Live Active security incident? Get immediate response
MITRE ATT&CK® Group

G0099: APT-C-36

APT-C-36 is a suspected South American threat group that has engaged in espionage and financially motivated operations since at least 2018. APT-C-36 has targeted government institutions and entities in the financial, energy, and professional manufacturing sectors across Colombia and other Latin American countries.[1][2][3][4]

EnterpriseG0099GroupObject v2.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

APT-C-36, also known as Blind Eagle, TAG-144, AguilaCiega, and APT-Q-98, is described by ATT&CK as a suspected South American threat group associated with espionage and financially motivated operations targeting government, financial, energy, and professional manufacturing entities in Colombia and other Latin American countries. The practical concern for leaders is not just the group name; it is the mix of user-driven execution, remote access tooling, obfuscation, and persistence techniques that can turn a phishing or remote-access event into a business disruption or sensitive-data incident.

Executive priority

Organizations with operations, suppliers, customers, or regulated data exposure in Latin America should treat this as a readiness test for identity controls, endpoint visibility, email/web defense, and incident response. Budget and audit conversations should focus on whether the organization can prove control coverage for malicious links, externally accessible remote services, Windows execution paths, scheduled tasks, WMI, and commodity RAT activity. Because the ATT&CK object includes both espionage and financially motivated operations, incident decision-making should account for confidentiality risk as well as operational continuity.

Technical view

ATT&CK does not provide an official detection section for this group, but relationships identify associated software and techniques. Defenders should validate telemetry and detections around Windows-heavy remote access tooling such as QuasarRAT, Remcos, njRAT, Imminent Monitor, AsyncRAT, DCRAT, PureCrypter, Caminho, and HeartCrypt, while noting the group object itself does not specify platforms. Technique relationships point to malicious links, PowerShell, Visual Basic, JavaScript, WMI, scheduled tasks, external remote services, ingress tool transfer, masquerading, process hollowing, and obfuscated or encoded files. SOC and IR teams should prioritize behavior-chain detection over single indicators because several related tools are commodity or dual-use and may be packed or obfuscated.

Likely telemetry

  • Email security and web proxy records for malicious-link delivery and click-through activity
  • Endpoint process creation telemetry, including PowerShell, script hosts, WMI, schtasks, and unusual child-process chains
  • Windows scheduled task creation, modification, and execution logs
  • Authentication and access logs for VPN, remote access gateways, and other external remote services
  • EDR telemetry for process injection or process hollowing behaviors

Detection direction

  • Validate whether detections correlate user link activity with subsequent script execution, payload download, scheduled task creation, or RAT-like network behavior.
  • Tune PowerShell, WMI, Visual Basic, and JavaScript detections to distinguish routine administration from unusual execution paths, encoded content, network retrieval, or suspicious parent-child processes.
  • Review monitoring of externally exposed remote services for anomalous logins, persistence use, and credential misuse; do not rely only on perimeter allow/block decisions.
  • Hunt for masqueraded tasks, services, files, and resource names that approximate legitimate Windows components or trusted locations.
  • Account for false positives from legitimate remote administration tools, scheduled enterprise jobs, software deployment systems, and administrative scripts.

Mitigation priorities

  • Harden external remote services first: enforce strong authentication, limit exposure, review access paths, and retain sufficient logs for investigation.
  • Reduce malicious-link execution risk through email/web controls, user reporting workflows, and safe handling of downloaded content.
  • Constrain script and administrative execution paths where operationally feasible, including PowerShell, WMI, scheduled tasks, and script interpreters.
  • Use least privilege and application control principles to limit installation and persistence of unauthorized remote access tools.
  • Ensure endpoint protection and logging are configured to retain evidence of obfuscation, process injection, task creation, and tool transfer behaviors.
Analyst notes and limits

The relationship set makes this object useful for validating enterprise defensive coverage even though the group-level ATT&CK entry has no official detection text. The strongest local use is to map the listed techniques and associated software to existing SOC content, IR collection plans, and control evidence, especially for organizations with Latin America exposure or sector overlap with the described targeting.

Platforms and tactics are not specified on the group object, and ATT&CK provides no official detection guidance for APT-C-36. Related software and techniques indicate relevant defensive areas but do not prove that every listed behavior appears in every campaign. Local telemetry, exposure, and incident evidence are required before assessing organizational impact or detection coverage.

