Actors Attacking Government Entities With New Tactics, Techniques, and Procedures

The threat actor known as TAG-144, also referred to as Blind Eagle or APT-C-36, has been linked to five distinct activity clusters operating from May 2024 through July 2025, primarily targeting Colombian government entities at local, municipal, and federal levels.

This cyber threat group, active since at least 2018, employs a sophisticated blend of cyber-espionage and financially motivated tactics, focusing on credential theft and surveillance through commodity remote access trojans (RATs) such as AsyncRAT, DcRAT, REMCOS RAT, XWorm, and LimeRAT.

The clusters demonstrate overlapping yet varied tactics, techniques, and procedures (TTPs), including multi-stage infection chains that leverage legitimate internet services (LIS) like Discord, GitHub, and Archive.org for payload staging, alongside steganography to embed malicious code within image files for evasion.

Infrastructure analysis reveals extensive use of virtual private servers (VPS), Colombian ISP IP addresses, and dynamic DNS providers such as duckdns.org and noip.com, with some clusters incorporating VPN services like TorGuard to obscure command-and-control (C2) operations.

Victimology data indicates a heavy emphasis on government institutions, with additional intrusions into sectors like education, healthcare, and energy, underscoring TAG-144’s regional focus on South America, particularly Colombia, Ecuador, Chile, and Panama.

Malware Deployment Strategies

TAG-144’s operational resilience is evident in the differentiation across its clusters, each tailored with unique infrastructure and deployment methods while maintaining core TTPs.

For instance, Cluster 1, active from February to July 2025, relies on TorGuard VPN servers and static duckdns.org domains with domain generation algorithm (DGA)-like naming patterns, such as “envio16-05.duckdns.org,” to deploy DcRAT, AsyncRAT, and REMCOS RAT.

This cluster introduces novel LIS abuse, including the free hosting platform lovestoblog.com, where encoded PowerShell scripts fetch steganographically hidden payloads from JPG images on Archive.org, often accompanied by Portuguese-language comments hinting at potential collaboration or code reuse from Brazilian cybercriminal ecosystems.

Figure: Telegram channel

Cluster 2, spanning September to December 2024, incorporates AS-COLOCROSSING and VULTR hosting with Spanish-themed domains like “pesosdepesoslibras.duckdns.org,” and deploys cracked AsyncRAT variants sourced from Telegram channels, resulting in infections across government, education, defense, and retail sectors.

Meanwhile, Cluster 3 utilizes Colombian ISP UNE EPM for AsyncRAT and REMCOS deployments, Cluster 4 combines malware with phishing infrastructure impersonating banks like Bancolombia, and Cluster 5 employs GLESYS hosting for LimeRAT and dynamic domains.

Figure: Phishing pages linked to Cluster 4

Overlaps in infrastructure, such as shared IP resolutions and victim communications, confirm these clusters as interconnected facets of TAG-144’s campaigns.

Further linkages to the threat actor Red Akodon, through shared GitHub repositories and compromised government email accounts used in spearphishing, highlight TAG-144’s adaptive ecosystem, blending open-source tools with crypters like HeartCrypt and geo-fencing to restrict access outside targeted regions.

Blurring Cybercrime Lines

To counter TAG-144's threats, security teams are advised to block the IP addresses and domains associated with the group's RAT C2 infrastructure, deploy YARA, Sigma, and Snort detection rules for the malware families involved, and monitor connections to legitimate internet services (LIS) for anomalous activity.

Email filtering, data exfiltration monitoring, and continuous threat intelligence updates are crucial, given the group’s use of compromised routers as reverse proxies and persistent targeting of high-value entities.
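As an added example that is not part of the article, the following script turns the recommendations above into a detection pass: it matches DNS/proxy log entries against the C2 domains listed in the article's IoC table, flags the dynamic DNS providers the group favours (duckdns.org, noip.com), and flags LIS hosts (Archive.org, GitHub, Discord, lovestoblog.com) reached from a PowerShell process, which mirrors the Cluster 1 chain of encoded PowerShell fetching payloads from Archive.org. The log format and all log lines are constructed for the example.

```python
"""Detection pass over constructed DNS/proxy log lines for the TAG-144
indicators named in the article. Added example, not a vendor tool."""
import re

# Domains taken from the article's IoC table (Clusters 1 and 2).
KNOWN_C2_DOMAINS = {
    "envio16-05.duckdns.org",
    "trabajonuevos.duckdns.org",
    "pesosdepesoslibras.duckdns.org",
    "deadpoolstart2064.duckdns.org",
}
# Dynamic DNS providers the article names as TAG-144 C2 infrastructure.
DYNAMIC_DNS_SUFFIXES = (".duckdns.org", ".noip.com")
# Legitimate internet services the article says are abused for payload staging.
LIS_DOMAINS = ("archive.org", "github.com", "discord.com", "lovestoblog.com")
# Script hosts that should rarely need these services on a workstation.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}

# Constructed log format (assumption): "<timestamp> <host> <process> <domain>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>\S+)\s+(?P<domain>\S+)$")

LOG_LINES = """\
2025-06-02T09:14:03Z ws-fin-07 powershell.exe archive.org
2025-06-02T09:14:05Z ws-fin-07 powershell.exe envio16-05.duckdns.org
2025-06-02T09:15:11Z ws-hr-02 chrome.exe github.com
2025-06-02T09:16:40Z ws-hr-02 outlook.exe pesosdepesoslibras.duckdns.org
2025-06-02T09:17:02Z ws-ops-01 svchost.exe backup2025.duckdns.org
2025-06-02T09:18:30Z ws-ops-01 chrome.exe www.example.com
"""

def classify(domain: str, process: str) -> list[str]:
    """Return the detection tags that apply to one (domain, process) pair."""
    domain = domain.lower().rstrip(".")
    tags = []
    if domain in KNOWN_C2_DOMAINS:
        tags.append("known-c2")
    if domain.endswith(DYNAMIC_DNS_SUFFIXES):
        tags.append("dynamic-dns")
    if process.lower() in SCRIPT_HOSTS and any(
            domain == d or domain.endswith("." + d) for d in LIS_DOMAINS):
        tags.append("lis-from-script-host")
    return tags

def scan(log_text: str) -> list[tuple[str, str, str, list[str]]]:
    """Return (timestamp, host, domain, tags) for every line that triggers a tag."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole pass
        tags = classify(m["domain"], m["proc"])
        if tags:
            hits.append((m["ts"], m["host"], m["domain"], tags))
    return hits

if __name__ == "__main__":
    for ts, host, domain, tags in scan(LOG_LINES):
        print(f"{ts} {host} {domain} -> {', '.join(tags)}")
```

The dynamic-DNS and LIS tags are triage signals rather than verdicts; the exact C2 match is the only tag that should page on its own.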

Looking ahead, TAG-144 is expected to sustain its focus on Colombian government assets, potentially integrating emerging tools and expanding LIS exploitation, while blurring lines between cybercrime and espionage in South America’s evolving digital landscape.

This persistence underscores the need for enhanced regional defenses and collaboration to mitigate such regionally attuned threats.

Indicators of Compromise (IoCs)

| IoC Type | Examples |
| --- | --- |
| IP Addresses (Cluster 1) | 45.133.180.26, 146.70.137.90, 181.235.4.255 |
| Domains (Cluster 1) | envio16-05.duckdns.org, trabajonuevos.duckdns.org |
| IP Addresses (Cluster 2) | 64.188.9.172, 179.14.8.131 |
| Domains (Cluster 2) | pesosdepesoslibras.duckdns.org, deadpoolstart2064.duckdns.org |
| SHA256 Hashes | 04878a5889e3368c2cf093d42006ba18a87c5054f1464900094e6864f4919899, aee42a6d8d22a421fd445695d8b8c8b3311fa0dc0476461ea649a08236587edd |

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.