
G0099 APT-C-36

APT-C-36 is a suspected South American espionage group that has been active since at least 2018. The group mainly targets Colombian government institutions as well as important corporations in the financial sector, petroleum industry, and professional manufacturing.[1]

| Item | Value |
| --- | --- |
| ID | G0099 |
| Associated Names | Blind Eagle |
| Version | 1.1 |
| Created | 05 May 2020 |
| Last Modified | 26 May 2021 |
| Navigation Layer | View In ATT&CK® Navigator |

Associated Group Descriptions

| Name | Description |
| --- | --- |
| Blind Eagle | [1] |

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.005 | Visual Basic | APT-C-36 has embedded a VBScript within a malicious Word document which is executed upon the document opening.[1] |
| enterprise | T1105 | Ingress Tool Transfer | APT-C-36 has downloaded binary data from a specified domain after the malicious document is opened.[1] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.004 | Masquerade Task or Service | APT-C-36 has disguised its scheduled tasks as those used by Google.[1] |
| enterprise | T1571 | Non-Standard Port | APT-C-36 has used port 4050 for C2 communications.[1] |
| enterprise | T1027 | Obfuscated Files or Information | APT-C-36 has used ConfuserEx to obfuscate its variant of Imminent Monitor, compressed payload and RAT packages, and password protected encrypted email attachments to avoid detection.[1] |
| enterprise | T1588 | Obtain Capabilities | - |
| enterprise | T1588.002 | Tool | APT-C-36 obtained and used a modified variant of Imminent Monitor.[1] |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | APT-C-36 has used spearphishing emails with password protected RAR attachment to avoid being detected by the email gateway.[1] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | APT-C-36 has used a macro function to set scheduled tasks, disguised as those used by Google.[1] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | APT-C-36 has prompted victims to accept macros in order to execute the subsequent payload.[1] |


| ID | Name | References | Techniques |
| --- | --- | --- | --- |
| S0434 | Imminent Monitor | [1] | Audio Capture, Command and Scripting Interpreter, Credentials from Web Browsers: Credentials from Password Stores, Deobfuscate/Decode Files or Information, Exfiltration Over C2 Channel, File and Directory Discovery, Hidden Files and Directories: Hide Artifacts, Disable or Modify Tools: Impair Defenses, File Deletion: Indicator Removal, Keylogging: Input Capture, Native API, Obfuscated Files or Information, Process Discovery, Remote Desktop Protocol: Remote Services, Resource Hijacking, Video Capture |