APT-C-36 (Blind Eagle): A Persistent Threat to Latin America
- Suspected Origin
- Suspected Colombia/South America
- Motivation
- Espionage, Financial Gain
- Aliases
- Blind Eagle, TAG-144, AguilaCiega, APT-Q-98
- Target Sectors
- Government, Financial Services, Telecommunications, Energy, Professional Manufacturing, Healthcare, Education
- Associated Malware
- AsyncRAT, QuasarRAT, BitRAT, njRAT, LimeRAT, Remcos RAT, DCRat, Imminent Monitor, Warzone RAT, Gh0stCringe, XWorm, PureCrypter, Caminho
Overview
APT-C-36, also widely known as Blind Eagle and TAG-144, has been a significant and persistent cyber threat in Latin America since at least 2018. This group operates with a hybrid motivation, engaging in both cyber-espionage and financially driven operations. They are suspected to operate primarily out of Colombia, or at least have strong ties to the region, leveraging a deep understanding of local socio-political contexts to enhance their attack efficacy. While perhaps not possessing the same level of technical sophistication as some global advanced persistent threats, their consistent, flexible, and contextually aware approach makes them a formidable adversary within their operational sphere.
The group’s targeting primarily focuses on South American entities, with a notable emphasis on Colombia, but their reach extends to Ecuador, Chile, Panama, and occasionally to Spain and Brazil. They cast a wide net across critical sectors, including government institutions (ministries, tax authorities like DIAN, judicial branches, law enforcement, immigration), financial services, telecommunications providers, energy, oil and gas, professional manufacturing, healthcare, and educational institutions. Their espionage objectives center on collecting intelligence for political and strategic purposes, while their financial motivations involve stealing credentials and sensitive data, often to be sold on dark web markets.
Tactics & Techniques
APT-C-36’s operational methodology is characterized by simplicity, consistency, and adaptability. Initial access almost universally begins with highly targeted spear-phishing campaigns. These emails are meticulously crafted, often impersonating legitimate government bodies such as Colombia’s National Directorate of Taxes and Customs (DIAN), the Ministry of Foreign Affairs, the Ministry of Transport, or the Judicial Branch. They also frequently mimic financial institutions, urging recipients to address “outstanding obligations” or respond to legal notifications.
These phishing lures typically contain malicious attachments, such as PDF or Word documents, or embedded malicious URLs. The group has also been observed exploiting vulnerabilities like CVE-2024-43451, an NTLMv2 hash disclosure vulnerability, through malicious .URL files. For payload delivery and command and control (C2), APT-C-36 heavily abuses legitimate internet services (LIS) like Google Drive, Dropbox, MediaFire, Discord’s Content Delivery Network (CDN), Paste.ee, GitHub, and BitBucket. They further obfuscate their infrastructure using URL shorteners like Geo Targetly and cort.as, and dynamic DNS (DDNS) services such as DuckDNS, noip.com, con-ip.com, and ydns.eu.
Upon execution, the infection chain often involves multi-stage processes using VBScript, PowerShell, and JavaScript for fileless execution, downloading subsequent payloads directly into memory to evade disk-based detection. Persistence is achieved through modifications to Windows Registry keys and the creation of scheduled tasks, sometimes disguised as legitimate Google tasks.
APT-C-36 employs various evasion techniques, including extensive obfuscation using tools like ConfuserEx, junk characters, and Base64 encoding. Payloads are often compressed (ZIP, LHA, UUE) and password-protected to bypass security scans. A notable tactic is the use of steganography, embedding malicious code within benign image files, and extracting it directly in memory. They also utilize geolocation filtering, redirecting traffic not originating from target regions (e.g., Colombia or Ecuador) to harmless sites, complicating analysis by external researchers. The group continuously rotates its C2 infrastructure with frequent new domain registrations and temporary servers to avoid blacklisting, often using HTTPS and cloud-based C2 communications to blend with normal network traffic.
Notable Campaigns
APT-C-36 has maintained a consistent operational tempo since its emergence in 2018. Early campaigns focused on government institutions and financial sectors in Colombia.
In 2023, the group conducted a significant Tax Authority Phishing Campaign, impersonating Colombia’s DIAN and using PDF attachments to deliver AsyncRAT, aiming to extract credentials from government employees. This campaign also reportedly expanded its victimology footprint to include healthcare, law enforcement, and immigration entities in Colombia, Ecuador, Chile, and Spain.
During 2024, they were implicated in a new wave of phishing emails targeting banking networks across South America, using fake legal notifications as lures to achieve data exfiltration and lateral movement within internal banking systems.
Recent intelligence from 2024 and 2025 indicates intensified operations, particularly against Colombian government entities at local, municipal, and federal levels. A campaign in early 2025 targeted Latin American government and telecom infrastructure through spear-phishing, leveraging WebDAV payloads and dynamic DNS. A more recent campaign in September 2025 targeted a Colombian government agency under the Ministry of Commerce, Industry and Tourism, deploying Caminho downloader and DCRat, likely from a compromised internal email account to bypass security controls.
Associated Malware & Tools
APT-C-36 predominantly relies on a diverse arsenal of commodity and open-source Remote Access Trojans (RATs), customizing them for their campaigns. Key RATs observed include AsyncRAT, QuasarRAT, BitRAT, njRAT, LimeRAT, Remcos RAT, DCRat, Imminent Monitor, Warzone RAT, Gh0stCringe, XWorm, ProyectoRAT, and BlotchyQuasar.
Beyond RATs, the group employs custom droppers, PowerShell loaders, and JavaScript stagers as part of their multi-stage infection chains. Recent campaigns in late 2025 have shown the use of Caminho, a downloader malware, and HijackLoader. They also utilize crypters and packers like HeartCrypt, PureCrypter, and ConfuserEx to obfuscate their malware and enhance evasion capabilities, sometimes leveraging “crypter-as-a-service” offerings.
Current Status
APT-C-36 remains an active and evolving threat in Latin America. Throughout 2024, 2025, and into 2026, reports consistently highlight their ongoing campaigns and adaptive strategies. They continue to refine their operational security (OPSEC), demonstrating improvements in infrastructure rotation, increased use of encryption, and tool diversification to reduce traceability and lower development costs.
Their persistent in-context targeting and mastery of social engineering remain their most significant strengths, allowing them to bypass traditional defenses despite not always employing the most advanced custom malware. The group’s evolution reflects a maturing cyber threat landscape in Latin America, emphasizing the critical need for regional organizations to adopt robust, proactive defenses, including enhanced email filtering, continuous threat intelligence integration, and user awareness training. Their continued activity and adaptation suggest that APT-C-36 will remain a significant concern for government, financial, and critical infrastructure entities in South America for the foreseeable future.
Related content
Gorgon Group (G0078): Hybrid Threat Actor Profile
Adversary ProfileMolerats (G0021): Persistent Cyber Espionage in the Middle East
Adversary ProfilePatchwork (G0040): A Persistent Indian Cyber Espionage Threat
Adversary ProfileGroup5 (G0043): Persistent Iranian-Linked Espionage Targeting Syrian Opposition
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call