Official MITRE ATT&CK definition

APT-C-36

APT-C-36 is a suspected South American threat group that has engaged in espionage and financially motivated operations since at least 2018. APT-C-36 has targeted government institutions and entities in the financial, energy, and professional manufacturing sectors across Colombia and other Latin American countries.[1][2][3][4]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

38 rows
Domain ID Name Relationship / procedure
Enterprise T1583.001 Domains Sub-technique

APT-C-36 has acquired domains to host malicious payloads.[2][3]CitationLevelBlue Blind Eagle Proton66 JUN 2025[4][4]CitationZscaler BlindEagle DEC 2025
Enterprise T1204.002 Malicious File Sub-technique

APT-C-36 has prompted victims to open attachments and to accept macros in order to execute the subsequent payload.[1][4] APT-C-36 has also lured victims into opening malicious files hosted on Google Drive that triggered WebDAV requests to download malware.[3]CitationZscaler BlindEagle DEC 2025
Enterprise T1683.001 Written Content Sub-technique

APT-C-36 has generated email content impersonating official notifications and documents that direct victims to execute malicious payloads.[2]
Enterprise T1027.016 Junk Code Insertion Sub-technique

APT-C-36 has used junk characters to obfuscate malicious scripts.[4]
Enterprise T1047 Windows Management Instrumentation

APT-C-36 has used WMI to execute PowerShell.CitationZscaler BlindEagle DEC 2025
Enterprise T1059.007 JavaScript Sub-technique

APT-C-36 has used a fileless attack chain composed of three JavaScript code snippets to execute subsequent payloads.CitationZscaler BlindEagle DEC 2025
Enterprise T1684.001 Impersonation Sub-technique

APT-C-36 has impersonated banks including Banco Davivienda, Bancolombia, and BBVA as well as government institutions such as Colombia’s National Directorate of Taxes and Customs, Ministry of Foreign Affairs, and Office of the Attorney General.[2]CitationLevelBlue Blind Eagle Proton66 JUN 2025[4]CitationZscaler BlindEagle DEC 2025
Enterprise T1588.001 Malware Sub-technique

APT-C-36 has utilized well known malware including the Packer-as-a-Service HeartCrypt, PureCrypter, and open-source RATs such as Remcos.[3]CitationLevelBlue Blind Eagle Proton66 JUN 2025[4]
Enterprise T1584.005 Botnet Sub-technique

APT-C-36 has used a botnet management interface to control large numbers of compromised hosts.CitationLevelBlue Blind Eagle Proton66 JUN 2025
Enterprise T1583.006 Web Services Sub-technique

APT-C-36 campaign architecture has included image hosting sites, Pastebin, Discord, GitHub, Google Drive, BitBucket, and Dropbox.[2][3][4]CitationZscaler BlindEagle DEC 2025
Enterprise T1036.004 Masquerade Task or Service Sub-technique

APT-C-36 has disguised its scheduled tasks as those used by Google.[1]
Enterprise T1027.013 Encrypted/Encoded File Sub-technique

APT-C-36 has used encoded and obfuscated files, images, and executables.[2]
Enterprise T1588.002 Tool Sub-technique

APT-C-36 utilizes tools well known in crime communities and has obtained and used a modified variant of Imminent Monitor.[1][3]
Enterprise T1587.001 Malware Sub-technique

APT-C-36 has customized existing malware with new capabilities including njRAT, AsyncRAT, LimeRAT, and BitRAT.[2]
Enterprise T1027 Obfuscated Files or Information

APT-C-36 has used ConfuserEx to obfuscate its variant of Imminent Monitor, compressed payloads and RAT packages, and password protected encrypted email attachments to avoid detection.[1] APT-C-36 has also compressed initial droppers into ZIP, LHA and UUE formats.[2]
Enterprise T1036.005 Match Legitimate Resource Name or Location Sub-technique

APT-C-36 has disguised malicious executables to appear as legitimate files.[2]
Enterprise T1534 Internal Spearphishing

APT-C-36 has used a compromised account to send a phishing email to an address likely used and monitored by the IT team within the same targeted organization.CitationZscaler BlindEagle DEC 2025
Enterprise T1204.001 Malicious Link Sub-technique

APT-C-36 has used malicious links in emails, often impersonating official notifications and documents, to direct users to execute malicious payloads.[2]
Enterprise T1683.002 Audio-Visual Content Sub-technique

