TAG-144: Innovative Tactics, Techniques, and Procedures Used by Actors Targeting Government Entities

Over the past year, a shadowy threat actor known as TAG-144, also tracked under aliases Blind Eagle and APT-C-36, has intensified operations against South American government institutions. First observed in 2018, this group has adopted various commodity Remote Access Trojans (RATs) such as AsyncRAT, REMCOS RAT, and XWorm. These RATs are often delivered through highly targeted spearphishing campaigns that masquerade as official judicial or tax notifications. In mid-2025, Recorded Future analysts noted a significant uptick in activity, with five distinct clusters deploying new infrastructure and exploiting legitimate internet services to stage malware payloads. Initial access typically leverages compromised or spoofed email accounts from local government agencies, luring users into opening malicious documents or SVG attachments. These attachments frequently contain embedded JavaScript that, when executed, retrieves a second-stage loader from services like Paste.ee or Discord’s CDN.

The impact of TAG-144’s campaigns has been particularly severe in Colombia’s federal and municipal agencies, where the exfiltration of credentials and sensitive data poses both espionage and financial extortion risks. Despite sharing core tactics across clusters—such as dynamic DNS domains, open-source RATs, and stolen crypters—the group’s evolving use of steganography and Domain Generation Algorithms (DGAs) marks a notable shift toward more resilient operations. Recorded Future analysts have observed that this evolution complicates traditional defences and underscores the blurred line between cybercrime and state-level espionage. One of TAG-144’s most sophisticated techniques involves embedding a Base64-encoded .NET assembly within the pixel data of a benign JPEG image hosted on Archive.org. Upon execution of the initial PowerShell script, the loader scans for a predefined byte marker before extracting and invoking the payload directly in memory, thereby bypassing disk writes and evading antivirus detection. 
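A defender-side illustration of the last point, added here and not part of the original post or of the Recorded Future report: a small Python triage routine that scans a staged image for Base64 runs that decode to a PE file (`MZ` header) and flags the .NET metadata signature (`BSJB`). The marker value `HYPOTHETICAL_MARKER` is a placeholder, since the page does not give the real byte marker, and the JPEG and PE bytes in `build_constructed_samples` are constructed fixtures rather than real samples; the scan works with or without a known marker.

```python
import base64
import re
from typing import List, Optional

# A genuine .NET assembly encodes to far more than 64 Base64 characters,
# so this threshold only filters out short alphabet-like runs in metadata.
MIN_B64_LEN = 64
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_B64_LEN)

# Hypothetical marker: the report states the loader looks for a predefined
# byte marker, but its value is not on the page. Replace with the real one
# when triaging an actual sample; with marker=None the whole file is scanned.
HYPOTHETICAL_MARKER = b"<<PAYLOAD>>"


def find_embedded_pe(blob: bytes, marker: Optional[bytes] = None) -> List[dict]:
    """Return one finding per Base64 run in `blob` that decodes to a PE file.

    If `marker` is given, only data after the marker is inspected (mirroring
    how the described loader locates its payload); if the marker is absent,
    nothing is reported.
    """
    start = 0
    if marker is not None:
        idx = blob.find(marker)
        if idx == -1:
            return []
        start = idx + len(marker)

    findings = []
    for m in B64_RUN.finditer(blob, start):
        run = m.group(0)
        # Base64 length must be a multiple of 4; drop any stray trailing chars.
        run = run[: len(run) - (len(run) % 4)]
        try:
            decoded = base64.b64decode(run, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if decoded[:2] != b"MZ":
            continue  # Base64 text that is not a PE image (e.g. XMP thumbnails)
        findings.append({
            "offset": m.start(),
            "b64_len": len(run),
            "decoded_len": len(decoded),
            # "BSJB" is the signature at the start of the .NET metadata root.
            "dotnet_metadata": b"BSJB" in decoded,
        })
    return findings


def scan_path(path: str, marker: Optional[bytes] = None) -> List[dict]:
    """Convenience wrapper for scanning a file on disk."""
    with open(path, "rb") as fh:
        return find_embedded_pe(fh.read(), marker)


def build_constructed_samples():
    """Constructed fixtures: a minimal JPEG-like file, and the same file with
    a marker and a Base64-encoded fake PE appended. Neither is a real sample."""
    soi = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01"
    pixels = b"\x00\xff" * 64          # stand-in for entropy-coded image data
    eoi = b"\xff\xd9"
    clean = soi + pixels + eoi

    # Fake PE: MZ header, PE signature and a .NET metadata signature, no code.
    fake_pe = (b"MZ" + bytes(58) + b"\x80\x00\x00\x00" + bytes(64)
               + b"PE\x00\x00" + bytes(20) + b"BSJB" + bytes(40))
    stego = clean + HYPOTHETICAL_MARKER + base64.b64encode(fake_pe)
    return clean, stego


if __name__ == "__main__":
    clean, stego = build_constructed_samples()
    print("clean :", find_embedded_pe(clean))
    print("stego :", find_embedded_pe(stego))
    print("marker:", find_embedded_pe(stego, marker=HYPOTHETICAL_MARKER))
```

The check is deliberately content-based rather than marker-based: hunting for the `MZ` header inside decoded Base64 runs catches a relocated or renamed payload even after the actor changes its marker, and the `BSJB` flag separates .NET assemblies (the case described above) from other PE images. Run it over anything an endpoint fetched from file-hosting or archive services around the time of a suspicious PowerShell execution.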

Categories: Cyber Espionage, Phishing Attacks, Malware Delivery Techniques 

Tags: TAG-144, Remote Access Trojans, Spearphishing, Malware, Social Engineering, Steganography, Cybercrime, Espionage, Credential Exfiltration, Domain Generation Algorithms 
