{
	"id": "2c3e391b-b829-4888-9ac3-4a6360e8a59d",
	"created_at": "2026-04-06T00:10:53.728728Z",
	"updated_at": "2026-04-10T03:35:20.325436Z",
	"deleted_at": null,
	"sha1_hash": "db2baf6566aa0fe534fe739d34a599e4742411ff",
	"title": "Operation Spalax: Targeted malware attacks in Colombia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1564206,
	"plain_text": "Operation Spalax: Targeted malware attacks in Colombia\r\nBy Matías Porolli\r\nArchived: 2026-04-02 10:44:33 UTC\r\nIn 2020 ESET saw several attacks targeting Colombian entities exclusively. These attacks are still ongoing at the time of\r\nwriting and are focused on both government institutions and private companies. For the latter, the most targeted sectors are\r\nenergy and metallurgical. The attackers rely on the use of remote access trojans, most likely to spy on their victims. They\r\nhave a large network infrastructure for command and control: ESET observed at least 24 different IP addresses in use in the\r\nsecond half of 2020. These are probably compromised devices that act as proxies for their C\u0026C servers. This, combined\r\nwith the use of dynamic DNS services, means that their infrastructure never stays still. We have seen at least 70 domain\r\nnames active in this timeframe and they register new ones on a regular basis.\r\nThe attackers\r\nThe attacks we saw in 2020 share some TTPs with previous reports about groups targeting Colombia, but also differ in many\r\nways, thus making attribution difficult.\r\nOne of those reports was published in February 2019, by QiAnXin researchers. The operations described in that blogpost are\r\nconnected to an APT group active since at least April 2018. We have found some similarities between those attacks and the\r\nones that we describe in this article:\r\nWe saw a malicious sample included in IoCs of QiAnXin's report and a sample from the new campaign in the same\r\ngovernment organization. These files have fewer than a dozen sightings each.\r\nSome of the phishing emails from the current campaign were sent from IP addresses corresponding to a range that\r\nbelongs to Powerhouse Management, a VPN service. 
The same IP address range was used for emails sent in the\r\nearlier campaign.\r\nThe phishing emails have similar topics and pretend to come from some of the same entities - for example, the Office\r\nof the Attorney General (Fiscalia General de la Nacion) or the National Directorate of Taxes and Customs (DIAN).\r\nSome of the C\u0026C servers in Operation Spalax use linkpc.net and publicvm.com subdomains, along with IP addresses\r\nthat belong to Powerhouse Management. This also happened in the earlier campaign.\r\nHowever, there are differences in the attachments used for phishing emails, the remote access trojans (RATs) used and in\r\nmost of the operator’s C\u0026C infrastructure.\r\nThere is also this report from Trend Micro, from July 2019. There are similarities between the phishing emails and parts of\r\nthe network infrastructure in that campaign and the one we describe here. The attacks described in that article were\r\nconnected to cybercrime, not espionage. While we have not seen any payload delivered by the attackers other than RATs,\r\nsome of the targets in the current campaign (such as a lottery agency) don’t make much sense for spying activities.\r\nThese threat actors show perfect usage of the Spanish language in the emails they send, they only target Colombian entities,\r\nand they use premade malware and don’t develop any themselves.\r\nAttack overview\r\nTargets are approached with emails that lead to the download of malicious files. In most cases, these emails have a PDF\r\ndocument attached, which contains a link that the user must click to download the malware. The downloaded files are\r\nhttps://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/\r\nPage 1 of 19\n\nregular RAR archives that have an executable file inside. These archives are hosted in legitimate file hosting services such\r\nas OneDrive or MediaFire. 