APT-C-36 has used phishing pages appearing like legitimate banking login portals to compromise credentials.CitationLevelBlue Blind Eagle Proton66 JUN 2025
Enterprise T1586.002 Email Accounts Sub-technique

APT-C-36 has regularly used compromised email accounts in spearphishing campaigns.[4]CitationZscaler BlindEagle DEC 2025
Enterprise T1053.005 Scheduled Task Sub-technique

APT-C-36 has used a macro function to set scheduled tasks, disguised as those used by Google.[1]
Enterprise T1480 Execution Guardrails

APT-C-36 has used geolocation filtering in malware delivery to redirect traffic not coming from a targeted region or country, such as Ecuador or Colombia, to legitimate sites.[2][4]
Enterprise T1566.002 Spearphishing Link Sub-technique

APT-C-36 has sent emails containing a link that appear to lead to an urgent notification from a government institution, at times using URL shorteners like cort[.]as, acortaurl[.]com, and gtly[.]to.[2][3][3][4]
Enterprise T1133 External Remote Services

APT-C-36 has used VPNs in their operational infrastructure.[4]
Enterprise T1583.003 Virtual Private Server Sub-technique

APT-C-36 has incorporated virtual private servers (VPS) into its operational infrastructure.[4]
Enterprise T1105 Ingress Tool Transfer

APT-C-36 has downloaded binary data from a specified domain after the malicious document is opened.[1]
Enterprise T1608.001 Upload Malware Sub-technique

APT-C-36 has staged malware implants on group-owned repositories and sites.[2]CitationLevelBlue Blind Eagle Proton66 JUN 2025
Enterprise T1027.003 Steganography Sub-technique

APT-C-36 has used steganography to hide malicious code, typically in the resource section of executable files.[2][4][4]CitationZscaler BlindEagle DEC 2025
Enterprise T1059.005 Visual Basic Sub-technique

APT-C-36 has used VBScript for initial malware deployment including within a malicious Word document which is executed upon the document opening.[1][2]CitationLevelBlue Blind Eagle Proton66 JUN 2025
Enterprise T1568 Dynamic Resolution

APT-C-36 has used DDNS services such as DuckDNS, noip[.]com, and con-ip[.]com to redirect victims to sites or repositories hosting malware implants.[2][3]CitationLevelBlue Blind Eagle Proton66 JUN 2025[4]CitationZscaler BlindEagle DEC 2025
Enterprise T1564.003 Hidden Window Sub-technique

APT-C-36 has set the ShowWindow property of the Win32_ProcessStartup object to zero to hide PowerShell execution.CitationZscaler BlindEagle DEC 2025
Enterprise T1571 Non-Standard Port

APT-C-36 has used port 4050 for C2 communications.[1]
Enterprise T1586.003 Cloud Accounts Sub-technique

APT-C-36 has used compromised Google Drive accounts including one associated with a Colombian government organization.[4]
Enterprise T1593 Search Open Websites/Domains

APT-C-36 has gathered information on Colombian financial institutions, including Bancolombia, BBVA, Banco Caja Social, and Davivienda to craft phishing pages.CitationLevelBlue Blind Eagle Proton66 JUN 2025
Enterprise T1566.001 Spearphishing Attachment Sub-technique

APT-C-36 has used spearphishing emails with malicious .pdf and .docx files and password protected RAR attachments to avoid being detected by the email gateway.[1][2][4][4]
Enterprise T1055.012 Process Hollowing Sub-technique

APT-C-36 has used process hollowing to execute malware in the memory of legitimate processes.[2]
Enterprise T1059.001 PowerShell Sub-technique

APT-C-36 has used PowerShell in malware execution including as part of fileless attack chains to download additional payloads.[2]CitationZscaler BlindEagle DEC 2025
Enterprise T1574.001 DLL Sub-technique

APT-C-36 has used side-loading to execute the HijackLoader payload.[2]
Associated objects

Groups, software, and campaigns

Malware Enterprise

S0385: njRAT

njRAT is a remote access tool (RAT) that was first observed in 2012. It has been used by threat actors in the Middle East.[1]

Windows
Tool Enterprise

S0434: Imminent Monitor

Imminent Monitor was a commodity remote access tool (RAT) offered for sale from 2012 until 2019, when an operation was conducted to take down the Imminent Monitor infrastructure. Various cracked versions and variations of this RAT are still in circulation.[1]

