G0099: APT-C-36
APT-C-36 is a suspected South American threat group that has engaged in espionage and financially motivated operations since at least 2018. APT-C-36 has targeted government institutions and entities in the financial, energy, and professional manufacturing sectors across Colombia and other Latin American countries.[1][2][3][4]
Analyst context for executives and security teams
APT-C-36, also known as Blind Eagle, TAG-144, AguilaCiega, and APT-Q-98, is described by ATT&CK as a suspected South American threat group associated with espionage and financially motivated operations targeting government, financial, energy, and professional manufacturing entities in Colombia and other Latin American countries. The practical concern for leaders is not just the group name; it is the mix of user-driven execution, remote access tooling, obfuscation, and persistence techniques that can turn a phishing or remote-access event into a business disruption or sensitive-data incident.
Executive priority
Organizations with operations, suppliers, customers, or regulated data exposure in Latin America should treat this as a readiness test for identity controls, endpoint visibility, email/web defense, and incident response. Budget and audit conversations should focus on whether the organization can prove control coverage for malicious links, externally accessible remote services, Windows execution paths, scheduled tasks, WMI, and commodity RAT activity. Because the ATT&CK object includes both espionage and financially motivated operations, incident decision-making should account for confidentiality risk as well as operational continuity.
Technical view
ATT&CK does not provide an official detection section for this group, but relationships identify associated software and techniques. Defenders should validate telemetry and detections around Windows-heavy remote access tooling such as QuasarRAT, Remcos, njRAT, Imminent Monitor, AsyncRAT, DCRAT, PureCrypter, Caminho, and HeartCrypt, while noting the group object itself does not specify platforms. Technique relationships point to malicious links, PowerShell, Visual Basic, JavaScript, WMI, scheduled tasks, external remote services, ingress tool transfer, masquerading, process hollowing, and obfuscated or encoded files. SOC and IR teams should prioritize behavior-chain detection over single indicators because several related tools are commodity or dual-use and may be packed or obfuscated.
Likely telemetry
- Email security and web proxy records for malicious-link delivery and click-through activity
- Endpoint process creation telemetry, including PowerShell, script hosts, WMI, schtasks, and unusual child-process chains
- Windows scheduled task creation, modification, and execution logs
- Authentication and access logs for VPN, remote access gateways, and other external remote services
- EDR telemetry for process injection or process hollowing behaviors
Detection direction
- Validate whether detections correlate user link activity with subsequent script execution, payload download, scheduled task creation, or RAT-like network behavior.
- Tune PowerShell, WMI, Visual Basic, and JavaScript detections to distinguish routine administration from unusual execution paths, encoded content, network retrieval, or suspicious parent-child processes.
- Review monitoring of externally exposed remote services for anomalous logins, persistence use, and credential misuse; do not rely only on perimeter allow/block decisions.
- Hunt for masqueraded tasks, services, files, and resource names that approximate legitimate Windows components or trusted locations.
- Account for false positives from legitimate remote administration tools, scheduled enterprise jobs, software deployment systems, and administrative scripts.
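The detection directions above, as an added example that is not part of the ATT&CK page or any vendor's content: a small Python detector over constructed Sysmon-style process-creation events that scores WMI-launched PowerShell, Google-lookalike scheduled tasks, and the link-to-script-to-PowerShell-to-task chain. The event field layout, host names and command lines are assumptions.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation events: (host, ts_seconds, parent_image, image, cmdline).
EVENTS = [
    ("ws01", 100, "outlook.exe", "chrome.exe", 'chrome.exe "https://short.example/x"'),
    ("ws01", 130, "explorer.exe", "wscript.exe", "wscript.exe C:\\Users\\u\\Downloads\\factura.js"),
    ("ws01", 140, "wmiprvse.exe", "powershell.exe", "powershell.exe -w hidden -enc SQBFAFgA"),
    ("ws01", 150, "powershell.exe", "schtasks.exe", 'schtasks /create /tn "GoogleUpdateTaskMachineUA" /tr C:\\Users\\Public\\svc.exe /sc minute'),
    ("ws02", 200, "wmiprvse.exe", "powershell.exe", "powershell.exe -File C:\\ops\\inventory.ps1"),
    ("ws02", 210, "explorer.exe", "schtasks.exe", 'schtasks /create /tn "GoogleUpdateTaskMachineCore" /tr "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe"'),
]
# Ordered chain stages: T1204.001 link click -> T1059.005/.007 script host -> T1059.001 -> T1053.005.
STAGES = [{"chrome.exe", "msedge.exe", "firefox.exe"}, {"wscript.exe", "cscript.exe", "mshta.exe"},
          {"powershell.exe", "pwsh.exe"}, {"schtasks.exe"}]
SUSPICIOUS_PS = re.compile(r"-enc\w*|-w(indowstyle)?\s+hidden|downloadstring|invoke-webrequest|\biwr\b", re.I)

def wmi_powershell(ev):
    """T1047/T1059.001: WmiPrvSE spawning PowerShell with encoded, hidden or download arguments.
    A ShowWindow=0 set via Win32_ProcessStartup (T1564.003) leaves no command-line trace, so review bare pairs too."""
    _, _, parent, image, cmd = ev
    return parent == "wmiprvse.exe" and image == "powershell.exe" and bool(SUSPICIOUS_PS.search(cmd))

def google_task_masquerade(ev):
    """T1036.004/T1053.005: task name mimics Google's updater but its action runs outside Google's install path."""
    _, _, _, image, cmd = ev
    if image != "schtasks.exe" or "/create" not in cmd.lower():
        return False
    name = re.search(r'/tn\s+"?([^"\s]+)', cmd, re.I)
    action = re.search(r'/tr\s+"?([^"]+?)"?(?=\s+/|$)', cmd, re.I)
    if not name or not action or "google" not in name.group(1).lower():
        return False
    path = action.group(1).lower()
    return not ("\\program files" in path and "\\google\\" in path)

def chain_hits(events, window=120):
    """Per host: number of chain stages reached in order within `window` seconds; 3 or more is a hit."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[1]):
        by_host[ev[0]].append(ev)
    hits = {}
    for host, evs in by_host.items():
        for i, start in enumerate(evs):
            stage = reached = 0
            for ev in evs[i:]:
                if ev[1] - start[1] > window:
                    break
                nxt = [j for j in range(stage, len(STAGES)) if ev[3] in STAGES[j]]
                if nxt:                       # a later stage may be skipped, never revisited
                    stage, reached = nxt[0] + 1, reached + 1
            if reached >= 3:
                hits[host] = reached
                break
    return hits

def run(events):
    """Evaluate all rules; the dict is suitable for alert routing or unit tests."""
    return {"wmi_powershell": [e for e in events if wmi_powershell(e)],
            "google_task_masquerade": [e for e in events if google_task_masquerade(e)],
            "chains": chain_hits(events)}
```

The ws02 events model routine administration (a scripted inventory job and the real Google updater task) and produce no alerts, which is the false-positive case the list above asks teams to account for.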
Mitigation priorities
- Harden external remote services first: enforce strong authentication, limit exposure, review access paths, and retain sufficient logs for investigation.
- Reduce malicious-link execution risk through email/web controls, user reporting workflows, and safe handling of downloaded content.
- Constrain script and administrative execution paths where operationally feasible, including PowerShell, WMI, scheduled tasks, and script interpreters.
- Use least privilege and application control principles to limit installation and persistence of unauthorized remote access tools.
- Ensure endpoint protection and logging are configured to retain evidence of obfuscation, process injection, task creation, and tool transfer behaviors.
Analyst notes and limits
The relationship set makes this object useful for validating enterprise defensive coverage even though the group-level ATT&CK entry has no official detection text. The strongest local use is to map the listed techniques and associated software to existing SOC content, IR collection plans, and control evidence, especially for organizations with Latin America exposure or sector overlap with the described targeting.
Platforms and tactics are not specified on the group object, and ATT&CK provides no official detection guidance for APT-C-36. Related software and techniques indicate relevant defensive areas but do not prove that every listed behavior appears in every campaign. Local telemetry, exposure, and incident evidence are required before assessing organizational impact or detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1583.001 | Domains (sub-technique) | APT-C-36 has acquired domains to host malicious payloads. (Citation: Kaspersky BlindEagle AUG 2024) (Citation: Check Point Blind Eagle MAR 2025) (Citation: LevelBlue Blind Eagle Proton66 JUN 2025) (Citation: Recorded Future TAG-144 AUG 2025) (Citation: Zscaler BlindEagle DEC 2025) |
| Enterprise | T1204.002 | Malicious File (sub-technique) | APT-C-36 has prompted victims to open attachments and to accept macros in order to execute the subsequent payload. (Citation: QiAnXin APT-C-36 Feb2019) (Citation: Recorded Future TAG-144 AUG 2025) APT-C-36 has also lured victims into opening malicious files hosted on Google Drive that triggered WebDAV requests to download malware. (Citation: Check Point Blind Eagle MAR 2025) (Citation: Zscaler BlindEagle DEC 2025) |
| Enterprise | T1683.001 | Written Content (sub-technique) | APT-C-36 has generated email content impersonating official notifications and documents that direct victims to execute malicious payloads. (Citation: Kaspersky BlindEagle AUG 2024) |
| Enterprise | T1027.016 | Junk Code Insertion (sub-technique) | APT-C-36 has used junk characters to obfuscate malicious scripts. (Citation: Recorded Future TAG-144 AUG 2025) |
| Enterprise | T1047 | Windows Management Instrumentation | APT-C-36 has used WMI to execute PowerShell. (Citation: Zscaler BlindEagle DEC 2025) |
| Enterprise | T1059.007 | JavaScript (sub-technique) | APT-C-36 has used a fileless attack chain composed of three JavaScript code snippets to execute subsequent payloads. (Citation: Zscaler BlindEagle DEC 2025) |
| Enterprise | T1684.001 | Impersonation (sub-technique) | APT-C-36 has impersonated banks including Banco Davivienda, Bancolombia, and BBVA as well as government institutions such as Colombia’s National Directorate of Taxes and Customs, Ministry of Foreign Affairs, and Office of the Attorney General. (Citation: Kaspersky BlindEagle AUG 2024) (Citation: LevelBlue Blind Eagle Proton66 JUN 2025) (Citation: Recorded Future TAG-144 AUG 2025) (Citation: Zscaler BlindEagle DEC 2025) |
| Enterprise | T1588.001 | Malware (sub-technique) | |
| Enterprise | T1584.005 | Botnet (sub-technique) | APT-C-36 has used a botnet management interface to control large numbers of compromised hosts. (Citation: LevelBlue Blind Eagle Proton66 JUN 2025) |
| Enterprise | T1583.006 | Web Services (sub-technique) | APT-C-36 campaign architecture has included image hosting sites, Pastebin, Discord, GitHub, Google Drive, BitBucket, and Dropbox. (Citation: Kaspersky BlindEagle AUG 2024) (Citation: Check Point Blind Eagle MAR 2025) (Citation: Recorded Future TAG-144 AUG 2025) (Citation: Zscaler BlindEagle DEC 2025) |
| Enterprise | T1036.004 | Masquerade Task or Service (sub-technique) | APT-C-36 has disguised its scheduled tasks as those used by Google. (Citation: QiAnXin APT-C-36 Feb2019) |
| Enterprise | T1027.013 | Encrypted/Encoded File (sub-technique) | APT-C-36 has used encoded and obfuscated files, images, and executables. (Citation: Kaspersky BlindEagle AUG 2024) |
| Enterprise | T1588.002 | Tool (sub-technique) | APT-C-36 utilizes tools well known in crime communities and has obtained and used a modified variant of Imminent Monitor. (Citation: QiAnXin APT-C-36 Feb2019) (Citation: Check Point Blind Eagle MAR 2025) |
| Enterprise | T1587.001 | Malware (sub-technique) | |
| Enterprise | T1027 | Obfuscated Files or Information | APT-C-36 has used ConfuserEx to obfuscate its variant of Imminent Monitor, compressed payloads and RAT packages, and password protected encrypted email attachments to avoid detection. (Citation: QiAnXin APT-C-36 Feb2019) APT-C-36 has also compressed initial droppers into ZIP, LHA and UUE formats. (Citation: Kaspersky BlindEagle AUG 2024) |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location (sub-technique) | APT-C-36 has disguised malicious executables to appear as legitimate files. (Citation: Kaspersky BlindEagle AUG 2024) |
| Enterprise | T1534 | Internal Spearphishing | APT-C-36 has used a compromised account to send a phishing email to an address likely used and monitored by the IT team within the same targeted organization. (Citation: Zscaler BlindEagle DEC 2025) |
| Enterprise | T1204.001 | Malicious Link (sub-technique) | APT-C-36 has used malicious links in emails, often impersonating official notifications and documents, to direct users to execute malicious payloads. (Citation: Kaspersky BlindEagle AUG 2024) |
| Enterprise | T1683.002 | Audio-Visual Content (sub-technique) | APT-C-36 has used phishing pages appearing like legitimate banking login portals to compromise credentials. (Citation: LevelBlue Blind Eagle Proton66 JUN 2025) |
| Enterprise | T1586.002 | Email Accounts (sub-technique) | APT-C-36 has regularly used compromised email accounts in spearphishing campaigns. (Citation: Recorded Future TAG-144 AUG 2025) (Citation: Zscaler BlindEagle DEC 2025) |
| Enterprise | T1053.005 | Scheduled Task (sub-technique) | APT-C-36 has used a macro function to set scheduled tasks, disguised as those used by Google. (Citation: QiAnXin APT-C-36 Feb2019) |
| Enterprise | T1480 | Execution Guardrails | APT-C-36 has used geolocation filtering in malware delivery to redirect traffic not coming from a targeted region or country, such as Ecuador or Colombia, to legitimate sites. (Citation: Kaspersky BlindEagle AUG 2024) (Citation: Recorded Future TAG-144 AUG 2025) |
| Enterprise | T1566.002 | Spearphishing Link (sub-technique) | APT-C-36 has sent emails containing a link that appears to lead to an urgent notification from a government institution, at times using URL shorteners like cort[.]as, acortaurl[.]com, and gtly[.]to. (Citation: Kaspersky BlindEagle AUG 2024) (Citation: Check Point Blind Eagle MAR 2025) (Citation: Recorded Future TAG-144 AUG 2025) |
| Enterprise | T1133 | External Remote Services | APT-C-36 has used VPNs in their operational infrastructure. (Citation: Recorded Future TAG-144 AUG 2025) |
| Enterprise | T1583.003 | Virtual Private Server (sub-technique) | APT-C-36 has incorporated virtual private servers (VPS) into its operational infrastructure. (Citation: Recorded Future TAG-144 AUG 2025) |
| Enterprise | T1105 | Ingress Tool Transfer | APT-C-36 has downloaded binary data from a specified domain after the malicious document is opened. (Citation: QiAnXin APT-C-36 Feb2019) |
| Enterprise | T1608.001 | Upload Malware (sub-technique) | APT-C-36 has staged malware implants on group-owned repositories and sites. (Citation: Kaspersky BlindEagle AUG 2024) (Citation: LevelBlue Blind Eagle Proton66 JUN 2025) |
| Enterprise | T1027.003 | Steganography (sub-technique) | APT-C-36 has used steganography to hide malicious code, typically in the resource section of executable files. (Citation: Kaspersky BlindEagle AUG 2024) (Citation: Recorded Future TAG-144 AUG 2025) (Citation: Zscaler BlindEagle DEC 2025) |
| Enterprise | T1059.005 | Visual Basic (sub-technique) | APT-C-36 has used VBScript for initial malware deployment, including within a malicious Word document that is executed upon the document opening. (Citation: QiAnXin APT-C-36 Feb2019) (Citation: Kaspersky BlindEagle AUG 2024) (Citation: LevelBlue Blind Eagle Proton66 JUN 2025) |
| Enterprise | T1568 | Dynamic Resolution | APT-C-36 has used DDNS services such as DuckDNS, noip[.]com, and con-ip[.]com to redirect victims to sites or repositories hosting malware implants. (Citation: Kaspersky BlindEagle AUG 2024) (Citation: Check Point Blind Eagle MAR 2025) (Citation: LevelBlue Blind Eagle Proton66 JUN 2025) (Citation: Recorded Future TAG-144 AUG 2025) (Citation: Zscaler BlindEagle DEC 2025) |
| Enterprise | T1564.003 | Hidden Window (sub-technique) | APT-C-36 has set the ShowWindow property of the Win32_ProcessStartup object to zero to hide PowerShell execution. (Citation: Zscaler BlindEagle DEC 2025) |
| Enterprise | T1571 | Non-Standard Port | APT-C-36 has used port 4050 for C2 communications. (Citation: QiAnXin APT-C-36 Feb2019) |
| Enterprise | T1586.003 | Cloud Accounts (sub-technique) | APT-C-36 has used compromised Google Drive accounts, including one associated with a Colombian government organization. (Citation: Recorded Future TAG-144 AUG 2025) |
| Enterprise | T1593 | Search Open Websites/Domains | APT-C-36 has gathered information on Colombian financial institutions, including Bancolombia, BBVA, Banco Caja Social, and Davivienda, to craft phishing pages. (Citation: LevelBlue Blind Eagle Proton66 JUN 2025) |
| Enterprise | T1566.001 | Spearphishing Attachment (sub-technique) | APT-C-36 has used spearphishing emails with malicious .pdf and .docx files and password protected RAR attachments to avoid being detected by the email gateway. (Citation: QiAnXin APT-C-36 Feb2019) (Citation: Kaspersky BlindEagle AUG 2024) (Citation: Recorded Future TAG-144 AUG 2025) |
| Enterprise | T1055.012 | Process Hollowing (sub-technique) | APT-C-36 has used process hollowing to execute malware in the memory of legitimate processes. (Citation: Kaspersky BlindEagle AUG 2024) |
| Enterprise | T1059.001 | PowerShell (sub-technique) | APT-C-36 has used PowerShell in malware execution, including as part of fileless attack chains to download additional payloads. (Citation: Kaspersky BlindEagle AUG 2024) (Citation: Zscaler BlindEagle DEC 2025) |
| Enterprise | T1574.001 | DLL (sub-technique) | APT-C-36 has used side-loading to execute the HijackLoader payload. (Citation: Kaspersky BlindEagle AUG 2024) |
Groups, software, and campaigns
S0385: njRAT
S0434: Imminent Monitor
Imminent Monitor was a commodity remote access tool (RAT) offered for sale from 2012 until 2019, when an operation was conducted to take down the Imminent Monitor infrastructure. Various cracked versions and variations of this RAT are still in circulation.[1]
S9017: DCRAT
S9019: PureCrypter
PureCrypter is a fully-featured malware loader, developed by a threat actor called “PureCoder”, that has been in use since at least 2021 to distribute a variety of remote access trojans and information stealers.[1]
S9016: Caminho
S0332: Remcos
S1087: AsyncRAT
S0262: QuasarRAT
S9018: HeartCrypt
HeartCrypt is a packer-as-a-service (PaaS) used to protect malware that has been available since at least 2024. HeartCrypt has been used to pack a variety of malware including Lumma Stealer, Remcos, and Rhadamanthys. In the HeartCrypt PaaS model, customers submit malware via private messaging services and it is then packed and returned by the operator as a new binary.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | 81a0329b9c45… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] QiAnXin APT-C-36 Feb2019: QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020.
[2] Kaspersky BlindEagle AUG 2024: Global Research & Analysis Team, Kaspersky. (2024, August 19). BlindEagle flying high in Latin America. Retrieved April 16, 2026.
[3] Check Point Blind Eagle MAR 2025: Check Point Research. (2025, March 10). Blind Eagle: …And Justice for All. Retrieved April 16, 2026.
[4] Recorded Future TAG-144 AUG 2025: Insikt Group. (2025, August 26). TAG-144’s Persistent Grip on South American Organizations. Retrieved April 16, 2026.
[5] APT-Q-98 (Citation: Recorded Future TAG-144 AUG 2025)
[6] AguilaCiega (Citation: Recorded Future TAG-144 AUG 2025)
[7] Blind Eagle (Citation: QiAnXin APT-C-36 Feb2019) (Citation: Recorded Future TAG-144 AUG 2025)
[8] TAG-144 (Citation: Recorded Future TAG-144 AUG 2025)
[9] mitre-attack G0099
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.