The target has to manually extract the file and execute it for the malware to run.\r\nWe’ve found a variety of packers used for these executables, but their purpose is always to have a remote access trojan\r\nrunning on the victimized computer, usually by decrypting the payload and injecting it into legitimate processes. An\r\noverview of a typical attack is shown in Figure 1. We have seen the attackers use three different RATs: Remcos, njRAT and\r\nAsyncRAT.\r\nFigure 1. Overview of the attack\r\nPhishing emails\r\nThe attackers use various topics for their emails, but in most cases they are not specially crafted for their victims. On the\r\ncontrary, most of these emails have generic topics that could be reused for different targets.\r\nWe found phishing emails with these topics:\r\nA notification about a driving infraction\r\nA notification to take a mandatory COVID-19 test\r\nA notification to attend a court hearing\r\nAn open investigation against the recipient for misuse of public funds\r\nA notification of an embargo of bank accounts\r\nThe email shown in Figure 2 pretends to be a notification about a driving infraction for a value of around US$250. There is a\r\nPDF file attached that promises a photo of the infraction, as well as information about time and place of the incident. The\r\nsender has been spoofed to make the email look like it is coming from SIMIT (a system for paying transit violations in\r\nColombia).\r\nFigure 2. Example of a phishing email\r\nThe PDF file only contains an external link that has been shortened with the acortaurl service, as shown in Figure 3. 
The\r\nshortened URL is: https://acortaurl[.]com/httpsbogotagovcohttpsbogotagovcohttpsbogotagovco.\r\nAfter the shortened link is expanded, a RAR archive is downloaded from:\r\nhttp://www.mediafire[.]com/file/wbqg7dt604uwgza/SIMITcomparendoenlineasimitnumeroreferenciaComparendo2475569.uue/fil\r\nFigure 3. PDF attached to phishing email\r\nFigure 4 shows part of the email’s header. The spoofed sender is notificacionesmultas@simit.org[.]co, but we can see that the\r\nreal sender is IP address 128.90.108[.]177, which is connected with the domain name julian.linkpc[.]net, as found in historic\r\nDNS data. It’s not a coincidence that the same domain name is used for contacting the C\u0026C server in the malicious sample\r\ncontained in the RAR archive. This IP address belongs to Powerhouse Management, a VPN service provider.\r\nFigure 4. Header of a phishing email\r\nIn more recent emails, the shortened link in the PDF file resolves to https://bogota.gov[.]co (a legitimate site) when visited\r\nfrom outside of Colombia.\r\nAlso, in some cases the GetResponse service has been used to send the email. This is probably done to track whether the\r\nvictim has clicked on the link. In these cases there is no attachment: a link to the GetResponse platform leads to the\r\ndownload of malware.\r\nYou can see the other emails in the following gallery:\r\nFigures 5 to 13. Various phishing emails and their attached files\r\nMalicious artifacts\r\nDroppers\r\nThe executable files contained in compressed archives that are downloaded via the phishing emails are responsible for\r\ndecrypting and running remote access trojans on a victimized computer. 
In the following sections, we describe the various\r\ndroppers we have seen.\r\nNSIS installers\r\nThe dropper that is most commonly used by these attackers comes as a file that was compiled with NSIS (Nullsoft\r\nScriptable Install System). To try to evade detection, this installer contains several benign files that are written to disk (they\r\nare not part of NSIS binaries and they are not used at all by the installer) and two files that are malicious: an encrypted RAT\r\nexecutable and a DLL file that decrypts and runs the trojan. An NSIS script for one of these installers is shown in Figure 14.\r\nThe benign files usually differ between the droppers used by the attackers.\r\nFigure 14. NSIS script for one of the droppers; the malicious files are highlighted\r\nThe files Bonehead (encrypted RAT) and ShoonCataclysm.dll (dropper DLL) are written to the same folder and the DLL is\r\nrun with rundll32.exe using Uboats as its argument. The names of these files change between executables. Some more\r\nexamples are:\r\nrundll32.exe Blackface,Breathing\r\nrundll32.exe OximeLied,Hostage\r\nrundll32.exe Conservatory,Piggins\r\nWe used the names of the benign files contained in some of these NSIS installers to find more malicious installers used by the\r\nSpalax operators. Table 1 lists details of three different NSIS installers used by the attackers that all contained the same\r\nbenign files. The only difference among them was the encrypted file, which pointed to different C\u0026C servers.\r\nTable 1. 
