TAG-144's Persistent Grip on South American Organizations
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
Insikt Group has identified five distinct activity clusters linked to TAG-144 (Blind Eagle), targeting primarily Colombian government entities across local, municipal, and federal levels throughout 2024 and 2025. The clusters share similar tactics, techniques, and procedures (TTPs) such as using open-source and cracked remote access trojans (RATs), dynamic domain providers, and legitimate internet services (LIS) for staging. However, they differ in infrastructure, malware deployment, and operational methods. The group maintains an extensive operational infrastructure, employs various RATs, and uses multi-stage infection chains. TAG-144's primary focus appears to be credential theft and espionage, with evidence linking it to Red Akodon and compromised Colombian government email accounts used in spearphishing campaigns.
OPENCTI LABELS :
dcrat,xworm,asyncrat,remcos rat,njrat,bitrat,quasarrat,blotchyquasar,limerat,south america,tag-144
AI COMMENTARY :
1. TAG-144’s Persistent Grip on South American Organizations
Insikt Group’s latest findings reveal an enduring and sophisticated campaign led by TAG-144, also known as Blind Eagle. This threat actor has primarily targeted Colombian government bodies at the local, municipal, and federal levels, maintaining relentless pressure from 2024 through 2025. The operation’s reach extends across various regions in South America, underscoring TAG-144’s commitment to credential theft and long-term espionage. The group’s activities have been closely analyzed, shedding light on its evolving infrastructure and multi-stage infection chains.

2. Distinct Activity Clusters
Researchers have identified five separate clusters of activity attributed to TAG-144, each with its own characteristics in infrastructure, malware deployment, and operational methods. While the clusters share a common objective, harvesting credentials and exfiltrating sensitive information, the way they stage attacks varies from one cluster to another. Some clusters rely on dynamic domain providers to evade detection, whereas others use legitimate internet services to host their malicious payloads. Despite these differences, the clusters collectively form a cohesive network that allows rapid adaptation when defensive measures are introduced.

3. Tactics, Techniques, and Procedures
TAG-144 consistently employs open-source and cracked remote access trojans such as AsyncRAT, DcRAT, and XWorm to gain and maintain unauthorized access. The actor also uses dynamic domain providers to rotate command-and-control endpoints, making network-based detection far more challenging. Legitimate internet services act as staging grounds, lending a veneer of normalcy to the multi-stage infection chains. Spearphishing remains the cornerstone of initial compromise, with carefully crafted messages sent from compromised Colombian government email accounts. These messages typically carry malicious attachments or links designed to deliver the first stage of the RAT infection chain.

4. Diverse Malware Arsenal
The malware toolkit deployed by TAG-144 is both extensive and varied. In addition to AsyncRAT, XWorm, and DcRAT, the group leverages Remcos RAT, njRAT, BitRAT, QuasarRAT, BlotchyQuasar, and LimeRAT to execute different phases of an intrusion. Each RAT serves a specific role, from establishing persistence and capturing keystrokes to performing reconnaissance and exfiltrating data. Deploying multiple RAT families ensures that even if one strain is detected and blocked, alternative channels remain available to the threat actor. This layered approach has enabled TAG-144 to maintain long-term persistence within targeted networks.

5. Strategic Impact on South American Entities
The sustained campaigns have resulted in widespread compromise of government networks, with stolen credentials feeding follow-on espionage and further spearphishing operations. Attribution efforts link TAG-144 to Red Akodon, suggesting possible collaboration or shared resources between the two groups. The abuse of Colombian government email infrastructure has enabled highly targeted phishing campaigns, undermining trust in official communications and destabilizing critical public services. Beyond Colombia, neighboring nations must remain vigilant, as TAG-144’s tactics could easily migrate across borders.

6. Future Outlook and Mitigation Strategies
As TAG-144 refines its operational playbook, defenders must prioritize robust email security, including multi-factor authentication and advanced threat detection for dynamic domains. Network segmentation and least-privilege access controls can limit lateral movement should an initial breach occur. Continuous monitoring for anomalous RAT activity and behavioral analysis of legitimate internet services used as staging grounds will be essential. By combining proactive defenses with rapid incident response, South American organizations can begin to disrupt TAG-144’s persistent grip on critical infrastructure and government networks.