Note: The analysis cut-off date for this report was July 21, 2025.
Executive Summary
Insikt Group has identified five distinct activity clusters linked to TAG-144 (also known as Blind Eagle). These clusters have operated at various times throughout 2024 and 2025, targeting a significant number of victims, primarily within the Colombian government across local, municipal, and federal levels. Although the clusters share similar tactics, techniques, and procedures (TTPs) such as leveraging open-source and cracked remote access trojans (RATs), dynamic domain providers, and legitimate internet services (LIS) for staging, they differ significantly in infrastructure, malware deployment, and other operational methods. Insikt Group also found further evidence linking TAG-144 to Red Akodon and identified various compromised Colombian government email accounts likely used in spearphishing campaigns.
To protect against TAG-144, security defenders should block IP addresses and domains tied to associated RATs, flag and potentially block connections to unusual LIS, and deploy updated detection rules (YARA, Sigma, Snort) for current and historic infections. Other controls include implementing email filtering and data exfiltration monitoring. See the Mitigations section for implementation guidance and Appendix B for a complete list of IoCs. In the long term, analysts should continuously monitor the cybercriminal ecosystem for emerging threats and adapt controls accordingly.
Key Findings
- Insikt Group has tracked five distinct activity clusters associated with TAG-144 (Blind Eagle), each displaying overlapping yet varied TTPs and collectively targeting numerous victims, primarily within the Colombian government, throughout 2024 and 2025.
- TAG-144 appears to maintain an extensive operational infrastructure, comprising virtual private servers (VPS), IP addresses within Colombian ISP ranges, and servers that appear to function as VPN servers. These typically host domains registered through various dynamic DNS services such as duckdns[.]org, noip[.]com, and con-ip[.]com, among others.
- TAG-144 has employed a wide array of open-source and cracked RATs, including AsyncRAT, DcRAT, REMCOS RAT, XWorm, and LimeRAT, among others. These payloads are typically deployed through a multi-stage infection chain that leverages an expanding set of LIS and uses steganography to obscure malicious content and evade detection.
Background
TAG-144, also known as Blind Eagle, AguilaCiega, APT-C-36, and APT-Q-98, is a threat group that has been active since at least 2018, primarily targeting South America, especially Colombia. While the threat group’s overall motivation remains ambiguous, its activity reflects both cyber-espionage and financially driven motivations. TAG-144’s primary focus appears to be on credential theft, evidenced by banking-related keylogging and browser monitoring, alongside indications of espionage, such as persistently targeting government entities and using modified RATs with surveillance functions (1, 2).
The group’s primary targets include government institutions, especially judiciary and tax authorities, alongside financial entities, petroleum and energy companies, and organizations within the education, healthcare, manufacturing, and professional services sectors (1, 2). Operations are mainly focused on Colombia, with additional activity in Ecuador, Chile, and Panama, and occasional campaigns in North America targeting Spanish-speaking users.
Initial access typically occurs through spearphishing campaigns impersonating local government agencies, most notably Colombian authorities. These campaigns leverage themes such as debt collection and judicial notifications to lure victims into opening malicious documents (1, 2). They have often used URL shorteners like cort[.]as, acortaurl[.]com, and gtly[.]to to conceal malicious links and target users geographically. TAG-144 employs geo-fencing and other detection evasion measures that block access from outside Colombia or Ecuador, redirecting outsiders to official government websites. TAG-144 has consistently leveraged compromised email accounts in its spearphishing campaigns, including those associated with government entities and private individuals.
TAG-144 leverages a range of commodity remote access trojans (RATs), including AsyncRAT, REMCOS RAT, DcRAT, njRAT, LimeRAT, QuasarRAT, BitRAT, and a Quasar variant known as BlotchyQuasar. Its tooling also involves crypters such as HeartCrypt, PureCrypter, and those developed by threat actors like “Roda” and “pjoao1578”, with indicators pointing to the use of crypter-as-a-service offerings such as CryptersAndTools, which originates from Brazil. Additionally, it employs steganography techniques, embedding malicious payloads within image files to evade detection.
TAG-144’s command-and-control (C2) infrastructure often incorporates IP addresses from Colombian ISPs alongside virtual private servers (VPS) such as Proton666 and VPN services like Powerhouse Management, FrootVPN, and TorGuard (1, 2). This setup is further enhanced by the use of dynamic DNS services, including duckdns[.]org, ip-ddns[.]com, and noip[.]com. The threat group is suspected, though not definitively confirmed, to use compromised routers, which are then repurposed as reverse proxies to obscure the true locations of their C2 servers and complicate attribution.
The threat group has consistently leveraged LIS, particularly during the payload staging phase. These services include widely used platforms like Bitbucket, Discord, Dropbox, GitHub, Google Drive, Paste.ee, and lesser-known platforms such as undisclosed Brazilian image-hosting websites. Additionally, the group has been observed using compromised accounts to host malicious content, including a Google Drive folder tied to a compromised account associated with a regional Colombian government organization.
The threat group's origin remains uncertain, though multiple studies suggest it operates within the UTC-5 or UTC-4 time zones (1, 2), consistent with countries like Colombia and Ecuador, with some research specifically pointing to Colombia as its base. Notably, technical artifacts have contained both Spanish- and Portuguese-language comments. The Spanish observed in the comments closely resembles the regional dialects commonly spoken in the targeted countries. Additionally, the threat group has been observed using tools and services tied to the Brazilian cybercriminal underground, indicating a possible connection with Brazilian threat actors.
Three key factors set TAG-144 apart within the cybercriminal ecosystem. First, while globalization, cybercriminal collaboration, and hardware/software standardization have lowered barriers for threat actors to operate globally, threat actors, including TAG-144, often remain regionally focused due to cultural nuances, tacit knowledge, and persistence. Second, despite some tooling improvements, TAG-144 has largely relied on consistent techniques since its emergence. Their continued success, reflected in a high number of victims, underscores how well-established methods remain effective over time. Lastly, TAG-144 exemplifies the increasingly blurred lines between cybercrime and espionage, a trend that is becoming more prominent. In this context, a comprehensive approach to tackling cyber threats becomes even more crucial, requiring improved defenses, deeper regional knowledge, and enhanced coordination.
Threat Analysis
Insikt Group identified five activity clusters associated with TAG-144 that were active between May 2024 and July 2025 (see Figure 1). Activity periods were determined based on domain resolutions, sample submissions, and victim traffic, as observed through Recorded Future® Network Intelligence.
Figure 1: Cluster activity timelines (Source: Recorded Future)
The following clusters have been observed:
- Cluster 1, active from February through July 2025, comprises C2 IPs primarily associated with TorGuard VPN and one Colombian ISP hosting duckdns[.]org and, starting in July 2025, noip[.]com domains with static resolution and minimal rotation. Cluster 1 is linked to DcRAT, AsyncRAT, and REMCOS RAT infections targeting Colombian government entities exclusively.
- Cluster 2, active between September and December 2024, included C2 IPs tied to AS-COLOCROSSING, Colombian ISPs, and VULTR hosting duckdns[.]org, con-ip[.]com, and kozow[.]com domains. Cluster 2 is associated with AsyncRAT activity targeting the Colombian government and entities in the education, defense, and retail sectors.
- Cluster 3, active from September 2024 to July 2025, consists of C2 IPs linked to Colombian ISP UNE EPM hosting duckdns[.]org and, occasionally, con-ip[.]com domains. Cluster 3 is associated with both AsyncRAT and REMCOS RAT deployments.
- Cluster 4, active from May 2024 to February 2025, is notable for combining malware and phishing infrastructure attributed to TAG-144.
- Cluster 5, active from March to July 2025, consists of C2 IPs linked to GLESYS (AS42708) hosting dynamically resolving duckdns[.]org domains. Cluster 5 is associated with LimeRAT and a cracked AsyncRAT variant seen in Clusters 1 and 2.
Insikt Group identified infrastructure overlaps between the clusters, establishing a connection among them. Additionally, the clusters share notable similarities in TTPs, including infrastructure choices, domain naming patterns, malware deployment, and the abuse of LIS. However, each cluster also exhibits distinct differences, which are explored in detail in the following sections of this report.
Cluster 1
Infrastructure Analysis
Cluster 1, active from at least February through July 2025, comprises C2 IP addresses primarily linked to TorGuard VPN servers and, in one case, a Colombian ISP. This cluster typically hosts duckdns[.]org and, more recently, noip[.]com domains with specific naming patterns; it has also been observed deploying DcRAT, AsyncRAT, and REMCOS RAT. The IP addresses linked to Cluster 1 are listed in Appendix A. The domains consistently resolve to the same static IP addresses over time, with minimal rotation observed within Cluster 1.
The subdomain names, likely generated by a domain generation algorithm (DGA), commonly include the word “envio” followed by a numeric part, for example envio16-05[.]duckdns[.]org. The names are detectable via the regex in Figure 2 and are detailed in Appendix B.
envio[0-9\-]{2,5}\.duckdns\.org
Figure 2: Regex for suspected DGA linked to Cluster 1 (Source: Recorded Future)
While prior research has suggested that the TorGuard VPN servers associated with Cluster 1 are used for port forwarding, the exposure of C2 components, such as default transport layer security (TLS) certificates tied to deployed malware families, indicates these IP addresses are likely dedicated VPN instances directly controlled by TAG-144.
In addition to the TorGuard VPN servers, Cluster 1 includes IP addresses associated with Colombian ISPs, such as Colombia’s primary provider, COLOMBIA TELECOMUNICACIONES S.A. E.S.P. While earlier reporting on Blind Eagle in 2020 suggested the possible use of compromised routers for C2 infrastructure, Insikt Group has not confirmed such activity for the observed IP addresses.
Notably, several domains hosted on the TorGuard VPN servers listed in Appendix A, such as trabajonuevos[.]duckdns[.]org, previously resolved to IP addresses belonging to Colombian ISPs. These IP addresses and their associated domains are detailed in Appendix A. Similarly, certain domains, such as diazpool14[.]duckdns[.]org, were previously hosted on IP addresses linked to GLESYS (AS42708), an ASN identified in association with Cluster 5.
Abuse of Legitimate Internet Services, Including lovestoblog[.]com
As is typical for TAG-144, Cluster 1 has leveraged various LIS during staging, such as Tagbox, Archive, Paste.ee, Discord, and Bitbucket, and, for the first time in TAG-144 activity, the free hosting platform lovestoblog[.]com by InfinityFree. More specifically, the subdomain sudo102[.]lovestoblog[.]com hosted several text files that loaded an encoded PowerShell script, which retrieved the next stage of the infection chain from a JPG image hosted on archive[.]org. (See Figure 3 for the infection chain; line breaks were added for readability.)
Figure 3: Payload hosted on archive[.]org URL (Source: Recorded Future)
At least one text file hosted on sudo102[.]lovestoblog[.]com included comments in Portuguese (for example, “Junta os comandos,” which translates to “Add the commands”), a characteristic previously observed in connection with Blind Eagle (1, 2). This was suspected to indicate possible collaboration between the threat actor and external threat groups; however, it could also be explained by the presence of Portuguese-speaking members, code reuse, or intentional false flag operations.
Malware
Insikt Group observed Cluster 1 using both the “1.0.7” version of AsyncRAT and a variant labeled “CRACKED BY hxxps://t[.]me/xworm_v2”, which has the mutex AsyncMutex_6SI8OkPnk. xworm_v2 is an active Telegram channel with over 300 members, known for sharing and distributing cracked versions of paid software.
Figure 4: Telegram channel hxxps://t[.]me/xworm_v2 (Source: Recorded Future)
The cracked version observed in connection with TAG-144 was linked to a threat actor tracked as Red Akodon in May 2024; it appeared again in June 2025 in a report potentially referencing the same threat actor based on observed TTPs, though without formal attribution.
Victimology
Using Recorded Future Network Intelligence, Insikt Group identified a significant number of victims associated with Cluster 1, all of them linked to the Colombian government (see Appendix C). Network communications, as observed by Recorded Future Network Intelligence, began in March 2025 and ended in June 2025. Notably, the cessation of activity may indicate that the threat actors were either evicted, completed their objectives and withdrew voluntarily, or transitioned to other tooling and egress points.
As shown in Appendix C, multiple victims were observed communicating with several C2 servers associated with Cluster 1. This activity likely resulted from changes in DNS resolution for the C2 domains over time. In some instances, Insikt Group assesses that multiple infections occurred within the same victim network, with all compromised systems communicating with the C2 infrastructure through a shared egress point. In some cases, Insikt Group was unable to conclusively identify the exact victim due to multiple entities sharing the same name.
Infrastructure Management
Although the exact infrastructure management methods used by TAG-144 for Cluster 1 remain unclear at this time, Insikt Group identified indications that the threat group may have leveraged a compromised Mikrotik router as a proxy to communicate with the C2 servers over a port.
Cluster 2
Infrastructure Analysis
Cluster 2, active from at least September to December 2024, comprises C2 IP addresses primarily linked to AS-COLOCROSSING, Colombian ISP IP addresses, and, in at least one case, VULTR. It typically hosts duckdns[.]org or con-ip[.]com domains with specific naming patterns and has been observed deploying AsyncRAT. In a few cases, Insikt Group also observed domains linked to the free dynamic DNS provider kozow[.]com. The IP addresses linked to Cluster 2 are listed in Appendix D.
The subdomain names, likely generated by a DGA, often consist of Spanish words, as in pesosdepesoslibras[.]duckdns[.]org. Sometimes, they are followed by numbers, as in paseoencarro2024[.]con-ip[.]com. (For a detailed list of these subdomain names, see Appendix A.) Notably, many of the domains currently hosted on AS-COLOCROSSING IP addresses (see Appendix D) were previously associated with IPs from Colombian ISPs, such as 179[.]14[.]8[.]26, 181[.]131[.]217[.]255, 177[.]255[.]84[.]82, and 191[.]88[.]248[.]162, indicating they may have been reused across different hosting infrastructures.
In addition to the Spanish-themed domains, Insikt Group identified a large set of DuckDNS and CON-IP domains, likely generated by another DGA and all starting with the keyword “deadpoolstart,” followed by a four-digit number (see Appendix E). Notably, the con-ip[.]com domains resolve to the AS-COLOCROSSING IP address 64[.]188[.]9[.]172, while the duckdns[.]org domains all resolve to IP addresses belonging to Colombian ISPs.
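The Cluster 1 regex in Figure 2 and the “deadpoolstart” naming described for Cluster 2 can be applied directly to DNS query logs. The following is an added example (not part of the report) that runs both patterns over a constructed, simplified BIND-style query log; the “deadpoolstart” regex and the lower-confidence pattern for “envio” names on other dynamic DNS providers are constructed from the report's prose, not taken from it, and the log format is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Naming patterns as described in the report. The first regex is the one given in
# Figure 2. The second is constructed from the prose ("deadpoolstart" plus a
# four-digit number on duckdns.org or con-ip.com). The third is a looser,
# lower-confidence pattern for "envio" names on the other dynamic DNS providers
# the report mentions (envio01.ddns.net is not covered by the Figure 2 regex).
PATTERNS = [
    ("cluster1_envio_duckdns", "high",
     re.compile(r"^envio[0-9\-]{2,5}\.duckdns\.org$")),
    ("cluster2_deadpoolstart", "high",
     re.compile(r"^deadpoolstart[0-9]{4}\.(?:duckdns\.org|con-ip\.com)$")),
    ("envio_other_ddns", "medium",
     re.compile(r"^envio[0-9\-]{2,5}\.(?:ddns\.net|con-ip\.com)$")),
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator as printed in reports back into its live form."""
    return ioc.replace("[.]", ".").replace("[@]", "@").replace("hxxp", "http")


@dataclass
class Hit:
    client: str
    qname: str
    label: str
    confidence: str


def classify(qname: str) -> Optional[tuple]:
    """Return (label, confidence) for a query name matching a known pattern, else None."""
    name = refang(qname).strip().rstrip(".").lower()
    for label, confidence, rx in PATTERNS:
        if rx.match(name):
            return label, confidence
    return None


# Constructed, simplified BIND-style query log line:
#   "client <ip>#<port>: query: <qname> IN <type>"
LOG_RE = re.compile(
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+.*?: query: (?P<qname>\S+) IN "
)


def scan_dns_log(lines):
    """Return a Hit for every query whose name matches one of the patterns."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a query line
        result = classify(m.group("qname"))
        if result:
            hits.append(Hit(m.group("ip"), m.group("qname"), *result))
    return hits


# Constructed sample log; the names are taken from the report, the clients are made up.
SAMPLE_LOG = """\
client 10.0.0.5#51234: query: envio16-05.duckdns.org IN A
client 10.0.0.5#51240: query: www.example.com IN A
client 10.0.0.9#40001: query: deadpoolstart2064.duckdns.org IN A
client 10.0.0.9#40002: query: deadpoolstart2064.con-ip.com IN A
client 10.0.0.12#40100: query: envio01.ddns.net IN A
client 10.0.0.12#40101: query: envio.duckdns.org IN A
not a query line at all
"""

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG.splitlines()):
        print(f"{hit.client:<12} {hit.qname:<35} {hit.label} ({hit.confidence})")
```

Note that envio.duckdns.org is not flagged: the Figure 2 regex requires two to five digits or hyphens after “envio”.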
Abuse of Legitimate Internet Services
Similar to Cluster 1, Cluster 2 has also been observed leveraging various LIS during staging, including GitHub, Archive, Paste.ee, and more recently, the free hosting platform lovestoblog[.]com by InfinityFree, which ultimately led to an XWorm infection using the C2 domain deadpoolstart2064[.]duckdns[.]org.
Insikt Group also identified a payload named RELACIÓN DE SALDOS - CUENTA DE COBRO.pdf.exe associated with Cluster 2, which staged its content via two GitHub Gist URLs linked to the account SmikeY666:
- hxxps://gist[.]githubusercontent[.]com/SmikeY666/50447c53097f8884ffc754a8779fa2a3/raw
- hxxps://gist[.]githubusercontent[.]com/SmikeY666/8504274482e8e688d9489b302bfbc45e/raw
The payload results in an AsyncRAT infection, with the malware reaching out to its C2 server, cococovid202420242024[.]duckdns[.]org, which resolved to IP address 64[.]188[.]9[.]175 as of December 26, 2024.
Notably, the GitHub account “SmikeY666” included a link to a 2024 Vimeo video demonstrating an allegedly cracked version of SilverRAT, a Windows-based RAT that first appeared in 2023. It has been distributed across various forums and appears to be developed by an individual or group using the alias Anonymous Arabic.
Malware
Insikt Group observed Cluster 2 using the AsyncRAT variant labeled “CRACKED BY hxxps://t[.]me/xworm_v2” with the mutex AsyncMutex_6SI8OkPnk. Additionally, the cluster deployed AsyncRAT samples featuring custom mutexes such as tempcookieess, tempcokies, tempcookiee, WinCookies, Cookies, and CookiesGoogleChrome, among others. These samples can be tracked via Recorded Future Malware Intelligence. At least some of the samples are encrypted using a crypter attributed to Roda, a tool associated with Blind Eagle activity.
Victimology
Using Recorded Future Network Intelligence, Insikt Group identified nine victims associated with Cluster 2, primarily linked to Colombian government entities, along with victims from the education, defense, and retail sectors, among others (see Appendix F). Network communications observed by Recorded Future began in early October 2024 and ended in December 2024.
As with Cluster 1, multiple infections were observed within some of the victim organizations linked to Cluster 2, suggesting broader targeting or possible lateral movement. There is also evidence of victim overlap between Clusters 1 and 2. Furthermore, based on high volumes of network traffic from Colombian ISP IP addresses to C2 ports during the relevant timeframes, the actual number of victims is likely higher than what has been confirmed.
Cluster 3
Cluster 3, active from at least September 2024 to July 2025, comprises C2 IP addresses primarily linked to the Colombian ISP UNE EPM, typically hosting duckdns[.]org or, in rare cases, con-ip[.]com domains. Insikt Group has observed AsyncRAT as well as REMCOS RAT infections linked to Cluster 3. The IP addresses linked to Cluster 3 are listed in Appendix G.
The subdomain names, likely generated using a DGA, often incorporate Spanish names, as in sebastiancorrea905040[.]duckdns[.]org, sometimes appended with numerical sequences. (For a detailed list of these subdomain names, see Appendix B.) Notably, one of the domains associated with Cluster 3, sebastianguerrero5040[.]con-ip[.]com, was observed resolving to the Cluster 2 IP address 64[.]188[.]9[.]177 between at least September 11 and November 11, 2024.
Similar to Clusters 1 and 2, Cluster 3 has also been observed abusing multiple LIS, including Tagbox, Archive, and Paste.ee, among others.
Cluster 4
Cluster 4, active from at least May 2024 to February 2025, differs from the others in that it is not only associated with malware infrastructure but also with phishing activity attributed to TAG-144. The IP addresses linked to Cluster 4 are listed in Appendix H. The full list of domains linked to the IP addresses in Appendix H is listed in Appendix A.
The phishing pages linked to Cluster 4 have been observed impersonating multiple banks, including Banco Davivienda, Bancolombia, and BBVA (see Figure 5). Notably, these lures differ from earlier ones attributed to TAG-144, which primarily impersonated government entities such as tax authorities or judicial bodies. Previous campaigns also appeared to target government-affiliated individuals or organizations, as evidenced by the victims associated with Clusters 1 and 2.
Figure 5: Phishing pages linked to Cluster 4 (Source: URLScan, URLScan, URLScan)
Notably, a phishing page impersonating BBVA and hosted on the domain keepz[.]duckdns[.]org contained the IP address 181[.]131[.]217[.]139 in its document object model (DOM), as seen in Figure 6. This IP was hosting the domains env2023nue[.]duckdns[.]org and chichichi01[.]duckdns[.]org in 2023. The domain env2023nue[.]duckdns[.]org was publicly linked to APT-C-36 (Blind Eagle) and likely remained in use by the same threat actor, as it continued to host an open directory containing folders related to Banco Davivienda, Banco Colombia, Banco Caja Social, and others until at least March 14, 2024, while being hosted on IP address 179[.]14[.]9[.]152. The domain chichichi01[.]duckdns[.]org served as a C2 domain for AsyncRAT based on public reporting and was also hosted on IP address 179[.]14[.]9[.]152 between March 22 and May 8, 2024.
Figure 6: IP address left in the DOM of a phishing page (Source: URLScan)
Cluster 5
Cluster 5, active from at least March through July 2025, comprises C2 IP addresses primarily linked to GLESYS (AS42708), typically hosting duckdns[.]org domains. The domains linked to Cluster 5 are listed in Appendix I. Cluster 5 is the only cluster associated with the deployment of LimeRAT, which in this case uses the mutex 1e97ead369. The AsyncRAT variant linked to Cluster 5 is the same cracked version identified in Clusters 1 and 2. Of note, the domains frequently resolve to changing IP addresses, with those observed by Insikt Group detailed in Appendix B.
Similar to the other clusters, Cluster 5 has also been observed leveraging various LIS during staging, including Archive, Paste.ee, and Tagbox.
Infection Chain
Phishing Email
Insikt Group identified an email sent to undisclosed recipients from a likely compromised email address, alcaldia[@]simacota-santander[.]gov[.]co, associated with the Mayor’s Office of Simacota in the Santander department of Colombia. Infections stemming from this email have been confirmed to result in AsyncRAT deployment, communicating with the C2 domain envio01[.]ddns[.]net, a domain previously linked to Cluster 1.
Figure 7: Text in phishing email linked to TAG-144 (left) and the English translation (right) (Source: Recorded Future)
SVG Attachment
The email included an attachment named Notificacion_electronica_sentencia_preliminar_Departamento_Juridico_sxyebfiv.svg, which has a SHA256 hash of 04878a5889e3368c2cf093d42006ba18a87c5054f1464900094e6864f4919899. A translated version of the attachment is presented in Figure 8, while the original Spanish version is available in Appendix J. The SVG content claims that a judicial process has been initiated against the recipient, outlines potential penalties, and contains a link purportedly leading to evidence and further legal details.
Figure 8: Translated SVG file sent via spearphishing email (Source: Recorded Future)
Staging Process Using LIS
The link embedded within the SVG file is:
hxxps://cdn[.]discordapp[.]com/attachments/1389692690454548634/1389692792590307338/Notificacion_electronica_sentencia_preliminar_Departamento_De-Justicia_01.js?ex=68658bc4&is=68643a44&hm=057a0e76212bdd4c2da95e51ac7542f60ecbd440482ee186d474e1d783afd288&?id=75e6ea37-63e5-491a-a5e2-ad4c92667144
A similar SVG sample was identified through a Malware Intelligence search for HTTP requests to cdn[.]discordapp[.]com that included “Notificacion” in the query string (see Figure 9).
Figure 9: Additional sample found in Recorded Future Malware Intelligence (Source: Recorded Future)
Although the cdn[.]discordapp[.]com link was inactive at the time of analysis, Insikt Group successfully extracted the downloaded JavaScript file from a PCAP capture. The file, named Notificacion_electronica_sentencia_preliminar_Departamento_De-Justicia_01.js, has the SHA256 hash 1226a8d066328a8b6f353c9d98f1dc8128bd84f3909ae1cc6811dc1adff33c81. The script contains a mix of malicious code and benign content related to the Microsoft Print Schema. The benign portion is displayed in Figure 10. The inclusion of benign content is likely an attempt to evade detection.
Figure 10: Benign code portion contained in the JavaScript script (Source: Recorded Future)
Obfuscation
Figure 11 shows the obfuscated malicious portion of the script. Notably, the code contains comments written in Portuguese, an aspect previously discussed in this report and also associated with activity linked to TAG-144.
Figure 11: Obfuscated malicious code portion contained in the JavaScript script (Source: Recorded Future)
The variables voicelessness and classe, unwellness, and isostasy are obfuscated using junk characters and later deobfuscated via string replacement operations. These variables resolve to the following:
- voicelessness and classe: MSXML2.ServerXMLHTTP.6.0
- unwellness: hxxp://paste[.]ee/d/TrxwtHcC/0 (as observed via URLScan)
- isostasy: GET
The script creates a ServerXMLHTTP object and issues a GET request to the specified paste[.]ee URL using the custom User-Agent MyCustomAgent/1.0. If the HTTP response returns a status code 200, the response body is executed as JavaScript.
The SHA256 hash of the response body is 591744244c7ca9cea69cde263187efde3f65a157f8e5eb885ccc1f9e078b5572. This payload contains similar string obfuscation techniques and ultimately reconstructs strings to instantiate a shell object and execute a deobfuscated command line.
Figure 12: Obfuscated payload with Portuguese comments (Source: Recorded Future)
PowerShell Script
The deobfuscated command line is shown in Figure 13.
Figure 13: Deobfuscated PowerShell command (Source: Recorded Future)
The executed command initiates PowerShell, decodes a Base64-encoded payload, and then runs the decoded content via the Invoke-Expression cmdlet. Figure 14 shows the deobfuscated string with line breaks added.
Figure 14: Deobfuscated string (Source: Recorded Future)
The PowerShell script retrieves a JPG image from hxxps://archive[.]org/download/universe-1733359315202-8750/universe-1733359315202-8750.jpg. It then employs steganographic techniques to scan the image’s pixel data for a specific byte marker, which it uses to locate and extract an embedded payload. The extracted content is a .NET assembly that the script loads directly into memory. Execution is carried out by invoking the VAI method within the ClassLibrary1.Home class, allowing the payload to run without ever being written to disk.
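The three network stages described above (the .js lure on cdn.discordapp.com, the paste.ee fetch with the hard-coded User-Agent MyCustomAgent/1.0, and the JPG download from archive.org) can be correlated per client in web proxy logs. The following is an added example (not from the report) that does this over a constructed, pipe-separated log; the URLs are the ones quoted in the report, while the log format, client addresses and timestamps are made up.

```python
from collections import defaultdict
from urllib.parse import urlparse

# User-Agent set by the deobfuscated JavaScript stage when it fetches paste.ee.
CUSTOM_UA = "MyCustomAgent/1.0"


def stage_of(url: str, user_agent: str):
    """Map one proxied request to a stage of the described chain, or None."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    path = u.path.lower()
    if (host == "cdn.discordapp.com" and path.endswith(".js")
            and "notificacion" in (u.path + "?" + u.query).lower()):
        return "1_discord_js"        # .js lure linked from the SVG attachment
    if host == "paste.ee" and path.startswith("/d/") and user_agent == CUSTOM_UA:
        return "2_pastee_custom_ua"  # second-stage JavaScript pulled with the custom UA
    if host == "archive.org" and path.startswith("/download/") and path.endswith(".jpg"):
        return "3_archive_jpg"       # image carrying the embedded .NET assembly
    return None


def parse_line(line: str):
    """Constructed format: timestamp|client_ip|method|url|status|user_agent."""
    parts = line.rstrip("\n").split("|", 5)
    if len(parts) != 6:
        return None
    ts, client, method, url, status, ua = parts
    return {"ts": ts, "client": client, "method": method,
            "url": url, "status": status, "ua": ua}


def correlate(lines):
    """Group stage sightings per client and rate them.

    The custom User-Agent alone is rated high because no benign client sends it;
    otherwise two or more stages from one client are needed for a high rating.
    """
    seen = defaultdict(dict)  # client -> {stage: first timestamp}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        stage = stage_of(rec["url"], rec["ua"])
        if stage and stage not in seen[rec["client"]]:
            seen[rec["client"]][stage] = rec["ts"]
    report = {}
    for client, stages in seen.items():
        ordered = sorted(stages, key=stages.get)  # by first sighting (ISO timestamps)
        high = "2_pastee_custom_ua" in stages or len(stages) >= 2
        report[client] = {"stages": ordered, "verdict": "high" if high else "low"}
    return report


# Constructed sample log. 10.0.0.5 walks the full chain, 10.0.0.7 only touches the
# same services benignly, 10.0.0.9 shows just the custom User-Agent stage.
SAMPLE_LOG = """\
2025-07-01T12:00:01Z|10.0.0.5|GET|https://cdn.discordapp.com/attachments/1389692690454548634/1389692792590307338/Notificacion_electronica_sentencia_preliminar_Departamento_De-Justicia_01.js?ex=68658bc4|200|Mozilla/5.0
2025-07-01T12:00:04Z|10.0.0.5|GET|http://paste.ee/d/TrxwtHcC/0|200|MyCustomAgent/1.0
2025-07-01T12:00:09Z|10.0.0.5|GET|https://archive.org/download/universe-1733359315202-8750/universe-1733359315202-8750.jpg|200|Mozilla/5.0
2025-07-01T12:03:00Z|10.0.0.7|GET|https://cdn.discordapp.com/attachments/1/2/meeting-notes.js|200|Mozilla/5.0
2025-07-01T12:03:30Z|10.0.0.7|GET|https://paste.ee/d/abc123/0|200|Mozilla/5.0
2025-07-01T12:05:00Z|10.0.0.9|GET|https://paste.ee/d/TrxwtHcC/0|200|MyCustomAgent/1.0
2025-07-01T12:06:00Z|10.0.0.9|GET|https://archive.org/download/some-book/some-book.pdf|200|Mozilla/5.0
malformed line
"""

if __name__ == "__main__":
    for client, info in correlate(SAMPLE_LOG.splitlines()).items():
        print(f"{client:<10} {info['verdict']:<5} {' -> '.join(info['stages'])}")
```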
Notably, the same archive[.]org URL was observed in connection with XWorm samples associated with the domain deadpoolstart[.]lovestoblog[.]com and deadpoolstart2064[.]duckdns[.]org, which also featured similarly named files, including (1, 2):
- NUEVO_REPORTE_ANEXO_POR_SANCIONES_EFECTUADAS_HALLAZGOS_IRREGULARIDADES_AUDITORIA_SISTEMAS_DE_SALUD_E.js (SHA256: aee42a6d8d22a421fd445695d8b8c8b3311fa0dc0476461ea649a08236587edd)
- NUEVO_REPORTE_ANEXO_POR_SANCIONES_EFECTUADAS_HALLAZGOS_IRREGULARIDADES_AUDITORIA_SISTEMAS_DE_SALUD_E.rar (SHA256: 0fd706ebd884e6678f5d0c73c42d7ee05dcddd53963cf53542d5a8084ea82ad1)
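The image-based staging described above hides a .NET assembly inside a JPG that the PowerShell stage locates by its own byte marker, which the report does not disclose. A structural triage that does not depend on that marker is to walk the JPEG segment structure to the real end-of-image marker and inspect whatever follows for a PE header. The following is an added example (not from the report); the sample image and fake PE stub are constructed inline, and the assumption is that the hidden payload sits after the image data, so a payload fully woven into pixel values would not be caught by it.

```python
import struct


def jpeg_end_offset(data: bytes) -> int:
    """Return the offset just past the JPEG EOI marker by walking the segments.

    Following the structure matters: an EXIF thumbnail in an APP1 segment has its
    own FFD8/FFD9 pair, so searching for the first FFD9 would stop too early.
    Raises ValueError for data that is not a well-formed JPEG.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("no SOI marker")
    pos, n = 2, len(data)
    while pos < n:
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        while pos < n and data[pos] == 0xFF:   # skip fill bytes
            pos += 1
        if pos >= n:
            raise ValueError("truncated at marker")
        marker = data[pos]
        pos += 1
        if marker == 0xD9:                     # EOI: image ends here
            return pos
        if marker == 0xD8 or marker == 0x01 or 0xD0 <= marker <= 0xD7:
            continue                           # standalone markers carry no length
        if pos + 2 > n:
            raise ValueError("truncated segment length")
        pos += struct.unpack(">H", data[pos:pos + 2])[0]  # length includes itself
        if marker == 0xDA:                     # SOS: entropy-coded data follows
            while True:
                idx = data.find(b"\xff", pos)
                if idx < 0 or idx + 1 >= n:
                    raise ValueError("no EOI after SOS")
                nxt = data[idx + 1]
                if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:  # stuffed byte or RSTn
                    pos = idx + 2
                    continue
                pos = idx                      # a real marker; outer loop handles it
                break
    raise ValueError("no EOI marker")


def find_pe(data: bytes, start: int = 0) -> int:
    """Offset of the first MZ header whose e_lfanew points at 'PE\\0\\0', or -1."""
    idx = data.find(b"MZ", start)
    while idx >= 0:
        if idx + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, idx + 0x3C)[0]
            pe = idx + e_lfanew
            if data[pe:pe + 4] == b"PE\x00\x00":
                return idx
        idx = data.find(b"MZ", idx + 1)
    return -1


def triage_jpeg(data: bytes) -> dict:
    """Report how much data trails the image and whether it contains a PE file."""
    end = jpeg_end_offset(data)
    pe_at = find_pe(data, end)
    return {"image_bytes": end, "trailing_bytes": len(data) - end,
            "pe_in_trailer": pe_at >= 0, "pe_offset": pe_at}


# --- constructed test data -------------------------------------------------
def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample_jpeg(trailer: bytes = b"") -> bytes:
    """Minimal JPEG-shaped bytes with an embedded thumbnail (its own EOI), a scan
    containing a stuffed FF00 and an RST0 marker, then the real EOI and a trailer."""
    thumb = b"\xff\xd8" + _segment(0xDA, b"\x01\x00") + b"\x12\x34" + b"\xff\xd9"
    app1 = _segment(0xE1, b"Exif\x00\x00" + thumb)
    sos = _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")
    scan = b"\x8a\xff\x00\x17\xff\xd0\x42"
    return b"\xff\xd8" + _segment(0xE0, b"JFIF\x00") + app1 + sos + scan + b"\xff\xd9" + trailer


def build_fake_pe() -> bytes:
    """A stub with a valid MZ header and e_lfanew pointing at a PE signature."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = struct.pack("<I", 0x40)
    return bytes(hdr) + b"PE\x00\x00\x4c\x01"


if __name__ == "__main__":
    print(triage_jpeg(build_sample_jpeg()))
    print(triage_jpeg(build_sample_jpeg(build_fake_pe())))
```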
Victimology
Overall, Insikt Group identified a significant number of TAG-144 victims, all of which, where attribution was possible, were Colombian entities. Notably, as evidenced by victims associated with Clusters 1 and 2, the majority were directly tied to Colombian government institutions (see Figure 15). Beyond these, additional victims were identified across the healthcare, retail, transportation, defense, and oil sectors. Importantly, several of these non-governmental entities maintain some degree of affiliation with the state.
Figure 15: Breakdown of TAG-144 victims observed between May 2024 and July 2025 (Source: Recorded Future)
Although TAG-144 has targeted other sectors and has occasionally been linked to intrusions in additional South American countries such as Ecuador, as well as Spanish-speaking victims in the US, its primary focus has consistently remained on Colombia, particularly on government entities. This persistent targeting raises questions about the threat group’s true motivations, such as whether it operates solely as a financially driven threat actor leveraging established tools, techniques, and monetization strategies, or whether elements of state-sponsored espionage are also at play.
Overlap with Red Akodon
In May 2024, SCILabs reported on a threat actor it named Red Akodon, which closely resembled Blind Eagle in terms of TTPs. The threat actor primarily targeted Colombian government entities using RATs such as REMCOS RAT, QuasarRAT, AsyncRAT, and XWorm. The attacks were delivered via phishing emails posing as legal notices or judicial summonses, allegedly sent by Colombian institutions like the Fiscalía General de la Nación and the Juzgado 06 Civil del Circuito de Bogotá. Despite the similarities, SCILabs chose to track Red Akodon as a distinct threat actor at the time of writing.
Among others, the report identified four GitHub repository usernames: “jairpicc”, “santiagonasar”, “colombo08125”, and “mastermr02456”. Of note, jairpicc also appeared in association with a Pastebin account observed on August 23, 2024 (see Figure 16).
Figure 16: Pastebin account linked to jairpicc (Source: Recorded Future)
The Pastebin account was associated with multiple Pastebin links, at least two of which returned Bitbucket URLs hosting AsyncRAT payloads. These AsyncRAT payloads communicated with domains such as enviasept[.]duckdns[.]org, enviosep04[.]duckdns[.]org, sost2024ene[.]duckdns[.]org, and trabajo25[.]duckdns[.]org, all linked to TAG-144. Additionally, Insikt Group noted that the payloads hosted on these Bitbucket URLs followed file naming conventions consistent with those observed in TAG-144 infrastructure. For instance, one Pastebin link returned the URL hxxps://bitbucket[.]org/descargggt/servdifr/downloads/remcoss[.]txt, with the filename remcoss.txt matching file names found in open directories previously reported in association with TAG-144. Additional Bitbucket URLs hosting files with matching filenames that lead to AsyncRAT infections are provided in Appendix A.
Additionally, Red Akodon appears to have used at least two likely compromised email addresses associated with Colombian government entities: nomina[@]magdalena[.]gov[.]co and npereza[@]cendoj[.]ramajudicial[.]gov[.]co. Notably, on October 31, 2024, the Colombian cybersecurity blog ¡Mucho Hacker! reported on related activity involving similar abuse. This report highlighted the use of legitimate government-linked email addresses, including abogados[@]hujmb[.]gov[.]co and j03mpmixartado[@]cendoj[.]ramajudicial[.]gov[.]co. The blog speculated that the threat actor either had access to internal systems, allowing them to create legitimate-looking email accounts, or possessed an undisclosed capability to spoof official addresses.
Insikt Group confirmed that the email address j03mpmixartado[@]cendoj[.]ramajudicial[.]gov[.]co is legitimate and seems to belong to the Juzgado 003 Penal Municipal con Funciones Mixtas de Chiquinquirá. Furthermore, the address was found in malware logs associated with the Stealc infostealer, suggesting compromise. The email appears to be linked to a Colombian public official serving as Secretary of the Second Civil Circuit Court in Chiquinquirá.
The malware logs also contain email addresses believed to be leveraged for phishing purposes, including:
- ftorreshe[@]cendoj[.]ramajudicial[.]gov[.]co
- j01pmpalchiquinquira[@]cendoj[.]ramajudicial[.]gov[.]co
- j02cctochiquinquira[@]cendoj[.]ramajudicial[.]gov[.]co
- jcmpalchoconta[@]cendoj[.]ramajudicial[.]gov[.]co
- raccionestutj02cctochiquinquira[@]cendoj[.]ramajudicial[.]gov[.]co
- repchiquinquiraboy[@]cendoj[.]ramajudicial[.]gov[.]co
- silay.salamanca699[@]educacionbogota[.]edu[.]co
Insikt Group assesses that TAG-144 considers the use of compromised government email accounts to deliver spearphishing emails a standard part of its toolkit and is likely to continue employing this tactic.
Mitigations
- Recorded Future Threat Intelligence: Recorded Future customers can proactively mitigate threats by operationalizing data from the Intelligence Cloud. Leverage continuously updated Risk Lists to blocklist IP addresses associated with TAG-144, thereby preventing internal communication with known malicious infrastructure.
- Recorded Future Detections: Recorded Future provides Sigma, YARA, and Snort rules that can be integrated into your SIEM or endpoint detection and response (EDR) tools. These rules detect the presence or execution of malware families linked to TAG-144 and similar threats.
- Recorded Future Network Intelligence: Recorded Future’s Malicious Traffic Analysis (MTA) events help identify servers engaged in exfiltration activity with known malicious infrastructure. These insights are powered by proprietary methodologies. Use general MTA event queries for broad monitoring, or targeted queries to focus specifically on malware families associated with TAG-144.
- Recorded Future Monitoring: Use Recorded Future to detect, flag, and block inbound and outbound traffic involving email addresses or domains that show signs of compromise, such as those appearing in data leaks, malware logs, or underground forums.
- Monitoring for Potential Network Device-Based Threat Activity: Monitor traffic from the IP addresses listed in Appendix A, which are associated with potentially compromised devices, including Mikrotik routers, and which have been observed communicating with known TAG-144 C2 infrastructure.
- LIS Flagging and Blocking: Consider blocking the use of specific LIS on your corporate network if not required for legitimate purposes. Network defenders must strike a balance between mitigating malicious communication via LIS and excessively restricting access to services that are allowed or necessary on their network. Previous Insikt Group reports, such as “Threat Actors Leverage Internet Services to Enhance Data Theft and Weaken Security Defenses,” as well as this report on TAG-144, can help inform those decisions.
- Email Traffic Filtering: Implement a robust email filtering system to detect and flag messages containing malicious attachments or links. Ensure that suspicious emails are quarantined for detailed inspection, reducing the risk of phishing attacks and credential compromise.
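As an added defensive example (not code from the report or from Recorded Future), the following Python matches proxy log lines against the kind of indicators the appendices list: it refangs the defanged notation used throughout the report, checks destinations against a handful of C2 IPs and domains taken from Appendices A, D and E, and flags hostnames that follow the "deadpoolstart" naming convention or sit under the dynamic DNS providers the report names. The log lines, the client IP and the regular expression are constructed assumptions.

```python
import re

# Dynamic DNS providers the report says TAG-144 registers domains through.
DYNAMIC_DNS_SUFFIXES = ("duckdns.org", "noip.com", "con-ip.com")

def refang(indicator: str) -> str:
    """Convert a defanged indicator (146[.]70[.]137[.]90, hxxps://) to its live form."""
    return indicator.replace("[.]", ".").replace("[@]", "@").replace("hxxp", "http")

# A few C2 IPs (Appendices A, D) and domains (Appendix E) from the report, kept defanged.
C2_IPS = {refang(i) for i in ("146[.]70[.]137[.]90", "146[.]70[.]51[.]42", "64[.]188[.]9[.]172")}
C2_DOMAINS = {refang(d) for d in ("deadpoolstart2025[.]con-ip[.]com", "trabajo25[.]duckdns[.]org")}
# Assumed generalisation of the Cluster 2 naming convention: deadpoolstart + four digits.
DEADPOOL_RE = re.compile(r"^deadpoolstart\d{4}\.(?:duckdns\.org|con-ip\.com)$")

def classify(dst_host: str, dst_ip: str) -> list[str]:
    """Return the reasons a proxy destination is flagged, most specific first; [] if clean."""
    reasons = []
    if dst_ip in C2_IPS:
        reasons.append("known TAG-144 C2 IP")
    if dst_host in C2_DOMAINS:
        reasons.append("known TAG-144 C2 domain")
    elif DEADPOOL_RE.match(dst_host):
        reasons.append("matches deadpoolstart naming convention")
    elif dst_host.endswith(tuple("." + s for s in DYNAMIC_DNS_SUFFIXES)):
        reasons.append("dynamic DNS host (review per LIS policy)")
    return reasons

def scan_proxy_log(lines):
    """Parse 'timestamp src_ip dst_host dst_ip' lines; return (dst_host, reasons) for hits."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the scan
        _ts, _src, host, ip = parts
        reasons = classify(host.lower(), ip)
        if reasons:
            hits.append((host, reasons))
    return hits

# Constructed sample log lines (not from the report); 10.0.0.5 is a placeholder client.
SAMPLE_LOG = [
    "2025-06-01T10:00:00Z 10.0.0.5 deadpoolstart2025.con-ip.com 64.188.9.172",
    "2025-06-01T10:01:00Z 10.0.0.5 deadpoolstart2066.duckdns.org 203.0.113.9",
    "2025-06-01T10:02:00Z 10.0.0.5 myhome.duckdns.org 198.51.100.7",
    "2025-06-01T10:03:00Z 10.0.0.5 www.example.com 192.0.2.10",
    "2025-06-01T10:04:00Z 10.0.0.5 update.example.net 146.70.137.90",
]

if __name__ == "__main__":
    for host, reasons in scan_proxy_log(SAMPLE_LOG):
        print(host, "->", "; ".join(reasons))
```

The last sample line shows why IP and hostname checks are kept separate: a benign-looking hostname resolving to a listed C2 address is still flagged.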
Outlook
Insikt Group has identified five distinct activity clusters linked to TAG-144, active at various points throughout 2024 and 2025. These clusters have primarily targeted Colombian government entities at the local, municipal, and federal levels, while also affecting private sector and non-governmental organizations. Although they share common TTPs such as the use of open-source or cracked RATs, dynamic domain providers, and LIS for staging, each cluster demonstrates distinct infrastructure, malware deployment methods, and operational approaches. TAG-144 has also been linked to Red Akodon and has been observed using compromised Colombian government email accounts in spearphishing campaigns.
TAG-144 is part of a growing cybercriminal ecosystem in South America, where rapid digitalization and limited cyber defenses have contributed to a rise in cybercrime. Looking ahead, Insikt Group assesses that TAG-144 will likely continue to focus on Colombian government targets while maintaining its current operational patterns. This includes continued use of compromised email addresses, dynamic DNS services, abuse of LIS, and deployment of customized tools such as the previously observed BlotchyQuasar variant of QuasarRAT. TAG-144 is also expected to adapt by integrating new cracked or open-source tools and identifying additional LIS platforms to exploit. Furthermore, the threat group is likely to deepen its involvement in the broader cybercriminal ecosystem through collaboration with tool developers and affiliated threat actors. Given its persistent targeting, technical adaptability, and operational success, Insikt Group assesses that TAG-144 will remain a significant threat to its typical victim profile for the foreseeable future.
Appendix A: Cluster 1 IP Addresses
| IP Address | ASN | Type | Malware Families |
| --- | --- | --- | --- |
| 45[.]133[.]180[.]26 | AS9009 | TorGuard VPN server | AsyncRAT |
| 45[.]133[.]180[.]154 | AS9009 | TorGuard VPN server | AsyncRAT |
| 146[.]70[.]137[.]18 | AS9009 | TorGuard VPN server | AsyncRAT |
| 146[.]70[.]137[.]90 | AS9009 | TorGuard VPN server | DcRAT, AsyncRAT, REMCOS RAT |
| 146[.]70[.]50[.]42 | AS9009 | TorGuard VPN server | AsyncRAT |
| 146[.]70[.]51[.]42 | AS9009 | TorGuard VPN server | DcRAT |
| 146[.]70[.]57[.]58 | AS9009 | TorGuard VPN server | AsyncRAT |
| 146[.]70[.]83[.]218 | AS9009 | TorGuard VPN server | AsyncRAT |
| 181[.]235[.]4[.]255 | AS3816 | Colombian ISP | REMCOS |
| 193[.]56[.]253[.]66 | AS9009 | TorGuard VPN server | REMCOS |
| 93[.]115[.]35[.]146 | AS9009 | TorGuard VPN server | DcRAT |
Appendix B: Indicators of Compromise (IoCs)
Appendix C: Cluster 1 Victims
| Suspected Victim | Sector | C2 Server(s) | First Seen | Last Seen |
| --- | --- | --- | --- | --- |
| Victim 1 | Government | 146[.]70[.]137[.]90 | 2025-05-20 | 2025-05-23 |
| Victim 1 | Government | 146[.]70[.]51[.]42 | 2025-05-30 | 2025-06-09 |
| Victim 2 | Government | 146[.]70[.]51[.]42 | 2025-05-20 | 2025-06-04 |
| Victim 3 | Government | 146[.]70[.]51[.]42 | 2025-05-20 | 2025-06-04 |
| Victim 4 | Government | 146[.]70[.]137[.]90 | 2025-05-20 | 2025-06-05 |
| Victim 4 | Government | 146[.]70[.]83[.]218 | 2025-05-26 | 2025-05-26 |
| Victim 5 | Government | 146[.]70[.]137[.]90 | 2025-05-20 | 2025-06-05 |
| Victim 5 | Government | 146[.]70[.]51[.]42 | 2025-05-20 | 2025-05-20 |
| Victim 6 | Education | 146[.]70[.]51[.]42 | 2025-05-27 | 2025-06-03 |
| Victim 7 | Government | 146[.]70[.]137[.]90 | 2025-05-28 | 2025-06-05 |
| Victim 8 | Government | 146[.]70[.]137[.]90 | 2025-05-12 | 2025-06-09 |
| Victim 9 | Government | 146[.]70[.]137[.]90 | 2025-05-24 | 2025-06-06 |
| Victim 9 | Government | 193[.]56[.]253[.]66 | 2025-06-10 | 2025-06-10 |
| Victim 10 | Government | 146[.]70[.]137[.]90 | 2025-05-08 | 2025-05-30 |
| Victim 11 | Government | 146[.]70[.]137[.]90 | 2025-05-20 | 2025-06-09 |
| Victim 12 | Healthcare | 146[.]70[.]137[.]90 | 2025-04-30 | 2025-06-09 |
| Victim 12 | Healthcare | 193[.]56[.]253[.]66 | 2025-06-13 | 2025-06-13 |
| Victim 12 | Healthcare | 45[.]133[.]180[.]26 | 2025-05-06 | 2025-05-09 |
| Victim 13 | Government | 146[.]70[.]137[.]90 | 2025-05-28 | 2025-06-10 |
| Victim 14 | Government | 146[.]70[.]137[.]90 | 2025-06-06 | 2025-06-09 |
| Victim 15 | Government | 146[.]70[.]83[.]218 | 2025-05-28 | 2025-05-29 |
| Victim 16 | Retail | 146[.]70[.]83[.]218 | 2025-05-27 | 2025-05-30 |
| Victim 17 | Transport | 146[.]70[.]83[.]218 | 2025-05-26 | 2025-05-29 |
| Victim 18 | Education | 146[.]70[.]83[.]218 | 2025-05-29 | 2025-05-29 |
| Victim 19 | Education | 45[.]133[.]180[.]130 | 2025-03-19 | 2025-03-26 |
| Victim 19 | Education | 146[.]70[.]57[.]58 | 2025-04-02 | 2025-04-02 |
| Victim 19 | Education | 45[.]133[.]180[.]154 | 2025-03-31 | 2025-04-08 |
Appendix D: Cluster 2 IP Addresses
| IP Address | ASN | Suspected Type | Malware Families |
| --- | --- | --- | --- |
| 45[.]77[.]72[.]102 | AS20473 | Virtual Private Server | AsyncRAT |
| 64[.]188[.]9[.]172 | AS36352 | Proxy Server | AsyncRAT |
| 64[.]188[.]9[.]173 | AS36352 | Proxy Server | AsyncRAT |
| 64[.]188[.]9[.]175 | AS36352 | Proxy Server | AsyncRAT |
| 64[.]188[.]9[.]177 | AS36352 | Proxy Server | AsyncRAT |
| 179[.]14[.]8[.]131 | AS27831 | Colombian ISP | AsyncRAT |
| 181[.]131[.]217[.]63 | AS13489 | Colombian ISP | AsyncRAT |
Appendix E: “deadpoolstart”-Themed Domains Linked to Cluster 2
| Domain | IP Address | First Seen | Last Seen |
| --- | --- | --- | --- |
| deadpoolstart2024[.]con-ip[.]com | 64[.]188[.]9[.]172 | 2024-08-23 | 2025-03-12 |
| deadpoolstart2025[.]con-ip[.]com | 64[.]188[.]9[.]172 | 2024-08-14 | 2025-07-21 |
| deadpoolstart2025[.]duckdns[.]org | 179[.]14[.]11[.]213 | 2024-12-13 | 2024-12-13 |
| deadpoolstart2025[.]duckdns[.]org | 192[.]169[.]69[.]26 | 2024-12-16 | 2025-05-20 |
| deadpoolstart2026[.]con-ip[.]com | 64[.]188[.]9[.]172 | 2024-08-14 | 2025-07-09 |
| deadpoolstart2026[.]duckdns[.]org | 179[.]14[.]11[.]213 | 2024-12-20 | 2024-12-20 |
| deadpoolstart2026[.]duckdns[.]org | 192[.]169[.]69[.]26 | 2025-01-25 | 2025-07-18 |
| deadpoolstart2027[.]con-ip[.]com | 64[.]188[.]9[.]172 | 2024-08-24 | 2025-07-14 |
| deadpoolstart2027[.]duckdns[.]org | 172[.]93[.]160[.]188 | 2024-11-07 | 2024-11-07 |
| deadpoolstart2027[.]duckdns[.]org | 192[.]169[.]69[.]26 | 2025-03-12 | 2025-03-12 |
| deadpoolstart2028[.]con-ip[.]com | 64[.]188[.]9[.]172 | 2024-08-29 | 2025-07-16 |
| deadpoolstart2028[.]duckdns[.]org | 172[.]93[.]160[.]188 | 2024-11-06 | 2024-11-07 |
| deadpoolstart2029[.]con-ip[.]com | 64[.]188[.]9[.]172 | 2024-09-22 | 2025-06-30 |
| deadpoolstart2029[.]duckdns[.]org | 192[.]169[.]69[.]26 | 2025-03-03 | 2025-03-12 |
| deadpoolstart2030[.]con-ip[.]com | 64[.]188[.]9[.]172 | 2024-09-25 | 2025-07-15 |
| deadpoolstart2030[.]duckdns[.]org | 172[.]93[.]160[.]188 | 2024-10-30 | 2024-10-30 |
| deadpoolstart2030[.]duckdns[.]org | 192[.]169[.]69[.]26 | 2025-03-03 | 2025-03-03 |
| deadpoolstart2033[.]duckdns[.]org | 191[.]88[.]249[.]175 | 2025-02-12 | 2025-02-12 |
| deadpoolstart2034[.]duckdns[.]org | 191[.]88[.]249[.]175 | 2025-03-27 | 2025-03-27 |
| deadpoolstart2035[.]duckdns[.]org | 179[.]14[.]11[.]213 | 2025-01-28 | 2025-01-28 |
| deadpoolstart2035[.]duckdns[.]org | 192[.]169[.]69[.]26 | 2025-01-31 | 2025-07-17 |
| deadpoolstart2036[.]duckdns[.]org | 179[.]14[.]11[.]213 | 2025-01-29 | 2025-02-03 |
| deadpoolstart2036[.]duckdns[.]org | 192[.]169[.]69[.]26 | 2025-02-03 | 2025-07-18 |
| deadpoolstart2037[.]duckdns[.]org | 179[.]14[.]11[.]213 | 2025-01-30 | 2025-02-03 |
| deadpoolstart2037[.]duckdns[.]org | 192[.]169[.]69[.]26 | 2025-02-03 | 2025-07-17 |
| deadpoolstart2038[.]duckdns[.]org | 192[.]169[.]69[.]26 | 2025-02-05 | 2025-02-05 |
| deadpoolstart2041[.]duckdns[.]org | 179[.]14[.]8[.]131 | 2025-06-09 | 2025-06-09 |
| deadpoolstart2044[.]duckdns[.]org | 192[.]169[.]69[.]26 | 2025-05-09 | 2025-05-09 |
| deadpoolstart2044[.]duckdns[.]org | 191[.]88[.]249[.]175 | 2025-03-12 | 2025-03-12 |
| deadpoolstart2049[.]duckdns[.]org | 179[.]14[.]8[.]131 | 2025-07-11 | 2025-07-11 |
| deadpoolstart2049[.]duckdns[.]org | 177[.]255[.]84[.]173 | 2025-04-12 | 2025-04-12 |
| deadpoolstart2051[.]duckdns[.]org | 192[.]169[.]69[.]26 | 2025-05-02 | 2025-07-18 |
| deadpoolstart2051[.]duckdns[.]org | 177[.]255[.]84[.]173 | 2025-04-29 | 2025-05-01 |
| deadpoolstart2052[.]duckdns[.]org | 179[.]14[.]8[.]131 | 2025-05-11 | 2025-05-11 |
| deadpoolstart2053[.]duckdns[.]org | 179[.]14[.]8[.]131 | 2025-05-11 | 2025-05-11 |
| deadpoolstart2054[.]duckdns[.]org | 179[.]14[.]8[.]131 | 2025-05-26 | 2025-05-26 |
| deadpoolstart2059[.]duckdns[.]org | 179[.]14[.]8[.]131 | 2025-05-23 | 2025-05-23 |
| deadpoolstart2060[.]duckdns[.]org | 192[.]169[.]69[.]26 | 2025-06-29 | 2025-07-21 |
| deadpoolstart2061[.]duckdns[.]org | 181[.]131[.]217[.]63 | 2025-06-17 | 2025-06-30 |
| deadpoolstart2061[.]duckdns[.]org | 192[.]169[.]69[.]26 | 2025-06-30 | 2025-07-17 |
| deadpoolstart2063[.]duckdns[.]org | 181[.]131[.]217[.]63 | 2025-06-29 | 2025-06-29 |
| deadpoolstart2064[.]duckdns[.]org | 181[.]131[.]217[.]63 | 2025-07-03 | 2025-07-04 |
| deadpoolstart2065[.]duckdns[.]org | 181[.]131[.]217[.]63 | 2025-07-04 | 2025-07-05 |
Appendix F: Cluster 2 Victims
| Suspected Victim | Sector | C2 Server(s) | First Seen | Last Seen |
| --- | --- | --- | --- | --- |
| Victim 20 | Government | 64[.]188[.]9[.]173 | 2024-10-11 | 2024-10-22 |
| Victim 20 | Government | 64[.]188[.]9[.]177 | 2024-10-16 | 2024-10-16 |
| Victim 21 | Transport | 64[.]188[.]9[.]173 | 2024-10-11 | 2024-10-21 |
| Victim 22 | Education | 64[.]188[.]9[.]177 | 2024-10-16 | 2024-10-31 |
| Victim 23 | Education | 64[.]188[.]9[.]177 | 2024-10-19 | 2024-10-19 |
| Victim 24 | Government | 64[.]188[.]9[.]172 | 2024-10-01 | 2024-10-06 |
| Victim 25 | Government / Defense | 64[.]188[.]9[.]172 | 2024-10-11 | 2024-10-15 |
| Victim 26 | Government | 64[.]188[.]9[.]173 | 2024-10-24 | 2024-10-24 |
| Victim 27 | Retail | 64[.]188[.]9[.]177 | 2024-12-20 | 2024-12-20 |
| Victim 28 | Oil | 64[.]188[.]9[.]173 | 2024-10-11 | 2024-10-30 |
Appendix G: Cluster 3 IP Addresses
| IP Address | ASN | Type | Malware Families |
| --- | --- | --- | --- |
| 181[.]131[.]216[.]206 | AS13489 | Colombian ISP | REMCOS RAT |
| 181[.]131[.]218[.]182 | AS13489 | Colombian ISP | REMCOS RAT |
| 181[.]131[.]219[.]42 | AS13489 | Colombian ISP | REMCOS RAT, AsyncRAT |
Appendix H: Cluster 4 IP Addresses
| IP Address | ASN | Suspected Type | Malware Family |
| --- | --- | --- | --- |
| 45[.]135[.]232[.]38 | AS198953 | Virtual Private Server | AsyncRAT |
| 46[.]246[.]82[.]9 | AS42708 | Virtual Private Server | XWorm |
| 89[.]117[.]23[.]25 | AS40021 | Virtual Private Server | REMCOS RAT |
| 178[.]73[.]218[.]8 | AS42708 | Virtual Private Server | AsyncRAT |
| 181[.]235[.]3[.]0 | AS3816 | Colombian ISP | AsyncRAT |
| 191[.]93[.]113[.]151 | AS27831 | Colombian ISP | AsyncRAT |
Appendix I: Cluster 5 Domains
| Domain | First Seen | Last Seen | Malware Families |
| --- | --- | --- | --- |
| 2seguro2025[.]duckdns[.]org | 2025-04-01 | 2025-07-09 | N/A |
| ansy10jun[.]duckdns[.]org | 2025-06-21 | 2025-06-29 | AsyncRAT |
| ansy1703[.]duckdns[.]org | 2025-03-20 | 2025-06-14 | AsyncRAT |
| asegurar2octubre[.]duckdns[.]org | 2025-03-12 | 2025-07-17 | AsyncRAT |
| asegurar3octubre[.]duckdns[.]org | 2025-05-08 | 2025-07-18 | AsyncRAT |
| bb2023[.]duckdns[.]org | 2025-06-13 | 2025-07-10 | N/A |
| dcabril[.]duckdns[.]org | 2025-06-13 | 2025-07-19 | N/A |
| gotemburgoxm[.]duckdns[.]org | 2025-05-07 | 2025-07-15 | REMCOS RAT, XWorm |
| romanovas[.]duckdns[.]org | 2025-03-04 | 2025-06-19 | LimeRAT |
Appendix J: Original SVG Attachment
Appendix K: MITRE ATT&CK Techniques
| Tactic: Technique | ATT&CK Code |
| --- | --- |
| Command and Control: Application Layer Protocol: Web Protocols | T1071.001 |
| Command and Control: Encrypted Channel: Asymmetric Cryptography | T1573.002 |
| Command and Control: Encrypted Channel: Symmetric Cryptography | T1573.001 |
| Command and Control: Ingress Tool Transfer | T1105 |
| Defense Evasion: Modify Registry | T1112 |
| Discovery: System Information Discovery | T1082 |
| Discovery: Query Registry | T1012 |
| Execution: Command and Scripting Interpreter: PowerShell | T1059.001 |
| Initial Access: Spearphishing Link | T1566.002 |
| Resource Development: Acquire Infrastructure: Domains | T1583.001 |
| Resource Development: Acquire Infrastructure: Virtual Private Server | T1583.003 |
| Resource Development: Acquire Infrastructure: Server | T1583.004 |
| Resource Development: Acquire Infrastructure: Malvertising | T1583.008 |
| Resource Development: Compromise Infrastructure: Server | T1584.004 |