NSIS installers with identical benign files used by this group\r\nSHA-1 C\u0026C\r\n6E81343018136B271D1F95DB536CA6B2FD1DFCD6 marzoorganigrama20202020.duckdns[.]org\r\n7EDB738018E0E91C257A6FC94BDBA50DAF899F90 ruthy.qdp6fj1uji[.]xyz\r\n812A407516F9712C80B70A14D6CDF282C88938C1 dominoduck2098.duckdns[.]org\r\nHowever, we also found malicious NSIS installers used by other unrelated groups that had the same benign files as the ones\r\nused by this group. Figure 15 lists the files contained in two different NSIS installers. The one on the left (SHA-1:\r\n3AC39B5944019244E7E33999A2816304558FB1E8) is an executable used by this group and the one on the right (SHA-1:\r\n6758741212F7AA2B77C42B2A2DE377D97154F860) is unrelated. The SHA-1 hashes for all the benign files are the same\r\n(and also the filenames) and even the malicious DLL is the same. However, the encrypted file Bonehead is different.\r\nFigure 15. Files contained in NSIS droppers from unrelated campaigns\r\nThis means that these installers were generated with the same builder, but by different actors. The builder is probably offered\r\nin underground forums and includes these benign files. This, along with a complete analysis of the dropper, was described\r\nearlier this year by Sophos in their RATicate article. There is also an article by Lab52 describing one of the NSIS installers\r\nused in Operation Spalax, which they attribute to APT-C-36.\r\nIn the vast majority of cases these NSIS droppers decrypt and run the Remcos RAT, but we have also seen cases where the\r\npayload is njRAT. These will be described later in the Payloads section.\r\nAgent Tesla packers\r\nWe have seen several droppers that are different variants of a packer that uses steganography and is known to be used in\r\nAgent Tesla samples. Interestingly, the attackers use various payloads, but none of them are Agent Tesla. 
Even though there\r\nare differences in all the samples regarding the layers of encryption, obfuscation or anti-analysis used, we can summarize the\r\nactions taken by the droppers as follows:\r\nThe dropper reads a string (or binary data) from its resource section and decrypts it. The result is a DLL that will be\r\nloaded and called in the same address space.\r\nThe DLL reads pixels from an image contained in the first binary and decrypts another executable. This one is loaded\r\nand executed in the same address space.\r\nThis new executable is packed with CyaX. It reads data from its own resource section and decrypts a payload. There\r\nare anti-analysis checks; if they pass, the payload can be injected into a new process or loaded in the same process\r\nspace.\r\nThe initial dropper is coded in C#. In all the samples that we have seen, the code for the dropper was hidden in non-malicious code, probably copied from other apps. The benign code is not executed; it’s there to evade detection.\r\nIn Figure 16 we see an example of the resources contained in one of these droppers. The text in green (only shown partially)\r\nis a string that will be decrypted to generate the next stage to be executed, and the image that we see below the green text\r\nwill be decrypted by the second-stage malware. The algorithm used for decryption of the string varies from sample to\r\nsample, but sometimes the resource is just an unencrypted binary.\r\nFigure 16. Resources contained in Agent Tesla's packer\r\nThe method to be executed in the DLL is always named StartGame or StartUpdate. It reads the image from the first\r\nexecutable, and stores every pixel as three numbers according to its red, green and blue components. Then it decrypts the\r\narray by doing a single-byte XOR operation, cycling through the key. After that, the array is gzip-decompressed and\r\nexecuted. 
Part of the code for the mentioned operations is shown in Figure 17.\r\nFigure 17. Code to decrypt and run the third-stage malware\r\nThe third stage is in charge of decrypting and running the payload. The .NET packer known as CyaX is used to perform this\r\ntask. The version of the packer used by the attackers is v4, although they used v2 in some cases. Figure 18 shows the\r\nhardcoded configuration for one of their samples.\r\nFigure 18. Hardcoded configuration in CyaX-Sharp packer\r\nThe decryption of the payload is based on XOR operations and is the same as the algorithm previously shown but with an\r\nextra step: the payload is XORed with its first 16 bytes as a key. Once it’s decrypted, it can be run in the same address space\r\nor injected into a different process, depending on the configuration.\r\nThis packer supports various anti-analysis operations such as disabling Windows Defender, checking for security products,\r\nand detecting virtual environments and sandboxes.\r\nThe majority of the payloads for these droppers are njRAT, but we have also seen AsyncRAT. We saw Remcos in one of\r\nthese droppers, but the code in the packer was different. Part of the main routine for the injection of the payload is shown in\r\nFigure 19.\r\nFigure 19. Code for the last stage of a dropper\r\nWe have noticed that the configuration is contained in different variables. Values like #startup_method# or #bind# mean that\r\nthe configuration was not set for those options. The payload is read from an encrypted resource and XORed with a\r\nhardcoded password. 
