{
	"id": "a54403a3-7b0b-4e92-8398-9ed207a69ef8",
	"created_at": "2026-04-06T00:08:37.800344Z",
	"updated_at": "2026-04-10T03:35:20.373268Z",
	"deleted_at": null,
	"sha1_hash": "c1030d1d6faff27debe60ba517e4fa2ff1205304",
	"title": "QiAnXin Threat Intelligence Center",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2783984,
	"plain_text": "QiAnXin Threat Intelligence Center\r\nArchived: 2026-04-05 22:29:35 UTC\r\nBackground\r\nSince April 2018, an APT group (Blind Eagle, APT-C-36) suspected of coming from South America has carried out continuous targeted attacks against Colombian government institutions as well as important corporations in the financial sector, petroleum industry, professional manufacturing, etc.\r\nTo date, 360 Threat Intelligence Center has captured 29 bait documents, 62 Trojan samples and multiple related malicious domains in total. The attackers target the Windows platform and aim at government institutions as well as large companies in Colombia.\r\nThe first sample was captured in April 2018, and since then we have observed many more related ones. The attackers favor spear-phishing emails with a password-protected RAR attachment to avoid detection by the email gateway. The decryption password is provided in the mail body, and the attachment is an MHTML macro-based document with the .doc suffix. Its purpose is to implant the Imminent backdoor and gain a foothold in the target network, which makes subsequent lateral movement easier.\r\nAfter analyzing the last modified time of the encrypted documents, the character set (locale) of the MHTML files, the author names used by the attackers, and elements such as the geopolitics of APT attacks, 360 Threat Intelligence Center suspects the attackers come from South America and are in the UTC -4 time zone (or adjacent ones).\r\nTarget and Victim Analysis\r\nAfter investigating the classified victims, we find that the attacker targets large companies and government agencies in Colombia. The purpose is to implant the Imminent backdoor to gain a foothold in the target network, which makes subsequent lateral movement easier. Based on the victims' backgrounds, the attacker is focused on strategic-level intelligence and may also be motivated to steal business intelligence and intellectual property.\r\nSpoofed Source and Industry Distribution\r\nBased on the statistics of the attack information collected by 360 Threat Intelligence Center, the attacker disguised itself as Colombian national institutions to attack government agencies, financial institutions, large domestic companies and branches of multinational corporations in Colombia.\r\nSpoofed Source | Target\r\nColombian National Civil Registry | INCI (Colombian National Institute for the Blind)\r\nNational Directorate of Taxes and Customs | Ecopetrol (Colombian Petroleum Co.)\r\nNational Directorate of Taxes and Customs | Hocol (Subsidiary of Ecopetrol)\r\nNational Directorate of Taxes and Customs | Wheel manufacturer in Colombia (IMSA)\r\nNational Directorate of Taxes and Customs | Byington Colombia\r\nNational Administrative Department of Statistics | Logistics company in Colombia (Almaviva)\r\nColombian National Cyber Police | Bank in Colombia (Banco de Occidente)\r\nOffice of the Attorney General | ATH Columbia Division\r\nOffice of the Attorney General | Bank in Colombia (Banco de Occidente)\r\nColombia Migration | Sun Chemical Columbia Branch\r\nhttps://web.archive.org/web/20190625182633if_/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/\r\nPage 1 of 32\r\nSome malicious domains used by the attacker also masquerade as Colombian government websites. For example, \"diangovcomuiscia.com\" looks like the official \"muiscia.dian.gov.co\" that belongs to the National Directorate of Taxes and Customs.\r\nThe attacker also forged the company information in the Imminent RAT:\r\nCompany Information in RAT | Company Description\r\nAbbott Laboratories | A healthcare company based in the United States\r\nChevron | A multinational energy company in the United States\r\nEnergizer Holdings Inc. | American battery manufacturer\r\nProgressive Corporation | Auto insurance provider in America\r\nSimon Property Group Inc | A commercial real estate company in America\r\nSports Authority Inc | A sports goods retailer in the United States\r\nStrongeagle, Lda. | A company related to a lawsuit in Portugal\r\nAffected Targets\r\nAfter monitoring and correlating the APT attack, 360 Threat Intelligence Center discovered multiple related emails attacking Colombian government agencies, financial institutions and large enterprises. Based on this work, we collected the following spear-phishing emails, bait documents and the corresponding victims.