APT-C-36 is a suspected South American threat group that has engaged in espionage and financially motivated operations since at least 2018. APT-C-36 has targeted government institutions and entities in the financial, energy, and professional manufacturing sectors across Colombia and other Latin American countries.[1][2][3][4]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1583.001 | Acquire Infrastructure: Domains | APT-C-36 has acquired domains to host malicious payloads.[2][3][5][4][6] |
| Enterprise | T1583.003 | Acquire Infrastructure: Virtual Private Server | APT-C-36 has incorporated virtual private servers (VPS) into its operational infrastructure.[4] |
| Enterprise | T1583.006 | Acquire Infrastructure: Web Services | APT-C-36 campaign architecture has included image hosting sites, Pastebin, Discord, GitHub, Google Drive, BitBucket, and Dropbox.[2][3][4][6] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | APT-C-36 has used PowerShell in malware execution, including as part of fileless attack chains to download additional payloads.[2][6] |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | APT-C-36 has used VBScript for initial malware deployment, including within a malicious Word document that executes when the document is opened.[1][2][5] |
| Enterprise | T1059.007 | Command and Scripting Interpreter: JavaScript | APT-C-36 has used a fileless attack chain composed of three JavaScript code snippets to execute subsequent payloads.[6] |
| Enterprise | T1586.002 | Compromise Accounts: Email Accounts | APT-C-36 has regularly used compromised email accounts in spearphishing campaigns.[4][6] |
| Enterprise | T1586.003 | Compromise Accounts: Cloud Accounts | APT-C-36 has used compromised Google Drive accounts, including one associated with a Colombian government organization.[4] |
| Enterprise | T1584.005 | Compromise Infrastructure: Botnet | APT-C-36 has used a botnet management interface to control large numbers of compromised hosts.[5] |
| Enterprise | T1587.001 | Develop Capabilities: Malware | APT-C-36 has customized existing malware with new capabilities, including njRAT, AsyncRAT, LimeRAT, and BitRAT.[2] |
| Enterprise | T1568 | Dynamic Resolution | APT-C-36 has used DDNS services such as DuckDNS, noip[.]com, and con-ip[.]com to redirect victims to sites or repositories hosting malware implants.[2][3][5][4][6] |
| Enterprise | T1480 | Execution Guardrails | APT-C-36 has used geolocation filtering in malware delivery to redirect traffic not coming from a targeted region or country, such as Ecuador or Colombia, to legitimate sites.[2][4] |
| Enterprise | T1133 | External Remote Services | APT-C-36 has used VPNs in its operational infrastructure.[4] |
| Enterprise | T1683.001 | Generate Content: Written Content | APT-C-36 has generated email content impersonating official notifications and documents that direct victims to execute malicious payloads.[2] |
| Enterprise | T1683.002 | Generate Content: Audio-Visual Content | APT-C-36 has used phishing pages that look like legitimate banking login portals to compromise credentials.[5] |
| Enterprise | T1564.003 | Hide Artifacts: Hidden Window | APT-C-36 has set the ShowWindow property of the Win32_ProcessStartup object to zero to hide PowerShell execution.[6] |
| Enterprise | T1574.001 | Hijack Execution Flow: DLL | APT-C-36 has used side-loading to execute the HijackLoader payload.[2] |
| Enterprise | T1105 | Ingress Tool Transfer | APT-C-36 has downloaded binary data from a specified domain after the malicious document is opened.[1] |
| Enterprise | T1534 | Internal Spearphishing | APT-C-36 has used a compromised account to send a phishing email to an address likely used and monitored by the IT team within the same targeted organization.[6] |
| Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | APT-C-36 has disguised its scheduled tasks as those used by Google.[1] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Resource Name or Location | APT-C-36 has disguised malicious executables to appear as legitimate files.[2] |
| Enterprise | T1571 | Non-Standard Port | |
| Enterprise | T1027 | Obfuscated Files or Information | APT-C-36 has used ConfuserEx to obfuscate its variant of Imminent Monitor, compressed payloads and RAT packages, and password-protected encrypted email attachments to avoid detection.[1] APT-C-36 has also compressed initial droppers into ZIP, LHA, and UUE formats.[2] |
| Enterprise | T1027.003 | Obfuscated Files or Information: Steganography | APT-C-36 has used steganography to hide malicious code, typically in the resource section of executable files.[2][4][6] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | APT-C-36 has used encoded and obfuscated files, images, and executables.[2] |
| Enterprise | T1027.016 | Obfuscated Files or Information: Junk Code Insertion | APT-C-36 has used junk characters to obfuscate malicious scripts.[4] |
| Enterprise | T1588.001 | Obtain Capabilities: Malware | APT-C-36 has utilized well-known malware, including the Packer-as-a-Service HeartCrypt, PureCrypter, and open-source RATs such as Remcos.[3][5][4] |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | APT-C-36 utilizes tools well known in crime communities and has obtained and used a modified variant of Imminent Monitor.[1][3] |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | APT-C-36 has used spearphishing emails with malicious .pdf and .docx files and password-protected RAR attachments to avoid detection by the email gateway.[1][2][4] |
| Enterprise | T1566.002 | Phishing: Spearphishing Link | APT-C-36 has sent emails containing links that appear to lead to an urgent notification from a government institution, at times using URL shorteners like cort[.]as, acortaurl[.]com, and gtly[.]to.[2][3][4] |
| Enterprise | T1055.012 | Process Injection: Process Hollowing | APT-C-36 has used process hollowing to execute malware in the memory of legitimate processes.[2] |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | APT-C-36 has used a macro function to set scheduled tasks, disguised as those used by Google.[1] |
| Enterprise | T1593 | Search Open Websites/Domains | APT-C-36 has gathered information on Colombian financial institutions, including Bancolombia, BBVA, Banco Caja Social, and Davivienda, to craft phishing pages.[5] |
| Enterprise | T1684.001 | Social Engineering: Impersonation | APT-C-36 has impersonated banks including Banco Davivienda, Bancolombia, and BBVA, as well as government institutions such as Colombia’s National Directorate of Taxes and Customs, Ministry of Foreign Affairs, and Office of the Attorney General.[2][5][4][6] |
| Enterprise | T1608.001 | Stage Capabilities: Upload Malware | APT-C-36 has staged malware implants on group-owned repositories and sites.[2][5] |
| Enterprise | T1204.001 | User Execution: Malicious Link | APT-C-36 has used malicious links in emails, often impersonating official notifications and documents, to direct users to execute malicious payloads.[2] |
| Enterprise | T1204.002 | User Execution: Malicious File | APT-C-36 has prompted victims to open attachments and to accept macros in order to execute the subsequent payload.[1][4] APT-C-36 has also lured victims into opening malicious files hosted on Google Drive that triggered WebDAV requests to download malware.[3][6] |
| Enterprise | T1047 | Windows Management Instrumentation | |