The shellcode that performs the injection is contained in an array and is dynamically loaded. There are\r\nno anti-analysis checks or protection mechanisms.\r\nAutoIt droppers\r\nFor some of their droppers, the attackers have used an AutoIt packer that comes heavily obfuscated. Unlike the cases that\r\nwere previously described, in this case the first-stage malware performs the injection and execution of the payload. It does\r\nso by using two shellcodes contained in the compiled AutoIt script: one to decrypt the payload and another to inject it into\r\nsome process.\r\nThe payload is constructed by concatenating several strings, as shown in Figure 20. By inspecting the last two characters, we\r\ncan see that the string is in reverse order.\r\nFigure 20. Concatenation of the payload\r\nThe routine that decrypts the payload contains a small shellcode that is loaded with VirtualAlloc and executed. The\r\ndecryption done by the shellcode is based on a single-byte XOR algorithm. The code that loads the shellcode is shown in\r\nFigure 21.\r\nFigure 21. Execution of shellcode to decrypt the payload\r\nWe can see that the shellcode is stored encrypted. In fact, before deobfuscating the script, all strings were encrypted with this\r\nsame XOR-based algorithm. The decryption routine used is shown in Figure 22.\r\nFigure 22. Routine to decrypt strings\r\nOnce the payload is decrypted, a shellcode with RunPE code is used to perform the injection. 
The shellcode is concatenated\r\nin the same manner as the payload and executed like the previous shellcode.\r\nTo achieve persistence, a VBS script is created to execute a copy of the dropper (which is renamed to aadauthhelper.exe).\r\nThen an Internet Shortcut (.url) file is created in the Startup folder to execute the script. The code that generates these files is\r\nshown in Figure 23.\r\nFigure 23. Code for persistence in AutoIt droppers\r\nThe dropper contains code that is not executed. It can:\r\nCheck for VMware and VirtualBox\r\nDelete the dropper executable\r\nRun the dropper continuously\r\nDownload and execute files\r\nTerminate if a “Program Manager” window is found\r\nRead a binary from its resource section, write it to disk and execute it\r\nModify the security descriptor (ACL) for the injected process\r\nFor more information, see this analysis by Morphisec where similar AutoIt droppers were used with Frenchy shellcode.\r\nPayloads\r\nThe payloads used in Operation Spalax are remote access trojans. These provide several capabilities not only for remote\r\ncontrol, but also for spying on targets: keylogging, screen capture, clipboard hijacking, exfiltration of files, and the ability to\r\ndownload and execute other malware, to name a few.\r\nThese RATs were not developed by the attackers. They are:\r\nRemcos, sold online\r\nnjRAT, leaked in underground forums\r\nAsyncRAT, open source\r\nThere is not a one-to-one relationship between droppers and payloads, as we have seen different types of droppers running\r\nthe same payload and also a single type of dropper connected to different payloads. However, we can state that NSIS\r\ndroppers mostly drop Remcos, while Agent Tesla and AutoIt packers typically drop njRAT.\r\nRemcos is a tool for remote control and surveillance. 
