# Blind Eagle Intelligence Summary

# Adversary Overview

Blind Eagle, a.k.a. APT-C-36, Águila Ciega (ATT&CK Group ID: G0099), is a Spanish-speaking threat actor that has been active since at least 2018.¹ The group is believed to be based in South America, given their use of regional Spanish dialects and intimate knowledge of government agencies and other local institutions in the region. The group tends to target Colombia-based institutions, including entities in the financial, manufacturing, and petroleum sectors.² However, this threat actor has also executed operations against victims throughout South America, Europe, the US, and Australia.^{3 4} While Blind Eagle tends to be largely opportunistic in their motives, though they have conducted espionage operations as well.⁵

Blind Eagle generally relies on commodity RATs, including Imminent Monitor, BitRAT, QuasarRAT, AsyncRAT, LimeRAT, and RemcosRAT.^{6 7 8} This threat actor's campaigns often leverage spearphishing for initial access and the deployment of encrypted payloads.² Additional common TTPs used by this threat actor include: spearphishing, use of malicious macros, process injection, and other LOTL techniques.^{5 9} The group also employs relatively strict targeting, and has been known to link-shortening services that geoloate victims.³

# Group Overview Report References

ID	Report Links
1	https://attack.mitre.org/groups/G0099/\|
2	https://web.archive.org/web/20190625182633/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/\|
3	https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html\|
4	https://webcache.googleusercontent.com/search?q=cache:DTTI-wdD7KcJ:blog.la.trendmicro.com/proyecto-rat-una-campana-de-spam-dirigida-a-entidades-colombianas-a-traves-del-servicio-de-correo-electronico-yopmail/&cd=10&hl=en&ct=clnk&gl=us\|
5	https://blogs.blackberry.com/en/2023/02/blind-eagle-apt-c-36-targets-colombia\|
6	https://www.ecucert.gob.ec/wp-content/uploads/2022/03/alerta-APTs-2022-03-23.pdf\|
7	https://lab52.io/blog/apt-c-36-recent-activity-analysis/\|
8	https://research.checkpoint.com/2023/blindeagle-targeting-ecuador-with-sharpened-tools/\|
9	https://blog.scilabs.mx/malware-campaign-attributed-to-apt-c-36-context-and-iocs-update-june-2022/\|

# Connect with us 🗨️

We 💖 feedback! Let us know how using ATT&CK Evaluation results has helped you and what we can do better.

Email: evals@mitre-engenuity.org
Twitter: https://twitter.com/MITREengenuity
LinkedIn: https://www.linkedin.com/company/mitre-engenuity/

ID	Report Links
1	https://attack.mitre.org/groups/G0099/\|
2	https://web.archive.org/web/20190625182633/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/\|
3	https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html\|
4	https://webcache.googleusercontent.com/search?q=cache:DTTI-wdD7KcJ:blog.la.trendmicro.com/proyecto-rat-una-campana-de-spam-dirigida-a-entidades-colombianas-a-traves-del-servicio-de-correo-electronico-yopmail/&cd=10&hl=en&ct=clnk&gl=us\|
5	https://blogs.blackberry.com/en/2023/02/blind-eagle-apt-c-36-targets-colombia\|
6	https://www.ecucert.gob.ec/wp-content/uploads/2022/03/alerta-APTs-2022-03-23.pdf\|
7	https://lab52.io/blog/apt-c-36-recent-activity-analysis/\|
8	https://research.checkpoint.com/2023/blindeagle-targeting-ecuador-with-sharpened-tools/\|
9	https://blog.scilabs.mx/malware-campaign-attributed-to-apt-c-36-context-and-iocs-update-june-2022/\|