The strongest public evidence comes from Lt. Gen. John Daniel Caine, a retired U.S. Air Force officer who disclosed the scope of these missions in written responses to the Senate Armed Services Committee. In his advance policy question responses, Caine confirmed that hunt forward teams discovered “CCP malware” on multiple foreign partner networks within U.S. Southern Command’s area of responsibility. That geographic zone spans Central America, South America, and the Caribbean, a region where Chinese investment in telecommunications and port infrastructure has expanded steadily over the past decade.
The language Caine used matters. He wrote “CCP malware,” directly attributing the implants to the Chinese Communist Party rather than hedging with phrases like “state-linked” or “suspected.” In a formal Senate submission, that specificity carries real weight. Advance policy question responses are submitted under the expectation of accuracy, and misleading answers can jeopardize a nominee’s confirmation and invite congressional scrutiny. The phrasing signals that U.S. officials are willing to tie specific malicious code to Beijing’s political leadership, not just to abstract state organs or loosely affiliated hacking groups.
Caine’s responses also established a broader operational principle: the Cyber Mission Force routinely operates beyond Department of Defense networks and into the systems of allies and partners. That confirms the U.S. military treats allied network defense as part of its standing mission, not as an emergency exception. Hunt forward teams deploy at the invitation of host nations, embed inside local networks, and search for adversary footholds that local defenders may lack the tools or training to find independently.
The 68-team figure aligns with the CMF’s documented structure. The force consists of 133 operational teams, divided into four categories: 13 national mission teams, 68 cyber protection teams, 27 combat mission teams, and 25 support teams. The cyber protection teams form the defensive backbone of the force, responsible for identifying and neutralizing threats inside friendly networks. Deploying all of them into partner networks would represent a full commitment of the command’s defensive capacity, a step without known precedent. It is worth noting that the 133-team structure reflects the CMF’s long-standing force design; whether all 68 teams deployed simultaneously or in rolling waves across different partner nations is not specified in the available documents.
What remains uncertain
No official Department of Defense press release or Cyber Command statement has independently confirmed this as the largest defensive operation by team count. The characterization of scale rests on combining Caine’s statement with the Pentagon’s own description of how many cyber protection teams exist. That inference is reasonable, but it is still an inference.
The exact timeline is also unclear. Caine’s Senate responses do not include start or end dates for the hunt forward missions. Without those dates, it is impossible to say whether the deployments unfolded over weeks or months. The silence may reflect classification concerns, diplomatic sensitivities with host nations, or a Pentagon preference to keep successful defensive operations quiet.
The malware itself has not been described in technical terms in any declassified source. Public reporting on Chinese cyber operations has previously identified threat groups like Volt Typhoon, which U.S. agencies linked to pre-positioned implants inside American critical infrastructure, and Salt Typhoon, which compromised U.S. telecommunications providers. Whether the malware found in Southern Command’s area of responsibility belongs to the same families, uses similar techniques, or targets similar systems is not addressed in the congressional record. No forensic indicators of compromise have been released publicly, and unlike some earlier hunt forward missions, where Cyber Command’s Cyber National Mission Force uploaded recovered samples to VirusTotal, no samples from this operation have been shared that way. That silence limits the ability of independent researchers and regional defenders to hunt for related activity on their own networks.
The identity of the specific partner nations involved remains undisclosed. Southern Command’s area of responsibility covers 31 countries and more than a dozen dependent territories. Some maintain close defense relationships with the United States; others have significant economic ties to Beijing. Which governments invited the hunt forward teams, and whether any declined, is not part of the public record.
Even the operational focus of the 68 teams is ambiguous. Caine’s responses confirm that cyber protection units operated “beyond DoD networks,” but they do not specify whether the teams focused on government ministries, critical infrastructure providers, telecommunications backbones, or a combination. Each target type would imply a different level of Chinese access and a different potential impact if implants were activated during a conflict.
How to weigh the evidence
Two tiers of evidence support this story, and they deserve different levels of confidence. The first tier is Caine’s congressional submission. As a formal response to Senate Armed Services Committee questions, it names the adversary, identifies the geographic scope, and confirms the operational concept. It is the single strongest piece of evidence available and establishes that U.S. cyber forces encountered and removed CCP-linked malware on partner networks in the Western Hemisphere.
The second tier is the Department of Defense’s published breakdown of the Cyber Mission Force structure. That material confirms the existence of 68 cyber protection teams and explains their defensive role. It provides the numerical foundation for the scale claim but does not directly describe the Southern Command operation.
What is absent matters too. There are no leaked intelligence assessments, no named technical indicators, and no partner nation confirmations in the public domain. The operation’s details come entirely from the U.S. side, filtered through a nomination process. That does not make the claims false, but it means independent verification from affected countries or from cybersecurity firms operating in the region has not yet surfaced. As of June 2026, outside observers should treat this as a well-sourced but still partially one-sided account of a sensitive multinational effort.
What this means for the Western Hemisphere
For allied governments in the region, the practical takeaway is immediate. If CCP malware was found on their networks, the question is no longer “are we at risk” but “what else was missed.” Hunt forward missions are designed to find what automated defenses cannot, but they are snapshots, not permanent monitoring. Once U.S. teams leave, host nations need their own capacity to detect the next round of implants. Countries that lack dedicated cyber defense units or rely heavily on Chinese-built telecommunications equipment face a harder version of that challenge, because their exposure is both technical and political.
The scale of this deployment also reveals something about how Cyber Command prioritizes threats. If all 68 protection teams were committed to partner networks at the same time, those teams were not simultaneously defending U.S. military systems; even if the deployments were staggered, the command accepted a sustained drawdown of its defensive bench at home. That tradeoff only makes strategic sense if senior military leaders judged the risk of inaction to be severe: that compromised partner networks could serve as staging grounds for operations against U.S. forces, or as pressure points against fragile democracies during a crisis. It is notable that the Cybersecurity and Infrastructure Security Agency (CISA) has not publicly commented on whether civilian agencies played a supporting role, a gap that leaves the full scope of the U.S. government response unclear.
At its core, this operation illustrates how cyber defense is becoming a shared burden rather than a purely national task. Digital supply chains and regional infrastructures are deeply interconnected; one country’s weak link can become another’s entry point. By sending its entire defensive bench into allied networks, the United States made a calculated judgment that shoring up those weak links abroad would strengthen its own security at home. Whether that bet pays off depends on what happens next: whether partner nations build lasting defenses, or whether the implants simply return once the American teams go home.
*This article was researched with the help of AI, with human editors creating the final content.