APT-C-36 Updates Its Long-term Spam Campaign Against South American Entities With Commodity RATs Threat Researcher Threat Researcher

Affected regions and industries

The majority of the targets we discovered were located in Colombia, although some were from other South American countries such as Ecuador, Spain, and Panama. This is consistent with the use of Spanish in spear-phishing emails.

Although APT-C-36’s objective remains unclear, we posit that the threat actor carried out this campaign for financial gain. The campaign has affected multiple industries, primarily government, financial, and healthcare entities. We have also seen the campaign affect the finance, telecommunications, and energy, oil and gas industries.


Over the course of this investigation, we have found various new tactics, techniques, and procedures (TTPs) used by APT-C-36.  Our research shows that they modify their methods frequently, as evidenced by their use of different link shorteners and RATs. While spear-phishing emails are the initial infection vector for this ongoing campaign, the threat actor is constantly changing their payloads and improving their techniques to avoid detection, such as their use of geolocation filtering.

APT-C-36 selects their targets based on location and most likely the financial standing of the email recipient. These, and the prevalence of the emails, lead us to conclude that the threat actor’s ultimate goal is financial gain rather than espionage.

Security Recommendations

Threat actors like APT-C-36 are constantly seeking new ways to deploy their malware and stay one step ahead of their victims’ defenses. To secure their data from spear-phishing attempts, companies can benefit from tools such as the Trend Micro™ Smart Protection Suites and Worry-Free™ Business Security solutions, which protect end-users and businesses from these kinds of threats by detecting and blocking malicious files, spam messages, and malicious URLs. They can also turn to tools like Trend Micro™ Email Security, a no-maintenance cloud solution that delivers continuously updated protection to stop spam, malware, spear phishing, ransomware, and advanced targeted attacks before they reach the network. It protects Microsoft Exchange, Microsoft Office 365, Google Apps, and other hosted and on-premises email solutions. 

Indicators of Compromise

You can access the link here for the full list of IOCs.

Read More HERE