Red Akodon
Red Akodon is a threat actor first identified by SCILabs in April 2024 and observed primarily targeting users and organizations in Colombia. The actor conducts phishing-driven campaigns that impersonate Colombian government and judicial entities, including Fiscalía General de la Nación and Bogotá civil courts, using lures related to lawsuits and judicial summonses. SCILabs reported the actor’s objective as theft of confidential information, including banking details, email accounts, social media credentials, and corporate portal access. Observed delivery chains use phishing emails sent from accounts on Colombian government and legitimate company domains, with no email spoofing identified in the reported campaigns. Two variants were described: one using links to DOCX files hosted on Google Drive or OneDrive, and another using attached SVG files containing malicious hyperlinks. Victims are ultimately directed to download ZIP or 7Z payloads from GitHub repositories. Red Akodon has used remote access trojans including AsyncRAT, RemcosRAT, QuasarRAT, and XWorm. SCILabs reported DLL hijacking involving a legitimate VMware Tools executable and a malicious glib-2.0.dll to inject AsyncRAT into MSBuild.exe. Follow-on behavior included PowerShell execution from C:\Users\Public, Windows Defender exclusion changes, execution of taskkill.exe /im cmstp.exe /f associated with UAC bypass or disablement, and persistence via Start Menu shortcuts and scheduled tasks. Additional observed activity included installation of RemcosRAT and QuasarRAT, and deployment of Neshta malware, which infects executables and establishes execution when EXE files are opened. SCILabs also listed kozow[.]com subdomains used as C2 infrastructure. SCILabs assessed with high confidence that Red Akodon was distinct from other Colombia-focused groups such as APT-C-36 and TA558 based on limited overlap and different infrastructure and delivery patterns. However, Insikt Group later reported further evidence linking TAG-144 to Red Akodon. TAG-144 is also known as Blind Eagle, AguilaCiega, APT-C-36, and APT-Q-98. Based on the provided content, the relationship is reported as a linkage by Insikt Group, but the content does not conclusively resolve whether Red Akodon is a distinct actor or part of TAG-144.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Tradecraft
16 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
Associated malware families
5 malware families attributed to this actor across reporting.
Observables
1 indicator attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.
Recent activity
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Named activity cluster/group referenced as linked to TAG-144; no additional operational details provided in the excerpt beyond the asserted linkage.
Credential theft and remote-access operations primarily against Colombian users via phishing lures themed as lawsuits/judicial summons. Uses cloud/file-hosting (Google Drive/OneDrive) and GitHub for payload delivery, DLL hijacking to inject AsyncRAT into MSBuild.exe, establishes persistence (Start Menu shortcuts + scheduled task), weakens defenses (Defender exclusions, UAC bypass attempt via cmstp), and deploys multiple RATs (AsyncRAT, Remcos, Quasar, XWorm) plus Neshta to infect EXEs.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.