{
	"id": "4cf4f6d9-d3da-4f11-a56a-1c32424c0587",
	"created_at": "2026-04-06T00:14:38.685558Z",
	"updated_at": "2026-04-10T03:35:20.323755Z",
	"deleted_at": null,
	"sha1_hash": "bcecea6cd429761694a5866c86664e167a247da8",
	"title": "APT-C-36 Updates Its Long-term Spam Campaign Against South American Entities With Commodity RATs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 199076,
	"plain_text": "APT-C-36 Updates Its Long-term Spam Campaign Against South\r\nAmerican Entities With Commodity RATs\r\nBy: Daniel Lunghi Sep 13, 2021 Read time: 5 min (1483 words)\r\nPublished: 2021-09-13 · Archived: 2026-04-05 17:07:08 UTC\r\nAPT \u0026 Targeted Attacks\r\nWe have continued tracking APT-C-36, also known as Blind Eagle, since our research on this threat actor in 2019.\r\nWe share new findings of APT-C-36’s ongoing spam campaign targeting South American entities.\r\nIn 2019, we wrote a blog entry about a threat actor, likely based in Colombia, targeting entities\r\nin Colombia and other South American countries with spam emails. This threat actor is sometimes referred to as\r\nAPT-C-36 or Blind Eagle. Since then, we have continued tracking this threat actor. In this blog entry, we share our\r\nnew findings about APT-C-36’s ongoing spam campaign during that monitoring phase.\r\nAPT-C-36 has been known to send phishing emails to various entities in South America using publicly available\r\nremote access tools (RATs). Over time, the threat actor switches from one RAT to another. In the past, we have\r\nobserved that APT-C-36 makes use of RATs such as:\r\nnjRAT\r\nImminent Monitor\r\nA custom modified ProyectoRAT\r\nWarzone RAT\r\nAsync RAT\r\nLime RAT\r\nRemcos RAT\r\nBitRAT\r\nThe delivery emails\r\nAPT-C-36 utilizes different ruses for their targets: Many of the fraudulent emails impersonate Colombia’s national\r\ndirectorate of taxes and customs, Dirección de Impuestos y Aduanas Nacionales (DIAN), a lure that the threat\r\nactor has used before. Such emails claim that a “seizure order to bank account has been issued,” that further details are\r\ncontained in the email attachment, and that the information is protected with the password “dian” (Figure 1). In\r\nEnglish, the attachment name means “seizure order.pdf” and the email body translates to the following:\r\n“Subject: we have sent a seizure order to the bank accounts matching your name\r\nDear taxpayer,\r\nhttps://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html\r\nPage 1 of 7\n\nFor your information, our intelligent IT system detected that your income statement at the Direccion de Impuestos\r\ny Aduanas DIAN has 180 days of arrears. For that reason, we will proceed as stated in the law, article 823 until\r\n843-2.\r\nWe attach the information and your debt with the password : dian\"\r\nFigure 1. A delivery email impersonating Colombia’s national directorate of taxes and customs\r\nOther fake emails in this campaign claim to contain a photo that would prove that the recipient’s partner is having\r\nan affair. In a similar fashion, the recipient is asked to open the email attachment named “attached picture.jpg” and\r\nuse the password “foto” to view its contents (Figure 2). These emails lack proper punctuation and are badly\r\nwritten, which is a common feature in phishing attempts. In English, the email translates to the following:\r\n“Hi how are you, I hope you're fine. I write this email to you as I don't dare telling you directly. Everyone knows\r\nexcept you, open your eyes, you are being cheated on and I don't like how others are laughing about you. I\r\nexperienced a similar situation, that's why I don't like someone doing it to another person. You know me well, I\r\nprefer not to make trouble. I attached a picture where they are kissing, I know it's hard to look at, but it is better\r\nthan to live a relationship where you believe it is all fine.\r\nThe picture was too big so I compressed it, you need Winzip or Winrar installed. I will write another email in the\r\nfollowing days, I have more things to tell you.\r\nI uploaded the picture with a password to avoid other people to look at it. The password is: foto\".”