APT-C-36

Blind Eagle, also known as APT-C-36, APT-Q-98, AguilaCiega, and TAG-144, is a threat actor targeting entities in South America, particularly Colombia and Ecuador. Reporting in the provided content states that it has primarily targeted government entities in South American countries, notably Colombia, and has also conducted phishing attacks against banks and other financial entities across Colombia. Observed impersonation themes include Colombian banks such as Banco Davivienda, Bancolombia, and BBVA, as well as government institutions including Colombia’s National Directorate of Taxes and Customs, Ministry of Foreign Affairs, and Office of the Attorney General. The content describes campaigns blending espionage and financial motives. Documented tradecraft includes spearphishing emails with password-protected RAR attachments to evade email gateway detection, prompting victims to enable or accept macros to execute follow-on payloads, embedding VBScript within malicious Word documents, and using macro functions to create scheduled tasks disguised as Google tasks for persistence. The actor has used encoded and obfuscated files, images, and executables, and has used ConfuserEx to obfuscate a modified variant of Imminent Monitor, as well as compressed payloads, RAT packages, and password-protected encrypted email attachments to avoid detection. The content also states that APT-C-36 obtained and used a modified variant of Imminent Monitor, incorporated virtual private servers into its operational infrastructure, used port 4050 for C2 communications, and has weaponized a Microsoft vulnerability assessed as a variant of CVE-2024-43451 in attacks targeting Colombia. One report noted a possible relation between an UpCryptor artifact and Blind Eagle, but attribution was explicitly unconfirmed.