{
  "description": "Enterprise techniques used by APT-C-36, ATT&CK group G0099 (v2.0)",
  "name": "APT-C-36 (G0099)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"},
  "techniques": [
    {"techniqueID": "T1583", "showSubtechniques": true},
    {"techniqueID": "T1583.001", "comment": "[APT-C-36](https://attack.mitre.org/groups/G0099) has acquired domains to host malicious payloads.(Citation: Kaspersky BlindEagle AUG 2024)(Citation: Check Point Blind Eagle MAR 2025)(Citation: LevelBlue Blind Eagle Proton66 JUN 2025)(Citation: Recorded Future TAG-144 AUG 2025)(Citation: Recorded Future TAG-144 AUG 2025)(Citation: Zscaler BlindEagle DEC 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1583.003", "comment": "[APT-C-36](https://attack.mitre.org/groups/G0099) has incorporated virtual private servers (VPS) into its operational infrastructure.(Citation: Recorded Future TAG-144 AUG 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1583.006", "comment": "[APT-C-36](https://attack.mitre.org/groups/G0099) campaign architecture has included image hosting sites, Pastebin, Discord, GitHub, Google Drive, BitBucket, and Dropbox.(Citation: Kaspersky BlindEagle AUG 2024)(Citation: Check Point Blind Eagle MAR 2025)(Citation: Recorded Future TAG-144 AUG 2025)(Citation: Zscaler BlindEagle DEC 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.001", "comment": "[APT-C-36](https://attack.mitre.org/groups/G0099) has used PowerShell in malware execution including as part of fileless attack chains to download additional payloads.(Citation: Kaspersky BlindEagle AUG 2024)(Citation: Zscaler BlindEagle DEC 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059.005", "comment": "[APT-C-36](https://attack.mitre.org/groups/G0099) has used VBScript for initial malware deployment including within a malicious Word document which is executed upon the document opening.(Citation: QiAnXin APT-C-36 Feb2019)(Citation: Kaspersky BlindEagle AUG 2024)(Citation: LevelBlue Blind Eagle Proton66 JUN 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059.007", "comment": "[APT-C-36](https://attack.mitre.org/groups/G0099) has used a fileless attack chain composed of three JavaScript code snippets to execute subsequent payloads.(Citation: Zscaler BlindEagle DEC 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1586", "showSubtechniques": true},
    {"techniqueID": "T1586.002", "comment": "[APT-C-36](https://attack.mitre.org/groups/G0099) has regularly used compromised email accounts in spearphishing campaigns.(Citation: Recorded Future TAG-144 AUG 2025)(Citation: Zscaler BlindEagle DEC 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1586.003", "comment": "[APT-C-36](https://attack.mitre.org/groups/G0099) has used compromised Google Drive accounts including one associated with a Colombian government organization.(Citation: Recorded Future TAG-144 AUG 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1584", "showSubtechniques": true},
    {"techniqueID": "T1584.005", "comment": "[APT-C-36](https://attack.mitre.org/groups/G0099) has used a botnet management interface to control large numbers of compromised hosts.(Citation: LevelBlue Blind Eagle Proton66 JUN 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1587", "showSubtechniques": true},
    {"techniqueID": "T1587.001", "comment": "[APT-C-36](https://attack.mitre.org/groups/G0099) has customized existing malware with new capabilities including [njRAT](https://attack.mitre.org/software/S0385), [AsyncRAT](https://attack.mitre.org/software/S1087), LimeRAT, and BitRAT.(Citation: Kaspersky BlindEagle AUG 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1568", "comment": "[APT-C-36](https://attack.mitre.org/groups/G0099) has used DDNS services such as DuckDNS, noip[.]com, and con-ip[.]com to redirect victims to sites or repositories hosting malware implants.(Citation: Kaspersky BlindEagle AUG 2024)(Citation: Check Point Blind Eagle MAR 2025)(Citation: LevelBlue Blind Eagle Proton66 JUN 2025)(Citation: Recorded Future TAG-144 AUG 2025)(Citation: Zscaler BlindEagle DEC 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1480", "comment": "[APT-C-36](https://attack.mitre.org/groups/G0099) has used geolocation filtering in malware delivery to redirect traffic not coming from a targeted region or country, such as Ecuador or Colombia, to legitimate sites.(Citation: Kaspersky BlindEagle AUG 2024)(Citation: Recorded Future TAG-144 AUG 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1133", "comment": "[APT-C-36](https://attack.mitre.org/groups/G0099) has used VPNs in their operational infrastructure.(Citation: Recorded Future TAG-144 AUG 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1683", "showSubtechniques": true},
