Introduction
APT-C-36 is a suspected South American espionage group that has been active since at least 2018. The group mainly targets Colombian government institutions as well as important corporations in the financial sector, petroleum industry, and professional manufacturing. [9]
Activities and Tactics
Targeted Sectors: Petroleum, Manufacturing, Financial, Private sector, Government
Incident Type: Espionage
Suspected Victims: Ecuador, Colombia, Spain, Panama, Chile
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
- T1583.001 Domains
- T1204.002 Malicious File
- T1683.001 Written Content
- T1027.016 Junk Code Insertion
- T1047 Windows Management Instrumentation
- T1059.007 JavaScript
- T1684.001 Impersonation
- T1588.001 Malware
- T1584.005 Botnet
- T1583.006 Web Services
- T1036.004 Masquerade Task or Service
- T1027.013 Encrypted/Encoded File
- T1588.002 Tool
- T1587.001 Malware
- T1027 Obfuscated Files or Information
- T1036.005 Match Legitimate Resource Name or Location
- T1534 Internal Spearphishing
- T1204.001 Malicious Link
- T1683.002 Audio-Visual Content
- T1586.002 Email Accounts
- T1053.005 Scheduled Task
- T1480 Execution Guardrails
- T1566.002 Spearphishing Link
- T1133 External Remote Services
- T1583.003 Virtual Private Server
- T1105 Ingress Tool Transfer
- T1608.001 Upload Malware
- T1027.003 Steganography
- T1059.005 Visual Basic
- T1568 Dynamic Resolution
- T1564.003 Hidden Window
- T1571 Non-Standard Port
- T1586.003 Cloud Accounts
- T1593 Search Open Websites/Domains
- T1566.001 Spearphishing Attachment
- T1055.012 Process Hollowing
- T1059.001 PowerShell
- T1574.001 DLL
ATT&CK technique IDs (denormalized)
- T1027
- T1027.003
- T1027.013
- T1027.016
- T1036.004
- T1036.005
- T1047
- T1053.005
- T1055.012
- T1059.001
- T1059.005
- T1059.007
- T1105
- T1133
- T1204.001
- T1204.002
- T1480
- T1534
- T1564.003
- T1566.001
- T1566.002
- T1568
- T1571
- T1574.001
- T1583.001
- T1583.003
- T1583.006
- T1584.005
- T1586.002
- T1586.003
- T1587.001
- T1588.001
- T1588.002
- T1593
- T1608.001
- T1683.001
- T1683.002
- T1684.001
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
- Imminent RAT:
MITRE ATT&CK Software
- njRAT (S0385) — malware
- Imminent Monitor (S0434) — tool
- DCRAT (S9017) — tool
- PureCrypter (S9019) — malware
- Caminho (S9016) — malware
- Remcos (S0332) — tool
- AsyncRAT (S1087) — tool
- QuasarRAT (S0262) — tool
- HeartCrypt (S9018) — malware
Attribution and Evidence
Information pending cataloguing.
References
[1] mitre-attack
[6] Check Point Blind Eagle MAR 2025: Check Point Research. (2025, March 10). Blind Eagle: …And Justice for All. Retrieved April 16, 2026.
[7] Kaspersky BlindEagle AUG 2024: Global Research & Analysis Team, Kaspersky. (2024, August 19). BlindEagle flying high in Latin America. Retrieved April 16, 2026.
[8] Recorded Future TAG-144 AUG 2025: Insikt Group. (2025, August 26). TAG-144's Persistent Grip on South American Organizations. Retrieved April 16, 2026.
[9] QiAnXin APT-C-36 Feb2019: QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020.