Persistent cyber operations by TAG-144 (Blind Eagle) continue to target South American, primarily Colombian, government entities through advanced spearphishing and RAT-based malware campaigns. Explore the latest threat clusters, TTPs, and mitigation strategies.
Analysis Summary
# Threat Actor: TAG-144 (Blind Eagle)
## Attribution & Identity
**Aliases:** Blind Eagle, AguilaCiega, APT-C-36, and APT-Q-98.
**Known Associations:** Further evidence links TAG-144 to the threat group Red Akodon.
**Active Since:** At least 2018.
## Activity Summary
TAG-144 has been tracked across five distinct activity clusters operating throughout 2024 and 2025. The group primarily targets organizations within **Colombia** at the local, municipal, and federal government levels. Its activity blends cyber-espionage with financially driven motives and places a strong emphasis on credential theft (keylogging, browser monitoring). Initial access is achieved mainly through spearphishing emails that impersonate Colombian government entities (e.g., debt-collection or judicial-notification lures), in some cases sent from compromised Colombian government email accounts.
## Tactics, Techniques & Procedures
- **Infection Chain:** Leverages a multi-stage infection chain utilizing an expanding set of Legitimate Internet Services (LIS) for staging.
- **Obfuscation:** Uses steganography to obscure malicious content and evade detection.
- **Infrastructure Use:** Employs dynamic DNS providers (DuckDNS most prominently), VPS hosts, and servers that appear to function as VPN endpoints; hostnames are registered through services such as _duckdns[.]org_, _noip[.]com_, and _con-ip[.]com_.
- **Evasion:** Employs geo-fencing so that requests from outside specific South American countries (Colombia/Ecuador) are blocked or redirected elsewhere. A sample detonated from an out-of-region sandbox may therefore retrieve only a benign page; verify staging URLs through an in-region egress, or against traffic captured from a real victim, before judging them clean.
- **Specific TTPs (MITRE ATT&CK):**
  - Initial Access: Phishing: Spearphishing Link (T1566.002)
  - Execution: Command and Scripting Interpreter: PowerShell (T1059.001)
  - Discovery: System Information Discovery (T1082), Query Registry (T1012)
  - Defense Evasion: Modify Registry (T1112)
  - Command and Control: Application Layer Protocol: Web Protocols (T1071.001); Encrypted Channel: Symmetric Cryptography (T1573.001) and Asymmetric Cryptography (T1573.002); Ingress Tool Transfer (T1105)
  - Resource Development: Acquire Infrastructure: Domains (T1583.001), Virtual Private Server (T1583.003), Server (T1583.004), Malvertising (T1583.008); Compromise Infrastructure: Server (T1584.004)
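The report states that TAG-144 hides malicious content with steganography but does not describe the embedding method. As an added example (not code from the report or from the actor's tooling), the following Python check performs the cheapest triage an analyst can run on suspect images: parse the PNG chunk list and return any bytes appended after the IEND chunk, then note whether they decode as base64 text. It assumes nothing about the actor's actual technique beyond the PNG container format; the carrier image and the appended payload are constructed for the demonstration, and a payload embedded in pixel data (LSB steganography) would not be caught by this check.

```python
"""Triage check: does an image file carry bytes appended after its last chunk?

Added example for this page; it is not the report's or the actor's code.
It assumes only the PNG container format. Payloads embedded in pixel data
(LSB steganography) are NOT detected here and need image-aware tooling.
"""
import base64
import binascii
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def minimal_png() -> bytes:
    """Build a valid 1x1 RGB PNG to serve as a constructed carrier image."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 8-bit RGB, no interlace
    idat = zlib.compress(b"\x00\xff\x00\x00")            # filter byte + one red pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def png_trailing_data(blob: bytes) -> bytes:
    """Walk the chunk list and return every byte that follows the IEND chunk.

    A well-formed PNG ends at IEND, so anything after it is foreign data.
    Raises ValueError for non-PNG or truncated input; an 'image' that does
    not parse is itself worth a look.
    """
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG (bad signature)")
    pos = len(PNG_SIG)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length          # header (8) + data + CRC (4)
        if end > len(blob):
            raise ValueError("truncated chunk %r" % ctype)
        pos = end
        if ctype == b"IEND":
            return blob[pos:]
    raise ValueError("no IEND chunk found")


def describe_trailer(trailer: bytes) -> dict:
    """Summarise appended bytes: size, and whether they are valid base64 text
    (a cheap hint that a text-encoded second stage was tacked on)."""
    info = {"size": len(trailer), "base64": False}
    if trailer:
        try:
            base64.b64decode(trailer.strip(), validate=True)
            info["base64"] = True
        except (binascii.Error, ValueError):
            pass
    return info


def triage(blob: bytes) -> dict:
    """Combine both checks into one verdict for a file's bytes."""
    trailer = png_trailing_data(blob)
    report = describe_trailer(trailer)
    report["suspicious"] = report["size"] > 0
    return report


# Constructed inputs for the demonstration (not samples from the campaign).
CARRIER = minimal_png()
SAMPLE_PAYLOAD = base64.b64encode(b"placeholder second-stage bytes")
SUSPICIOUS = CARRIER + SAMPLE_PAYLOAD

if __name__ == "__main__":
    print("clean carrier:", triage(CARRIER))
    print("with appendix:", triage(SUSPICIOUS))
```

Run this over attachments, files pulled from the legitimate-internet-service staging URLs, and images dropped in user profile directories; a non-zero trailer is a reason to pull the file for manual analysis, not proof of infection on its own.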
## Targeting
**Sectors:** Government (local, municipal, federal), Judiciary, Tax Authorities, Financial entities, Petroleum and Energy companies, Education, Healthcare, and Professional Services.
**Geography:** Primarily Colombia, with additional activity noted in Ecuador, Chile, and Panama. Occasional campaigns target Spanish-speaking users in North America.
**Victims:** Numerous victims primarily within the Colombian government structure.
## Tools & Infrastructure
**Malware Families Used:**
* Open-source and cracked Remote Access Trojans (RATs), including AsyncRAT, DcRAT, Remcos RAT, XWorm, and LimeRAT.
**Infrastructure:**
* Virtual Private Servers (VPS).
* IP addresses within Colombian ISP ranges (e.g., AS13489).
* Servers appearing to function as VPN servers.
* Domains hosted on dynamic DNS services: _duckdns[.]org_, _noip[.]com_, _con-ip[.]com_.
* URL shorteners historically used: _cort[.]as_, _acortaurl[.]com_, and _gtly[.]to_.
* **Example IoCs (defanged):**
* IPs associated with RATs: _181[.]131[.]216[.]206_, _181[.]131[.]218[.]182_, _181[.]131[.]219[.]42_, _45[.]135[.]232[.]38_, _46[.]246[.]82[.]9_, _89[.]117[.]23[.]25_, _178[.]73[.]218[.]8_, _181[.]235[.]3[.]0_, _191[.]93[.]113[.]151_.
* Domains (DuckDNS): _ansy10jun[.]duckdns[.]org_, _ansy1703[.]duckdns[.]org_, _asegurar2octubre[.]duckdns[.]org_, _gotemburgoxm[.]duckdns[.]org_, _romanovas[.]duckdns[.]org_.
## Implications
TAG-144 demonstrates persistence and adaptability: the five tracked clusters vary in operational detail while adhering to the same core TTPs. The heavy concentration on Colombian government targets is consistent either with state-aligned espionage or with financially motivated operations against public funds and data. The continued use of legitimate internet services and open-source or cracked RATs keeps the actor's costs low and allows high-volume targeting.
## Mitigations
- Block the IP addresses and domains associated with the identified RATs and infrastructure, treating them as time-bounded indicators: several of the addresses sit in ISP ranges and the dynamic DNS names can be re-registered, so review the list periodically rather than keeping it static.
- Flag, and where feasible block, connections to unusual Legitimate Internet Services (LIS) used for payload staging.
- Deploy updated detection rules (YARA, Sigma, Snort) tuned for current and historic infections involving the RATs listed above.
- Implement email filtering capable of analyzing attachments and links from phishing campaigns, especially messages that impersonate Colombian authorities or arrive from Colombian government domains, since the actor also sends from compromised government accounts.
- Deploy data exfiltration monitoring to detect unauthorized data movement.
- Continuously monitor the environment for activity matching this actor, given its history of adapting to defensive controls.
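Added example (not part of the report): the following Python code turns the defanged indicators listed in the Tools & Infrastructure section into a matcher and runs it over constructed proxy-log lines, covering the first two mitigations above. An exact hit on a listed IP or hostname is scored high confidence, while traffic to the dynamic DNS providers and URL shorteners the report names is scored lower, because those services also carry legitimate traffic and should be triaged rather than blocked outright. The log format (`timestamp src_ip dest_host dest_ip`) and every sample line are constructed for the example; 203.0.113.0/24 is documentation address space.

```python
"""Match proxy-log lines against the TAG-144 indicators listed on this page.

Added example for this page, not the report's own tooling. The log format
('timestamp src_ip dest_host dest_ip', one connection per line) and every
sample line are constructed for the demonstration.
"""
import ipaddress
from typing import List, Optional, Tuple

# Indicators copied from the report, defanged exactly as published.
DEFANGED_IPS = [
    "181[.]131[.]216[.]206", "181[.]131[.]218[.]182", "181[.]131[.]219[.]42",
    "45[.]135[.]232[.]38", "46[.]246[.]82[.]9", "89[.]117[.]23[.]25",
    "178[.]73[.]218[.]8", "181[.]235[.]3[.]0", "191[.]93[.]113[.]151",
]
DEFANGED_DOMAINS = [
    "ansy10jun[.]duckdns[.]org", "ansy1703[.]duckdns[.]org",
    "asegurar2octubre[.]duckdns[.]org", "gotemburgoxm[.]duckdns[.]org",
    "romanovas[.]duckdns[.]org",
]
# Services the report names. Any hostname under them is a heuristic signal
# only: these providers also carry plenty of legitimate traffic.
DYNDNS_PROVIDERS = ("duckdns.org", "noip.com", "con-ip.com")
URL_SHORTENERS = ("cort.as", "acortaurl.com", "gtly.to")


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


IOC_IPS = {ipaddress.ip_address(refang(ip)) for ip in DEFANGED_IPS}
IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}


def _zone_of(host: str, zones: Tuple[str, ...]) -> Optional[str]:
    """Return the zone that host equals or sits under, else None."""
    for zone in zones:
        if host == zone or host.endswith("." + zone):
            return zone
    return None


def classify(host: str, dest_ip: str) -> Optional[Tuple[str, str]]:
    """Score one connection as (severity, reason), or None if nothing matched.

    Order matters: a listed IP or hostname is checked before the weaker
    provider heuristics, so a known C2 name on a dynamic DNS zone is reported
    as 'high', not diluted to 'medium'.
    """
    host = host.lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(dest_ip)
    except ValueError:
        ip = None
    if ip in IOC_IPS:
        return ("high", "listed C2 IP %s" % ip)
    if host in IOC_DOMAINS:
        return ("high", "listed C2 domain %s" % host)
    zone = _zone_of(host, DYNDNS_PROVIDERS)
    if zone:
        return ("medium", "dynamic DNS provider %s used by the actor" % zone)
    zone = _zone_of(host, URL_SHORTENERS)
    if zone:
        return ("low", "URL shortener %s historically used by the actor" % zone)
    return None


def scan(lines) -> List[Tuple]:
    """Parse the constructed log format and return one tuple per matching line."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, host, dest_ip = line.split()
        verdict = classify(host, dest_ip)
        if verdict:
            hits.append((ts, src, host, dest_ip) + verdict)
    return hits


# Constructed sample lines (not real telemetry); 203.0.113.0/24 is documentation space.
SAMPLE_LOG = """
# timestamp src_ip dest_host dest_ip
2025-09-03T14:02:11Z 10.0.5.23 ansy1703.duckdns.org 181.131.216.206
2025-09-03T14:05:02Z 10.0.5.41 gotemburgoxm.duckdns.org 203.0.113.10
2025-09-03T14:06:30Z 10.0.5.41 somethingelse.duckdns.org 203.0.113.11
2025-09-03T14:07:15Z 10.0.5.77 cort.as 203.0.113.12
2025-09-03T14:08:00Z 10.0.5.77 www.example.com 203.0.113.13
2025-09-03T14:09:00Z 10.0.5.77 notduckdns.org 203.0.113.14
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(*hit)
```

The same two lists are what a Sigma or Snort rule for this actor would carry; keep them in one place and date them, since the dynamic DNS names and ISP-range addresses rotate. The second sample line matters: the hostname still matches even after the name resolves to a new address, which is why the matcher checks names as well as IPs.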