Additional sample found in Recorded Future Malware Intelligence (Source: Recorded Future)
Insikt Group has released new findings on TAG-144, also known as Blind Eagle, AguilaCiega, APT-C-36, or APT-Q-98, detailing five distinct activity clusters that have been active across 2024 and 2025. The clusters reveal an adaptable and persistent threat group that continues to target Colombian government institutions at local, municipal, and federal levels, while also impacting private and non-governmental entities.
The report highlights that “Insikt Group has identified five distinct activity clusters linked to TAG-144 (also known as Blind Eagle). These clusters have operated at various times throughout 2024 and 2025, targeting a significant number of victims, primarily within the Colombian government across local, municipal, and federal levels.”
TAG-144 is leveraging a broad range of tools and infrastructure:
- Commodity and cracked RATs such as AsyncRAT, REMCOS RAT, LimeRAT, DcRAT, njRAT, and Quasar variants like BlotchyQuasar.
- Dynamic DNS services like DuckDNS, NoIP, and Con-IP to mask malicious infrastructure.
- Legitimate Internet Services (LIS) including GitHub, Discord, Bitbucket, Google Drive, and Paste.ee for malware staging and payload delivery.
- Steganography, embedding malicious code within image files to bypass detection.
Insikt Group noted that TAG-144 “appears to maintain an extensive operational infrastructure, comprising virtual private servers (VPS), IP addresses within Colombian ISP ranges, and servers that appear to function as VPN servers.”
Initial access is most commonly achieved via spearphishing emails impersonating Colombian authorities, often themed around debt collection and judicial notifications. The emails use shortened URLs (cort[.]as, acortaurl[.]com, gtly[.]to) and geo-fencing techniques to restrict malicious payload access to Colombian or Ecuadorian IP ranges, while redirecting outsiders to legitimate government websites.
The threat group has also been observed using compromised government email accounts to deliver phishing campaigns, significantly boosting credibility. Insikt Group reported, “various compromised Colombian government email accounts likely used in spearphishing campaigns” were tied to TAG-144 operations.
Once victims engage, the infection chain typically involves:
- Malicious attachments or URLs that load obfuscated PowerShell or JavaScript.
- Staging of payloads via LIS or free hosting platforms.
- Deployment of RATs enabling remote control, credential theft, keylogging, and surveillance.
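As an added defensive illustration (not code from Insikt Group or the report), the following Python sweep turns the infrastructure traits listed above into a proxy-log check: it flags clients that reached the named URL shorteners or dynamic-DNS zones, and records staging-service hits for the same client. The log format, the dynamic-DNS suffix list, and the sample lines are assumptions constructed for this example.

```python
"""Flag proxy-log URLs matching the infrastructure patterns described for TAG-144."""
from urllib.parse import urlparse

# Shortener domains taken from the report summary above.
URL_SHORTENERS = {"cort.as", "acortaurl.com", "gtly.to"}
# Hostname suffixes for the dynamic DNS providers named; which zones each
# provider hands out is an assumption, so extend this for your environment.
DYNAMIC_DNS_SUFFIXES = (".duckdns.org", ".no-ip.org", ".ddns.net", ".hopto.org", ".con-ip.com")
# Legitimate Internet Services used for staging: benign on their own, so they only
# add weight when a stronger indicator is seen from the same client.
STAGING_HOSTS = {"github.com", "raw.githubusercontent.com", "bitbucket.org",
                 "cdn.discordapp.com", "drive.google.com", "paste.ee"}
STRONG_TAGS = {"url_shortener", "dynamic_dns"}


def classify_url(url):
    """Return the set of indicator tags that apply to one URL."""
    host = (urlparse(url).hostname or "").lower()
    tags = set()
    if host in URL_SHORTENERS:
        tags.add("url_shortener")
    if host.endswith(DYNAMIC_DNS_SUFFIXES):
        tags.add("dynamic_dns")
    if host in STAGING_HOSTS:
        tags.add("lis_staging")
    return tags


def scan_proxy_log(lines):
    """Parse 'timestamp client_ip url' lines (assumed format) and return, per client,
    the tags and URLs seen, keeping only clients with at least one strong indicator."""
    per_client = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of aborting the sweep
        ts, client, url = parts
        tags = classify_url(url)
        if tags:
            entry = per_client.setdefault(client, {"first_seen": ts, "tags": set(), "urls": []})
            entry["tags"] |= tags
            entry["urls"].append(url)
    return {c: e for c, e in per_client.items() if e["tags"] & STRONG_TAGS}


# Constructed sample log (not real traffic); the client IPs are RFC 5737 test addresses.
SAMPLE_LOG = """2025-05-06T14:02:11Z 192.0.2.10 https://cort.as/notificacion-judicial
2025-05-06T14:02:13Z 192.0.2.10 https://raw.githubusercontent.com/user/repo/main/loader.txt
2025-05-06T14:02:40Z 192.0.2.10 https://actualizacion.duckdns.org:4782/
2025-05-06T14:05:02Z 192.0.2.55 https://drive.google.com/file/d/abc123/view
2025-05-06T14:06:00Z 192.0.2.77 https://www.example.gov.co/impuestos""".splitlines()

if __name__ == "__main__":
    for client, finding in scan_proxy_log(SAMPLE_LOG).items():
        print(client, sorted(finding["tags"]), finding["first_seen"])
```

Because the report notes the shortened links are geo-fenced to Colombian and Ecuadorian address space, detonating a flagged link from a sandbox outside that space will show only the decoy government page, so a "benign" verdict from such a detonation does not clear the client.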
While Blind Eagle has occasionally conducted operations in Ecuador, Chile, Panama, and Spanish-speaking regions of North America, its primary focus remains Colombia. The group has persistently targeted:
- Government institutions, especially judiciary and tax authorities.
- Financial entities and banks.
- Energy and petroleum companies.
- Organizations across education, healthcare, manufacturing, and retail.
As the report states, “TAG-144’s primary focus appears to be on credential theft, evidenced by banking-related keylogging and browser monitoring, alongside indications of espionage, such as persistently targeting government entities and using modified RATs with surveillance functions.”
The Insikt Group analysis also points to operational overlaps with another cluster, Red Akodon, tracked by SCILabs. Both groups share tooling (AsyncRAT, REMCOS RAT, QuasarRAT, XWorm) and rely on spearphishing tied to Colombian judicial institutions. Insikt Group noted the use of GitHub, Bitbucket, and Pastebin accounts linked to Colombian themes, suggesting either direct collaboration or shared access to tool developers.
Blind Eagle exemplifies the blurring lines between cybercrime and espionage in Latin America. The report stresses, “TAG-144 exemplifies the increasingly blurred lines between cybercrime and espionage, a trend that has become more prominent in the coming year.”
This persistence highlights how well-established methods remain effective even without cutting-edge exploits, especially when tailored to regional languages, cultural cues, and compromised local infrastructure.