TAG-144
TAG-144, also known as Blind Eagle, AguilaCiega, APT-C-36, and APT-Q-98, is a threat actor tracked by Recorded Future's Insikt Group and active since at least 2018. Insikt Group identified five distinct activity clusters linked to the group operating during 2024 and 2025.

The actor primarily targets South America, especially Colombia, with victims concentrated in Colombian government entities at the local, municipal, and federal levels. Reported targets also include judiciary and tax authorities, financial entities, petroleum and energy companies, and organizations in education, healthcare, manufacturing, and professional services. Additional activity has been observed in Ecuador, Chile, and Panama, with occasional campaigns in North America targeting Spanish-speaking users.

The group's motivation is described as ambiguous, reflecting both cyber-espionage and financially driven objectives. Its campaigns have been associated with credential theft, including banking-related keylogging and browser monitoring, as well as surveillance-oriented activity against government institutions. Reported outcomes include credential theft, data exfiltration, and extortion.

TAG-144 commonly gains initial access through spearphishing, often impersonating local government agencies and using lures themed around debt collection and judicial notifications. The group has used compromised Colombian government email accounts in spearphishing campaigns. It uses URL shorteners such as cort[.]as, acortaurl[.]com, and gtly[.]to to conceal malicious links and target users geographically, and employs geo-fencing to block access from outside Colombia or Ecuador, sometimes redirecting non-targets to official government websites.

Its tooling relies heavily on commodity, open-source, cracked, and modified remote access trojans, including AsyncRAT, DcRAT, REMCOS RAT, XWorm, LimeRAT, njRAT, QuasarRAT, BitRAT, and a Quasar variant called BlotchyQuasar. The actor also uses crypters including HeartCrypt, PureCrypter, and crypters developed by actors known as Roda and pjoao1578, with indicators also pointing to use of crypter-as-a-service offerings such as CryptersAndTools.

TAG-144 uses multi-stage infection chains and legitimate internet services for payload staging, along with dynamic DNS providers. Its evasion and delivery techniques include steganography to embed payloads in image files, domain generation algorithms, and in-memory malware execution.

Command-and-control infrastructure has incorporated IP space from Colombian ISPs and VPS providers and dynamic DNS services such as duckdns[.]org, ip-ddns[.]com, and noip[.]com. Insikt Group also reported further evidence linking TAG-144 to Red Akodon. The five identified clusters share similar TTPs but differ significantly in infrastructure, malware deployment, and other operational methods.
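The URL shorteners and dynamic DNS providers named above are the kind of infrastructure a defender can watch for in egress logs. The following Python is an added example, not code from the Insikt Group report or from Mallory: it loads the defanged domains exactly as the report writes them, refangs them, and flags proxy-log requests whose host is one of those domains or a subdomain of one (so a look-alike such as a host that merely starts with "noip.com" is not matched). The proxy log format, the sample lines, and every hostname and IP in them are constructed for this example.

```python
"""Flag proxy-log requests to the URL shorteners and dynamic DNS providers
named in TAG-144 reporting.  Example detection logic, not vendor code."""
from urllib.parse import urlsplit

# Domains as written (defanged) in the report; refanged at load time.
TAG144_URL_SHORTENERS = ["cort[.]as", "acortaurl[.]com", "gtly[.]to"]
TAG144_DYNAMIC_DNS = ["duckdns[.]org", "ip-ddns[.]com", "noip[.]com"]


def refang(domain: str) -> str:
    """Turn the report's 'example[.]com' notation back into a real domain."""
    return domain.replace("[.]", ".").lower()


WATCHLIST = {refang(d): "url-shortener" for d in TAG144_URL_SHORTENERS}
WATCHLIST.update({refang(d): "dynamic-dns" for d in TAG144_DYNAMIC_DNS})


def host_of(url: str) -> str:
    """Hostname from a URL, tolerating scheme-less entries in proxy logs."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def match_watchlist(host: str):
    """Return (matched_domain, category) when host equals a watchlisted domain
    or is a subdomain of one; suffix-only look-alikes do not match."""
    parts = host.split(".")
    # Stop before the bare TLD so 'org' or 'com' alone can never match.
    for i in range(len(parts) - 1):
        candidate = ".".join(parts[i:])
        if candidate in WATCHLIST:
            return candidate, WATCHLIST[candidate]
    return None


def parse_proxy_line(line: str):
    """Constructed format: '<timestamp> <src_ip> <method> <url> <status>'."""
    fields = line.split()
    if len(fields) != 5:
        return None  # malformed line; skipped rather than crashing the scan
    ts, src, method, url, status = fields
    return {"ts": ts, "src": src, "method": method, "url": url, "status": status}


def find_hits(lines):
    """Scan proxy log lines and return the records that touch the watchlist."""
    hits = []
    for line in lines:
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        host = host_of(rec["url"])
        matched = match_watchlist(host)
        if matched:
            hits.append({**rec, "host": host,
                         "matched": matched[0], "category": matched[1]})
    return hits


# Constructed sample log: two hits, one benign site, one suffix look-alike
# that must not match, and one malformed line.
SAMPLE_LOG = [
    "2025-03-04T13:02:11Z 10.20.30.41 GET https://cort.as/abc123 302",
    "2025-03-04T13:02:13Z 10.20.30.41 GET http://update-docs.duckdns.org/img/doc.png 200",
    "2025-03-04T13:05:40Z 10.20.30.77 GET https://www.example.com/ 200",
    "2025-03-04T13:06:02Z 10.20.30.12 GET https://noip.com.example.net/ 200",
    "malformed line",
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['host']} [{hit['category']}: {hit['matched']}]")
```

A match is a hunting lead rather than a verdict: dynamic DNS providers and URL shorteners have plenty of legitimate users, so the hit should be correlated with the source host's subsequent downloads (image files that were later executed, for instance) before escalation. The geo-fencing described above cannot be seen from the proxy log at all, which is one reason a shortener redirect followed by a dynamic DNS host on the same source within seconds is worth more than either event alone.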
Targeting
Who they target
Sectors the actor has been observed targeting.
- government
- finance
- energy
- education
- healthcare
- manufacturing
Associated malware families
11 malware families attributed to this actor across reporting.
Observables
6 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
3 sources tracked across advisories, community write-ups, and news.
TAG-144 is a cyberespionage group targeting South American government agencies, especially in Colombia, using commodity RATs, spear-phishing, and advanced evasion techniques.
Regionally focused intrusion activity (blending espionage and financially motivated credential theft) primarily targeting Colombian government entities via spearphishing, multi-stage loaders, and commodity/cracked RATs; heavy use of dynamic DNS and legitimate internet services for payload staging and C2 obfuscation.