    {"techniqueID": "T1683.001", "comment": "[APT-C-36](https://attack.mitre.org/groups/G0099) has generated email content impersonating official notifications and documents that direct victims to execute malicious payloads.(Citation: Kaspersky BlindEagle AUG 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1683.002", "comment": "[APT-C-36](https://attack.mitre.org/groups/G0099) has used phishing pages appearing like legitimate banking login portals to compromise credentials.(Citation: LevelBlue Blind Eagle Proton66 JUN 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1564", "showSubtechniques": true},
    {"techniqueID": "T1564.003", "comment": "[APT-C-36](https://attack.mitre.org/groups/G0099) has set the ShowWindow property of the Win32_ProcessStartup object to zero to hide PowerShell execution.(Citation: Zscaler BlindEagle DEC 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1574", "showSubtechniques": true},
    {"techniqueID": "T1574.001", "comment": "[APT-C-36](https://attack.mitre.org/groups/G0099) has used side-loading to execute the HijackLoader payload.(Citation: Kaspersky BlindEagle AUG 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1105", "comment": "[APT-C-36](https://attack.mitre.org/groups/G0099) has downloaded binary data from a specified domain after the malicious document is opened.(Citation: QiAnXin APT-C-36 Feb2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1534", "comment": "[APT-C-36](https://attack.mitre.org/groups/G0099) has used a compromised account to send a phishing email to an address likely used and monitored by the IT team within the same targeted organization.(Citation: Zscaler BlindEagle DEC 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1036", "showSubtechniques": true},
    {"techniqueID": "T1036.004", "comment": "[APT-C-36](https://attack.mitre.org/groups/G0099) has disguised its scheduled tasks as those used by Google.(Citation: QiAnXin APT-C-36 Feb2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1036.005", "comment": "[APT-C-36](https://attack.mitre.org/groups/G0099) has disguised malicious executables to appear as legitimate files.(Citation: Kaspersky BlindEagle AUG 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1571", "comment": "[APT-C-36](https://attack.mitre.org/groups/G0099) has used port 4050 for C2 communications.(Citation: QiAnXin APT-C-36 Feb2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "comment": "[APT-C-36](https://attack.mitre.org/groups/G0099) has used ConfuserEx to obfuscate its variant of [Imminent Monitor](https://attack.mitre.org/software/S0434), compressed payloads and RAT packages, and password protected encrypted email attachments to avoid detection.(Citation: QiAnXin APT-C-36 Feb2019) [APT-C-36](https://attack.mitre.org/groups/G0099) has also compressed initial droppers into ZIP, LHA and UUE formats.(Citation: Kaspersky BlindEagle AUG 2024)", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1027.003", "comment": "[APT-C-36](https://attack.mitre.org/groups/G0099) has used steganography to hide malicious code, typically in the resource section of executable files.(Citation: Kaspersky BlindEagle AUG 2024)(Citation: Recorded Future TAG-144 AUG 2025)(Citation: Recorded Future TAG-144 AUG 2025)(Citation: Zscaler BlindEagle DEC 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.013", "comment": "[APT-C-36](https://attack.mitre.org/groups/G0099) has used encoded and obfuscated files, images, and executables.(Citation: Kaspersky BlindEagle AUG 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.016", "comment": "[APT-C-36](https://attack.mitre.org/groups/G0099) has used junk characters to obfuscate malicious scripts.(Citation: Recorded Future TAG-144 AUG 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1588", "showSubtechniques": true},