\r\nEcopetrol\r\nInformation and Related Email of the Attacked Corporation\r\nEcopetrol, also known as Colombian Petroleum Co. (www.ecopetrol.com.co), is the largest and primary petroleum company in Colombia.\r\nTargeted Email Attack Against Ecopetrol\r\nRelated Bait Document\r\nThe document was disguised as originating from the National Directorate of Taxes and Customs (www.dian.gov.co):\r\nDian Embargo Bancario # 609776.doc\r\nHocol Petroleum Limited\r\nInformation and Related Email of the Attacked Corporation\r\nHocol was founded in 1956. It is a subsidiary of Ecopetrol and offers hydrocarbon exploration and production services.\r\nTargeted Email Attack Against Hocol\r\nRelated Bait Document\r\nThe attacker pretends to come from the National Directorate of Taxes and Customs:\r\nestado de cuenta.doc\r\nLogistics Company (Almaviva)\r\nInformation and Related Email of the Attacked Corporation\r\nAlmaviva is a Colombian logistics company; it optimizes the supply chain through the safe management of processes and tools to ensure the efficiency of logistics operations.\r\nTargeted Email Attack Against Almaviva\r\nRelated Bait Document\r\nThe attacker masquerades as the National Administrative Department of Statistics to launch the attack.\r\nlistado de funcionarios autorizados para censo nacional 2018.doc\r\nFinancial Institution (Banco Agrario)\r\nInformation and Related Email of the Attacked Institution\r\nBanco Agrario is a Colombian state financial institution founded in 1999 to provide banking services in rural sectors.\r\nTargeted Email Attack Against Banco Agrario\r\nRelated Bait Document\r\nThe bait document was spoofed from the Colombian National Cyber Police (caivirtual.policia.gov.co):\r\nReporte fraude desde su dirrecion ip.doc\r\nWheel Manufacturer (IMSA)\r\nInformation and Related Email of the Attacked Corporation\r\nIMSA is a Colombian company and a leader in wheel manufacturing.\r\nTargeted Email Attack Against IMSA\r\nRelated Bait Document\r\nThe mail was disguised as coming from the National Directorate of Taxes and Customs.\r\nDian Embargo Bancario # 609776.doc\r\nBank in Colombia (Banco de Occidente)\r\nInformation and Related Email of the Attacked Bank\r\nBanco de Occidente is one of the largest Colombian banks. It is part of the Grupo Aval conglomerate of financial services in Colombia.\r\nTargeted Email Attack Against Banco de Occidente\r\nRelated Bait Document\r\nThe bait document was spoofed from the Office of the Attorney General (www.fiscalia.gov.co):\r\nCitacion Fiscalia general de la Nacion Proceso 305351T.doc\r\nATH Columbia Division\r\nInformation and Related Email of the Attacked Corporation\r\nATH is a multinational financial institution with a branch in Colombia.\r\nTargeted Email Attack Against ATH Columbia Branch\r\nRelated Bait Document\r\nThe attacker pretends to come from the Office of the Attorney General (www.fiscalia.gov.co):\r\nFiscalia proceso 305351T.doc\r\nSun Chemical Columbia Branch\r\nInformation and Related Email of the Attacked Corporation\r\nSun Chemical is a multinational chemical company focusing on inks, paint, etc. It also has a branch in Colombia.\r\nTargeted Email Attack Against Sun Chemical Columbia Branch\r\nRelated Bait Document\r\nThe bait document was spoofed from Colombia Migration (www.migracioncolombia.gov.co):\r\nProceso Pendiente Migracion Colombia.doc\r\nByington Colombia\r\nInformation and Related Email of the Attacked Corporation\r\nByington Colombia provides business credit management and information solutions. Its business credit information services include business and credit information, commercial collection, and marketing services.\r\nTargeted Email Attack Against Byington\r\nRelated Bait Document\r\nThe document was disguised as originating from the National Directorate of Taxes and Customs:\r\nestado de cuenta.doc\r\nTechnical Details\r\n360 Threat Intelligence Center conducted a detailed analysis of the attack process based on the common attack techniques used by the APT group.