It can be purchased with a six-month license that includes updates and\r\nsupport. There is also a free version with limited functionalities. While the tool can be used for legitimate purposes, it is also\r\nused by criminals to spy on their victims.\r\nMost of the Remcos samples used by this group are v2.5.0 Pro, but we have also seen all versions that were released since\r\nSeptember 2019, which may indicate that the attackers bought a license after that month and have been actively using the\r\ndifferent updates that they received during their six-month license period.\r\nRegarding njRAT, this group mostly uses v0.7.3 (also known as the Lime version). That version includes functionalities such\r\nas DDoS or ransomware encryption, but only spy features such as keylogging are used by the attackers. For a more complete\r\ndescription of this version, refer to this 2018 article by Zscaler.\r\nAnother njRAT version used by the attackers is v0.7d (the “green edition”), which is a simpler version focused on spying\r\ncapabilities: keylogging, taking screenshots, access to webcam and microphone, uploading and downloading files, and\r\nexecuting other binaries.\r\nThe final type of payload that we will mention is AsyncRAT. In all cases we have observed, v0.5.7B, which can be found on\r\nGitHub, has been used. The functionalities in this RAT are similar to those in the previously mentioned RATs, which allow\r\nattackers to spy on their victims.\r\nNetwork infrastructure\r\nDuring our research we saw approximately 70 different domain names used for C\u0026C in the second half of 2020. This\r\namounts to at least 24 IP addresses. By pivoting on passive DNS data for IP addresses and known domain names, we found\r\nthat the attackers have used at least 160 additional domain names since 2019. 
This corresponds to at least 40 further IP\r\naddresses.\r\nThey’ve managed to operate at such scale by using Dynamic DNS services. This means that they have a pool of domain\r\nnames (and also register new ones on a regular basis) that are dynamically assigned to IP addresses. This way a domain\r\nname can be related to several IP addresses over a period of time and IP addresses can be related to many domain names.\r\nMost of the domain names we have seen were registered with Duck DNS, but they have also used DNS Exit for\r\npublicvm.com and linkpc.net subdomains.\r\nRegarding IP addresses, almost all of them are in Colombia. Most are IP addresses related to Colombian ISPs: 60% of them\r\nare Telmex and 30% EPM Telecomunicaciones (Tigo). As it is highly unlikely that the criminals own so many residential IP\r\naddresses, it is possible that they use some victims as proxies, or some vulnerable devices to forward communication to their\r\nreal C\u0026C servers.\r\nFinally, a subset of the IP addresses belongs to Powerhouse Management, a VPN service provider. They are used in\r\nconjunction with DNS Exit subdomains. Similar findings can be found in this analysis by Lab52.\r\nConclusion\r\nTargeted malware attacks against Colombian entities have been scaled up since the campaigns that were described last year.\r\nThe landscape has changed from a campaign that had a handful of C\u0026C servers and domain names to a campaign with very\r\nlarge and fast-changing infrastructure with hundreds of domain names used since 2019. Even though TTPs have seen\r\nchanges, not only in how malware is delivered in phishing emails but also in the RATs used, one aspect that remains the\r\nsame is that the attacks are still targeted and focused on Colombian entities, both in the public and private sectors. 
It should\r\nbe expected that these attacks will continue in the region for a long time, so we will keep monitoring these activities.\r\nA comprehensive list of Indicators of Compromise (IoCs) and samples can be found in our GitHub repository.\r\nFor any inquiries, or to make sample submissions related to the subject, contact us at threatintel@eset.com.\r\nMITRE ATT\u0026CK techniques\r\nNote: This table was built using version 7 of the MITRE ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nInitial Access | T1566.001 | Phishing: Spearphishing Attachment | The attackers have used emails with PDF or RTF files attached that contain a link to download malware.\r\nInitial Access | T1566.002 | Phishing: Spearphishing Link | The attackers have used emails with a link to download malware.\r\nExecution | T1059.005 | Command and Scripting Interpreter: Visual Basic | The attackers have used droppers that dump VBS files with commands to achieve persistence.\r\nExecution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | The attackers have used RATs that can launch a command shell for executing commands.