    {"techniqueID": "T1588.001", "comment": "[APT-C-36](https://attack.mitre.org/groups/G0099) has utilized well known malware including the Packer-as-a-Service HeartCrypt, PureCrypter, and open-source RATs such as [Remcos](https://attack.mitre.org/software/S0332).(Citation: Check Point Blind Eagle MAR 2025)(Citation: LevelBlue Blind Eagle Proton66 JUN 2025)(Citation: Recorded Future TAG-144 AUG 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1588.002", "comment": "[APT-C-36](https://attack.mitre.org/groups/G0099) utilizes tools well known in crime communities and has obtained and used a modified variant of [Imminent Monitor](https://attack.mitre.org/software/S0434).(Citation: QiAnXin APT-C-36 Feb2019)(Citation: Check Point Blind Eagle MAR 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1566", "showSubtechniques": true},
    {"techniqueID": "T1566.001", "comment": "[APT-C-36](https://attack.mitre.org/groups/G0099) has used spearphishing emails with malicious .pdf and .docx files and password protected RAR attachments to avoid being detected by the email gateway.(Citation: QiAnXin APT-C-36 Feb2019)(Citation: Kaspersky BlindEagle AUG 2024)(Citation: Recorded Future TAG-144 AUG 2025)(Citation: Recorded Future TAG-144 AUG 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1566.002", "comment": "[APT-C-36](https://attack.mitre.org/groups/G0099) has sent emails containing a link that appear to lead to an urgent notification from a government institution, at times using URL shorteners like cort[.]as, acortaurl[.]com, and gtly[.]to.(Citation: Kaspersky BlindEagle AUG 2024)(Citation: Check Point Blind Eagle MAR 2025)(Citation: Check Point Blind Eagle MAR 2025)(Citation: Recorded Future TAG-144 AUG 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1055", "showSubtechniques": true},
    {"techniqueID": "T1055.012", "comment": "[APT-C-36](https://attack.mitre.org/groups/G0099) has used process hollowing to execute malware in the memory of legitimate processes.(Citation: Kaspersky BlindEagle AUG 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1053", "showSubtechniques": true},
    {"techniqueID": "T1053.005", "comment": "[APT-C-36](https://attack.mitre.org/groups/G0099) has used a macro function to set scheduled tasks, disguised as those used by Google.(Citation: QiAnXin APT-C-36 Feb2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1593", "comment": "[APT-C-36](https://attack.mitre.org/groups/G0099) has gathered information on Colombian financial institutions, including Bancolombia, BBVA, Banco Caja Social, and Davivienda to craft phishing pages.(Citation: LevelBlue Blind Eagle Proton66 JUN 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1684", "showSubtechniques": true},
    {"techniqueID": "T1684.001", "comment": "[APT-C-36](https://attack.mitre.org/groups/G0099) has impersonated banks including Banco Davivienda, Bancolombia, and BBVA as well as government institutions such as Colombia’s National Directorate of Taxes and Customs, Ministry of Foreign Affairs, and Office of the Attorney General.(Citation: Kaspersky BlindEagle AUG 2024)(Citation: LevelBlue Blind Eagle Proton66 JUN 2025)(Citation: Recorded Future TAG-144 AUG 2025)(Citation: Zscaler BlindEagle DEC 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1608", "showSubtechniques": true},
    {"techniqueID": "T1608.001", "comment": "[APT-C-36](https://attack.mitre.org/groups/G0099) has staged malware implants on group-owned repositories and sites.(Citation: Kaspersky BlindEagle AUG 2024)(Citation: LevelBlue Blind Eagle Proton66 JUN 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1204", "showSubtechniques": true},
    {"techniqueID": "T1204.001", "comment": "[APT-C-36](https://attack.mitre.org/groups/G0099) has used malicious links in emails, often impersonating official notifications and documents, to direct users to execute malicious payloads.(Citation: Kaspersky BlindEagle AUG 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1204.002", "comment": "[APT-C-36](https://attack.mitre.org/groups/G0099) has prompted victims to open attachments and to accept macros in order to execute the subsequent payload.(Citation: QiAnXin APT-C-36 Feb2019)(Citation: Recorded Future TAG-144 AUG 2025) [APT-C-36](https://attack.mitre.org/groups/G0099) has also lured victims into opening malicious files hosted on Google Drive that triggered WebDAV requests to download malware.(Citation: Check Point Blind Eagle MAR 2025)(Citation: Zscaler BlindEagle DEC 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1047", "comment": "[APT-C-36](https://attack.mitre.org/groups/G0099) has used WMI to execute PowerShell.(Citation: Zscaler BlindEagle DEC 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by APT-C-36", "color": "#66b1ff"}]
}