TAG-144’s Persistent Grip on South American Organizations

Insikt Group identified five distinct TAG-144 (Blind Eagle) activity clusters active during 2024–2025 that primarily targeted Colombian government entities using open-source and cracked RATs, dynamic DNS domains, and extensive abuse of legitimate internet services for staging and steganographic payload delivery. The report also documents overlaps with Red Akodon, widespread use of compromised Colombian government email accounts for spearphishing, and a large set of IoCs including domains, IPs, and file hashes. #TAG-144 #BlindEagle #RedAkodon #AsyncRAT #REMCOS #LimeRAT

Keypoints

  • Insikt Group tracked five activity clusters (Clusters 1–5) linked to TAG-144 active between May 2024 and July 2025, each using overlapping but distinct infrastructure and malware.
  • Primary victims were Colombian government entities at local, municipal, and federal levels, with additional victims in healthcare, education, retail, transport, oil, and defense sectors.
  • TAG-144 consistently abused Legitimate Internet Services (LIS) such as Archive.org, GitHub, Discord, Paste.ee, Bitbucket, and the free host lovestoblog[.]com to stage payloads, and used steganography to hide .NET assemblies inside image files that a loader script decoded and executed in memory.
  • Malware families observed include AsyncRAT (including a cracked variant), DcRAT, REMCOS RAT, XWorm, LimeRAT, QuasarRAT/BlotchyQuasar, njRAT, and various crypters (HeartCrypt, PureCrypter, Roda).
  • Infrastructure included TorGuard VPN servers, IP addresses in Colombian ISP ranges, VPS providers (GLESYS, VULTR), and dynamic DNS providers (duckdns[.]org, noip[.]com, con-ip[.]com, kozow[.]com); many hostnames follow DGA-like naming patterns (e.g., envio* and deadpoolstart*).
  • Multiple confirmed spearphishing campaigns used compromised Colombian government email accounts; a representative phishing chain delivered an SVG that loaded obfuscated JavaScript from cdn[.]discordapp[.]com and ultimately a PowerShell script that extracted and loaded a payload from an Archive.org JPG.
  • Insikt Group observed overlaps with Red Akodon through shared tooling, hosting patterns, and specific repositories/accounts used to stage RAT payloads, suggesting collaboration or shared resources within the regional cybercriminal ecosystem.

MITRE Techniques

  • [T1071.001 ] Application Layer Protocol: Web Protocols – Used for C2 communications and staging via web hosts and LIS such as cdn[.]discordapp[.]com and archive[.]org; quoted: ‘…the link embedded within the SVG file is: hxxps://cdn[.]discordapp[.]com/attachments/…’
  • [T1573.002 ] Encrypted Channel: Asymmetric Cryptography – Listed in the report's Appendix K as a technique used to secure C2 channels. Quote: ‘…Encrypted Channel: Asymmetric Cryptography’
  • [T1573.001 ] Encrypted Channel: Symmetric Cryptography – Listed in Appendix K for securing C2 communications of the RATs and tooling. Quote: ‘…Encrypted Channel: Symmetric Cryptography’
  • [T1105 ] Ingress Tool Transfer – Staging of payloads via LIS (GitHub Gist, Paste.ee, Archive.org, Bitbucket, Discord) to retrieve next-stage scripts and payloads; quoted: ‘…the script creates a ServerXMLHTTP object and issues a GET request to the specified paste[.]ee URL…’
  • [T1112 ] Modify Registry – Registry modification observed as part of persistence and defense evasion in malware families linked to TAG-144 (listed in Appendix K). Quote: ‘…Defense Evasion: Modify Registry’
  • [T1082 ] System Information Discovery – Malware gathered system info as part of discovery phases (listed in Appendix K). Quote: ‘…Discovery: System Information Discovery’
  • [T1012 ] Query Registry – Threat activity included querying registry keys for discovery and configuration (listed in Appendix K). Quote: ‘…Discovery: Query Registry’
  • [T1059.001 ] Command and Scripting Interpreter: PowerShell – Executed obfuscated PowerShell to download JPG from archive[.]org, extract embedded .NET assembly via steganography, and execute in memory; quoted: ‘…The PowerShell script retrieves a JPG image from hxxps://archive[.]org/… It then employs steganographic techniques…’
  • [T1566.002 ] Initial Access: Spearphishing Link – Initial access via spearphishing emails sent from likely compromised Colombian government accounts, delivering SVG attachments whose embedded link retrieved the JS/PowerShell stages; quoted: ‘…A likely compromised domain, alcaldia[@]simacota-santander[.]gov[.]co… resulted in AsyncRAT deployment…’
  • [T1583.001 ] Acquire Infrastructure: Domains – Use of dynamic DNS domains (duckdns[.]org, con-ip[.]com, ddns[.]net) and DGA-like naming patterns to provision C2 domains; quoted: ‘…hosts domains registered through various dynamic DNS services such as duckdns[.]org, noip[.]com, and con-ip[.]com…’
  • [T1583.003 ] Acquire Infrastructure: Virtual Private Server – Use of VPS and VPN services (TorGuard, GLESYS, VULTR, Proton666) to host C2 and staging infrastructure; quoted: ‘…comprises virtual private servers (VPS), IP addresses within Colombian ISP ranges, and servers that appear to function as VPN servers.’
  • [T1583.004 ] Acquire Infrastructure: Server – Use and reuse of servers and Colombian ISP-hosted IPs as part of C2 infrastructure; quoted: ‘…IP addresses linked to Cluster 1 are listed in Appendix A… Colombian ISP hosting…’
  • [T1583.006 ] Acquire Infrastructure: Web Services – Use of legitimate web services and free hosting (lovestoblog[.]com) to host staging text files and payload references; quoted: ‘…the free hosting platform lovestoblog[.]com… sudo102[.]lovestoblog[.]com hosted several text files that loaded an encoded PowerShell script…’
  • [T1584.004 ] Compromise Infrastructure: Server – Indications of compromised routers and repurposed devices used as reverse proxies and proxies for C2 obfuscation; quoted: ‘…suspected to use compromised routers, which are then repurposed as reverse proxies…’
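The PowerShell stage in the chain above (T1059.001) pulls a JPG from archive[.]org, carves a .NET assembly out of it and loads it in memory. The page does not say how the bytes are embedded, so the triage script below, added here as an example and not code from the Insikt Group report, checks the two generic hiding places a loader of this kind tends to use: data (raw or base64) appended after the JPEG end-of-image marker, and long base64 runs anywhere in the file (for instance inside a COM segment). Whatever it recovers is parsed as a PE and reported as a .NET assembly when data directory 14, the CLR runtime header, is non-empty. The function names, the carriers and the header-only stand-in "assembly" are all constructed for this example.

```python
import base64
import re
import struct
from typing import Iterator, Optional, Tuple

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
# A run of base64 text (newlines tolerated) long enough to be worth decoding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/\r\n]{64,}={0,2}")
B64_ONLY = re.compile(rb"[A-Za-z0-9+/\r\n]+={0,2}")


def clr_directory(data: bytes) -> Optional[Tuple[int, int]]:
    """Return (RVA, size) of PE data directory 14, the CLR runtime header, or None
    if data is not a PE image. A non-zero entry is what marks a .NET assembly."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt_off = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    if opt_off + 2 > len(data):
        return None
    magic = struct.unpack_from("<H", data, opt_off)[0]
    dd_off = {0x10B: 96, 0x20B: 112}.get(magic)  # data directories start here for PE32 / PE32+
    if dd_off is None or opt_off + dd_off > len(data):
        return None
    n_dirs = struct.unpack_from("<I", data, opt_off + dd_off - 4)[0]
    clr_off = opt_off + dd_off + 14 * 8
    if n_dirs < 15 or clr_off + 8 > len(data):
        return None
    return struct.unpack_from("<II", data, clr_off)


def classify(blob: bytes) -> Optional[str]:
    d = clr_directory(blob)
    if d is None:
        return None
    return "dotnet_assembly" if d[0] and d[1] else "native_pe"


def candidate_payloads(image: bytes) -> Iterator[Tuple[str, bytes]]:
    """Yield (method, bytes) for each place a loader could stash an executable:
    raw or base64 data after a JPEG EOI marker, or a long base64 run anywhere."""
    if image.startswith(JPEG_SOI):
        pos = 0
        while (eoi := image.find(JPEG_EOI, pos)) != -1:
            pos = eoi + 2
            trailer = image[pos:]
            if not trailer:
                break
            yield "jpeg_trailer_raw", trailer
            if B64_ONLY.fullmatch(trailer.strip()):
                try:
                    yield "jpeg_trailer_base64", base64.b64decode(re.sub(rb"\s", b"", trailer))
                except ValueError:
                    pass
    for m in B64_RUN.finditer(image):
        text = re.sub(rb"\s", b"", m.group(0))
        if len(text) >= 64:
            try:
                yield "embedded_base64_run", base64.b64decode(text)
            except ValueError:
                pass


def find_hidden_executable(image: bytes) -> Optional[dict]:
    """Return the first embedded PE found (method, kind, size) or None for a clean image."""
    for method, blob in candidate_payloads(image):
        kind = classify(blob)
        if kind:
            return {"method": method, "kind": kind, "size": len(blob)}
    return None


def build_fake_dotnet_pe() -> bytes:
    """Constructed stand-in for a .NET assembly: valid MZ/PE/optional headers with a
    non-zero CLR directory but no sections or code, so it is harmless and cannot run."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                         # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)  # i386, 0 sections, PE32 opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                             # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)         # CLR runtime header RVA / size
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed carriers (not files from the report): a minimal JFIF header, then either
# nothing, the payload base64-appended after EOI, or the payload inside a COM segment.
_JFIF = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
_B64 = base64.b64encode(build_fake_dotnet_pe())
CLEAN_IMAGE = _JFIF + JPEG_EOI
TRAILER_CARRIER = _JFIF + JPEG_EOI + _B64
COMMENT_CARRIER = _JFIF + b"\xff\xfe" + struct.pack(">H", len(_B64) + 2) + _B64 + JPEG_EOI

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_IMAGE), ("trailer", TRAILER_CARRIER), ("comment", COMMENT_CARRIER)):
        print(name, find_hidden_executable(img))
```

Both carriers still open as valid pictures, which is the point of the technique: a filter that only validates the image format passes them. Running the script over the archive[.]org JPG from the IoC list tells you which embedding method the sample actually uses and gives you the assembly to hand to a .NET decompiler.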

Indicators of Compromise

  • [IP Address ] Cluster C2 and proxy IPs – 146[.]70[.]137[.]90, 64[.]188[.]9[.]172 (examples; many more listed in Appendix B)
  • [Domain ] Dynamic DNS C2 and staging domains – envio16-05[.]duckdns[.]org, deadpoolstart2064[.]duckdns[.]org (examples; the report lists many more duckdns[.]org, con-ip[.]com, and kozow[.]com entries)
  • [File Hash – SHA256 ] Malicious attachments and staged payloads – 04878a5889e3368c2cf093d42006ba18a87c5054f1464900094e6864f4919899 (SVG), 1226a8d066328a8b6f353c9d98f1dc8128bd84f3909ae1cc6811dc1adff33c81 (JS), and 0fd706ebd884e6678f5d0c73c42d7ee05dcddd53963cf53542d5a8084ea82ad1 (RAR) among many hashes
  • [File Name ] Lures and staged filenames – Notificacion_electronica_sentencia_preliminar_Departamento_Juridico_sxyebfiv.svg (phishing attachment), RELACIÓN DE SALDOS – CUENTA DE COBRO.pdf.exe (double-extension executable posing as a PDF)
  • [URL ] Staging via free hosting and LIS – hxxp://deadpoolstart[.]lovestoblog[.]com/arquivo_175c782b52a345e9b408a8449e64f766[.]txt and the Archive.org JPG used as the steganographic carrier: hxxps://archive[.]org/download/universe-1733359315202-8750/universe-1733359315202-8750.jpg
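A hunting pass over DNS and proxy logs that turns the indicators above into detection logic, added here as an example and not code from the report: exact matches on the listed domains and IPs, any query to the named dynamic DNS providers (scored higher when the label under the provider follows the envio*/deadpoolstart* naming), and fetches from the listed staging services, scored higher when the requesting process is a script host rather than a browser. The log lines are constructed: the client IPs, the Discord attachment path and the chrome.exe requests are placeholders, while the domains, IPs and archive[.]org URL are the page's own. The dynamic DNS suffix list and the script-host list are assumptions that a production rule would extend.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Indicators copied from this page's IoC list.
IOC_IPS = {"146.70.137.90", "64.188.9.172"}
IOC_DOMAINS = {"envio16-05.duckdns.org", "deadpoolstart2064.duckdns.org"}
# Dynamic DNS suffixes named on this page (noip.com hands out names under ddns.net among
# others); assumption: a production list would cover every provider suffix.
DDNS_SUFFIXES = ("duckdns.org", "con-ip.com", "kozow.com", "ddns.net")
# The envio* / deadpoolstart* naming the page attributes to the actor's hosts.
ACTOR_NAME_PATTERN = re.compile(r"^(envio|deadpoolstart)[\w-]*$", re.I)
# Staging services named on the page, with the path prefix that serves raw content
# (assumption: any path counts for paste.ee, gist.github.com and bitbucket.org).
LIS_STAGING = (
    ("cdn.discordapp.com", "/attachments/"),
    ("archive.org", "/download/"),
    ("paste.ee", "/"),
    ("gist.github.com", "/"),
    ("bitbucket.org", "/"),
)
LIS_HOST_SUFFIXES = (".lovestoblog.com",)
# Script hosts that have little business pulling content from paste/CDN services.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass
class Finding:
    ts: str
    rule: str
    indicator: str


def check_dns(ts: str, query: str, answer: str) -> List[Finding]:
    q = query.lower().rstrip(".")
    out: List[Finding] = []
    if q in IOC_DOMAINS:
        out.append(Finding(ts, "ioc_domain", q))
    if answer in IOC_IPS:
        out.append(Finding(ts, "ioc_ip", answer))
    for suffix in DDNS_SUFFIXES:
        if q.endswith("." + suffix):
            label = q[: -len(suffix) - 1].rsplit(".", 1)[-1]  # label directly under the provider
            rule = "ddns_actor_pattern" if ACTOR_NAME_PATTERN.match(label) else "ddns_query"
            out.append(Finding(ts, rule, q))
            break
    return out


def check_http(ts: str, process: str, url: str) -> List[Finding]:
    m = re.match(r"^https?://([^/\s]+)(/\S*)?$", url, re.I)
    if not m:
        return []
    host, path = m.group(1).lower(), m.group(2) or "/"
    staged = host.endswith(LIS_HOST_SUFFIXES) or any(
        host == h and path.startswith(p) for h, p in LIS_STAGING)
    if not staged:
        return []
    rule = "lis_fetch_by_script_host" if process.lower() in SCRIPT_HOSTS else "lis_fetch"
    return [Finding(ts, rule, f"{process} -> {url}")]


def hunt(dns_lines: List[str], http_lines: List[str]) -> List[Finding]:
    """Run both rule sets over whitespace-separated log lines:
    DNS: <ts> <client> <query> <answer>; HTTP: <ts> <client> <process> <url>."""
    findings: List[Finding] = []
    for line in dns_lines:
        ts, _client, query, answer = line.split()
        findings += check_dns(ts, query, answer)
    for line in http_lines:
        ts, _client, process, url = line.split()
        findings += check_http(ts, process, url)
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    return dict(Counter(f.rule for f in findings))


# Constructed sample logs (not from the report); see the lead-in for what is placeholder.
DNS_LOG = [
    "2025-06-12T14:03:11Z 10.0.4.21 envio16-05.duckdns.org 146.70.137.90",
    "2025-06-12T14:03:12Z 10.0.4.21 deadpoolstart2064.duckdns.org 64.188.9.172",
    "2025-06-12T14:05:40Z 10.0.4.33 mycam.duckdns.org 203.0.113.7",
    "2025-06-12T14:06:02Z 10.0.4.33 www.example.com 198.51.100.5",
]
HTTP_LOG = [
    "2025-06-12T14:02:50Z 10.0.4.21 wscript.exe https://cdn.discordapp.com/attachments/1/2/stage.js",
    "2025-06-12T14:02:58Z 10.0.4.21 powershell.exe https://archive.org/download/universe-1733359315202-8750/universe-1733359315202-8750.jpg",
    "2025-06-12T14:10:00Z 10.0.4.33 chrome.exe https://archive.org/details/some-public-item",
    "2025-06-12T14:11:00Z 10.0.4.33 chrome.exe https://paste.ee/p/abcd",
]

if __name__ == "__main__":
    for f in hunt(DNS_LOG, HTTP_LOG):
        print(f"{f.ts} {f.rule:26} {f.indicator}")
    print(summarize(hunt(DNS_LOG, HTTP_LOG)))
```

The split between `lis_fetch` and `lis_fetch_by_script_host` matters in practice: browsers hit Discord, GitHub and Archive.org all day, so the process name is what separates the staging chain on L14 (wscript.exe, then powershell.exe) from normal traffic, and the exact-match rules only fire until the actor rotates the dynamic DNS name, which the naming-pattern rule is there to survive.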


Read more: https://www.recordedfuture.com/research/tag-144s-persistent-grip-on-south-american-organizations