APT-C-36
G00992 reportsaliases · APT-C-36 · Blind Eagle · TAG-144 · AguilaCiega · APT-Q-98
2
Reports
8
Techniques
5
Tactics
8
Countries
62%
Hunt coverage
5
Aliases
Analyst assessment — key judgments
- Signature techniques: T1059.007 (JavaScript), T1588.006 (Vulnerabilities), T1204 (User Execution).
- Primary targeting: SE, CN, RU, IR.
- Resurgent after a quiet period: 1 report(s) in last 30d vs 0 prior (+100%).
- Recent movement: 1 new technique(s), 1 new infrastructure indicator(s) in the last 30 days.
- Hunt coverage 62% of 8 observed techniques (3 gap(s)).
- Assessment confidence: medium (60).
Activity & trend
ResurgentLast 30d: 1 vs 0 prior (+100%)· first reported 2025-11-10 · last 2026-06-25
0
7d
1
30d
1
90d
2
All
0.1
Rpts/wk
Reporting timeline · 12 months
Movement — last 30 days
New techniques
T1590.005Dropped (90d+)
T1059.007T1588.006T1204T1059.001T1204.003T1027.003T1001.002Targeting gained
CNIRKPRUSENew infrastructure
https://hdsr.mitpress.mit.edu/pub/3rvlzjVulnerabilities in this actor's reporting · 2
- CVE-2017-0199KEV1 rpt
- CVE-2017-11882KEV1 rpt
Overview
Analyst triage
Intelligence summary
APT-C-36 is a suspected South American threat group that has engaged in espionage and financially motivated operations since at least 2018. APT-C-36 has targeted government institutions and entities in the financial, energy, and professional manufacturing sectors across Colombia and other Latin American countries.(Citation: QiAnXin APT-C-36 Feb2019)(Citation: Kaspersky BlindEagle AUG 2024)(Citation: Check Point Blind Eagle MAR 2025)(Citation: Recorded Future TAG-144 AUG 2025)
Top co-occurring indicators
Aliases & naming
Targeting · countries
Targeting · named victims
ATT&CK technique matrix
Coverage vs hunt library:
—
Hunt-coverage gaps — prioritized
Top techniques by observation
- T1059.007 · JavaScriptconf 601
- T1588.006 · Vulnerabilitiesconf 601
- T1204 · User Executionconf 601
- T1059.001 · PowerShellconf 601
- T1204.003 · Malicious Imageconf 601
- T1027.003 · Steganographyconf 601
- T1001.002 · Steganographyconf 601
- T1590.005 · IP Addressesconf 601
Threat catalogue · engineering roadmap
Flagged detection-engineering queue
Uncovered techniques you flagged for hunt / detection build-out, aggregated across every actor you visit. Stored locally in your browser.
Infrastructure
IOC type mix
Tooling / malware families
Relationships
Activity
30-day mention timeline
Recent reporting
| Title | Source | Severity | Collected |
|---|