BlindEagle’s Advanced Cyber Assaults on Colombian Government Agencies
In September 2025, the South American cyber threat group known as BlindEagle launched a sophisticated attack targeting a Colombian government agency under the Ministry of Commerce, Industry, and Tourism (MCIT). This operation marked a significant escalation in the group’s tactics, showcasing a complex, multi-stage malware deployment designed to evade detection and exploit internal trust mechanisms.
Phishing Tactics and Initial Compromise
The attack commenced with meticulously crafted phishing emails that impersonated the Colombian judicial system. These emails employed official legal terminology and formatting to create a sense of urgency, urging recipients to acknowledge receipt of a fabricated labor lawsuit notification. Notably, the emails originated from a compromised account within the targeted organization, enhancing their credibility and effectively bypassing standard email security protocols that typically flag external threats.
Sophisticated Infection Chain
Upon interacting with the phishing email, recipients were directed to open an attached SVG (Scalable Vector Graphics) file. This file contained encoded HTML that redirected users to a fraudulent web portal designed to mimic the legitimate Colombian judicial branch. This deceptive portal initiated a complex infection chain involving multiple stages:
1. JavaScript Execution: The portal delivered three JavaScript files, each employing intricate deobfuscation routines. These scripts converted encoded integer arrays into executable code, progressively unveiling the next stage of the attack.
2. PowerShell Command: The final JavaScript triggered a PowerShell command that downloaded an image file from the Internet Archive. This image concealed a Base64-encoded malicious payload, which was extracted and executed directly in memory using .NET reflection techniques. This fileless execution method ensured that no malicious files were written to disk, significantly complicating detection by traditional security solutions.
Payload Deployment and Persistence
The in-memory execution led to the deployment of Caminho, a downloader malware exhibiting Portuguese language artifacts in its code. Caminho subsequently retrieved DCRAT (a Remote Access Trojan) through Discord’s content delivery network. DCRAT is equipped with advanced evasion capabilities, including the ability to patch Microsoft’s Antimalware Scan Interface (AMSI), effectively disabling certain detection mechanisms.
To maintain persistent access to the compromised systems, the malware established scheduled tasks and modified registry entries. These actions ensured that the attackers retained control over the infected systems, allowing for prolonged surveillance and potential data exfiltration.
Technical Analysis and Implications
Zscaler analysts conducted a thorough examination of the attack chain, highlighting BlindEagle’s use of sophisticated techniques such as steganography and the abuse of legitimate services for payload delivery. The attackers’ ability to execute a fileless infection chain, combined with their use of trusted platforms like the Internet Archive and Discord, underscores a strategic shift towards more covert and resilient attack methodologies.
This campaign exemplifies BlindEagle’s maturation as a threat actor, blending social engineering prowess with technical sophistication. By exploiting internal trust relationships and employing advanced obfuscation techniques, the group has demonstrated a heightened capability to conduct targeted attacks against government infrastructure with minimal risk of detection.
Broader Context and Historical Activity
BlindEagle, also known as APT-C-36, has been active since 2018, primarily targeting governmental, financial, and energy sectors in Latin America, including countries like Colombia, Ecuador, Chile, and Panama. The group’s operations have evolved from basic phishing campaigns to more complex attacks involving multi-stage malware delivery and the use of various Remote Access Trojans (RATs) such as njRAT, LimeRAT, BitRAT, and AsyncRAT.
In previous campaigns, BlindEagle has demonstrated versatility by switching between financially motivated attacks and espionage operations. Their tactics have included the use of weaponized emails with malicious attachments, geolocation-based filtering to target specific regions, and the exploitation of vulnerabilities like CVE-2024-43451 to extract user authentication hashes.
Recommendations for Mitigation
Given the advanced nature of BlindEagle’s tactics, organizations, especially those within government sectors, should implement comprehensive security measures to mitigate the risk of such attacks:
1. Enhanced Email Security: Deploy advanced email filtering solutions capable of detecting and blocking phishing attempts, even those originating from compromised internal accounts.
2. User Training and Awareness: Conduct regular training sessions to educate employees about the dangers of phishing attacks and the importance of verifying the authenticity of unexpected emails, even from known contacts.
3. Endpoint Detection and Response (EDR): Implement EDR solutions that can identify and respond to fileless malware and in-memory execution techniques.
4. Network Monitoring: Establish continuous monitoring of network traffic to detect unusual patterns that may indicate malicious activity, such as unauthorized data exfiltration or communication with known command-and-control servers.
5. Regular Software Updates: Ensure that all systems and software are up to date with the latest security patches to protect against known vulnerabilities.
By adopting a multi-layered security approach and fostering a culture of vigilance, organizations can better defend against the evolving threats posed by groups like BlindEagle.
