Five Blind Eagle activity clusters identified, with Colombia as primary focus, researchers say

Security researchers have identified five distinct activity clusters tied to the persistent threat actor known as Blind Eagle, observed between May 2024 and July 2025, according to Recorded Future's Insikt Group. The threat intelligence firm tracks the campaigns under the TAG-144 designation, noting that the clusters share similar Tactics, Techniques and Procedures (TTPs) but diverge in infrastructure and deployment.

Although the clusters employ common techniques – such as leveraging open-source and cracked remote access trojans (RATs), dynamic domain providers, and legitimate internet services for staging – their infrastructure and operational methods show meaningful variation. The analysis highlights a persistent focus on government-related targets in the region, with activity also observed across other sectors.

The campaigns have a regional footprint primarily centered on Colombia, with activity also observed in Ecuador, Chile, and Panama, and some Spanish-speaking victims in the United States. Targeted sectors include the judiciary, tax authorities, and financial, petroleum, energy, education, healthcare, manufacturing, and professional services. The bulk of documented activity has occurred within Colombia’s government ecosystem, according to Recorded Future.

Attack chains typically begin with spear-phishing lures impersonating local government agencies, prompting recipients to open malicious documents or click links obscured by URL shorteners. The group has historically used compromised email accounts to disseminate messages and employed geofencing to redirect victims to official government sites when they access attacker-controlled infrastructure from outside Colombia or Ecuador.

Recent campaigns reportedly rely on a Visual Basic Script dropper to execute a dynamically generated PowerShell payload, which then contacts external servers to download an injector module responsible for loading multiple RATs, including Lime RAT, DCRat, AsyncRAT, and Remcos RAT. Researchers cited a chain of fetches that travels from a script to a PowerShell payload and ultimately to a .NET assembly embedded within an image hosted on the Internet Archive, illustrating the evolving use of living-off-the-land techniques and legitimate services for evasion. These findings align with analyses by Censys, which highlights the toolchain’s evolution and the role of compromised infrastructure in these campaigns.

According to Recorded Future, five clusters have been identified, each associated with distinct infrastructure and deployment patterns:

  • Cluster 1 (February–July 2025): targeted Colombian government entities exclusively with DCRat, AsyncRAT, and Remcos RAT.
  • Cluster 2 (September–December 2024): Colombian government and entities in education, defense, and retail sectors, using AsyncRAT and XWorm.
  • Cluster 3 (September 2024–July 2025): deployment of AsyncRAT and Remcos RAT.
  • Cluster 4 (May 2024–February 2025): phishing infrastructure mimicking Banco Davivienda, Bancolombia, and BBVA.
  • Cluster 5 (March–July 2025): Lime RAT and a cracked AsyncRAT variant observed in Clusters 1 and 2.

The campaigns have also employed SVG attachments that fetch a JavaScript payload from Discord CDN, which in turn retrieves a PowerShell script from Paste.ee. The PowerShell loader decodes and executes a secondary payload that extracts a .NET assembly from an image hosted on the Internet Archive, a technique aimed at evading detection and complicating attribution. A visual representation of the surrounding digital risk context accompanies these findings in Related coverage.

Nearly 60% of the observed Blind Eagle activity during the analysis period targeted the government sector, followed by education, healthcare, retail, transportation, defense, and oil. Recorded Future notes that the group’s primary focus has consistently been Colombia, particularly its government entities, raising questions about whether the activity signals state-sponsored espionage alongside financially motivated operations.

Experts caution that, while TAG-144 has primarily targeted Colombia, the scope has included other South American countries such as Ecuador and may extend to Spanish-speaking victims in the United States. The extent to which these campaigns reflect purely financial monetization versus potential state-aligned objectives remains a topic of ongoing study.