{
	"id": "c04ef6ac-2ffa-42b1-b9ce-7ff29735b73a",
	"created_at": "2026-04-06T00:19:21.178918Z",
	"updated_at": "2026-04-12T02:21:48.521915Z",
	"deleted_at": null,
	"sha1_hash": "48b25595644b5faa2f836bfae0ba8f53854eb844",
	"title": "BlindEagle Deploys Caminho and DCRAT | ThreatLabz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2530350,
	"plain_text": "BlindEagle Deploys Caminho and DCRAT | ThreatLabz\r\nBy Gaetano Pellegrino\r\nPublished: 2025-12-16 · Archived: 2026-04-05 13:23:30 UTC\r\nTechnical Analysis\r\nThe following sections explore how BlindEagle’s campaign leverages in-memory scripts, legitimate internet\r\nservices like Discord, steganography, and the deployment of Caminho and DCRAT. The analysis breaks down the\r\nmethods and tools used in the attack to provide a clear understanding of the execution flow.\r\nAttack chain\r\nThe figure below summarizes the attack chain from the initial phishing email to the final payload.\r\nFigure 1: A high-level overview of the BlindEagle attack chain leading to the execution of Caminho and DCRAT.\r\nhttps://www.zscaler.com/blogs/security-research/blindeagle-targets-colombian-government-agency-caminho-and-dcrat\r\nPage 1 of 10\n\nCompromised email\r\nBlindEagle’s attack began with a phishing email targeting a shared email address likely used and monitored by the\r\nIT team of the organization. The phishing email was sent from another shared email address belonging to the same\r\nagency, making it appear legitimate and increasing its chances of being acted upon. ThreatLabz analyzed the email\r\nmetadata and the configuration of the email domain, and found the following:\r\nThe sender and receiver domains were properly configured for email security protocols (DMARC, DKIM,\r\nand SPF). No evident flaws were observed.\r\nThe trajectory of the phishing email from sender to recipient, appeared legitimate and didn’t include any\r\nsuspicious hops. 
All the “Received” headers referenced servers belonging to Microsoft 365 / Exchange, including the originating server.\r\nDespite the Microsoft 365 servers being authorized by the SPF policy, the DMARC, DKIM, and SPF checks were not applied to the email.\r\nBased on these observations, ThreatLabz assesses that the attacker controlled the sender’s email account and used it to deliver a phishing attempt to another address within the same organization. DKIM and SPF checks were likely not applied because the message was handled entirely within the organization’s Microsoft 365 tenant: mail that never leaves the tenant is treated as internal and is not subjected to the sender-domain authentication applied to inbound mail, so a compromised internal mailbox inherits the tenant’s trust.\r\nFraudulent web portal\r\nThe phishing email used a legal-themed design to lure the recipient. The email was crafted to appear as an official message from the Colombian judicial system, referencing a labor lawsuit with an authentic-sounding case number and date. The email pressures the recipient to confirm receipt immediately, leveraging authority, fear of legal consequences, and confidentiality warnings to push the recipient into taking an action, namely opening the attachment.\r\nThe figure below shows the SVG image attached to the phishing email.\r\nFigure 2: The SVG attachment included in BlindEagle’s phishing email.\r\nThe image is fully clickable: when clicked, a Base64-encoded HTML page embedded within the SVG is decoded and opened in a new tab.
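Triage of an SVG lure of the shape just described, as an added example in Python; this is not the page’s own code and nothing in it is recovered from the BlindEagle attachment. The SVG, its script and the HTML page are constructed here, and the assumption (the page says only that a Base64-encoded HTML page is embedded and decoded on click) is that the page sits in the script as a Base64 literal handed to atob(). The check reports three separate signals: a script element, a new-window opener, and any Base64 run that decodes to HTML.

```python
import base64
import binascii
import string
from typing import Dict, List, Optional

B64_ALPHABET = frozenset(string.ascii_letters + string.digits + '+/=')
HTML_HINTS = ('<html', '<script', '<body', 'atob(', 'window.open')

# Constructed sample (not the real attachment): a clickable SVG whose script
# decodes a Base64 HTML page and writes it into a new tab. The quote character
# is built with chr(39) so the sample needs no quote or backslash literals.
Q = chr(39)
FAKE_HTML = '<html><body><h1>Rama Judicial</h1><p>placeholder page</p></body></html>'
SAMPLE_SVG = (
    '<svg xmlns=http://www.w3.org/2000/svg width=600 height=400 onclick=go()>'
    '<rect width=600 height=400 fill=white/>'
    '<script><![CDATA['
    'var p = ' + Q + base64.b64encode(FAKE_HTML.encode()).decode() + Q + ';'
    'function go(){ var w = window.open(); w.document.write(atob(p)); }'
    ']]></script></svg>'
)


def find_base64_runs(text: str, min_len: int = 40) -> List[str]:
    # Collect maximal runs of Base64-alphabet characters; short runs are skipped
    # because ordinary identifiers and words would otherwise flood the result.
    runs: List[str] = []
    current: List[str] = []
    for ch in text + ' ':  # trailing sentinel flushes the last run
        if ch in B64_ALPHABET:
            current.append(ch)
            continue
        if len(current) >= min_len:
            runs.append(''.join(current))
        current = []
    return runs


def decode_if_html(blob: str) -> Optional[str]:
    # Strict Base64 decode: a run of letters that is not valid Base64 fails here.
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode('utf-8', errors='replace')
    if any(hint in text.lower() for hint in HTML_HINTS):
        return text
    return None


def triage_svg(svg: str) -> Dict[str, object]:
    # Three signals of the lure pattern: scripting, a new-window opener, and a
    # Base64 blob that decodes to HTML. They are reported separately so that a
    # benign scripted SVG (no embedded page) stays distinguishable from a lure.
    lowered = svg.lower()
    embedded = [page for page in map(decode_if_html, find_base64_runs(svg)) if page]
    return {
        'has_script': '<script' in lowered,
        'has_opener': 'window.open' in lowered or 'atob(' in lowered,
        'embedded_html': embedded,
        'verdict': 'suspicious' if embedded and '<script' in lowered else 'no embedded page',
    }
```

Run it against the constructed sample with triage_svg(SAMPLE_SVG); the same function works on a real attachment read from disk, and the decoded pages in embedded_html can be fed to a second-stage check for the download link the portal serves.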
\r\nAs shown in the figure below, the HTML page mimics an official web portal of the Colombian judicial branch.\r\nFigure 3: Fraudulent web portal presented to the user during BlindEagle’s attack.\r\nThe fraudulent web portal is designed to deliver a JavaScript file named ESCRITO JUDICIAL AGRADECEMOS CONFIRMAR RECIBIDO NOTIFICACION DE ADMISION DEMANDA LABORAL ORDINARIA E S D.js, which is downloaded automatically a few seconds after the user opens the portal.\r\nJavaScript files and PowerShell command\r\nAfter the user double-clicks the fraudulent receipt downloaded from the web portal, a fileless attack chain composed of three JavaScript stages followed by a PowerShell command is initiated.\r\nThe first two JavaScript files share the same structure and purpose: deobfuscating and executing the next step. Each script begins by defining a long array of integers that represents the obfuscated payload. This array is then processed by a simple deobfuscation algorithm, which subtracts a constant step from every integer to reconstruct the executable code, and the reconstructed script is launched as the next stage of the chain.\r\nA Python translation of this deobfuscation algorithm is provided in the code sample below.\r\nfrom typing import List\r\n\r\ndef int_to_char(code_point: int) -\u003e str:\r\n    # Like chr(), but drop UTF-16 surrogate code points (0xD800-0xDFFF), which cannot be encoded.\r\n    if 0xD800 \u003c= code_point \u003c= 0xDFFF:\r\n        return \"\"\r\n    return chr(code_point)\r\n\r\ndef deobfuscate(obf_code: List[int], step: int) -\u003e str:\r\n    # Every integer is the next character’s code point shifted up by a constant step.\r\n    deobf_code = \"\"\r\n    for i in obf_code:\r\n        c = int_to_char(i - step)\r\n        deobf_code += c\r\n    return deobf_code\r\nThe third-stage JavaScript file introduces added complexity by intermixing the executable code with sections containing Unicode-based comments.
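Recovering the next stage from a script of the shape used by the first two JavaScript stages, as an added example in Python (the language of the page’s own translation); it is not the page’s code or the actor’s. It goes beyond the page by treating the shift step as unknown and recovering it by brute force, which is what an analyst needs when only the stage file is at hand. The stage script, its step value and the embedded next-stage text are constructed here; the real arrays and payloads are not reproduced.

```python
import string
from typing import List, Optional, Tuple

JS_MARKERS = ('var ', 'function', 'eval(', 'WScript', 'ActiveXObject', 'new ')


def obfuscate(code: str, step: int) -> List[int]:
    # The scheme the page describes, run forward: each code point is shifted up by a constant.
    return [ord(ch) + step for ch in code]


def deobfuscate(obf_code: List[int], step: int) -> str:
    # Shift every integer back down; out-of-range values and UTF-16 surrogates are dropped,
    # matching the int_to_char() behaviour noted on the page.
    chars = []
    for value in obf_code:
        cp = value - step
        if cp < 0 or cp > 0x10FFFF or 0xD800 <= cp <= 0xDFFF:
            continue
        chars.append(chr(cp))
    return ''.join(chars)


def extract_int_array(script: str) -> List[int]:
    # Pull the first JavaScript array literal of integers out of a stage script.
    start = script.index('[')
    end = script.index(']', start)
    tokens = (tok.strip() for tok in script[start + 1:end].split(','))
    return [int(tok) for tok in tokens if tok]


def looks_like_js(text: str) -> bool:
    # Scoring used to pick the right shift: nearly all printable plus at least one JS marker.
    if not text:
        return False
    printable = sum(ch in string.printable for ch in text) / len(text)
    return printable > 0.97 and any(marker in text for marker in JS_MARKERS)


def recover_step(obf_code: List[int]) -> Optional[Tuple[int, str]]:
    # The shift is at most min(obf_code) because code points are non-negative and, since
    # JavaScript source is mostly ASCII, it is usually close to that bound: search downward.
    if not obf_code:
        return None
    for step in range(min(obf_code), -1, -1):
        candidate = deobfuscate(obf_code, step)
        if looks_like_js(candidate):
            return step, candidate
    return None


# Constructed stage script (not the real one): a stage-1 file carrying the next stage
# as a shifted integer array, with a constructed step value.
STEP = 1337
NEXT_STAGE = 'var sh = new ActiveXObject(WScript_Shell); sh.Run(cmd, 0);'
STAGE_SCRIPT = 'var p = [' + ', '.join(str(n) for n in obfuscate(NEXT_STAGE, STEP)) + '];'


def recover_next_stage(script: str) -> Optional[Tuple[int, str]]:
    # Full path an analyst takes on a stage file: locate the array, then find the step.
    return recover_step(extract_int_array(script))
```

recover_next_stage(STAGE_SCRIPT) returns the recovered step together with the next-stage source; on a real stage file the returned text is the input for the same procedure again, until the third stage with its different Unicode-stripping scheme is reached.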
\r\nAs illustrated in the figure below, the deobfuscation procedure used in this step differs from the techniques applied in the previous scripts. To obtain the final payload, two replacement steps are performed, which strip out sequences of Unicode characters embedded in a dynamically composed string.\r\nFigure 4: Excerpt of the last JavaScript stage executed along the attack chain.\r\nThe goal of the third JavaScript stage is to execute a PowerShell command. Specifically, it leverages Windows Management Instrumentation (WMI) to obtain a Win32_Process instance. The PowerShell command is executed via the Create() method of the Win32_Process object, while the ShowWindow property of the accompanying Win32_ProcessStartup object is set to zero (SW_HIDE), so the PowerShell process starts without a visible window.\r\nThe decoded PowerShell is shown in the figure below.\r\nFigure 5: Decoded BlindEagle PowerShell command.\r\nThis command is designed to download an image file from the Internet Archive. Once downloaded, the script carves out a Base64-encoded payload embedded between two specific markers: BaseStart- and -BaseEnd. An example of the first marker is shown in the figure below.\r\nFigure 6: Content deobfuscated by the PowerShell command.\r\nAfter isolating the payload, the script decodes it from Base64 and dynamically loads it as a .NET assembly using reflection. This process culminates with the invocation of the VAI method of the ClassLibrary1.Home class of the loaded assembly.\r\nCaminho\r\nThreatLabz identified the assembly loaded by the PowerShell command in the attack chain as a malware downloader known as Caminho (also tracked as VMDetectLoader), which can be traced back to May 2025.
BlindEagle was one of the early adopters of Caminho, likely using it in a campaign documented in June 2025. Since then, Caminho has been used by several threat actors to deliver a variety of malware, including XWorm.\r\nEvidence suggests that Caminho may have originated within the Brazilian cybercriminal ecosystem. Two key factors support this hypothesis:\r\nThe widespread use of this malware in attacks against Brazilian organizations.\r\nThe presence of Portuguese words in the malware’s code, including the argument names shown below.\r\npublic static void VAI(\r\n    string QBXtX,\r\n    string startupreg,\r\n    string caminhovbs,\r\n    string namevbs,\r\n    string netframework,\r\n    string nativo,\r\n    string nomenativo,\r\n    string persitencia,\r\n    string url,\r\n    string caminho,\r\n    string nomedoarquivo,\r\n    string extençao,\r\n    string minutos,\r\n    string startuptask,\r\n    string taskname,\r\n    string vmName,\r\n    string startup_onstart\r\n)\r\nThe VAI method invoked by the PowerShell script takes arguments named in Portuguese, such as “caminho”, meaning “path”, hence the malware’s name.\r\nThe codebase of the sample analyzed by ThreatLabz is heavily obfuscated, featuring techniques such as code flattening, junk code, and anti-debugging measures.\r\nThe main purpose of the VAI method is to download a text file named AGT27.txt from the following Discord URL:\r\nhXXps://cdn.discordapp[.]com/attachments/1402685029678579857/1410251798123511808/AGT27.txt?ex=68b056d5\u0026is=68af0\r\nThe URL passed to the VAI method is obfuscated: it is Base64-encoded and reversed. Caminho deobfuscates the URL and downloads AGT27.txt using System.Net.WebClient.DownloadString().
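The two decoding steps of the PowerShell stage and of Caminho, as an added example written in Python rather than the original PowerShell and C#; this is not the page’s code or the malware’s. It carves the Base64 text between the BaseStart- and -BaseEnd markers out of a downloaded image, and it undoes the Base64-plus-reverse wrapping Caminho applies to its URL and to AGT27.txt. The image bytes, the payload and the URL are constructed; the order of the wrapping (Base64 first, reversal second, so unwrapping reverses first and then decodes) is an assumption, and the two calls in caminho_unwrap swap if a sample applied them the other way round. The reflective load of the carved assembly and the MSBuild.exe hollowing are not reproduced.

```python
import base64
import binascii
from typing import Optional

START_MARKER = b'BaseStart-'
END_MARKER = b'-BaseEnd'


def carve_between_markers(image: bytes) -> Optional[bytes]:
    # Return the bytes between the first BaseStart- and the following -BaseEnd,
    # or None when either marker is missing; the surrounding image data is ignored.
    start = image.find(START_MARKER)
    if start < 0:
        return None
    start += len(START_MARKER)
    end = image.find(END_MARKER, start)
    if end < 0:
        return None
    return image[start:end]


def recover_embedded_assembly(image: bytes) -> Optional[bytes]:
    # Carve, then strictly Base64-decode. The PowerShell stage hands the result to a
    # reflective Assembly.Load and calls ClassLibrary1.Home.VAI; that part is not reproduced.
    carved = carve_between_markers(image)
    if carved is None:
        return None
    try:
        return base64.b64decode(carved.strip(), validate=True)
    except binascii.Error:
        return None


def is_pe(data: bytes) -> bool:
    # A .NET assembly is a PE file, so the DOS header magic is the cheapest sanity check.
    return data[:2] == b'MZ'


def caminho_wrap(data: bytes) -> str:
    # Forward direction of the wrapping as assumed here: Base64-encode, then reverse the text.
    return base64.b64encode(data).decode('ascii')[::-1]


def caminho_unwrap(wrapped: str) -> bytes:
    # Undo the wrapping: reverse the text back, then Base64-decode it.
    return base64.b64decode(wrapped[::-1])


# Constructed sample data; nothing here is taken from the real campaign.
PNG_SIGNATURE = bytes([137, 80, 78, 71, 13, 10, 26, 10])
FAKE_ASSEMBLY = b'MZ' + b'constructed stand-in for the Caminho .NET assembly'
SAMPLE_IMAGE = (PNG_SIGNATURE + b'pixel data' * 8 + START_MARKER
                + base64.b64encode(FAKE_ASSEMBLY) + END_MARKER + b'trailing data')
FAKE_URL = 'https://cdn.example.invalid/attachments/1/2/AGT27.txt'
FAKE_AGT27 = caminho_wrap(b'MZ' + b'constructed stand-in for the DCRAT executable')
```

recover_embedded_assembly(SAMPLE_IMAGE) yields the carved assembly bytes and is_pe() confirms the PE header; caminho_unwrap(FAKE_AGT27) yields the bytes the loader would inject. The same two functions apply unchanged to a real image downloaded from the Internet Archive and to a real AGT27.txt, with the order caveat above.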
It is worth noting that the file never touches the disk; instead, it is loaded directly in memory.\r\nOnce downloaded, AGT27.txt, whose content is likewise Base64-encoded and reversed, is deobfuscated by Caminho. The decoded payload is then executed using a technique known as process hollowing, where a legitimate Windows utility, MSBuild.exe, is launched and hollowed out to host the malicious code. The payload injected in this case is a DCRAT executable.\r\nDCRAT\r\nThe final stage of the attack chain delivers DCRAT, an open-source RAT developed in C# that offers a variety of features including keylogging, disk access, and more. It is one of the more prevalent AsyncRAT derivatives, but distinguishes itself with new capabilities, such as patching Microsoft’s Antimalware Scan Interface (AMSI) to evade detection.\r\nIn this campaign, the DCRAT configuration is encrypted with AES-256 using the symmetric key aPZ0ze9qOhazFFqspYVRZ8BW14nGuRUe. Additionally, the configuration includes a certificate that serves two critical functions:\r\n1. The certificate is used to ensure the integrity of the configuration and prevent tampering. This feature is also present in DCRAT’s publicly available source code.\r\n2. The certificate is a key component of C2 server authentication. This functionality is not part of DCRAT’s original source code and was added later.\r\nThe use of certificate-based server authentication allowed ThreatLabz to identify 24 hosts worldwide that expose a certificate with the same issuer, as listed in the table below.
\r\nANALYST NOTE: Only a subset of these hosts is likely part of the infrastructure operated by the threat actor behind this attack, as DCRAT is open-source malware available for general use.\r\n45.74.34.32\r\n45.133.180.138\r\n45.133.180.154\r\n45.153.34.67\r\n46.246.6.9\r\n74.124.24.240\r\n83.147.37.31\r\n103.20.102.130\r\n103.20.102.151\r\n103.186.108.212\r\n103.236.70.158\r\n104.194.154.39\r\n146.70.49.42\r\n146.70.215.50\r\n178.16.54.45\r\n179.13.4.196\r\n179.13.11.235\r\n181.131.217.135\r\n181.206.158.190\r\n181.235.3.119\r\n185.18.222.5\r\n191.91.178.101\r\n191.93.118.254\r\n203.104.42.92\r\nTable 1: List of hosts exposing an X.509 certificate issued by the same source as the certificate embedded in the DCRAT sample used by BlindEagle.\r\nSource: https://www.zscaler.com/blogs/security-research/blindeagle-targets-colombian-government-agency-caminho-and-dcrat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/blindeagle-targets-colombian-government-agency-caminho-and-dcrat"
	],
	"report_names": [
		"blindeagle-targets-colombian-government-agency-caminho-and-dcrat"
	],
	"threat_actors": [],
	"ts_created_at": 1775434761,
	"ts_updated_at": 1775960508,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/48b25595644b5faa2f836bfae0ba8f53854eb844.pdf",
		"text": "https://archive.orkl.eu/48b25595644b5faa2f836bfae0ba8f53854eb844.txt",
		"img": "https://archive.orkl.eu/48b25595644b5faa2f836bfae0ba8f53854eb844.jpg"
	}
}