\r\nThe Latest Attack\r\nOn February 14, 2019, 360 Threat Intelligence Center again observed attacks by the APT group. We could not find the corresponding mail for the recently captured bait document (MD5: 0c97d7f6a1835a3fe64c1c625ea109ed). However, after investigation we found another similar bait document (MD5: 3de286896c8eb68a21a6dcf7dae8ec97) and the related targeted attack mail (MD5: f2d5cb747110b43558140c700dbf0e5e). The mail was disguised as coming from the Colombian National Civil Registry and attacked the Colombian National Institute for the Blind.\r\nRecently captured bait document, disguised as coming from the Colombian National Civil Registry (MD5: 0c97d7f6a1835a3fe64c1c625ea109ed)\r\nEmail attacking the Colombian National Institute for the Blind\r\nSpoofed Source and Detection Bypass\r\nWhen attacking different targets, the attackers carefully consider how to spoof the source of the message to make it look more credible. For example, they masquerade as the National Civil Registry to attack the Institute for the Blind, pretend to be the Tax and Customs Administration to attack companies engaged in international trade, and disguise themselves as the judiciary and immigration authorities to attack banks and branches of multinational corporations located in Colombia.\r\nThe attacker also carefully constructs the content of the message so that it appears to originate from the forged institution and to relate to the target. The following picture shows the translation of the corresponding mail disguised as originating from the judiciary of Colombia to attack the ATH Colombia branch.\r\nThe email attachment is encrypted and stored in the compressed archive, and the decryption password is provided in the mail body to bypass the security detection of the email gateway.\r\nDecryption password provided in the email\r\nAfter analyzing the mail, we found that the attacker used proxies and VPNs to hide its IP address when sending emails. The sender's real IP has therefore not yet been obtained; we could only determine that these messages were sent through IDCs (Internet data centers) in Florida, USA. Several related IP addresses were identified.\r\nThe Bait Document\r\nAll of the bait documents are MHTML files with an embedded malicious macro and a .doc suffix to bypass detection. Below is an example of a bait document captured by 360 Threat Intelligence Center in February 2019:\r\nFile Name: Registraduria Nacional - Notificacion cancelacion cedula de ciudadania.doc\r\nMD5: 0c97d7f6a1835a3fe64c1c625ea109ed\r\nForged Source: The Colombian National Civil Registry\r\nMHTML macro-based document with the .doc suffix\r\nThe document is disguised as coming from the Colombian National Civil Registry and uses Spanish to prompt the victim to enable the macro code in order to execute the subsequent payload.\r\nWhen the macro code is executed, the Document_Open function is called automatically.\r\nDocument_Open first calls the Main function to download binary data from hxxp://diangovcomuiscia.com/media/a.jpg and save it as %AppData%\\1.exe (MD5: ef9f19525e7862fb71175c0bbfe74247). It then calls the fcL4qOb4 function to create a scheduled task disguised as one used by Google:\r\nAuthor: Google Inc\r\nDescription (after translation): This task stops the Google Telemetry Agent, which examines and uploads information about the use and errors of Google solutions when a user logs in to the system.\r\nTask Action: Launch %AppData%\\1.exe\r\nTask Definition: GoogleUpdate\r\nThe relevant code is shown below:\r\nPayload (Imminent)\r\nFile Name: 1.exe\r\nMD5: ef9f19525e7862fb71175c0bbfe74247\r\nCompiler: .NET\r\nThe dropped backdoor payload (1.exe) is written in C# and obfuscated:\r\nAfter deobfuscation, the \"Imminent Monitor\" string can be seen, which indicates it is related to the Imminent Monitor RAT:\r\nWhen executed, it first extracts the resource named \"application\" and decrypts it into a legitimate lzma.dll library:\r\nIt then extracts the resource named \"_7z\" and decompresses it with lzma.dll to obtain the Imminent Monitor RAT (MD5: 4fd291e3319eb3433d91ee24cc39102e).