
Cybersecurity researchers have identified five distinct activity clusters linked to a persistent threat actor known as Blind Eagle between May 2024 and July 2025.
The attacks, observed by Recorded Future's Insikt Group, hit a variety of victims but were primarily aimed at Colombian government entities at the local, municipal and federal levels. The threat intelligence company tracks the activity under the name TAG-144.
“The clusters share similar tactics, techniques and procedures (TTPs), including open-source and cracked remote access trojans (RATs), dynamic domain providers, and staging on legitimate internet services (LIS), but differ significantly in infrastructure, malware deployment, and other aspects of operation.”
Blind Eagle has a history of targeting South American organizations since at least 2018, with attacks reflecting both cyber-espionage and financially driven motivations. This is borne out by recent campaigns that include banking-related keylogging and browser monitoring, as well as the targeting of government agencies using various remote access trojans (RATs).

The group's targets include judicial and tax authorities, as well as entities in the financial, oil, energy, education, healthcare, manufacturing and professional services sectors. Its operations span Spanish-speaking users in Colombia, Ecuador, Chile, Panama and, in some cases, North America.
Attack chains typically impersonate local government agencies to lure recipients into opening malicious documents or clicking hidden links behind URL shorteners such as cort[.]as, acortaurl[.]com, and gtly[.]to.
Blind Eagle also uses geofencing tricks: users who attempt to reach the attacker-controlled infrastructure from outside Colombia or Ecuador are redirected to official government websites. The messages themselves are sent using compromised email accounts.

“TAG-144's command-and-control (C2) infrastructure often includes IP addresses from Colombian ISPs alongside virtual private servers (VPSs) such as Proton666 and VPN services such as Powerhouse Management, FrootVPN, and TorGuard. This setup is further supported by the use of dynamic DNS services, including duckdns[.]org, ip-ddns[.]com, and noip[.]com.”
The threat group also uses legitimate internet services to stage malicious payloads and evade detection, including Bitbucket, Discord, Dropbox, GitHub, Google Drive, the Internet Archive, lovestoblog.com, Paste.ee, Tagbox, and a lesser-known Brazilian image hosting website.
A recent campaign mounted by the threat actor employs Visual Basic Script files as droppers that execute dynamically generated PowerShell scripts at runtime. These reach out to an external server to download injector modules responsible for loading LimeRAT, DCRat, AsyncRAT, or Remcos RAT.
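As an added example (not code from the article, Recorded Future, or the threat actor), the following Python script shows one way a defender could surface the VBS-to-PowerShell hand-off described above in process-creation telemetry. The event layout, process IDs and command lines are constructed for the demo; the field names mirror what a Sysmon Event ID 1 or EDR record would carry but are an assumption, not a specific product's schema.

```python
from __future__ import annotations

import re

# Added example (not from the article or Recorded Future): a small
# process-tree check for a script host (wscript/cscript) spawning PowerShell
# with an encoded command, a hidden window, or a download cradle.

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# PowerShell accepts abbreviated parameter names, so match the common forms
# (-e, -ec, -enc, -encodedcommand; -w/-win/-windowstyle hidden).
ENCODED_CMD = re.compile(r"(?i)(?<!\S)-e(?:nc(?:odedcommand)?|c)?(?=\s)")
HIDDEN_WINDOW = re.compile(r"(?i)(?<!\S)-w(?:in|indowstyle)?\s+hidden\b")
DOWNLOAD_CRADLE = re.compile(
    r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|invoke-expression"
)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_powershell_children(events: list[dict]) -> dict[int, list[str]]:
    """Return {pid: reasons} for PowerShell processes worth an analyst's attention."""
    by_pid = {e["pid"]: e for e in events}
    flagged: dict[int, list[str]] = {}
    for e in events:
        if basename(e["image"]) not in POWERSHELL:
            continue
        reasons: list[str] = []
        parent = by_pid.get(e["ppid"])
        if parent and basename(parent["image"]) in SCRIPT_HOSTS:
            reasons.append(f"spawned by script host {basename(parent['image'])}")
        cmd = e["cmd"]
        if ENCODED_CMD.search(cmd):
            reasons.append("encoded command line")
        if HIDDEN_WINDOW.search(cmd):
            reasons.append("hidden window")
        if DOWNLOAD_CRADLE.search(cmd):
            reasons.append("download/execute cradle")
        if reasons:
            flagged[e["pid"]] = reasons
    return flagged


# Constructed telemetry. The -enc argument decodes to the harmless
# UTF-16LE string "ABC"; pid 400 is a benign scheduled script for contrast.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\ana\Downloads\factura.vbs"'},
    {"pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -enc QQBCAEMA"},
    {"pid": 400, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    for pid, reasons in flag_powershell_children(SAMPLE_EVENTS).items():
        print(pid, "; ".join(reasons))
```

The parent-child relationship is the strongest signal here; the command-line patterns on their own are common in legitimate administration, so a production rule would normally require the script-host parent plus at least one of the other indicators, as the reasons list lets you do.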
Regional focus aside, the hacking group has consistently relied on the same techniques since its emergence, highlighting that “established methods” continue to yield high success rates in the region.

A Recorded Future analysis of Blind Eagle's campaigns identified five activity clusters:
Cluster 1 (February to July 2025), which targets Colombian government agencies and delivers DCRat, AsyncRAT, and Remcos RAT.
Cluster 2, associated with Remcos RAT.
Cluster 4 (May 2024 to February 2025), which is linked to malware and phishing infrastructure attributed to TAG-144, with phishing pages mimicking Banco Davivienda, Bancolombia, and BBVA.
Cluster 5 (March to July).
The digital missives used in these campaigns come with an SVG attachment that contacts the Discord CDN to fetch a JavaScript payload, which in turn retrieves a PowerShell script from Paste.ee. That PowerShell script decodes and runs another PowerShell payload that retrieves JPG images hosted on the Internet Archive and extracts embedded .NET assemblies from them.
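The following added example (not from the article or Recorded Future) triages two attachment types from this delivery chain from a defender's side: an SVG carrying script, event handlers or external references, and a JPEG with a Windows PE/.NET image appended after the end-of-image marker. All sample files are constructed inline; the PE header it builds is a skeleton containing only the fields the check reads, and the file names are placeholders.

```python
from __future__ import annotations

import re
import struct
import xml.etree.ElementTree as ET

# Added example (not code from the article or from Recorded Future): static
# triage of an SVG attachment and of a JPEG that carries a PE/.NET image
# after its EOI marker. All sample data below is constructed.

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
EXTERNAL_REF = re.compile(r"(?i)^\s*(?:https?:|javascript:)")


def svg_findings(data: bytes) -> list[str]:
    """Flag <script> elements, on* event handlers and external hrefs in an SVG."""
    findings: list[str] = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["svg: not well-formed XML"]
    for elem in root.iter():
        tag = elem.tag.split("}")[-1].lower()          # strip XML namespace
        if tag == "script":
            findings.append("svg: embedded <script> element")
        for attr, value in elem.attrib.items():
            name = attr.split("}")[-1].lower()
            if name.startswith("on"):
                findings.append(f"svg: event handler {name}")
            elif name == "href" and EXTERNAL_REF.match(value):
                findings.append(f"svg: external reference {value.strip()}")
    return findings


def trailing_pe_offset(data: bytes) -> int | None:
    """Offset of a DOS/PE header located after the JPEG EOI marker, else None."""
    if not data.startswith(JPEG_SOI):
        return None
    eoi = data.find(JPEG_EOI)
    if eoi == -1:
        return None
    mz = data.find(b"MZ", eoi + 2)
    while mz != -1:
        if mz + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, mz + 0x3C)[0]
            pe = mz + e_lfanew
            if data[pe:pe + 4] == b"PE\0\0":
                return mz
        mz = data.find(b"MZ", mz + 1)
    return None


def is_dotnet(data: bytes, mz: int) -> bool:
    """True if the PE at `mz` has a non-empty CLR runtime header (data directory 14)."""
    pe = mz + struct.unpack_from("<I", data, mz + 0x3C)[0]
    opt = pe + 24                                     # PE sig (4) + COFF header (20)
    if opt + 2 > len(data):
        return False
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_base = {0x10B: 96, 0x20B: 112}.get(magic)     # PE32 vs PE32+ data-directory start
    if dir_base is None:
        return False
    clr = opt + dir_base + 14 * 8
    if clr + 8 > len(data):
        return False
    _va, size = struct.unpack_from("<II", data, clr)
    return size != 0


def triage_attachment(name: str, data: bytes) -> list[str]:
    """Dispatch on attachment type and return human-readable findings."""
    if name.lower().endswith(".svg"):
        return svg_findings(data)
    if data.startswith(JPEG_SOI):
        mz = trailing_pe_offset(data)
        if mz is None:
            return []
        kind = ".NET assembly" if is_dotnet(data, mz) else "PE image"
        return [f"jpeg: {kind} appended at offset {mz}"]
    return []


# Constructed samples: an SVG with script content and a 22-byte JPEG
# (SOI, one JFIF APP0 segment, EOI, no scan data).
SAMPLE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <script>/* constructed sample, no real payload */</script>
  <image xlink:href="https://example.invalid/stage2" onload="f()"/>
</svg>"""
SAMPLE_JPEG = (JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               + JPEG_EOI)


def build_sample_jpeg_with_pe() -> bytes:
    """Append a skeletal PE32 header with a CLR directory entry to SAMPLE_JPEG."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)                              # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 72)   # CLR header VA/size
    return SAMPLE_JPEG + bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    print(triage_attachment("factura.svg", SAMPLE_SVG))
    print(triage_attachment("photo.jpg", SAMPLE_JPEG))
    print(triage_attachment("photo.jpg", build_sample_jpeg_with_pe()))
```

Looking past the EOI marker matters because image viewers stop there, so a valid-looking picture can carry an arbitrary trailer; checking for the PE signature at e_lfanew rather than just the two bytes "MZ" keeps false positives from random data low.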

Interestingly, the cracked version of AsyncRAT used in the attacks has previously been observed in connection with intrusion activity mounted by the threat actors Red Akodon and Shadow Vector, both of which have targeted Colombia over the past year.
Nearly 60% of the Blind Eagle activity observed during the analysis targeted the government sector, followed by the education, healthcare, retail, transportation, defense and oil verticals.
“TAG-144 targets other sectors and may be linked to intrusions in additional South American countries such as Ecuador and against Spanish-speaking victims in the US, but its main focus has consistently remained Colombia, particularly government entities,” Recorded Future said.
“This persistent targeting raises questions about the true motivations of the threat group, such as whether it operates solely as a financially driven threat actor that leverages established tools, techniques, and monetization strategies.”