{
	"id": "8e82c64c-4eec-4f06-9c88-ad0ade17b148",
	"created_at": "2026-04-06T00:18:35.136918Z",
	"updated_at": "2026-04-10T13:11:36.561414Z",
	"deleted_at": null,
	"sha1_hash": "560b0c22ba82252a8e1d75ed12936f7522ba8e37",
	"title": "BlindEagle flying high in Latin America",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 531944,
	"plain_text": "BlindEagle flying high in Latin America\r\nBy GReAT\r\nPublished: 2024-08-19 · Archived: 2026-04-05 19:22:18 UTC\r\nBlindEagle, also known as “APT-C-36”, is an APT actor recognized for employing straightforward yet impactful\r\nattack techniques and methodologies. The group is known for their persistent campaigns targeting entities and\r\nindividuals in Colombia, Ecuador, Chile, Panama and other countries in Latin America. They have been targeting\r\nentities in multiple sectors, including governmental institutions, financial companies, energy and oil and gas\r\ncompanies, among others.\r\nBlindEagle has demonstrated adaptability in shaping the objectives of its cyberattacks and the versatility to switch\r\nbetween purely financially motivated attacks and espionage operations.\r\nThere is evidence that the group has been active since at least 2018. At GReAT, we have been closely tracking\r\ntheir campaigns. This blog aims to give an introduction to the group, detail its TTPs, and provide insights into\r\ntheir recent operations.\r\nThe eagle goes phishing\r\nBlindEagle spreads its malware via phishing emails. Depending on the type of cyberoperation they\r\nconduct, it could be spear phishing (used in targeted espionage attacks) or more generalized phishing (particularly\r\nused in financial attacks).\r\nThe phishing emails typically impersonate governmental institutions, such as Colombia’s National Directorate of\r\nTaxes and Customs, Ministry of Foreign Affairs or Office of the Attorney General, among others. Spam\r\ncampaigns impersonating financial and banking entities are also common.\r\nhttps://securelist.com/blindeagle-apt/113414/\r\nPage 1 of 7\n\nPhishing impersonating the Attorney General’s Office\r\nThe campaigns involve sending deceptive emails containing a notification about an issue that requires immediate\r\naction by the user. 
Each email contains a link in its body that appears to lead to the official website of the entity\r\nbeing impersonated, and an attached file (particularly PDF or Word documents). The attached document mirrors\r\nthe email’s message, contains the same URL and, in some cases, adds extra details and a heightened sense of\r\nurgency to make the phishing attempt sound more convincing. The links usually point to DDNS services and\r\nredirect victims to public repositories or sites owned by the attackers where they host malware implants, also\r\nknown as “the initial dropper”.\r\nA distinctive aspect of the malware delivery is geolocation filtering. The group often uses URL shorteners that are\r\ncapable of geographical detection and redirection. That means that, if a connection is detected to be coming from a\r\ncountry which is not among the group’s targets, the attack is called off, and the victim is redirected to the site of\r\nthe organization the attackers are impersonating. This geographical redirection prevents new malicious sites from\r\nbeing flagged, and thwarts hunting and analysis of these attacks.\r\nHow the eagles attack\r\nOnce an email is delivered, it paves the way for the group’s final malicious implant. BlindEagle is well known for\r\nusing publicly available or open-source Remote Access Trojans (RATs), with the primary goal of spying on\r\nvictims and stealing financial information. The group constantly switches from one RAT to another, using\r\ndifferent tools in different campaigns. We have observed BlindEagle running operations using njRAT, LimeRAT,\r\nBitRAT and AsyncRAT, among others. They usually modify the samples to customize them and add new\r\ncapabilities.\r\nTo deploy the final implant, the group uses a multi-stage process that is consistently similar across their\r\ncampaigns. Unlike the final payload, the tools they use at the intermediate stages are custom built. 