\r\nCore Component\r\nMD5: 4fd291e3319eb3433d91ee24cc39102e\r\nStatic Analysis\r\nIt is a variant of the Imminent Monitor RAT, obfuscated with ConfuserEx and Eazfuscator.NET:\r\nAfter partially removing the obfuscation, it can be seen that the backdoor supports the following functions:\r\nID | Function\r\nbDfBqxDCINCfwSAfMnZwspLefnc | Host management\r\nChatPacket | User support\r\ncokLfFnjBwgKtzdTpdXSgQIPacR | Registry management\r\nCommandPromptPacket | Remote shell\r\nConnectionSocketPacket | Network transmission channel management\r\nExecutePacket | Upload, download, and execute PE files\r\nFastTransferPacket | Fast transmission\r\nFilePacket | File management\r\nFileThumbnailGallery | Support file thumbnail library\r\nKeyLoggerPacket | Keylogger\r\nMalwareRemovalPacket | Malicious function management\r\nMessageBoxPacket | Chat message\r\nMicrophonePacket | Microphone chat\r\nMouseActionPacket | Mouse action\r\nMouseButtonPacket | Mouse button action\r\nNetworkStatPacket | Host network management\r\nPacketHeader | Packet header information\r\nPasswordRecoveryPacket | Browser password recovery\r\nPluginPacket | Plugin management\r\nProcessPacket | Process management\r\nProxyPacket | Proxy management\r\nRDPPacket | Remote desktop\r\nRegistryPacket | Registry operation\r\nRemoteDesktopPacket | Mark remote desktop package\r\nScriptPacket | Execute script (html, vbs and batch)\r\nSpecialFolderPacket | Windows special folder\r\nStartupPacket | Startup operation\r\nTcpConnectionPacket | TCP refresh and shutdown\r\nThumbnailPacket | Thumbnail related\r\nTransferHeader | Connection operation\r\nWebcamPacket | Webcam related\r\nWindowPacket | Window operations (refresh, maximize, minimize, etc.)\r\nThis is consistent with the descriptions provided on the official website:\r\nDynamic Debugging\r\nThe core component checks whether it is located in the %temp%\\[appname] directory; otherwise it copies itself to %temp%\\[appname]\\[appname] and sets the file attribute to hidden.\r\nIt then launches the copied file:\r\nFinally, it deletes the original file and exits the process:\r\nWhen the copied file is executed, it creates the Imminent directory under %AppData% to save the encrypted log, network information and system information. These files are uploaded to the C2 when the corresponding command is received.\r\nC2: mentes.publicvm.com:4050\r\nTTPs (Tactics, Techniques, and Procedures)\r\n360 Threat Intelligence Center summarized the TTPs of the APT group as follows:\r\nAttack Target: Colombian government agencies, large domestic corporations, and Colombian branches of multinational corporations\r\nEarliest Activity: April 2018\r\nRisk: Remote control of computer devices and data exfiltration\r\nAttack Approach: Email\r\nInitial Payload: MHTML macro-based document with the .doc suffix\r\nMalicious Code: Imminent backdoor\r\nCommunication: Dynamic domain name\r\nAnti-detection Capability: Medium\r\nAffected Platform: Windows\r\nAttack Tactics:\r\n1. Compromise a Spanish-language website or register a privacy-protected domain to host the payload for delivery;\r\n2. Spear-phishing email with a password-protected attachment and an MHTML macro-based document to bypass detection;\r\n3. Disguise as national agencies in Colombia to attack Colombia's government, financial institutions, large domestic companies or Colombian branches of multinational corporations;\r\n4. Use the commercial Trojan Imminent to remotely control the target.\r\nAttribution\r\nAfter analyzing the last modified time of the encrypted documents, the character set (locale) of the MHTML files, and elements such as the geopolitics of APT attacks, 360 Threat Intelligence Center suspects the attackers are in the UTC -4 time zone (or adjacent ones).\r\nThe Reliable Last Modified Time\r\nSince RAR stores the modified time of each file, the timestamp of the document obtained after decryption is reliable. Taking the password-protected RAR archive (Registraduria Nacional del Estado Civil -Proceso inicado.rar) as an example, the time after decryption is the same as the one on the left in the MHTML metadata (the last modified time on the right side needs to be reduced by 8 hours since we are in the UTC +8 time zone).\r\nBy comparing the last modified time of each RAR archive with the one in the metadata, we are confident that the time is not spoofed, so it makes sense to compute statistics over all the captured bait documents.\r\nStatistics of the Last Modified Time\r\nAll of the last modified times (UTC+00) of the captured bait documents are listed below:\r\n00:32, 01:15, 01:15, 01:17, 01:35, 01:59, 02:57, 03:28, 04:40, 04:55, 05:17, 12:27, 12:49, 12:50, 13:38, 13:42, 13:49, 14:21, 14:22, 15:19, 15:26, 15:30, 15:56, 17:22, 17:58, 18:31, 20:53, 21:31, 23:30\r\nFrom the above we can see that no timestamp falls between 05:30 and 12:30, which are presumably sleeping hours. Combined with the fact that most of the activity is between 13:00 and 2:00, we suspect the attackers are in the UTC -4 time zone (or adjacent ones).