active threat profile
type: nation-state
threat_level: high
status: active
origin: Colombia (suspected) — Latin America espionage
last_updated: 2025-03-27
tags: apt / espionage / latin-america

APT-C-36 / Blind Eagle

also known as: Blind Eagle, TAG-144, Blind Spider

The most active and persistent APT threat actor focused exclusively on Latin America — hyper-targeted at Colombia's government, judiciary, financial sector, and critical infrastructure, with secondary targeting in Ecuador, Chile, and Panama. Blind Eagle's campaigns are operationally notable for their rapid adaptation to newly patched vulnerabilities, high infection rates despite a selective APT posture, and consistent use of commodity RATs delivered through multi-stage phishing chains that abuse trusted cloud platforms. Active since 2018 and tracked continuously by Kaspersky GReAT, Check Point Research, and BlackBerry.

attributed origin: Colombia (suspected); Spanish-speaking — South America
suspected sponsor: Unknown — espionage and financial motivation; possible state nexus
first observed: 2018
primary motivation: Espionage (government targeting); Financial (credential and banking theft)
primary targets: Colombian judiciary, government, finance, critical infrastructure
known campaigns: Five confirmed activity clusters (May 2024 – Jul 2025); 9,000+ victims in a single week
mitre att&ck group: G0099 (APT-C-36)
target regions: Colombia (87% of victims), Ecuador, Chile, Panama, Spain
threat level: High

Overview

APT-C-36, widely known as Blind Eagle, is one of the longest-running and operationally consistent APT actors in Latin America. Active since at least 2018, the group maintains a near-exclusive geographic focus on Colombia, where approximately 87% of confirmed victims are located. Despite this regional specificity, Blind Eagle has expanded campaigns to Ecuador, Chile, Panama, and Spain, and brief targeting of Spanish-speaking manufacturing workers in North America was observed in early 2024.

The group is suspected to originate from South America — likely Colombia — based on its linguistic profile, target selection, and deep familiarity with Colombian government structures, legal processes, and financial institutions. Portuguese-language artifacts found in code strings during 2024 campaigns introduced a notable anomaly, raising questions about possible collaboration with or code reuse from Brazilian cybercriminal ecosystems, though this has not been conclusively attributed.

Blind Eagle operates with a dual mandate: targeted espionage against government and judicial institutions, and financially motivated credential theft from banking and financial targets. The group switches between these objectives campaign by campaign, adapting its toolset and lure themes accordingly. What distinguishes Blind Eagle from technically superior APT groups is not sophistication but consistency and local knowledge — its phishing lures achieve high click rates by accurately mimicking Colombian government agencies, tax authority communications, court summons, and banking notifications.

Check Point Research designated Blind Eagle one of Latin America's most dangerous threat actors following its November 2024 through March 2025 campaign series, which achieved over 9,000 infections within a single week across multiple campaigns, and over 1,600 infections from a single campaign on December 19, 2024. The group adapted a variant of CVE-2024-43451 just six days after Microsoft released the patch, demonstrating unusually fast operational turnaround.

geolocation filtering

Blind Eagle employs geolocation filtering in its phishing infrastructure. Visitors from non-target countries attempting to access malicious links are silently redirected to the legitimate website of the impersonated Colombian government agency, making the attack chain difficult to analyze from outside the region and reducing exposure to international security researchers.

Target Profile

Blind Eagle's targeting reflects its dual espionage and financial mandate, with Colombian institutions accounting for the overwhelming share of confirmed victims. Lure themes are crafted around entities that generate urgency and compliance: tax obligations, court notices, and banking security alerts.

  • Colombian Judiciary: A primary and consistent target. The group impersonates judicial institutions and fabricates demand notices or court summons as lure documents. The June 2024 HijackLoader campaign and the November 2024 through March 2025 campaign cluster both focused heavily on Colombian judicial entities.
  • Colombian Government — Tax and Customs (DIAN): Colombia's Directorate of National Taxes and Customs (DIAN) is the most frequently impersonated entity across Blind Eagle's campaign history. Lures exploit recipients' concern about tax compliance to drive clicks on malicious attachments.
  • Colombian Financial Institutions: Banking and financial sector targets are pursued in financially motivated campaign phases. Quasar RAT has been modified to function as a banking Trojan against Colombian banks. Operation OPFail (March 2024) harvested over 8,000 PII entries including credentials and ATM PINs by impersonating Colombian banks.
  • Colombian Law Enforcement and Immigration: BlackBerry researchers observed 2023 campaigns targeting law enforcement, immigration agencies, and the peace negotiation office alongside financial and health sector targets.
  • Ecuador and Chile: Secondary targeting with confirmed intrusions. Campaigns targeting Ecuador date to at least 2019. Chile and Panama have also been confirmed as secondary victim geographies.
  • Spanish-speaking manufacturing workers in North America: A brief targeting expansion observed in early 2024, using Ande Loader to distribute Remcos and NjRAT to Spanish-speaking employees in the manufacturing sector.

Tactics, Techniques & Procedures

Blind Eagle's TTPs are characterized by multi-stage delivery chains, abuse of trusted cloud infrastructure, commodity RAT customization, and process hollowing for in-memory execution. The group continuously introduces new loaders while maintaining consistent final-stage payloads.

mitre id / technique / description

T1566.001 Phishing: Spearphishing Attachment
    Phishing emails carrying malicious PDF or DOCX attachments impersonate DIAN, the Attorney General's Office, Ministry of Foreign Affairs, or judicial institutions. Attachments contain links redirecting to payload-hosting infrastructure.

T1566.002 Phishing: Spearphishing Link
    Emails include body links appearing to lead to official Colombian government URLs, which redirect through attacker-controlled infrastructure to payload downloads. Geolocation filtering redirects non-target visitors to legitimate sites.

T1027.003 Obfuscated Files or Information: Steganography
    Malicious payloads are hidden within image files (JPG), text files, or executable resources using steganography. PowerShell scripts fetch steganographically hidden payloads from images hosted on legitimate platforms including Archive.org.

T1055.012 Process Injection: Process Hollowing
    The group's preferred execution technique. A legitimate process is created in a suspended state, its memory unmapped, replaced with the malicious RAT payload, and resumed — executing the RAT within the memory space of a trusted process.

T1574.002 Hijack Execution Flow: DLL Side-Loading
    Legitimate signed executables (ASUS, IObit) are used to sideload malicious DLLs. Observed in the June 2024 campaign alongside HijackLoader as a delivery mechanism for AsyncRAT.

T1105 Ingress Tool Transfer
    Payloads are distributed via abused legitimate platforms including Google Drive, Dropbox, GitHub, Bitbucket, Discord, Pastebin, lovestoblog.com, and Archive.org — bypassing URL reputation controls that flag known malicious infrastructure.

T1059.005 Command and Scripting Interpreter: VBScript
    Initial dropper ZIP archives contain VBS files that retrieve next-stage payloads from hard-coded remote servers. The VBS stage is often the entry point into the multi-stage delivery chain.

T1071.001 Application Layer Protocol: Web Protocols
    C2 communications for RAT payloads use HTTPS and dynamic DNS (duckdns.org, ddns-ip.net) with DGA-like naming patterns to evade static blocking and complicate attribution.

T1056.001 Input Capture: Keylogging
    RATs are customized to include keylogging capabilities. NjRAT variants include screenshot capturing alongside keylogging. Modified Quasar RAT performs keylogging specifically on Colombian financial institution websites.

T1550.002 Use Alternate Authentication Material: Pass the Hash
    The CVE-2024-43451 variant used in the November 2024 campaign does not expose NTLMv2 hashes directly, but triggers a WebDAV request on file interaction, notifying attackers of victim engagement before manual execution — enabling victim triage prior to full payload delivery.
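The suspended-create, unmap, write, resume sequence in the T1055.012 row is what an endpoint detection has to correlate, and the mitigation guidance later in this profile says to weight the alert when the parent is a scripting engine or document viewer. The Python below is an added example written for this page, not code from any of the cited vendors: it runs that correlation over a handful of constructed endpoint events in a hypothetical schema (the field names, the `section_unmap`, `memory_write` and `thread_resume` event kinds, and the process names and PIDs are assumptions, not a real EDR or Sysmon format).

```python
"""Correlate endpoint telemetry for the process-hollowing sequence:
create suspended -> unmap/write target memory from another process -> resume.

Added example for this profile. The event schema below is hypothetical
(constructed for illustration), not a real EDR or Sysmon format.
"""

CREATE_SUSPENDED = 0x00000004  # CreateProcess dwCreationFlags bit (Win32)

# Parents the mitigation guidance singles out: scripting engines and document viewers.
SCRIPT_OR_DOC_PARENTS = {
    "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe",
    "winword.exe", "acrord32.exe",
}

# Constructed sample events (hypothetical schema, constructed PIDs and paths).
EVENTS = [
    # Hollowing pattern: script engine creates a process suspended, unmaps and
    # writes its memory from outside, then resumes it.
    {"ts": 1, "event": "process_create", "pid": 4100, "parent_pid": 3980,
     "image": "C:\\Windows\\System32\\notepad.exe",
     "parent_image": "C:\\Windows\\System32\\wscript.exe", "creation_flags": 0x4},
    {"ts": 2, "event": "section_unmap", "pid": 3980, "target_pid": 4100},
    {"ts": 3, "event": "memory_write", "pid": 3980, "target_pid": 4100, "size": 245760},
    {"ts": 4, "event": "thread_resume", "pid": 3980, "target_pid": 4100},
    # Benign: an installer starts a helper suspended and resumes it untouched.
    {"ts": 5, "event": "process_create", "pid": 5200, "parent_pid": 5100,
     "image": "C:\\Program Files\\Vendor\\helper.exe",
     "parent_image": "C:\\Program Files\\Vendor\\setup.exe", "creation_flags": 0x4},
    {"ts": 6, "event": "thread_resume", "pid": 5100, "target_pid": 5200},
    # Benign: normal (non-suspended) start followed by a cross-process write;
    # without the suspended create this is not the hollowing pattern.
    {"ts": 7, "event": "process_create", "pid": 6000, "parent_pid": 1200,
     "image": "C:\\Windows\\explorer.exe",
     "parent_image": "C:\\Windows\\System32\\userinit.exe", "creation_flags": 0x0},
    {"ts": 8, "event": "memory_write", "pid": 6100, "target_pid": 6000, "size": 4096},
]


def basename(path):
    """Lower-cased file name from a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def correlate_hollowing(events):
    """Return one alert per process that was created suspended, had its memory
    written by another process, and was then resumed. Severity is raised when
    the parent is a scripting engine or document viewer."""
    pending = {}  # pid -> state for processes created suspended, not yet resumed
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind = ev["event"]
        if kind == "process_create":
            if ev["creation_flags"] & CREATE_SUSPENDED:
                pending[ev["pid"]] = {
                    "target_pid": ev["pid"],
                    "image": basename(ev["image"]),
                    "parent": basename(ev["parent_image"]),
                    "created_ts": ev["ts"],
                    "unmapped": False,
                    "written": False,
                }
        elif kind in ("section_unmap", "memory_write"):
            st = pending.get(ev["target_pid"])
            # Only cross-process modification counts; a process touching its own
            # memory is normal.
            if st is not None and ev["pid"] != ev["target_pid"]:
                st["unmapped" if kind == "section_unmap" else "written"] = True
        elif kind == "thread_resume":
            st = pending.pop(ev["target_pid"], None)
            if st is not None and st["written"]:
                st["resumed_ts"] = ev["ts"]
                st["severity"] = "high" if st["parent"] in SCRIPT_OR_DOC_PARENTS else "medium"
                alerts.append(st)
    return alerts


if __name__ == "__main__":
    for alert in correlate_hollowing(EVENTS):
        print(alert)
```

Processes that are still pending when the stream ends (created suspended, never resumed) are deliberately not alerted on; in a streaming deployment they would be held with a timeout rather than dropped.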

Known Campaigns

DIAN Tax Authority Phishing — Sustained Campaign Series (2018 – present)

Blind Eagle's foundational and most persistent campaign type. Phishing emails impersonating Colombia's DIAN tax and customs directorate deliver malicious ZIP archives containing VBS droppers. Lures warn recipients of tax compliance issues requiring immediate action. This template has been used continuously since the group's initial tracking, with the payload updated across campaigns from njRAT to AsyncRAT, LimeRAT, BitRAT, and Remcos RAT over time.

Operation OPFail — Colombian Bank Impersonation (Mar 2024)

Check Point Research discovered a phishing campaign impersonating Colombian banks that collected over 8,000 valid PII entries including email-password pairs and ATM PINs. The dataset, inadvertently exposed by Blind Eagle, confirmed the campaign's scope: over 8,075 valid credential entries, with five accounts belonging to the Colombian government and fourteen to educational institutions. The C2 domain servicioseguroenlineabb[.]com was used to host the phishing infrastructure.

HijackLoader and DLL Sideloading — Judicial Targeting (Jun 2024)

Kaspersky GReAT identified a campaign introducing two new techniques: DLL sideloading using legitimate ASUS and IObit-signed executables, and HijackLoader, a modular malware loader new to Blind Eagle's arsenal. Phishing emails impersonated Colombian judicial institutions with PDF or DOCX attachments posing as court summons or demand notices. Clicking embedded links downloaded legitimate-looking signed executables that sideloaded malicious DLLs, ultimately injecting AsyncRAT via process hollowing.

CVE-2024-43451 Variant Campaign — PARAISO and SOCIALISMO (Nov 2024 – Mar 2025)

Six days after Microsoft patched CVE-2024-43451 on November 12, 2024, Blind Eagle incorporated a variant of the technique using malicious .url files that trigger a WebDAV request when interacted with in unusual ways (right-clicking, deleting, dragging), notifying attackers of victim engagement before execution. The PARAISO campaign (December 2024) infected over 1,600 victims via Bitbucket-hosted Remcos RAT. Total infections across the campaign cluster over one week exceeded 9,000. The SOCIALISMO and MIAMI campaigns (January 2025) distributed .url files via compromised Google Drive accounts. HeartCrypt packer-as-a-service protected intermediate .NET RAT payloads, with Remcos RAT as the final stage.

TAG-144 Cluster Activity — Five Activity Clusters (May 2024 – Jul 2025)

Recorded Future's Insikt Group tracks Blind Eagle as TAG-144 and identified five distinct activity clusters between May 2024 and July 2025, primarily targeting Colombian government entities at local, municipal, and federal levels. Cluster 1 (February through July 2025) used TorGuard VPN servers with duckdns.org domains featuring DGA-like naming to deploy DcRAT, AsyncRAT, and Remcos RAT, and introduced payload staging via steganographically hidden JPG images hosted on Archive.org, with Portuguese-language comments in code. Cluster 2 (September through December 2024) sourced cracked AsyncRAT variants from Telegram channels, affecting government, education, defense, and retail sectors.

Tools & Infrastructure

Blind Eagle relies entirely on commodity and open-source RATs as final payloads, which it customizes per campaign. Intermediate-stage tooling includes both custom-built and crimeware-sourced loaders. This approach keeps development costs low and makes attribution through malware signatures difficult.

  • Remcos RAT: The primary final-stage payload in recent campaigns (2024–2025). Grants full remote access, keylogging, screenshot capture, credential theft, scheduled task persistence, and file manipulation. Distributed via Bitbucket, GitHub, and compromised Google Drive accounts in recent campaigns.
  • AsyncRAT: Long-running campaign payload. C2 communications use AES-256 encryption with Base64-encoded configuration. Used in both espionage and credential-theft campaigns. Introduced via HijackLoader in the June 2024 campaign and via steganographically hidden images in 2025 cluster activity.
  • NjRAT: Used in both standard and modified forms. Modified NjRAT variants include expanded keylogging, screenshot capture, and remote plugin installation from the C2 server.
  • Quasar RAT (modified): Repurposed from general espionage use into a banking Trojan targeting Colombian financial institutions. Modified to monitor browser activity on Colombian banking sites and keylog financial credentials.
  • LimeRAT / BitRAT: Additional RATs observed in campaigns. Blind Eagle rotates between all available commodity RATs based on campaign objectives, swapping tools frequently to reduce signature-based detection.
  • DcRAT: Observed in TAG-144 Cluster 1 activity (2025), deployed alongside AsyncRAT and Remcos in campaigns targeting Colombian government entities.
  • HijackLoader: Modular malware loader introduced in June 2024. Accepts multiple execution modules and was used to inject AsyncRAT via process hollowing following DLL sideloading.
  • Ande Loader: Custom loader observed in early 2024 campaigns distributing Remcos and NjRAT, including the North American manufacturing sector targeting operation.
  • HeartCrypt: Packer-as-a-service used to protect intermediate .NET RAT payloads in the November 2024 through March 2025 campaign cluster, complicating static analysis of intermediate stage binaries.
  • C2 Infrastructure: Dynamic DNS services (duckdns.org, ddns-ip.net, longmusic.com) with DGA-like domain naming patterns. TorGuard VPN servers observed in TAG-144 cluster activity. C2 ports including 30204 and 3020 observed in Check Point Research campaign analysis.

Indicators of Compromise

The following indicators are drawn from Check Point Research, Kaspersky GReAT, BlackBerry, and Darktrace analysis of Blind Eagle campaigns from 2024 through early 2025.

warning

Blind Eagle rotates domains and payloads frequently. Dynamic DNS domains observed in campaigns are short-lived. IOCs should be cross-referenced against live threat intelligence feeds before use in blocking rules. Geolocation filtering in the group's infrastructure means malicious links may appear benign when accessed outside Colombia.

indicators of compromise — Blind Eagle 2024–2025 campaigns

  • IP (C2): 62[.]60[.]226[.]112 — rare external IP observed in Feb 2025 Darktrace incident, geolocated Germany; used for initial HTTP redirection
  • C2 domain: newstaticfreepoint24.ddns-ip[.]net:3020 — PARAISO campaign Remcos RAT C2 (Dec 2024)
  • C2 domain: 21ene.ip-ddns[.]com:30204 — diciembre repository campaign Remcos RAT C2 (Feb 2025)
  • C2 pattern: duckdns.org subdomains with DGA-like naming (e.g., envio16-05.duckdns.org, pesosdepesoslibras.duckdns.org) — TAG-144 cluster activity
  • Phishing domain: servicioseguroenlineabb[.]com — OPFail Colombian bank impersonation campaign (Mar 2024)
  • Payload repositories: Bitbucket facturacioncol/fact and trabajo12023/proyecto — Remcos RAT hosted Dec 2024, used in PARAISO campaign
  • Behavioral: Unusual WebDAV requests triggered by right-clicking, deleting, or dragging .url files — indicator of CVE-2024-43451 variant delivery
  • Behavioral: Process hollowing into legitimate Windows processes followed by encrypted C2 traffic to dynamic DNS domains; AES-256 encrypted AsyncRAT C2 traffic using Base64 config

Mitigation & Defense

Blind Eagle's attack chain is phishing-initiated and relies on user interaction with lure documents, embedded links, and compressed attachments. Defense priorities should center on email filtering, user awareness specific to Colombian government impersonation, and detection of multi-stage in-memory execution patterns.

  • Email Security and Attachment Sandboxing: Enforce email security controls capable of detonating VBS, .url, PDF, and DOCX attachments in a sandboxed environment before delivery. Blind Eagle's initial droppers are consistently ZIP-compressed VBS files or malicious .url files — sandbox detonation is the most reliable pre-delivery control.
  • URL Reputation and Cloud Platform Monitoring: Blind Eagle abuses Google Drive, Dropbox, Bitbucket, GitHub, Discord, and Archive.org to host payloads, bypassing domain-reputation filtering. Security controls must be able to inspect and detonate files downloaded from these platforms, not just flag the domains. CASB solutions may help enforce download policies for cloud platforms.
  • Disable or Monitor WebDAV: The CVE-2024-43451 variant delivery relies on WebDAV requests triggered by .url file interaction. Disabling WebDAV where not operationally required, and alerting on unusual WebDAV traffic originating from user endpoints, reduces exposure to this delivery mechanism.
  • Process Injection Detection: Blind Eagle's consistent use of process hollowing makes behavioral EDR detection critical. Alert on processes created in a suspended state that are subsequently modified in memory before resumption, particularly when the parent process is a scripting engine or document viewer. Standard signature-based AV has limited efficacy against in-memory RAT execution.
  • Dynamic DNS Blocking and Monitoring: Block or alert on outbound connections to dynamic DNS providers (duckdns.org, ddns-ip.net, longmusic.com) from endpoints, particularly on non-standard ports observed in Blind Eagle C2 configurations. These domains are used extensively across all campaign clusters.
  • NTLM Hardening: Disable NTLMv2 where not required by legacy applications. Implement NTLM authentication policies that block or alert on unsolicited WebDAV-based NTLM negotiation from user endpoints. This reduces exposure to both the original CVE-2024-43451 and Blind Eagle's subsequent variant.
  • Regionally Aware Phishing Training: Blind Eagle's lure effectiveness depends on employees' familiarity with Colombian government branding — DIAN, the Attorney General's Office, judicial summons. Security awareness programs for Colombian-based organizations should include specific training on these lure themes, including the behavioral cue that legitimate Colombian government communications do not include download links to external services.
  • Patch Velocity Monitoring: Blind Eagle adapted CVE-2024-43451 within six days of patch release. Organizations should track Blind Eagle campaign reporting from Check Point Research, Kaspersky GReAT, and BlackBerry, and prioritize patching vulnerabilities related to Windows file handling and NTLMv2 hash exposure on an accelerated timeline.
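As a worked example of the dynamic DNS, C2 port and payload-repository checks above, here is a small Python scanner added for this profile (not a tool from Check Point, Kaspersky, BlackBerry or Darktrace). It refangs the `[.]`-defanged indicators from the IOC table into matchable hosts and runs a few constructed proxy log lines through them. The `dst=`/`port=`/`url=` line format, the internal source IPs and the clean intranet host are constructed; `ip-ddns.com` is included as a dynamic DNS suffix because it appears in the IOC list.

```python
"""Scan proxy log lines for the Blind Eagle network indicators in this profile.

Added example for this page. Indicator values are the ones published above
(defanged with [.] as listed); the log line format and sample lines are constructed.
"""
import re
from urllib.parse import urlsplit

# Indicators as listed in this profile, in their published defanged form.
DEFANGED_IOCS = {
    "62[.]60[.]226[.]112": "C2 IP, Feb 2025 HTTP redirection",
    "newstaticfreepoint24.ddns-ip[.]net:3020": "PARAISO Remcos RAT C2",
    "21ene.ip-ddns[.]com:30204": "diciembre repository Remcos RAT C2",
    "servicioseguroenlineabb[.]com": "OPFail bank-impersonation domain",
}
# Dynamic DNS providers named in the profile (ip-ddns.com taken from the IOC list).
DYNDNS_SUFFIXES = ("duckdns.org", "ddns-ip.net", "ip-ddns.com", "longmusic.com")
# Non-standard C2 ports observed in the Check Point Research analysis.
C2_PORTS = {30204, 3020}
# Bitbucket repositories listed as Remcos RAT hosting (PARAISO campaign).
PAYLOAD_REPOS = {"bitbucket.org": ("facturacioncol/fact", "trabajo12023/proyecto")}

# Constructed proxy log lines in a hypothetical key=value format.
SAMPLE_LOG = [
    "2025-02-14T10:22:01Z src=10.1.4.22 dst=62.60.226.112 port=80 url=http://62.60.226.112/r",
    "2024-12-19T14:03:55Z src=10.1.4.31 dst=newstaticfreepoint24.ddns-ip.net port=3020 url=-",
    "2025-03-02T09:10:12Z src=10.1.4.40 dst=envio16-05.duckdns.org port=443 url=-",
    "2024-12-19T13:58:20Z src=10.1.4.31 dst=bitbucket.org port=443 "
    "url=https://bitbucket.org/facturacioncol/fact/downloads/doc.exe",
    "2025-03-02T09:11:00Z src=10.1.4.40 dst=intranet.example.com port=443 url=https://intranet.example.com/",
]

LINE_RE = re.compile(r"dst=(?P<dst>\S+)\s+port=(?P<port>\d+)\s+url=(?P<url>\S+)")


def refang(ioc):
    """Turn the published defanged form back into a matchable string."""
    return ioc.replace("[.]", ".")


def build_lookup():
    """Map host -> list of (port or None, label) from the defanged IOC table."""
    lookup = {}
    for raw, label in DEFANGED_IOCS.items():
        host, _, port = refang(raw).partition(":")
        lookup.setdefault(host.lower(), []).append((int(port) if port else None, label))
    return lookup


IOC_LOOKUP = build_lookup()


def check_line(line):
    """Return the reasons a proxy log line matches; an empty list means clean."""
    m = LINE_RE.search(line)
    if not m:
        return []
    host = m["dst"].lower()
    port = int(m["port"])
    url = m["url"]
    reasons = []
    # Exact host (and port, where the indicator carries one) match.
    for ioc_port, label in IOC_LOOKUP.get(host, []):
        if ioc_port is None or ioc_port == port:
            reasons.append("ioc:" + label)
    # Any subdomain of a dynamic DNS provider used by the group.
    for suffix in DYNDNS_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            reasons.append("dyndns:" + suffix)
    # Observed C2 ports are flagged on their own, whatever the destination.
    if port in C2_PORTS:
        reasons.append("c2-port:%d" % port)
    # Downloads from the repositories known to have hosted Remcos.
    if url != "-":
        parts = urlsplit(url)
        for repo in PAYLOAD_REPOS.get((parts.hostname or "").lower(), ()):
            if parts.path == "/" + repo or parts.path.startswith("/" + repo + "/"):
                reasons.append("payload-repo:" + repo)
    return reasons


def scan(lines):
    """Return (line, reasons) for every line that matched at least one check."""
    hits = []
    for line in lines:
        reasons = check_line(line)
        if reasons:
            hits.append((line, reasons))
    return hits


if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LOG):
        print(", ".join(reasons), "<-", line)
```

The dynamic DNS and C2-port checks fire independently of the exact-match IOCs, so a duckdns.org host on port 443 still surfaces for review even though, as the warning above notes, the specific domains rotate too quickly for a static list alone.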

Sources & Further Reading

Attribution and references used to build this profile.
