Cybersecurity researchers have discovered five distinct activity clusters linked to a persistent threat actor known as Blind Eagle between May 2024 and July 2025.
These attacks, observed by Recorded Future Insikt Group, targeted various victims, but primarily within the Colombian government across local, municipal, and federal levels. The threat intelligence firm is tracking the activity under the name TAG-144.
"Although the clusters share similar tactics, techniques, and procedures (TTPs) such as leveraging open-source and cracked remote access trojans (RATs), dynamic domain providers, and legitimate internet services (LIS) for staging, they differ significantly in infrastructure, malware deployment, and other operational methods," the Mastercard-owned company said.
Blind Eagle has a history of targeting organizations in South America since at least 2018, with the attacks reflecting both cyber espionage and financially driven motivations. This is evidenced in their recent campaigns, which have involved banking-related keylogging and browser monitoring as well as targeting government entities using various remote access trojans (RATs).
Targets of the group's attacks include the judiciary and tax authorities, along with entities in the financial, petroleum, energy, education, healthcare, manufacturing, and professional services sectors. The operations predominantly span Colombia, Ecuador, Chile, and Panama, and, in some cases, Spanish-speaking users in North America.
Attack chains typically involve the use of spear-phishing lures impersonating local government agencies to entice recipients into opening malicious documents or clicking on links concealed using URL shorteners like cort[.]as, acortaurl[.]com, and gtly[.]to.
Blind Eagle makes use of compromised email accounts to send the messages and leverages geofencing tricks to redirect users to official government websites when attempting to navigate to attacker-controlled infrastructure outside of Colombia or Ecuador.
"TAG-144's command-and-control (C2) infrastructure often incorporates IP addresses from Colombian ISPs alongside virtual private servers (VPS) such as Proton666 and VPN services like Powerhouse Management, FrootVPN, and TorGuard," Recorded Future said. This setup is further enhanced by the use of dynamic DNS services, including duckdns[.]org, ip-ddns[.]com, and noip[.]com."
The threat group has also taken advantage of legitimate internet services, such as Bitbucket, Discord, Dropbox, GitHub, Google Drive, the Internet Archive, lovestoblog.com, Paste.ee, Tagbox, and lesser-known Brazilian image-hosting websites, for staging payloads in order to obscure malicious content and evade detection.
Recent campaigns orchestrated by the threat actor have employed a Visual Basic Script file as a dropper to execute a dynamically generated PowerShell script at runtime, which, in turn, reaches out to an external server to download an injector module that's responsible for loading Lime RAT, DCRat, AsyncRAT, or Remcos RAT.
The regional focus aside, the hacking group has consistently relied on the same techniques since its emergence, underscoring how "well-established methods" continue to yield high success rates in the region.
Recorded Future's analysis of Blind Eagle's campaigns have uncovered five clusters of activity -
- Cluster 1 (from February through July 2025), which has targeted Colombian government entities exclusively with DCRat, AsyncRAT, and Remcos RAT
- Cluster 2 (from September through December 2024), which has targeted Colombian government and entities in the education, defense, and retail sectors with AsyncRAT and XWorm
- Cluster 3 (from September 2024 through July 2025), which is characterized by the deployment of AsyncRAT and Remcos RAT
- Cluster 4 (from May 2024 through February 2025), which is associated with malware and phishing infrastructure attributed to TAG-144, with the phishing pages mimicking Banco Davivienda, Bancolombia, and BBVA
- Cluster 5 (from March through July 2025), which is associated with Lime RAT and a cracked AsyncRAT variant observed in Clusters 1 and 2
The digital missives used in these campaigns come with an SVG attachment, which then reaches out to Discord CDN to retrieve a JavaScript payload that, for its part, fetches a PowerShell script from Paste.ee. The PowerShell script is designed to decode and execute another PowerShell payload that obtains a JPG image hosted on the Internet Archive and extracts from it an embedded .NET assembly.
Interestingly, the cracked version of AsyncRAT used in the attacks has been previously observed in connection with intrusion activity mounted by threat actors Red Akodon and Shadow Vector, both of which have targeted Colombia over the past year.
Nearly 60% of the observed Blind Eagle activity during the analysis period has targeted the government sector, followed by education, healthcare, retail, transportation, defense, and oil verticals.
"Although TAG-144 has targeted other sectors and has occasionally been linked to intrusions in additional South American countries such as Ecuador, as well as Spanish-speaking victims in the US, its primary focus has consistently remained on Colombia, particularly on government entities," Recorded Future said.
"This persistent targeting raises questions about the threat group's true motivations, such as whether it operates solely as a financially driven threat actor leveraging established tools, techniques, and monetization strategies, or whether elements of state-sponsored espionage are also at play."