\r\nPE Timestamp\r\nWe also collected statistics on the timestamps of the dumped PE samples and found that they are close to those of the bait documents:\r\nLast Modified Time of Bait Document | Timestamp in PE Dump\r\n2019/2/11 17:58 | 2019/2/14 3:28\r\n2018/12/3 15:30 | 2018/12/3 23:26\r\n2018/11/26 18:31 | 2018/10/17 22:29\r\n2018/11/15 12:49 | 2018/10/17 22:29\r\n2018/11/8 14:21 | 2018/10/17 22:29\r\n2018/10/26 13:49 | 2018/10/17 22:29\r\n2018/10/22 17:22 | 2018/10/17 22:29\r\n2018/10/12 15:56 | 2018/10/17 22:29\r\n2018/10/4 5:17 | \r\n2018/9/13 13:42 | 2018/8/27 22:08\r\n2018/9/9 0:32 | \r\n2018/9/2 20:53 | 2018/8/27 22:08\r\n2018/8/27 15:19 | 2018/8/27 22:08\r\n2018/8/6 1:35 | 2018/8/1 11:25\r\n2018/8/1 2:57 | 2018/8/1 11:25\r\n2018/7/31 1:59 | 2018/8/1 11:25\r\n2018/7/30 1:17 | 2018/8/1 11:25\r\n2018/7/26 3:28 | 2018/8/27 22:08\r\n2018/7/10 4:55 | 2018/7/11 11:47\r\n2018/6/19 21:31 | \r\n2018/6/14 1:15 | \r\n2018/6/14 1:15 | \r\n2018/5/29 13:38 | \r\n2018/5/18 14:22 | 2018/5/22 20:11\r\n2018/4/28 12:27 | 2018/5/22 20:11\r\n2018/4/25 23:30 | 2018/5/22 20:11\r\n2018/4/24 12:50 | \r\n2018/4/17 15:26 | 2018/5/22 20:11\r\n2018/4/6 4:40 | \r\nLanguage and Charset\r\nWe also collected statistics on the language and charset of the bait documents (MHTML) and found that they were created in a Western European language environment (Spanish, etc.).\r\nCharset: windows-1252\r\nSome of the author information is also in Spanish:\r\nCentro de Servicios Judiciales\r\nAttacker Profile\r\nBased on the attacker's time zone, the language used, and the geopolitical factors of the APT attack, we arrive at the following findings:\r\n1. The time zone (UTC -4) corresponds to countries in South America.\r\n2. Most countries in South America use Spanish (except Brazil), which matches the attacker's locale and the user names in the bait documents.\r\n3. The APT attack could well be carried out from a neighboring country.\r\n4. The background of the victims and the duration of the attack indicate that the attacker has maintained a long-term interest in strategic-level intelligence.\r\nIn summary, 360 Threat Intelligence Center suspects that the APT group probably comes from a South American country and has government support.\r\nIOC\r\nBait Document MD5s and File Names\r\nPayload MD5s\r\nMalicious Domains\r\nMalicious URLs\r\nRAR Archive MD5s and Passwords\r\nSource: https://web.archive.org/web/20190625182633if_/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://web.archive.org/web/20190625182633if_/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/"
	],
	"report_names": [
		"apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en"
	],
	"threat_actors": [
		{
			"id": "98b22fd7-bf1b-41a6-b51c-0e33a0ffd813",
			"created_at": "2022-10-25T15:50:23.688973Z",
			"updated_at": "2026-04-10T02:00:05.390055Z",
			"deleted_at": null,
			"main_name": "APT-C-36",
			"aliases": [
				"APT-C-36",
				"Blind Eagle"
			],
			"source_name": "MITRE:APT-C-36",
			"tools": [
				"Imminent Monitor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "be597b07-0cde-47bc-80c3-790a8df34af4",
			"created_at": "2022-10-25T16:07:23.407484Z",
			"updated_at": "2026-04-10T02:00:04.58656Z",
			"deleted_at": null,
			"main_name": "Blind Eagle",
			"aliases": [
				"APT-C-36",
				"APT-Q-98",
				"AguilaCiega",
				"G0099"
			],
			"source_name": "ETDA:Blind Eagle",
			"tools": [
				"AsyncRAT",
				"BitRAT",
				"Bladabindi",
				"BlotchyQuasar",
				"Imminent Monitor",
				"Imminent Monitor RAT",
				"Jorik",
				"LimeRAT",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Socmer",
				"Warzone",
				"Warzone RAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bd43391b-b835-4cb3-839a-d830aa1a3410",
			"created_at": "2023-01-06T13:46:38.925525Z",
			"updated_at": "2026-04-10T02:00:03.147197Z",
			"deleted_at": null,
			"main_name": "APT-C-36",
			"aliases": [
				"Blind Eagle"
			],
			"source_name": "MISPGALAXY:APT-C-36",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434117,
	"ts_updated_at": 1775792120,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c1030d1d6faff27debe60ba517e4fa2ff1205304.pdf",
		"text": "https://archive.orkl.eu/c1030d1d6faff27debe60ba517e4fa2ff1205304.txt",
		"img": "https://archive.orkl.eu/c1030d1d6faff27debe60ba517e4fa2ff1205304.jpg"
	}
}