THREATOPS Actor Dossier
LIVE ← Dashboard

APT-C-36

G00992 reports
aliases · APT-C-36 · Blind Eagle · TAG-144 · AguilaCiega · APT-Q-98
Export dossier:
2
Reports
8
Techniques
5
Tactics
8
Countries
62%
Hunt coverage
5
Aliases

Analyst assessment — key judgments

  • Signature techniques: T1059.007 (JavaScript), T1588.006 (Vulnerabilities), T1204 (User Execution).
  • Primary targeting: SE, CN, RU, IR.
  • Resurgent after a quiet period: 1 report(s) in last 30d vs 0 prior (+100%).
  • Recent movement: 1 new technique(s), 1 new infrastructure indicator(s) in the last 30 days.
  • Hunt coverage 62% of 8 observed techniques (3 gap(s)).
  • Assessment confidence: medium (60).

Activity & trend

ResurgentLast 30d: 1 vs 0 prior (+100%)· first reported 2025-11-10 · last 2026-06-25
0
7d
1
30d
1
90d
2
All
0.1
Rpts/wk
Reporting timeline · 12 months

Movement — last 30 days

New techniques
T1590.005
Dropped (90d+)
T1059.007T1588.006T1204T1059.001T1204.003T1027.003T1001.002
Targeting gained
CNIRKPRUSE
New infrastructure
https://hdsr.mitpress.mit.edu/pub/3rvlzj

Vulnerabilities in this actor's reporting · 2

Overview

Analyst triage
Intelligence summary

APT-C-36 is a suspected South American threat group that has engaged in espionage and financially motivated operations since at least 2018. APT-C-36 has targeted government institutions and entities in the financial, energy, and professional manufacturing sectors across Colombia and other Latin American countries.(Citation: QiAnXin APT-C-36 Feb2019)(Citation: Kaspersky BlindEagle AUG 2024)(Citation: Check Point Blind Eagle MAR 2025)(Citation: Recorded Future TAG-144 AUG 2025)

Top co-occurring indicators
    Aliases & naming
      Targeting · countries
        Targeting · named victims

          ATT&CK technique matrix

          Coverage vs hunt library:
          Hunt-coverage gaps — prioritized

            Top techniques by observation

            Threat catalogue · engineering roadmap0

            Flagged detection-engineering queue

            Uncovered techniques you flagged for hunt / detection build-out, aggregated across every actor you visit. Stored locally in your browser.

              No techniques queued yet — flag a gap above to add it here.

              Infrastructure

              IOC type mix
              Tooling / malware families
                Tracked infrastructure

                Relationships

                Related actors (behavioral cluster)
                  Attributed malware
                  Campaigns
                  No behavioral cluster, attributed malware, or campaigns recorded for this actor yet.

                  Activity

                  30-day mention timeline
                  Recent reporting
                  TitleSourceSeverityCollected