Clankerusecase
Threat-actor profile
 ← Back to main site
Home/ Threat Actors/ APT-C-36

🌐APT-C-36

🌐 APT-C-36 is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: State. We map 14 detection use cases to this actor across 38 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G0099) ↗
14Use cases
0Articles
38Techniques
0IOCs

About this actor (MITRE)

[APT-C-36](https://attack.mitre.org/groups/G0099) is a suspected South American threat group that has engaged in espionage and financially motivated operations since at least 2018. [APT-C-36](https://attack.mitre.org/groups/G0099) has targeted government institutions and entities in the financial, energy, and professional manufacturing sectors across Colombia and other Latin American countries.(Citation: QiAnXin APT-C-36 Feb2019)(Citation: Kaspersky BlindEagle AUG 2024)(Citation: Check Point Blind Eagle MAR 2025)(Citation: Recorded Future TAG-144 AUG 2025)

Known aliases

APT-C-36Blind EagleTAG-144AguilaCiegaAPT-Q-98

Top techniques

T1027 · Obfuscated Files or InformationT1027.003 · SteganographyT1027.013 · Encrypted/Encoded File

All other tracked techniques

T1027.016 · Junk Code InsertionT1036.004 · Masquerade Task or ServiceT1036.005 · Match Legitimate Resource Name or LocationT1047 · Windows Management InstrumentationT1053.005 · Scheduled TaskT1055.012 · Process HollowingT1059.001 · PowerShellT1059.005 · Visual BasicT1059.007 · JavaScriptT1105 · Ingress Tool TransferT1133 · External Remote ServicesT1204.001 · Malicious LinkT1204.002 · Malicious FileT1480 · Execution GuardrailsT1534 · Internal SpearphishingT1564.003 · Hidden WindowT1566.001 · Spearphishing AttachmentT1566.002 · Spearphishing LinkT1568 · Dynamic ResolutionT1571 · Non-Standard PortT1574.001 · DLLT1583.001 · DomainsT1583.003 · Virtual Private ServerT1583.006 · Web ServicesT1584.005 · BotnetT1586.002 · Email AccountsT1586.003 · Cloud AccountsT1587.001 · MalwareT1588.001 · MalwareT1588.002 · ToolT1593 · Search Open Websites/DomainsT1608.001 · Upload MalwareT1683.001 · Written ContentT1683.002 · Audio-Visual ContentT1684.001 · Impersonation

Detection use cases (14)

APT-C-36 (Blind Eagle) staged loader: LOLBin fetch from public hosting → .NET utility process hollowing AI · profile S APT-C-36 (Blind Eagle) AsyncRAT/Remcos beacon to dynamic-DNS C2 from non-browser process AI · profile SΣ Auth-Bypass on Public-Facing Service → Post-Exploit Action on Same Host (≤10 min) MITRE match Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer package install spawning script-host with non-registry C2 within 5 minutes MITRE match Edge-service post-exploitation chain: internet-facing daemon → child shell or token redemption within 10 min of external request MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match npm/yarn/pnpm Install-Hook Spawn → Credential-Store Read or Worm-Payload Drop in node_modules MITRE match OAuth Device-Code Consent Phish to Cross-IP Cloud Token Replay MITRE match Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access MITRE match Package Manager Install Hook Spawns Scripting Interpreter Then Touches Credential Files or Egresses Off-Registry MITRE match