APT-C-36
Essential information
- Confidence: 100/100
- Published: 16/12/2025 19:39
- Modified: 04/05/2026 16:33
- Updated at: 04/05/2026 16:33
- Revoked: No
- Author / Source: The MITRE Corporation
- Resource level: —
- Primary motivation: —
- Related entities: 1 report, 79 attack patterns (MITRE), 10 malware, 4 sectors, 5 countries, 95 indicators, 1 vulnerability (CVE), 5 tools
Aliases
Blind Eagle
Description
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Reports (1)
- 10 MITRE entries · 2 malware · 3 observables · 1 APT · Published 29/05/2024 11:06 · Modified 29/05/2024 11:30
Attack patterns (MITRE) (79)
- T1095 uses Non-Application Layer Protocol
- T1112 uses Modify Registry
- T1534 uses Internal Spearphishing
- Written Content uses
- T1192 uses
- T1053 uses Scheduled Task/Job
- T1027.003 uses Steganography
- T1059.001 uses PowerShell
- T1071 uses Application Layer Protocol
- T1218.011 uses Rundll32
- T1012 uses Query Registry
- T1055.012 uses Process Hollowing
- T1608.001 uses Upload Malware
- T1588.002 uses Tool
- Junk Code Insertion uses
- T1588.001 uses Malware
- T1564.003 uses Hidden Window
- T1073 uses
- T1583.006 uses Web Services
- T1571 uses Non-Standard Port
- T1016 uses System Network Configuration Discovery
- T1059.007 uses JavaScript
- T1547.001 uses Registry Run Keys / Startup Folder
- TA0037 uses
- T1001 uses Data Obfuscation
- T1574.001 uses DLL
- T1583.003 uses Virtual Private Server
- T1036.004 uses Masquerade Task or Service
- T1218.005 uses Mshta
- T1547.003 uses Time Providers
- T1053.007
- Cloud Accounts uses
- T1053.005 uses Scheduled Task
- T1036 uses Masquerading
- T1593
- T1584.005 uses Botnet
- T1104 uses Multi-Stage Channels
- T1573 uses Encrypted Channel
- T1218 uses System Binary Proxy Execution
- T1548.003 uses Sudo and Sudo Caching
- T1218.009 uses Regsvcs/Regasm
- Impersonation uses
- T1587.001 uses Malware
- T1562 uses Impair Defenses
- T1583.001 uses Domains
- T1057 uses Process Discovery
- T1204 uses User Execution
- T1583.005 uses Botnet
- T1133 uses External Remote Services
- T1586.002 uses Email Accounts
- TA0003 uses
- T1059 uses Command and Scripting Interpreter
- T1105 uses Ingress Tool Transfer
- T1036.005 uses Match Legitimate Resource Name or Location
- T1027 uses Obfuscated Files or Information
- T1140 uses Deobfuscate/Decode Files or Information
- T1566.001 uses Spearphishing Attachment
- T1082 uses System Information Discovery
- T1566 uses Phishing
- T1218.007 uses Msiexec
- T1193 uses
- T1547 uses Boot or Logon Autostart Execution
- T1498 uses Network Denial of Service
- T1566.002 uses Spearphishing Link
- T1204.002 uses Malicious File
- T1497 uses Virtualization/Sandbox Evasion
- T1568 uses Dynamic Resolution
- T1132 uses Data Encoding
- Audio-Visual Content uses
- T1047 uses Windows Management Instrumentation
- T1083 uses File and Directory Discovery
- T1059.005 uses Visual Basic
- T1055 uses Process Injection
- T1102 uses Web Service
- T1480 uses Execution Guardrails
- T1033 uses System Owner/User Discovery
- T1205 uses Traffic Signaling
- T1204.001 uses Malicious Link
Malware (10)
- njRAT (S0385) · uses · Family · Published 16/09/2025 13:41 · Modified 16/09/2025 13:41
- AsyncRAT · uses · Family · Published 11/06/2026 16:31 · Modified 11/06/2026 16:31
- Hijackloader · uses · Family · Published 10/06/2026 11:58 · Modified 10/06/2026 11:58
- Quasar RAT · uses · Family · Published 15/05/2026 15:23 · Modified 15/05/2026 15:23
- Remcos RAT · uses · Family · Published 17/06/2026 18:20 · Modified 17/06/2026 18:20
- NJRat · uses · Family · Published 05/03/2025 11:12 · Modified 05/03/2025 11:12
- Backdoor:MSIL/Quasar
- PureCrypter · uses · Family · Published 10/10/2025 08:25 · Modified 10/10/2025 08:25
- Caminho · uses · Family · Published 17/12/2025 02:49 · Modified 17/12/2025 02:49
- HEARTCRYPT · uses · Family · Published 20/03/2025 15:17 · Modified 20/03/2025 15:17
Sectors (4)
- Defense (targets)
- Government (targets)
- Finance (targets)
- Manufacturing (targets)
Countries (5)
- Spain (targets)
- United States of America (targets)
- Ecuador (targets)
- Colombia (targets)
- Chile (targets)
Indicators (95)
Relationship to this intrusion set is "indicates" unless the entry is marked (related).
- 87effdf835590f85db589768b14adae2f76b59b2f33fae0300aef50575e6340d
- http://elyeso.ip-ddns.com:30204
- servicioseguroenlineabb.com
- b1d2f8d627af261a1556ba289a6d171e9eda3b9d9d28e330262dd9559e5a1da1
- http://213.226.123.14/8bmeVwqx/index.php
- c067869ac346d007a17e2e91c1e04ca0f980e8e9c4fd5c7baa0cb0cc2398fe59
- 9b0d0284c48659a7d81399fc9e9174ba373363116e66a21ecf84246fa2591b8b
- republicadominica2025.ip-ddns.com
- 372b14fce2eb35b264f6d4aeef7987da56d951d3a09ef866cf55ed72763caa12
- amuntgroupfree.ip-ddns.com
- http://172.174.176.153/dll/Dll.ppam'
- http://172.174.176.153/dll/Dll.ppam
- http://213.226.123.14/8bmeVwqx/index.php?scr=1
- 46addee80c4c882b8a6903cced9b6c0130ec327ae8a59c5946bb954ccea64a12
- comina998.ddns-ip.net
- 10fd1b81c5774c1cc6c00cc06b3ed181b2d78191c58b8e9b54fa302e4990b13d
- donato.con-ip.com
- http://21ene.ip-ddns.com:30204
- http://213.226.123.14/8bmeVwqx/Plugins/cred.dll
- cutty.ly
- d6dd7a4f46f2cfde9c4eb9463b79d5ff90fc690da14672ba1da39708ee1b9b50
- https://cdn.discordapp.com/attachments/1067819339090243727/1071063499494666240/Asuntos_DIAN_N34000137L287004P08899997012-03-02-2023-pdf.uue
- njnjnjs.duckdns.org
- laminascol.linkpc.net
- c5b11f830602e641f7d86a756da6b745d80ef6431be3f373be6912cab5f7acf5
- 5399bf1f18afcc125007d127493082005421c5ddebc34697313d62d8bc88daec
- http://213.226.123.14/8bmeVwqx/Plugins/clip.dll
- 19ad18ad0a128f690667c7239dbaf89629abe43a6bb365bac295b72a8cc26318
- 68af317ffde8639edf2562481912161cf398f0edba6e06745d90c1359554c76e
- 79068b82bcf0786b6af1b7cc96de1bf4e1a66b0d95e7e72ed1b1054443f6c5e3
- ce6f0090d1c38351a4a9dab52bf4ad817c3f2ea5a6e5cef4dd139311ea1e4c54
- f28ffdb035e739806d6c9bfc9ef2cd86f7fac2656018c8d0f2706647bcf5332f
- http://213.226.123.14/8bmeVwqx/Plugins/clip64.dll
- 2702ea04dcbbbc3341eeffb494b692e15a50fbd264b1d676b56242aae3dd9001
- http://62.60.226.64/file/9451_1380.exe
- 6d9d0eb5e8e69ffe9914c63676d293da1b7d3b7b9f3d2c8035abe0a3de8b9fca
- upxsystems.com
- 96791e52274fcb59709e8e705469934ea0feba59e96e6a60526fbd0da8bcebc3
- 405813d04b53574ab8c9721795e9fd705273487c852b7f4545fb875da09c7350
- 353406209dea860decac0363d590096e2a8717dd37d6b4d8b0272b02ad82472e
- 172.174.176.153
- a03259900d4b095d7494944c50d24115c99c54f3c930bea08a43a8f0a1da5a2e
- 6587de22729bf3dd6f3632d67881fbc75275b9fd6d88597c7f04462ec1b2bcdf
- 5433726d3912a95552d16b72366eae777f5f34587e1bdaa0c518c5fcbc3d8506
- https://cdn.discordapp.com/attachments/1066009888083431506/1070342535702130759/Asuntos_DIAN_N6440005403992837L2088970004-01-02-2023-pdf.uue
- system88.duckdns.org
- http://62.60.226.64/file/1374_2790.exe
- http://92.42.96.30/pdp.nacs.gov.ua/Certificate_Activate_45052389_005553.exe
- 77383eb5e1e6e0c4049ddcc359122adc39c13e5918c205ad71062bb441928f9b
- c4ff3fb6a02ca0e51464b1ba161c0a7387b405c78ead528a645d08ad3e696b12
- http://62.60.226.64/file/4025_3980.exe
- 17dic.ydns.eu
- newstaticfreepoint24.ddns-ip.net
- https://gtly.to/dGBeBqd8z
- 75fed14fd61067a1c0c2a10d0eefcc349308e1f4a1993a075a9f0c768affab13
- https://subirfact.com/onLyofFicED.bat
- cd89c8c9bb614fac779491b98ed425f90b01412381e02392fb27b36db3568b0f
- 21ene.ip-ddns.com
- 1dd7ae853911217095d2254337bedecee7267eea1ac9d0840eaf13506f40c9ab
- 61685ea4dc4ca4d01e0513d5e23ee04fc9758d6b189325b34d5b16da254cc9f4
- http://62.60.226.64/file/3819_5987.exe
- https://gtly.to/QvlFV_zgh
- http://newstaticfreepoint24.ddns-ip.net:3020
- 613fb5ffbce15d7c71a019dd0f80256b2d05772e4f62c2fbf7c74164f1227755
- navy3466.duckdns.org
- http://172.174.176.153/rump/Rump.xls
- systemwin.linkpc.net
- 8e864940a97206705b29e645a2c2402c2192858357205213567838443572f564
- 7a413732944fe4101f589e9ae49cd1b48c42c1287606b6badf4ce582cd8dedb5
- b2b220098532bf8ec449cb133bd636d9991690e59d189133e2ea42881c9a2067
- dian.server.tl
- 5.42.199.235
- 35612c79bde985c957ba521bbc7aa8541c31fb235ca7a91d0ee225f988921eb4
- fc85d3da6401b0764a2e8a5f55334a7d683ec20fb8210213feb6148f02a30554
- f80eb2fcefb648f5449c618e83c4261f977b18b979aacac2b318a47e99c19f64
- ac1ea54f35fe9107af1aef370e4de4dc504c8523ddaae10d95beae5a3bf67716
- 53e05479979358110027cba571da6517ccb56c7ca321cf47c3ace1bbe2e1bd8d
- 03b7d19202f596fe4dc556b7da818f0f76195912e29d728b14863dda7b91d9b5
- d31cf64cee89b83bf36a52cd28408ce4d2e9e584f66e2c397e8578cb01ecf2eb
- c63d15fe69a76186e4049960337d8c04c6230e4c2d3d3164d3531674f5f74cdf
- elyeso.ip-ddns.com
- remcosos.duckdns.org
- 8b6a909110ca907eb279cfb8f6db432af5564263e49c6982001b83fcffe04c07
- http://website.org/s8Xwt2
- 64a08714bd5d04da6e2476a46ea620e3f7d2c8a438eda8110c3f1917d63dfcfc
- rxms.duckdns.org
- 430be2a37bac2173cf47ca1376126a3e78a94904dbc5f304576d87f5a17ed366
- https://gtly.to/cuOv3gNDi
- 7e3a48c52da00a4dd8669103f0ba941aa824fcc097a18e7ea29f730492ba2a07
- asy1543.duckdns.org
- http://website.org/render/s8Xwt2 (related)
- 2cedf60566ee524440c85a8779d5e12a203d1dff140f4c3d32374b7eab547ef6 (related)
- http://213.226.123.14/8bmeVwqx/Plugins/cred64.dll (related)
- http://92.42.96.30/Activation/Certificate+AF8hFgBf-45052389+AF8-005553.exe (related)
- 35c7eb685fa4b03fd1e852c936768f003f8284ca96b1e1c73082053cd41fe63a (related)
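The indicator list above mixes SHA-256 hashes, dynamic-DNS hostnames, raw IPs and URLs, several of them on non-default ports (the T1571 Non-Standard Port entry in the attack-pattern list). Before these can be matched against logs they need typing, and a URL indicator implies a host and a port that are worth matching on their own. The script below is an added example written for this page; it is not code from the page, from MITRE or from any vendor tool. INDICATORS is a subset copied from the list above (the trailing quote on the .ppam entry is kept as it appears on the page); LOGS and their "timestamp client action target" layout are constructed for the example.

```python
"""Type this page's indicators and run a matching pass over log lines.
Added example; not part of the original page or of MITRE's data.
INDICATORS is copied from the page; LOGS and their layout are constructed."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SHA256 = re.compile(r"\b[0-9a-f]{64}\b", re.I)
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
DOMAIN = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)

INDICATORS = [  # subset of the page's list; stray quote on the .ppam entry kept as-is
    "87effdf835590f85db589768b14adae2f76b59b2f33fae0300aef50575e6340d",
    "http://elyeso.ip-ddns.com:30204",
    "elyeso.ip-ddns.com",
    "http://213.226.123.14/8bmeVwqx/Plugins/cred.dll",
    "http://172.174.176.153/dll/Dll.ppam'",
    "remcosos.duckdns.org",
    "5.42.199.235",
]
LOGS = [  # constructed lines, not from a real environment
    "2025-12-16T19:40:01Z 10.0.0.5 CONNECT elyeso.ip-ddns.com:30204",
    "2025-12-16T19:41:12Z 10.0.0.5 GET http://213.226.123.14/8bmeVwqx/Plugins/cred.dll",
    "2025-12-16T19:42:30Z 10.0.0.7 DNS remcosos.duckdns.org",
    "2025-12-16T19:43:00Z 10.0.0.9 GET https://example.org/index.html",
    "2025-12-16T19:44:15Z 10.0.0.5 FILE d.exe sha256=87effdf835590f85db589768b14adae2f76b59b2f33fae0300aef50575e6340d",
]


@dataclass
class IocSet:
    hashes: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    domains: set = field(default_factory=set)
    urls: set = field(default_factory=set)
    ports: set = field(default_factory=set)  # (host, port) from URLs with an explicit port (T1571)


def classify(value: str) -> str:
    v = value.strip().strip("'\"")
    if SHA256.fullmatch(v): return "sha256"
    if "://" in v: return "url"
    if IPV4.match(v): return "ipv4"
    if DOMAIN.match(v): return "domain"
    return "unknown"


def host_port(token: str):
    """(host, port) for a URL, a bare host:port or a bare host; ('', None) if unparsable."""
    try:
        p = urlsplit(token if "://" in token else "//" + token)
        return (p.hostname or "").lower(), p.port
    except ValueError:  # e.g. a timestamp token whose "port" part is not numeric
        return "", None


def load(values) -> IocSet:
    s = IocSet()
    for raw in values:
        v = raw.strip().strip("'\"")
        kind = classify(v)
        if kind == "sha256": s.hashes.add(v.lower())
        elif kind == "ipv4": s.ips.add(v)
        elif kind == "domain": s.domains.add(v.lower())
        elif kind == "url":
            s.urls.add(v)
            host, port = host_port(v)
            (s.ips if IPV4.match(host) else s.domains).add(host)  # URL host is an IOC on its own
            if port:
                s.ports.add((host, port))
    return s


def domain_hit(host: str, s: IocSet):
    """Exact or subdomain match (sub.evil.example matches evil.example)."""
    return next((d for d in s.domains if host == d or host.endswith("." + d)), None)


def match_line(line: str, s: IocSet) -> list:
    """Every (type, value) hit in one log line."""
    hits = [("sha256", h.lower()) for h in SHA256.findall(line) if h.lower() in s.hashes]
    for tok in re.split(r"[\s,;|]+", line.strip()):
        host, port = host_port(tok)
        if not host:
            continue
        if host in s.ips:
            hits.append(("ipv4", host))
        if (d := domain_hit(host, s)):
            hits.append(("domain", d))
        if tok in s.urls:
            hits.append(("url", tok))
        if port and (host, port) in s.ports:
            hits.append(("port", f"{host}:{port}"))
    return hits


def scan(lines, s: IocSet) -> list:
    """(line, hits) for each line that matched at least one indicator."""
    return [(ln, h) for ln in lines if (h := match_line(ln, s))]


if __name__ == "__main__":
    for ln, hits in scan(LOGS, load(INDICATORS)):
        print(hits, "<-", ln)
```

Two caveats when applying this to the full list: the cdn.discordapp.com entries share their host with a large volume of legitimate traffic, so only the full URL is a useful indicator for them and the host derived from it should be dropped from the domain set; and the subdomain match in domain_hit must never be fed a bare provider zone such as duckdns.org or ip-ddns.com, or it will flag every tenant of that service.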
Vulnerabilities (CVE) (1)
- Microsoft Windows contains an NTLMv2 hash spoofing vulnerability that could result in disclosing a user's NTLMv2 hash to an attacker via a …
  - Attack vector: Network
  - Published: 12/11/2024
  - Modified: 27/05/2026
Tool (5)
- DCRAT · uses · The MITRE Corporation · Confidence 75
  [DCRAT](https://attack.mitre.org/software/S9017) is a variant of the open-source [AsyncRAT](https://attack.mitre.org/software/S1087) developed in C# with additional capabilities such as patching Microsoft’s Antimalware Scan Interface (AMSI).(Citation: Zscaler BlindEagle DEC 2025)
  Published 16/04/2026 20:23 · Modified 04/05/2026 16:31
- Remcos · uses · The MITRE Corporation · Confidence 100
  [Remcos](https://attack.mitre.org/software/S0332) is a closed-source tool that is marketed as a remote control and surveillance software by a company called Breaking Security. [Remcos](https://attack.mitre.org/software/S0332) has been observed being used in …
  Published 29/01/2019 19:55 · Modified 27/03/2026 01:07
- QuasarRAT · uses · The MITRE Corporation · Confidence 100
  [QuasarRAT](https://attack.mitre.org/software/S0262) is an open-source, remote access tool that has been publicly available on GitHub since at least 2014. [QuasarRAT](https://attack.mitre.org/software/S0262) is developed in the C# language.(Citation: GitHub QuasarRAT)(Citation: Volexity …
  Published 17/10/2018 02:14 · Modified 27/03/2026 01:07
- AsyncRAT · uses · The MITRE Corporation · Confidence 100
  [AsyncRAT](https://attack.mitre.org/software/S1087) is an open-source remote access tool originally available through the NYANxCAT Github repository that has been used in malicious campaigns.(Citation: Morphisec Snip3 May 2021)(Citation: Cisco Operation Layover …
  Published 20/09/2023 19:32 · Modified 27/03/2026 01:07
- Imminent Monitor · uses · The MITRE Corporation · Confidence 100
  [Imminent Monitor](https://attack.mitre.org/software/S0434) was a commodity remote access tool (RAT) offered for sale from 2012 until 2019, when an operation was conducted to take down the Imminent Monitor infrastructure. …
  Published 05/05/2020 20:45 · Modified 27/03/2026 01:07