Windows
Tool Enterprise

S9017: DCRAT

DCRAT is a variant of the open-source AsyncRAT developed in C# with additional capabilities such as patching Microsoft’s Antimalware Scan Interface (AMSI).[1]

Windows
Malware Enterprise

S9019: PureCrypter

PureCrypter is a fully-featured malware loader, developed by a threat actor called “PureCoder," that has been in use since at least 2021 to distribute a variety of remote access trojans and information stealers.[1]

Windows
Malware Enterprise

S9016: Caminho

Caminho is a downloader that has been used by threat actors since at least 2025 to deliver various strains of malware such as XWorm.[1]

Windows
Tool Enterprise

S0332: Remcos

Remcos is a closed-source tool that is marketed as a remote control and surveillance software by a company called Breaking Security. Remcos has been observed being used in malware campaigns.[1][2]

Windows
Tool Enterprise

S1087: AsyncRAT

AsyncRAT is an open-source remote access tool originally available through the NYANxCAT Github repository that has been used in malicious campaigns.[1][2][3]

Windows
Malware Enterprise

S9018: HeartCrypt

HeartCrypt is a packer-as-a-service (PaaS) used to protect malware that has been available since at least 2024. HeartCrypt has been used to pack a variety of malware including Lumma Stealer, Remcos, and Rhadamanthys. In the HeartCrypt PaaS model, customers submit malware via private messaging services and it is then packed and returned by the operator as a new binary.[1]

LinuxWindows
Relationship explorer

All related ATT&CK context

uses · Malware S0385: njRAT Enterprise uses · Technique T1583.001: Domains Enterprise uses · Technique T1204.002: Malicious File Enterprise uses · Technique T1683.001: Written Content Enterprise uses · Technique T1027.016: Junk Code Insertion Enterprise uses · Technique T1047: Windows Management Instrumentation Enterprise uses · Tool S0434: Imminent Monitor Enterprise uses · Technique T1059.007: JavaScript Enterprise uses · Technique T1684.001: Impersonation Enterprise uses · Tool S9017: DCRAT Enterprise uses · Technique T1588.001: Malware Enterprise uses · Technique T1584.005: Botnet Enterprise uses · Technique T1583.006: Web Services Enterprise uses · Malware S9019: PureCrypter Enterprise uses · Technique T1036.004: Masquerade Task or Service Enterprise uses · Technique T1027.013: Encrypted/Encoded File Enterprise uses · Malware S9016: Caminho Enterprise uses · Technique T1588.002: Tool Enterprise uses · Technique T1587.001: Malware Enterprise uses · Technique T1027: Obfuscated Files or Information Enterprise uses · Technique T1036.005: Match Legitimate Resource Name or Location Enterprise uses · Technique T1534: Internal Spearphishing Enterprise uses · Technique T1204.001: Malicious Link Enterprise uses · Technique T1683.002: Audio-Visual Content Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
2.0
Created
Modified
Raw hash
81a0329b9c455ab9...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 2.0 Current bundle 81a0329b9c45…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    QiAnXin APT-C-36 Feb2019

    QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020.

    Open source URL
  2. [2]
    Kaspersky BlindEagle AUG 2024

    Global Research & Analysis Team, Kaspersky. (2024, August 19). BlindEagle flying high in Latin America. Retrieved April 16, 2026.

    Open source URL
  3. [3]
    Check Point Blind Eagle MAR 2025

    Check Point Research. (2025, March 10). Blind Eagle: …And Justice for All. Retrieved April 16, 2026.

    Open source URL
  4. [4]
    Recorded Future TAG-144 AUG 2025

    Insikt Group. (2025, August 26). TAG-144’s Persistent Grip on South American Organizations. Retrieved April 16, 2026.

    Open source URL
  5. [5]
    APT-Q-98

    (Citation: Recorded Future TAG-144 AUG 2025)

  6. [6]
    AguilaCiega

    (Citation: Recorded Future TAG-144 AUG 2025)

  7. [7]
    Blind Eagle

    (Citation: QiAnXin APT-C-36 Feb2019)(Citation: Recorded Future TAG-144 AUG 2025)

  8. [8]
    TAG-144

    (Citation: Recorded Future TAG-144 AUG 2025)

  9. [9]
    mitre-attack G0099
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use