Blind Eagle TAG-144 five-cluster campaign targeting Colombia

Campaign
H score 33
1 unique source, 1 article

Summary

Blind Eagle ran a persistent five-cluster campaign from May 2024 to July 2025, keeping Colombian government entities and other South American sectors in scope and sustaining phishing-led intrusion risk. The operation used spear-phishing, compromised email accounts, URL shorteners, and geofencing to steer victims into attacker-controlled delivery paths. Its payload chain relied on dynamic DNS, legitimate internet services, and RAT deployment, including Lime RAT, DCRat, AsyncRAT, Remcos RAT, and XWorm. The breadth of the targeting shows a durable operation that extended beyond one victim class to multiple public and private sectors.

Related Happenings

PurpleBravo Contagious Interview campaign

Campaign
First: 21.01.2026 19:17 Last: 21.01.2026 19:17 Sources 1

About this happening: The **North Korea-linked Contagious Interview** campaign is refining its malware stack, with **Cisco Talos** reporting that **BeaverTail** and **OtterCookie** are being merged mor...

Latest development: 22.04.2026 17:48

North Korean actor Void Dokkaebi, aka Famous Chollima, pushed the Contagious Interview fake-job campaign into a self-propagating software supply chain operation by abusing compromised developer repositories, malicious Visual Studio (VS) Code tasks, and injected code that can run during normal development activity to spread malware and steal cryptocurrency wallet credentials, signing keys, and access to CI/CD pipelines and production infrastructure. Trend Micro said the campaign also stages payloads on Tron, Aptos, and Binance Smart Chain, and in March it found more than 750 infected code repositories, more than 500 malicious VS Code task configurations, and 101 instances of the commit-tampering tool.

APT28 UKR.net credential-harvesting campaign

Campaign
First: 17.12.2025 17:30 Last: 17.12.2025 17:30 Sources 1

About this happening: The **APT28** operation intensified a **sustained credential-harvesting campaign** against **UKR[.]net users in Ukraine**, increasing the risk of stolen logins and **2FA codes**....

COLDRIVER BAITSWITCH and SIMPLEFIX ClickFix malware chain

Malware Activity
First: 26.09.2025 15:45 Last: 26.09.2025 15:45 Sources 1

About this happening: **COLDRIVER** (aka **Star Blizzard/UNC4057/Callisto**) has shifted from **LOSTKEYS** to rapidly changing **NOROBOT/YESROBOT/MAYBEROBOT** tooling in a **ClickFix**-style campaign,...

Timeline

  1. 27.08.2025 12:28 1 article · 9mo ago

    Blind Eagle TAG-144 five-cluster campaign targeting Colombia

    Initial Disclosure

    The earliest visible phase began in **May 2024** with phishing infrastructure tied to **TAG-144** and pages that mimicked **Banco Davivienda**, **Bancolombia**, and **BBVA**. That phase established the lure-and-staging pattern later reused across the campaign.