Cybersecurity researchers have identified five distinct activity clusters linked to a persistent threat actor known as Blind Eagle between May 2024 and July 2025.
These attacks, observed by Recorded Future’s Insikt Group, targeted various victims, but primarily the Colombian government across local, municipal, and federal levels. The threat intelligence firm is tracking the activity under the name TAG-144.
“Although the clusters share similar tactics, techniques, and procedures (TTPs) such as leveraging open-source and cracked remote access trojans (RATs), dynamic domain providers, and legitimate internet services (LIS) for staging, they differ significantly in infrastructure, malware deployment, and other operational techniques,” the Mastercard-owned company said.
Blind Eagle has a history of targeting organizations in South America since at least 2018, with the attacks reflecting both cyber espionage and financially driven motivations. This is evidenced in its recent campaigns, which have involved banking-related keylogging and browser monitoring as well as the targeting of government entities using various remote access trojans (RATs).
Targets of the group’s attacks include the judiciary and tax authorities, along with entities in the financial, petroleum, energy, education, healthcare, manufacturing, and professional services sectors. The operations predominantly span Colombia, Ecuador, Chile, and Panama, and, in some cases, Spanish-speaking users in North America.
Attack chains typically involve the use of spear-phishing lures impersonating local government agencies to entice recipients into opening malicious documents or clicking on links concealed using URL shorteners like cort[.]as, acortaurl[.]com, and gtly[.]to.
Blind Eagle uses compromised email accounts to send the messages and leverages geofencing techniques to redirect users to official government websites when they attempt to reach attacker-controlled infrastructure from outside Colombia or Ecuador.
“TAG-144’s command-and-control (C2) infrastructure often incorporates IP addresses from Colombian ISPs alongside virtual private servers (VPS) such as Proton666 and VPN services like Powerhouse Management, FrootVPN, and TorGuard,” Recorded Future said. “This setup is further enhanced through dynamic DNS services, including duckdns[.]org, ip-ddns[.]com, and noip[.]com.”
The threat group has also taken advantage of legitimate internet services, such as Bitbucket, Discord, Dropbox, GitHub, Google Drive, the Internet Archive, lovestoblog.com, Paste.ee, Tagbox, and lesser-known Brazilian image-hosting websites, for staging payloads in an effort to obscure malicious content and evade detection.
Recent campaigns orchestrated by the threat actor have employed a Visual Basic Script file as a dropper to execute a dynamically generated PowerShell script at runtime, which, in turn, reaches out to an external server to download an injector module that is responsible for loading Lime RAT, DCRat, AsyncRAT, or Remcos RAT.
The regional focus aside, the hacking group has consistently relied on the same techniques since its emergence, underscoring how “well-established techniques” continue to yield high success rates in the region.
Recorded Future’s analysis of Blind Eagle’s campaigns has uncovered five clusters of activity:
Cluster 1 (from February through July 2025), which has exclusively targeted Colombian government entities with DCRat, AsyncRAT, and Remcos RAT
Cluster 2 (from September through December 2024), which has targeted the Colombian government and entities in the education, defense, and retail sectors with AsyncRAT and XWorm
Cluster 3 (from September 2024 through July 2025), which is characterized by the deployment of AsyncRAT and Remcos RAT
Cluster 4 (from May 2024 through February 2025), which is associated with malware and phishing infrastructure attributed to TAG-144, with the phishing pages mimicking Banco Davivienda, Bancolombia, and BBVA
Cluster 5 (from March through July 2025), which is associated with Lime RAT and a cracked AsyncRAT variant observed in Clusters 1 and 2
The emails used in these campaigns contain an SVG attachment, which then reaches out to the Discord CDN to retrieve a JavaScript payload that, for its part, fetches a PowerShell script from Paste.ee. The PowerShell script is designed to decode and execute another PowerShell payload that obtains a JPG image hosted on the Internet Archive and extracts from it an embedded .NET assembly.
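The staging chain above (script host reaching Discord CDN, Paste.ee and the Internet Archive, then dynamic-DNS C2) is what a defender can correlate in endpoint network telemetry. The following detection heuristic is an added example, not code from Recorded Future or the report; the log format, the exact hostnames for Discord CDN, Paste.ee, Google Drive and the Internet Archive, and the two-tag threshold are assumptions.

```python
# Added example: flag hosts whose script interpreters (VBS/PowerShell) contact the
# staging and C2 providers named in the report. Log format is constructed:
# "<host> <process> <destination_hostname>", one record per line.
import re
from collections import defaultdict
from typing import Optional

# Legitimate internet services used for staging (hostnames are assumptions).
STAGING = {"cdn.discordapp.com": "discord", "paste.ee": "paste_ee",
           "web.archive.org": "internet_archive", "bitbucket.org": "bitbucket",
           "github.com": "github", "drive.google.com": "gdrive", "dropbox.com": "dropbox"}
DYN_DNS = ("duckdns.org", "ip-ddns.com", "noip.com")   # dynamic DNS providers from the report
SHORTENERS = ("cort.as", "acortaurl.com", "gtly.to")   # URL shorteners from the report
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe"}

LINE_RE = re.compile(r"^(?P<host>\S+)\s+(?P<proc>\S+)\s+(?P<dst>[\w.-]+)$")

def classify(dst: str) -> Optional[str]:
    """Map a destination hostname to the stage of the chain it would serve, or None."""
    dst = dst.lower()
    if dst in STAGING:
        return "staging:" + STAGING[dst]
    if any(dst == s or dst.endswith("." + s) for s in DYN_DNS):
        return "c2:dyndns"
    if any(dst == s or dst.endswith("." + s) for s in SHORTENERS):
        return "lure:shortener"
    return None

def score_hosts(lines):
    """Return {host: sorted tags} for every host where a script interpreter reached
    at least two distinct stage tags; a single hit (e.g. PowerShell to GitHub) is ignored."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["proc"].lower() not in SCRIPT_HOSTS:
            continue           # only script hosts are relevant to this chain
        tag = classify(m["dst"])
        if tag:
            seen[m["host"]].add(tag)
    return {host: sorted(tags) for host, tags in seen.items() if len(tags) >= 2}

# Constructed sample telemetry: WS01 shows the full chain, WS02 is a developer box.
SAMPLE_LOG = """\
WS01 wscript.exe cdn.discordapp.com
WS01 powershell.exe paste.ee
WS01 powershell.exe web.archive.org
WS01 powershell.exe victim-c2.duckdns.org
WS02 chrome.exe github.com
WS02 powershell.exe github.com
WS03 outlook.exe outlook.office365.com
""".splitlines()

if __name__ == "__main__":
    print(score_hosts(SAMPLE_LOG))
```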
Interestingly, the cracked version of AsyncRAT used in the attacks has previously been observed in connection with intrusion activity mounted by the threat actors Red Akodon and Shadow Vector, both of which have targeted Colombia over the past year.
Nearly 60% of the observed Blind Eagle activity during the analysis period has targeted the government sector, followed by the education, healthcare, retail, transportation, defense, and oil verticals.
“Although TAG-144 has targeted other sectors and has occasionally been linked to intrusions in additional South American countries such as Ecuador, as well as Spanish-speaking victims in the US, its primary focus has consistently remained on Colombia, particularly on government entities,” Recorded Future said.
“This persistent targeting raises questions about the threat group’s true motivations, such as whether it operates solely as a financially driven threat actor leveraging established tools, techniques, and monetization methods, or whether elements of state-sponsored espionage are also at play.”