\r\nFigure 2. A delivery email pretending to share personal photos\r\nThe sender’s email address is either a spoofed address impersonating DIAN, or a Hotmail.com address\r\nimpersonating a fake female profile. The originating IP addresses always belong to a VPN provider.\r\nThe delivery documents\r\nThe delivery documents in these phishing emails are either a PDF file or a DOCX file containing a link. We have\r\nfound samples of these documents impersonating DIAN (Figure 3), and others impersonating Google Photos\r\n(Figure 4).\r\nFigure 3. An email attachment with a link to a URL shortener\r\nFigure 4. The URL leads to a different destination\r\nHovering over the link will show that the link was generated from a URL shortener. As discussed in our last blog\r\nentry on this threat actor, APT-C-36 uses URL shorteners such as cort.as, acortaurl.com and gtly.to. These URL\r\nshorteners are capable of geographical targeting, so if a user from a country not targeted by the threat actors clicks\r\non the link, they will be redirected to a legitimate website. The URL shorteners also have the ability to detect the\r\nmajor VPN services, in which case the shortened link leads the users to a legitimate website instead of redirecting\r\nthem to the malicious link, as illustrated in Figures 5 and 6.\r\nFigure 5. Geographical targeting detects a non-Colombian IP or VPN, so the user is led to the real\r\nDIAN website\r\nFigure 6. Geographical targeting detects a non-Colombian IP or VPN, so the user is led to the real\r\nGoogle Photos website\r\nHowever, if the location criteria are met, then the user is redirected to a file hosting server and a file is\r\nautomatically downloaded (Figure 7).\r\nFigure 7. File storage containing a password-protected archive\r\nThe downloaded file is a password-protected archive, the password for which is mentioned in the email, the email\r\nattachment, or both. These passwords are usually simple, such as “dian,” “foto,” or “1234.”\r\nPayload\r\nAfter deobfuscating the executable file within the password-protected archive, we are presented with a RAT called\r\nBitRAT. This RAT is not new; it has been previously analyzed by security researchers.\r\nUpon analyzing the RAT, the most interesting part is its configuration settings, seen as an encrypted\r\nblock of data (Figure 8). There are two hexadecimal strings within the main executable file in BitRAT: the longer\r\nstring is the encrypted configuration, the shorter one is the first part of the key.\r\nFigure 8. BitRAT's encrypted configuration\r\nUnlike most other malware, BitRAT uses the Camellia cipher with an initialization vector (IV)\r\nof 0000000000000000.\r\nSeveral computational steps are needed to obtain the final key. First, a magic value is computed from bytes found\r\nat fixed addresses, as shown in Figures 9 and 10.\r\nFigure 9. The algorithm to compute the magic value of BitRAT’s final key\r\nFigure 10. The input data to compute the magic value of BitRAT’s final key\r\nEach byte is transformed using a simple computation formula, as shown below:\r\n((((value - 0x08) * 0x25) % 0x7f) + 0x7f) % 0x7f\r\nThis formula can be used to compute the magic value through the following process:\r\n1. For example, using the data from Figures 9 and 10 will result in the string “78hf326f87”.\r\n2. This string is appended to the hardcoded string “38325a784d6f5630”, forming the string\r\n“38325a784d6f563078hf326f87”.\r\n3. Afterward, a crc32 checksum is computed from “38325a784d6f563078hf326f87”, resulting in “d8e71d19”.\r\n4. A value of 0x08 is added to the checksum, which then becomes “d8e71d21”.\r\n5. The MD5 hash is computed from the checksum “d8e71d21”, forming\r\n“b50d97fb1e3d5fc9cc302384f5718714”.\r\n6. The first half of this MD5 hash, “b50d97fb1e3d5fc9”, is the key for the Camellia cipher.\r\nThe configuration is decrypted to the following string, as shown in Figure 11, including a command-and-control\r\n(C\u0026C) server and a port.