\r\nExecution | T1106 | Native API | The attackers have used API calls in their droppers, such as CreateProcessA, WriteProcessMemory and ResumeThread, to load and execute shellcode in memory.\r\nExecution | T1204.001 | User Execution: Malicious Link | The attackers have attempted to get users to open a malicious link that leads to the download of malware.\r\nExecution | T1204.002 | User Execution: Malicious File | The attackers have attempted to get users to execute malicious files masquerading as documents.\r\nPersistence | T1547.001 | Boot or Logon Initialization Scripts: Registry Run Keys / Startup Folder | The attackers have used RATs that persist by creating a Run registry key or by creating a copy of the malware in the Startup folder.\r\nPersistence | T1053.005 | Scheduled Task/Job: Scheduled Task | The attackers have used scheduled tasks in their droppers and payloads to achieve persistence.\r\nPrivilege Escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Access Control | The attackers have used RATs that implement UAC bypassing.\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | The attackers have used various encryption algorithms in their droppers to hide strings and payloads.\r\nDefense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | The attackers have used CyaX packer, which can disable Windows Defender.\r\nDefense Evasion | T1070.004 | Indicator Removal on Host: File Deletion | The attackers have used malware that deletes itself from the system.\r\nDefense Evasion | T1112 | Modify Registry | The attackers have used RATs that allow full access to the Registry, for example to clear traces of their activities.\r\nDefense Evasion | T1027.002 | Obfuscated Files or Information: Software Packing | The attackers have used various layers of packers for obfuscating their droppers.\r\nDefense Evasion | T1027.003 | Obfuscated Files or Information: Steganography | The attackers have used packers that read pixel data from images contained in PE files’ resource sections and build the next layer of execution from the data.\r\nDefense Evasion | T1055.002 | Process Injection: Portable Executable Injection | The attackers have used droppers that inject the payload into legitimate processes such as RegAsm.exe, MSBuild.exe and more.\r\nDefense Evasion | T1497.001 | Virtualization/Sandbox Evasion: System Checks | The attackers have used droppers and payloads that perform anti-analysis checks to detect virtual environments and analysis tools.\r\nCredential Access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | The attackers have used various RATs with modules that steal passwords saved in victim web browsers.\r\nDiscovery | T1010 | Application Window Discovery | The attackers have used droppers and RATs that gather information about opened windows.\r\nDiscovery | T1083 | File and Directory Discovery | The attackers have used various RATs that can browse file systems.\r\nDiscovery | T1120 | Peripheral Device Discovery | The attackers have used njRAT, which attempts to detect if the victim system has a camera during the initial infection.\r\nDiscovery | T1057 | Process Discovery | The attackers have used various RATs with modules that show running processes.\r\nDiscovery | T1012 | Query Registry | The attackers have used various RATs that can read the Registry.\r\nDiscovery | T1018 | Remote System Discovery | The attackers have used njRAT, which can identify remote hosts on connected networks.\r\nDiscovery | T1518.001 | Software Discovery: Security Software Discovery | The attackers have used droppers that check for security software present in a victim’s computer.\r\nDiscovery | T1082 | System Information Discovery | The attackers have used various RATs that gather system information such as computer name and operating system during the initial infection.\r\nDiscovery | T1016 | System Network Configuration Discovery | The attackers have used various RATs that can collect the IP address of the victim machine.\r\nDiscovery | T1049 | System Network Connections Discovery | The attackers have used various RATs that can list network connections on a victim’s computer.\r\nDiscovery | T1033 | System Owner/User Discovery | The attackers have used various RATs that retrieve the current username during initial infection.\r\nDiscovery | T1007 | System Service Discovery | The attackers have used various RATs that have modules to manage services on the system.\r\nLateral Movement | T1021.001 | Remote Services: Remote Desktop Protocol | The attackers have used various RATs that can perform remote desktop access.