An ongoing spam campaign by APT-C-36 is targeting South American entities with commodity RATs for financial benefits. It is reportedly deploying multiple RATs such as njRAT, BitRAT, Async RAT, and Lime RAT. Apart from potential financial gains, the group’s motives are not yet clear.

What's new?

In an ongoing phishing campaign, APT-C-36 is using fraudulent emails disguised to be from Colombia’s national directorate of taxes and customs.
  • The emails state that a seizure order has been issued for a bank account and further details are provided inside the email attachment. The information is protected with the password ‘dian’.
  • Other spam emails used in the campaign claim to have a photo as proof of the recipient's partner’s affair. Just like other emails, recipients are urged to open the email attachment named attached picture[.]jpg, and ‘foto’ is the password provided by hackers.
  • The sender’s email address is spoofed and disguised as DIAN or a Hotmail address portrayed as a fake female profile.
  • Moreover, these emails use PDF/DOCX files including a link (generated from a URL shortener) as delivery documents. When clicked, recipients are taken to a file hosting site that automatically downloads an archive laden with BitRAT.

Who are on the target?

  • Most of the targets are based in Colombia, however, some were based in Ecuador, Spain, and Panama. Some of the spear-phishing emails were written in Spanish.
  • The group has targeted mainly the financial, government, and healthcare sectors. 
  • Some of the attacks were also observed in the energy, oil and gas, and telecommunications sectors.


APT-C-36, over time, appears to have become efficient in using different link shorteners and RATs within phishing emails. It has worked on improving its techniques of spreading malware while avoiding detection. Therefore, it is important to keep an eye on this threat group to avoid any unpleasant surprises.

Cyware Publisher