The Blind Eagle: APT-C-36

← Home·Gallery·Techniques

Threat Intelligence Tarot

wands · 12

South America (Colombia-linked, suspected)

G0099

★★★★★

risk 3/5

✦ The Blind Eagle ✦

APT-C-36

Blind Eagle · AguilaCiega

Colombia governmentEcuadorPanamaFinancial institutionsOil sector

Active since ~2018 · Colombian government surveillance, Financial sector targeting, South American espionage

The Blind Eagle hunts by region and by language. Its lures are in Spanish, its targets are in Bogota, Quito, and Panama City. It is one of the few known South American APT groups - operating in a region where cyber espionage has historically been underreported and underinvestigated.

Tactics & Techniques

RCN

RDV

INI

EXC

PRS

PRV

EVA

CRD

DSC

LAT

COL

EXF

IMP

T1566.001

Spearphishing Attachment

Initial Access

T1059.001

PowerShell

Execution

T1547.001

Registry Run Keys

Persistence

T1056.001

Keylogging

Collection

T1071.001

Web Protocols

Command and Control

Notable Operations

◆Colombian government and financial institutions targeting
◆NjRAT and Imminent Monitor RAT deployment
◆Ecuador and Panama targeting for regional espionage
◆Spanish-language lure documents targeting local officials

Defenses

▸
Email sandboxing for Spanish-language documents and archives
CIS Control 9 ↗
▸
Endpoint protection with RAT detection capabilities
NIST CSF: DE.CM ↗
▸
PowerShell logging and AMSI integration
CIS Control 8 ↗
▸
Network monitoring for commodity RAT C2 traffic patterns
CIS Control 13 ↗

Reversed: Their Weakness

Blind Eagle's heavy reliance on commodity RATs - NjRAT, Imminent Monitor - widely available on criminal forums makes attribution difficult and defenses more achievable; standard endpoint protection catches its tools more reliably than custom malware.

Share this adversary profile

← → arrow keys to browse

swipe to browse

← PreviousThe Affiliate Next →The Mercenary Wing

Related Adversaries

Data sourced from MITRE ATT&CK. For educational purposes.