Ethical Hacking News
Blind Eagle, a group linked to significant cyber-espionage and financially driven attacks in South America, has carried out campaigns employing dynamic DNS and remote access trojans (RATs) targeting government entities, educational institutions, financial sectors, and healthcare organizations across Colombia. This activity, monitored by Recorded Future Insikt Group, underscores the sophisticated tactics employed by this threat actor and highlights ongoing concerns over its true motivations.
Blind Eagle has been linked to persistent activity in South America, targeting government entities and private organizations across Colombia, Ecuador, Chile, and Panama. The group's C2 infrastructure incorporates IP addresses from Colombian ISPs, virtual private servers, and VPN services. Legitimate internet services like Bitbucket and Discord have been used by the attackers to stage payloads and evade detection. Blind Eagle has employed a Visual Basic Script file as a dropper to execute a dynamically generated PowerShell script that downloads an injector module for RATs. The group has targeted a range of sectors; between February and July 2025, one stream of activity hit government entities exclusively, using DCRat, AsyncRAT, and Remcos RAT.
The threat landscape has witnessed numerous attacks by various groups over the years. However, a recent observation by Recorded Future Insikt Group sheds light on the tactics employed by a specific group known as Blind Eagle. The group has been linked to persistent activity in South America, particularly targeting government entities and private organizations across Colombia, Ecuador, Chile, and Panama.
Blind Eagle's command-and-control (C2) infrastructure often incorporates IP addresses from Colombian ISPs alongside virtual private servers (VPS) such as Proton666 and VPN services like Powerhouse Management, FrootVPN, and TorGuard. The actor also relies on dynamic DNS services, including duckdns[.]org, ip-ddns[.]com, and noip[.]com, so that C2 hostnames can be repointed at new addresses without changing the malware configuration.
Furthermore, the threat group has taken advantage of legitimate internet services, such as Bitbucket, Discord, Dropbox, GitHub, Google Drive, the Internet Archive, lovestoblog.com, Paste.ee, Tagbox, and lesser-known Brazilian image-hosting websites, for staging payloads in order to obscure malicious content and evade detection. The attackers have consistently relied on well-established methods since their emergence, underscoring how these techniques continue to yield high success rates in the region.
Recent campaigns orchestrated by Blind Eagle have employed a Visual Basic Script file as a dropper to execute a dynamically generated PowerShell script at runtime, which, in turn, reaches out to an external server to download an injector module that's responsible for loading Lime RAT, DCRat, AsyncRAT, or Remcos RAT. The group has targeted a range of sectors; between February and July 2025, one stream of activity hit government entities exclusively, using DCRat, AsyncRAT, and Remcos RAT.
Cluster 1 of Blind Eagle's activity, which spanned from February through July 2025, focused on targeting Colombian government entities exclusively using the aforementioned remote access trojans (RATs). Cluster 2 targeted Colombian government entities in addition to organizations within the education, defense, and retail sectors with AsyncRAT and XWorm. The third cluster was characterized by the deployment of AsyncRAT and Remcos RAT from September 2024 through July 2025.
Cluster 4 is associated with malware and phishing infrastructure attributed to Blind Eagle, which features phishing pages mimicking Banco Davivienda, Bancolombia, and BBVA. The fifth cluster, observed from March through July 2025, was linked to Lime RAT and a cracked AsyncRAT variant that appeared in clusters 1 and 2.
The phishing emails used in these campaigns carry an SVG attachment, which reaches out to Discord CDN to retrieve a JavaScript payload that fetches a PowerShell script from Paste.ee. The PowerShell script is designed to decode and execute another PowerShell payload that obtains a JPG image hosted on the Internet Archive and extracts from it an embedded .NET assembly.
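The infection chain above is notable for touching only legitimate services before the final RAT beacons to dynamic DNS C2. The following is an added detection example (not code from the article or from Insikt Group) that runs over constructed proxy/EDR log lines in an assumed `host= proc= dst=` format and flags a host when a script host (wscript, cscript, PowerShell) pulls from two or more of the staging services named in the article, or when anything on the host connects to one of the named dynamic DNS providers.

```python
import re
from collections import defaultdict
# Dynamic DNS providers and legitimate staging services named in the article;
# process names are the script hosts the described VBS -> PowerShell chain runs under.
DYNAMIC_DNS = ("duckdns.org", "ip-ddns.com", "noip.com")
STAGING_HOSTS = ("cdn.discordapp.com", "paste.ee", "archive.org", "bitbucket.org",
                 "github.com", "dropbox.com")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "powershell.exe")
# Assumed (constructed) log format: "<ts> host=<name> proc=<image> dst=<fqdn>"
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+)$")
def parent_matches(fqdn, suffixes):
    """True if fqdn equals or is a subdomain of any suffix (no substring matches)."""
    fqdn = fqdn.lower().rstrip(".")
    return any(fqdn == s or fqdn.endswith("." + s) for s in suffixes)
def analyze(lines):
    """Return {host: [findings]} for hosts whose activity resembles the chain."""
    per_host = defaultdict(lambda: {"ddns": set(), "staging": set()})
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        host, proc, dst = m["host"], m["proc"].lower(), m["dst"]
        if parent_matches(dst, DYNAMIC_DNS):
            per_host[host]["ddns"].add(dst)
        if proc in SCRIPT_HOSTS and parent_matches(dst, STAGING_HOSTS):
            per_host[host]["staging"].add(dst)
    findings = {}
    for host, seen in per_host.items():
        notes = []
        if len(seen["staging"]) >= 2:  # one download is normal; a multi-service chain is not
            notes.append("script host fetched from %d staging services" % len(seen["staging"]))
        if seen["ddns"]:
            notes.append("connection to dynamic DNS: " + ", ".join(sorted(seen["ddns"])))
        if notes:
            findings[host] = notes
    return findings

# Constructed sample log lines, not real telemetry.
SAMPLE_LOGS = [
    "2025-03-04T09:12:01Z host=WS01 proc=wscript.exe dst=cdn.discordapp.com",
    "2025-03-04T09:12:03Z host=WS01 proc=powershell.exe dst=paste.ee",
    "2025-03-04T09:12:05Z host=WS01 proc=powershell.exe dst=archive.org",
    "2025-03-04T09:12:40Z host=WS01 proc=powershell.exe dst=sample-c2.duckdns.org",
    "2025-03-04T09:13:00Z host=WS02 proc=chrome.exe dst=github.com",
]
if __name__ == "__main__":
    for host, notes in analyze(SAMPLE_LOGS).items():
        print(host, "->", "; ".join(notes))
```

A browser fetching GitHub on WS02 is deliberately not flagged; the signal is the combination of script host, multiple staging services, and dynamic DNS, not any single destination.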
Interestingly, the cracked version of AsyncRAT used in the attacks has been previously observed in connection with intrusion activity mounted by threat actors Red Akodon and Shadow Vector, both of which have targeted Colombia over the past year. Nearly 60% of the observed Blind Eagle activity during the analysis period has targeted the government sector, followed by education, healthcare, retail, transportation, defense, and oil verticals.
The threat actor's primary focus remains on Colombia, particularly government entities. This persistent targeting raises questions about the group's true motivations, such as whether it operates solely as a financially driven threat actor leveraging established tools, techniques, and monetization strategies, or whether elements of state-sponsored espionage are also at play.
Related Information:
https://www.ethicalhackingnews.com/articles/Blind-Eagles-Sophisticated-Campaigns-Target-Colombia-Employing-Dynamic-DNS-and-RATs-ehn.shtml
https://thehackernews.com/2025/08/blind-eagles-five-clusters-target.html
Published: Wed Aug 27 06:10:06 2025 by llama3.2 3B Q4_K_M