
"These attacks, observed by Recorded Future Insikt Group, targeted various victims, but primarily within the Colombian government across local, municipal, and federal levels. The threat intelligence firm is tracking the activity under the name TAG-144. "Although the clusters share similar tactics, techniques, and procedures (TTPs) such as leveraging open-source and cracked remote access trojans (RATs), dynamic domain providers, and legitimate internet services (LIS) for staging, they differ significantly in infrastructure, malware deployment, and other operational methods," the Mastercard-owned company said. Blind Eagle has a history of targeting organizations in South America since at least 2018, with the attacks reflecting both cyber espionage and financially driven motivations. This is evidenced in their recent campaigns, which have involved banking-related keylogging and browser monitoring as well as targeting government entities using various remote access trojans (RATs)."
"The operations predominantly span Colombia, Ecuador, Chile, and Panama, and, in some cases, Spanish-speaking users in North America. Attack chains typically involve the use of spear-phishing lures impersonating local government agencies to entice recipients into opening malicious documents or clicking on links concealed using URL shorteners like cort[.]as, acortaurl[.]com, and gtly[.]to. Blind Eagle makes use of compromised email accounts to send the messages and leverages geofencing tricks to redirect users to official government websites when attempting to navigate to attacker-controlled infrastructure outside of Colomb"
Five distinct activity clusters were linked to Blind Eagle between May 2024 and July 2025, primarily targeting the Colombian government at local, municipal, and federal levels; the activity is tracked as TAG-144. The clusters employed open-source and cracked remote access trojans, dynamic domain providers, and legitimate internet services for staging, while differing in infrastructure, malware deployment, and operational methods. The actor has targeted South American organizations since at least 2018 with both espionage and financially motivated operations, including banking keylogging and browser monitoring. Targets spanned the judiciary, tax authorities, finance, petroleum, energy, education, healthcare, manufacturing, and professional services across Colombia, Ecuador, Chile, and Panama, as well as Spanish-speaking users in North America. Attack chains relied on spear-phishing impersonating government agencies, URL shorteners, compromised email accounts, and geofencing that redirected users located outside Colombia to official government websites.
Read at The Hacker News