\r\nLateral Movement | T1091 | Replication Through Removable Media | The attackers have used njRAT, which can be configured to spread via removable drives.\r\nCollection | T1123 | Audio Capture | The attackers have used various RATs that can capture audio from the system’s microphone.\r\nCollection | T1115 | Clipboard Data | The attackers have used various RATs that can access and modify data from the clipboard.\r\nCollection | T1005 | Data from Local System | The attackers have used various RATs that can access the local file system and upload, download or delete files.\r\nCollection | T1056.001 | Input Capture: Keylogging | The attackers have used various RATs that have keylogging capabilities.\r\nCollection | T1113 | Screen Capture | The attackers have used various RATs that can capture screenshots of victim machines.\r\nCollection | T1125 | Video Capture | The attackers have used various RATs that can access the victim’s webcam.\r\nCommand and Control | T1132.001 | Data Encoding: Standard Encoding | The attackers have used njRAT, which uses base64 encoding for C\u0026C traffic.\r\nCommand and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | The attackers have used Remcos RAT, which uses RC4 for encrypting C\u0026C communications.\r\nCommand and Control | T1095 | Non-Application Layer Protocol | The attackers have used various RATs that use TCP for C\u0026C communications.\r\nCommand and Control | T1571 | Non-Standard Port | The attackers have used various RATs that communicate over different port numbers.\r\nExfiltration | T1041 | Exfiltration Over C2 Channel | The attackers have used various RATs that exfiltrate data over the same channel used for C\u0026C.\r\nSource: https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/"
	],
	"report_names": [
		"operation-spalax-targeted-malware-attacks-colombia"
	],
	"threat_actors": [
		{
			"id": "98b22fd7-bf1b-41a6-b51c-0e33a0ffd813",
			"created_at": "2022-10-25T15:50:23.688973Z",
			"updated_at": "2026-04-10T02:00:05.390055Z",
			"deleted_at": null,
			"main_name": "APT-C-36",
			"aliases": [
				"APT-C-36",
				"Blind Eagle"
			],
			"source_name": "MITRE:APT-C-36",
			"tools": [
				"Imminent Monitor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "64d750e4-67db-4461-bae2-6e75bfced852",
			"created_at": "2022-10-25T16:07:24.01415Z",
			"updated_at": "2026-04-10T02:00:04.839502Z",
			"deleted_at": null,
			"main_name": "Operation Spalax",
			"aliases": [],
			"source_name": "ETDA:Operation Spalax",
			"tools": [
				"AsyncRAT",
				"Bladabindi",
				"Jorik",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Socmer",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0d07b30c-4393-4071-82fb-22f51f7749e0",
			"created_at": "2022-10-25T16:07:24.097096Z",
			"updated_at": "2026-04-10T02:00:04.865146Z",
			"deleted_at": null,
			"main_name": "RATicate",
			"aliases": [],
			"source_name": "ETDA:RATicate",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"BetaBot",
				"BlackRAT",
				"BlackRemote",
				"Bladabindi",
				"CloudEyE",
				"ForeIT",
				"Formbook",
				"GuLoader",
				"Jorik",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"NSIS",
				"Negasteal",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Neurevt",
				"Nullsoft Scriptable Install System",
				"Origin Logger",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Socmer",
				"ZPAQ",
				"njRAT",
				"vbdropper",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "be597b07-0cde-47bc-80c3-790a8df34af4",
			"created_at": "2022-10-25T16:07:23.407484Z",
			"updated_at": "2026-04-10T02:00:04.58656Z",
			"deleted_at": null,
			"main_name": "Blind Eagle",
			"aliases": [
				"APT-C-36",
				"APT-Q-98",
				"AguilaCiega",
				"G0099"
			],
			"source_name": "ETDA:Blind Eagle",
			"tools": [
				"AsyncRAT",
				"BitRAT",
				"Bladabindi",
				"BlotchyQuasar",
				"Imminent Monitor",
				"Imminent Monitor RAT",
				"Jorik",
				"LimeRAT",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Socmer",
				"Warzone",
				"Warzone RAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bd43391b-b835-4cb3-839a-d830aa1a3410",
			"created_at": "2023-01-06T13:46:38.925525Z",
			"updated_at": "2026-04-10T02:00:03.147197Z",
			"deleted_at": null,
			"main_name": "APT-C-36",
			"aliases": [
				"Blind Eagle"
			],
			"source_name": "MISPGALAXY:APT-C-36",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434253,
	"ts_updated_at": 1775792120,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/db2baf6566aa0fe534fe739d34a599e4742411ff.pdf",
		"text": "https://archive.orkl.eu/db2baf6566aa0fe534fe739d34a599e4742411ff.txt",
		"img": "https://archive.orkl.eu/db2baf6566aa0fe534fe739d34a599e4742411ff.jpg"
	}
}