APT-C-36
Blind Eagle, also tracked as APT-C-36, APT-Q-98, AguilaCiega, and TAG-144, is a threat actor active in South America, particularly Colombia and Ecuador. It primarily targets government entities in the region, notably in Colombia, and has also run phishing campaigns against banks and other financial institutions across Colombia, so its activity combines espionage with financial motives. Initial access relies on spearphishing emails carrying password-protected RAR attachments, which evade email gateway inspection, followed by lures that prompt the victim to enable macros and so execute the next-stage payload. The group has embedded VBScript in malicious Word documents, used macro code to create scheduled tasks disguised as Google tasks, and run its operations from virtual private servers. For remote access it obtained and used a modified variant of Imminent Monitor, obfuscated with ConfuserEx, and it has relied on compressed payloads, encoded and obfuscated files, images and executables, and password-protected encrypted email attachments to avoid detection. Reporting has also linked Blind Eagle infrastructure to the Proton66 bulletproof hosting provider, and the group weaponized a variant of the Windows NTLM hash disclosure vulnerability CVE-2024-43451 in attacks targeting Colombia.
Tradecraft
14 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
13 malware families attributed to this actor across reporting.
8 additional families tracked in Mallory.
Associated vulnerabilities
2 CVEs this actor has used in observed campaigns, both exploited in the wild.
"...Colombian organizations were reported by Darktrace to have been targeted by Blind Eagle in an attack campaign involving the abuse of the Windows vulnerability, tracked as CVE-2024-43451, that has been ongoing since November."
A recently patched security flaw affecting Windows NTLM has been exploited by malicious actors to leak NTLM hashes or user passwords and infiltrate systems since March 19, 2025. The flaw, CVE-2025-24054 (CVSS score: 6.5), is a hash disclosure spoofing bug that was fixed by Microsoft last month as part of its Patch Tuesday updates. The security flaw is assessed to be a variant of CVE-2024-43451 (CVSS score: 6.5), which was patched by Microsoft in November 2024 and has also been weaponized in the wild in attacks targeting Ukraine and Colombia by threat actors like UAC-0194 and Blind Eagle.
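Two of the behaviours described above leave telemetry that can be hunted directly: a scheduled task created under a Google-looking name but pointing at a script host or a user-writable path, and the outbound SMB connection to a foreign host that a coerced NTLM authentication (the effect of CVE-2024-43451 and its variant) produces. The script below is an added example written for this page; it is not code from Mallory or from the reporting cited here. The field names (Security log 4698 `TaskName`/`Command`, Sysmon Event ID 3 `DestinationIp`/`DestinationPort`), the two heuristics, and the sample records are all assumptions of mine, and the records are constructed rather than real telemetry.

```python
"""Hunt for two Blind Eagle-style behaviours in Windows event records.

Added illustration, not code from Mallory or from the reporting this page cites.
Assumptions (mine, not the page's): events are dicts using Security-log 4698
field names (TaskName, Command) and Sysmon Event ID 3 field names
(DestinationIp, DestinationPort); the sample records are constructed.
"""
import ipaddress
import re

# Interpreters a legitimate Google updater task never launches.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe", "cmd.exe"}
# Locations a normal user can write to; GoogleUpdate.exe lives under Program Files.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
# Internal ranges; an SMB connection anywhere else is a candidate NTLM hash leak.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def _basename(path: str) -> str:
    """Last path component, lower-cased, surrounding quotes stripped."""
    return re.split(r"[\\/]", path.strip().strip('"'))[-1].lower()


def task_masquerades_as_google(task_name: str, command: str) -> bool:
    """True for a scheduled task that borrows Google's name but runs a script
    host or an executable from a user-writable location."""
    if "google" not in task_name.lower():
        return False
    if _basename(command) in SCRIPT_HOSTS:
        return True
    return any(marker in command.lower() for marker in USER_WRITABLE)


def smb_to_external(dest_ip: str, dest_port: int) -> bool:
    """True for an outbound SMB connection leaving the internal ranges, the
    network artefact of a coerced NTLM authentication."""
    if int(dest_port) != 445:
        return False
    ip = ipaddress.ip_address(dest_ip)
    return not any(ip in net for net in INTERNAL_NETS)


def hunt(events):
    """Return (event index, rule name) for every event that matches a rule."""
    findings = []
    for idx, ev in enumerate(events):
        if ev.get("EventID") == 4698 and task_masquerades_as_google(ev["TaskName"], ev["Command"]):
            findings.append((idx, "google_task_masquerade"))
        elif ev.get("EventID") == 3 and smb_to_external(ev["DestinationIp"], ev["DestinationPort"]):
            findings.append((idx, "smb_to_external_host"))
    return findings


# Constructed sample records (not real telemetry). 203.0.113.7 is a documentation
# address standing in for an attacker-controlled host.
SAMPLE_EVENTS = [
    {"EventID": 4698, "TaskName": "\\GoogleUpdateTaskMachineUA",
     "Command": "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe"},
    {"EventID": 4698, "TaskName": "\\Google Task",
     "Command": "C:\\Windows\\System32\\wscript.exe"},
    {"EventID": 4698, "TaskName": "\\GoogleUpdateTaskMachineCore",
     "Command": "C:\\Users\\victim\\AppData\\Roaming\\GoogleUpdate.exe"},
    {"EventID": 3, "DestinationIp": "10.0.0.5", "DestinationPort": 445},
    {"EventID": 3, "DestinationIp": "203.0.113.7", "DestinationPort": 445},
    {"EventID": 3, "DestinationIp": "203.0.113.7", "DestinationPort": 443},
]

if __name__ == "__main__":
    for idx, rule in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Run against the constructed records, the filter flags the two impostor tasks (a script host, and an updater binary living under a user profile) and the single SMB session to a non-internal address, while the genuine updater task and the internal file-share traffic pass. One caveat a practitioner should keep in mind: the SMB rule only catches a leak coerced over TCP 445; if the authentication is forced over WebDAV instead, the artefact is an HTTP connection from the WebClient service, which needs a separate rule.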
Observables
6 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Targeted government entities in South America, especially Colombia, using spearphishing and RATs in campaigns combining espionage and financial motives.
Threat actor targeting Colombian government/judicial and other institutions using NTLM-related abuse and RAT delivery, including GitHub-based attack elements.
Persistent actor operating in multiple clusters targeting Colombian government entities using RATs, phishing lures, and dynamic DNS infrastructure.
Uses Proton66 bulletproof hosting; conducts phishing and RAT deployment against Colombian banks.