The initial\r\ndropper, downloaded from malicious links, is typically a compressed file that tricks the victim by pretending to be\r\nan official document from the government or financial entity being spoofed in the phishing attack. We have\r\nobserved the use of popular compression formats like ZIP, but also older and less known formats, such as LHA\r\nand UUE. Many threat actors exploit these lesser-known formats to deceive their victims into opening the file,\r\ntaking advantage of their lack of knowledge about these formats.\r\nThe victim is persuaded to extract and run the files within the archive allegedly to solve the issue mentioned in the\r\nphishing email. The extracted files are typically Visual Basic Scripts that use WScript, XMLHTTP objects, or\r\nPowerShell commands to contact another server to download a malicious artifact for the next stage. The server\r\naddress is usually hardcoded in the VBS file.\r\nDuring the monitored campaigns, we have observed various server options chosen by BlindEagle, including\r\nservers controlled by the group and public infrastructure, such as image hosting sites, text storage sites like\r\nPastebin, CDN services like Discord or developer platforms like GitHub repositories.\r\nAs the second-stage artifact, the threat actor employs various files, with the most common types being text files,\r\nimages and .NET executables. These are usually encoded or obfuscated.\r\nSteganography used in a BlindEagle campaign\r\nThe text files often contain a payload encoded in base64, ASCII or a combination of both. For images, the group\r\nhas explored using steganography techniques to hide similarly encoded malicious code. 
The executable files\r\ntypically masquerade as legitimate and contain the next malicious payload within their resource section.\r\nIn the next phase, the malicious code is extracted if needed and decoded by the initial dropper, yielding an\r\nintermediate file that, judging by the campaigns we have monitored, can be either a DLL or a .NET injector. This\r\nfile calls yet another malicious server, whose address is also hardcoded in the executable, to download the final\r\npayload: the open-source RAT.\r\nDuring this intermediate phase, the group often uses process injection techniques to execute the RAT in the\r\nmemory of a legitimate process, thereby evading process-based defenses. The group’s preferred technique is\r\nprocess hollowing. This technique consists of creating a legitimate process in a suspended state, then unmapping\r\nits memory, replacing it with a malicious payload, and finally resuming the process to start execution.\r\nCyber-espionage or a financial attack: Actually, both\r\nBlindEagle uses open-source RATs as the final link in their attack chain, which they modify in a way that suits\r\ntheir campaign objectives. This approach gives them the flexibility to adapt their malware with minimal effort, as\r\nthey do not need to develop implants from scratch. We have observed a wide variety of RATs used by the group,\r\nwith notable examples including AsyncRAT, njRAT, Lime-RAT, Quasar RAT and BitRAT.\r\nThe group demonstrates great adaptability between campaigns. For example, in some of its financial attacks, the\r\nthreat actor utilized a modified version of the Quasar RAT, a malware primarily used for espionage but in this\r\ncase, repurposed as a banking Trojan to specifically target customers of financial institutions in Colombia.\r\nThe group modified the RAT by adding functionality to capture information from the victim’s browser to intercept\r\ncredentials for banking services. 
After execution, the malware monitored newly opened browser windows. If the\r\ntitles of any of these windows returned a match with a list of strings relating to ten Colombian financial entities,\r\nthe RAT initiated keylogging to capture the login credentials for these entities’ online services.\r\nA version of Quasar RAT modified to steal financial credentials\r\nWhen it comes to espionage campaigns, the group turns to Trojans like njRAT. Modified versions of this malware\r\nallow them to capture sensitive information from their victims through keylogging and application monitoring.\r\nAdditionally, the RAT exfiltrates system information and screenshots to C2 servers and can create RDP sessions or\r\neven install additional plugins. In one of the recent campaigns we have detected, the group modified this RAT to\r\nadd the capability to install plugins sent from the C2 in the form of .NET assemblies or other binary files.\r\nImproving flight precision\r\nThe group has always been known for using simple yet highly effective tactics and techniques: straightforward\r\nphishing, basic encoding and obfuscation methods, and the use of publicly available malware. However, during\r\nthe latest campaigns, we have observed changes in the group’s techniques, reinforcing the idea of “adapt or\r\nperish”.\r\nIn May this year, for instance, the group conducted a new espionage campaign targeting Colombia. 