\r\nFigure 11. Decrypted configuration of BitRAT\r\nAffected regions and industries\r\nThe majority of the targets we discovered were located in Colombia, although some were from other South\r\nAmerican countries such as Ecuador, Spain, and Panama. This is consistent with the use of Spanish in spear-phishing emails.\r\nAlthough APT-C-36’s objective remains unclear, we posit that the threat actor carried out this campaign for\r\nfinancial gain. The campaign has affected multiple industries, primarily government, financial, and healthcare\r\nentities. We have also seen the campaign affect the finance, telecommunications, and energy, oil and gas\r\nindustries.\r\nConclusion\r\nOver the course of this investigation, we have found various new tactics, techniques, and procedures (TTPs) used\r\nby APT-C-36. Our research shows that they modify their methods frequently, as evidenced by their use of\r\ndifferent link shorteners and RATs. While spear-phishing emails are the initial infection vector for this ongoing\r\ncampaign, the threat actor is constantly changing their payloads and improving their techniques to avoid detection,\r\nsuch as their use of geolocation filtering.\r\nAPT-C-36 selects their targets based on location and most likely the financial standing of the email recipient.\r\nThese, and the prevalence of the emails, lead us to conclude that the threat actor’s ultimate goal is financial gain\r\nrather than espionage.\r\nSecurity Recommendations\r\nThreat actors like APT-C-36 are constantly seeking new ways to deploy their malware and stay one step ahead of\r\ntheir victims’ defenses. To secure their data from spear-phishing attempts, companies can benefit from tools such\r\nas the Trend Micro™ Smart Protection Suites and Worry-Free™ Business Security solutions, which\r\nprotect end-users and businesses from these kinds of threats by detecting and blocking malicious files, spam\r\nmessages, and malicious URLs. They can also turn to tools like Trend Micro™ Email Security, a no-maintenance cloud solution that delivers continuously updated protection to stop spam, malware, spear phishing,\r\nransomware, and advanced targeted attacks before they reach the network. It protects Microsoft Exchange,\r\nMicrosoft Office 365, Google Apps, and other hosted and on-premises email solutions.\r\nIndicators of Compromise\r\nYou can access the link here for the full list of IOCs.\r\nSource: https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html"
	],
	"report_names": [
		"apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html"
	],
	"threat_actors": [
		{
			"id": "98b22fd7-bf1b-41a6-b51c-0e33a0ffd813",
			"created_at": "2022-10-25T15:50:23.688973Z",
			"updated_at": "2026-04-10T02:00:05.390055Z",
			"deleted_at": null,
			"main_name": "APT-C-36",
			"aliases": [
				"APT-C-36",
				"Blind Eagle"
			],
			"source_name": "MITRE:APT-C-36",
			"tools": [
				"Imminent Monitor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "be597b07-0cde-47bc-80c3-790a8df34af4",
			"created_at": "2022-10-25T16:07:23.407484Z",
			"updated_at": "2026-04-10T02:00:04.58656Z",
			"deleted_at": null,
			"main_name": "Blind Eagle",
			"aliases": [
				"APT-C-36",
				"APT-Q-98",
				"AguilaCiega",
				"G0099"
			],
			"source_name": "ETDA:Blind Eagle",
			"tools": [
				"AsyncRAT",
				"BitRAT",
				"Bladabindi",
				"BlotchyQuasar",
				"Imminent Monitor",
				"Imminent Monitor RAT",
				"Jorik",
				"LimeRAT",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Socmer",
				"Warzone",
				"Warzone RAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bd43391b-b835-4cb3-839a-d830aa1a3410",
			"created_at": "2023-01-06T13:46:38.925525Z",
			"updated_at": "2026-04-10T02:00:03.147197Z",
			"deleted_at": null,
			"main_name": "APT-C-36",
			"aliases": [
				"Blind Eagle"
			],
			"source_name": "MISPGALAXY:APT-C-36",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434478,
	"ts_updated_at": 1775792120,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bcecea6cd429761694a5866c86664e167a247da8.pdf",
		"text": "https://archive.orkl.eu/bcecea6cd429761694a5866c86664e167a247da8.txt",
		"img": "https://archive.orkl.eu/bcecea6cd429761694a5866c86664e167a247da8.jpg"
	}
}