During this\r\noperation, BlindEagle employed an infection process featuring artifacts with strings and variable names entirely in\r\nPortuguese (instead of the Spanish they had predominantly used before) and utilized Brazilian image hosting sites.\r\nAlthough not definitive, these elements could hint at the involvement of third parties with the group, either\r\nthrough collaboration or outsourcing to increase their attack capacity.\r\nMore recently, in June, we observed an espionage campaign that also targeted Colombia in which the group\r\nintroduced a new technique into their arsenal. The campaign followed all the group’s usual TTPs, but this time,\r\nadded a DLL sideloading twist and a new modular malware loader dubbed “HijackLoader”.\r\nThe attack was initiated through phishing emails impersonating Colombia’s judicial institutions and containing\r\nmalicious PDF or DOCX files masquerading as a demand notice or a court summons. The victims were tricked\r\ninto opening the attached files and clicking embedded links to download fictitious lawsuit documents, allegedly to\r\nresolve the previously mentioned legal issues. These documents were actual legitimate executable files signed by\r\nASUS or IObit. They invoked malicious DLLs through sideloading, ultimately executing a version of\r\nHijackLoader that injected the spy RAT: in this case, AsyncRAT.\r\nVictims\r\nSince its inception, BlindEagle has been conducting persistent campaigns targeting entities and individuals,\r\nparticularly in Colombia and other Latin American countries, such as Ecuador, Chile and Panama.\r\nIn the espionage campaigns we observed in May and June this year, the group primarily targeted individuals and\r\norganizations in Colombia, which accounted for 87% of the detected victims. 
These attacks involved entities\r\nacross various sectors, notably government, education, health and transportation.\r\nTactics, techniques and procedures (TTPs)\r\nAlthough the group’s toolset varies greatly, as do their goals, they employ a range of tactics, techniques, and\r\nprocedures that are consistently used across their various campaigns. Below are some key TTPs that frequently\r\nrecur:\r\nPhishing impersonating governmental entities as the spreading method. In some campaigns, particularly\r\nthose involving financial attacks, the group impersonates banking institutions.\r\nAttached PDFs and DOCX files containing embedded links.\r\nURL shortener services employed for geolocation filtering.\r\nDynamic DNS services utilized for resolving the addresses of servers hosting the group’s malicious\r\nartifacts.\r\nPublic infrastructure used to host some of the malicious artifacts (image hosting services, pastebin sites,\r\nGitHub repositories and the Discord CDN, among others).\r\nProcess hollowing applied for injecting malicious code into legitimate processes during intermediate stages\r\nof the attack.\r\nVBS scripts and .NET assemblies employed as intermediate artifacts.\r\nOpen-source RATs used as the final payload in the attack.\r\nConclusions\r\nAs simple as BlindEagle’s techniques and procedures may appear, their effectiveness allows the group to sustain a\r\nhigh level of activity. By consistently executing cyber-espionage and financial credential theft campaigns,\r\nBlindEagle remains a significant threat in the region.\r\nAdditionally, the group is exploring alternative strategies within their infection processes and adding new\r\ntechniques to their arsenal to sustain their operations and maintain their impact. 
BlindEagle continues to fly high,\r\nand we will maintain vigilant monitoring of their activity.\r\nIoCs\r\n18eb0a413b80a548d2b615e11fc580cd\r\n53231da42b6f19d2a6b59700f822be6a\r\n69d218a3cd86a194d8fbc22c487096bc\r\n7b72f2775b7bf33c9778533480d34e04\r\nSource: https://securelist.com/blindeagle-apt/113414/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/blindeagle-apt/113414/"
	],
	"report_names": [
		"113414"
	],
	"threat_actors": [
		{
			"id": "98b22fd7-bf1b-41a6-b51c-0e33a0ffd813",
			"created_at": "2022-10-25T15:50:23.688973Z",
			"updated_at": "2026-04-10T02:00:05.390055Z",
			"deleted_at": null,
			"main_name": "APT-C-36",
			"aliases": [
				"APT-C-36",
				"Blind Eagle"
			],
			"source_name": "MITRE:APT-C-36",
			"tools": [
				"Imminent Monitor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "be597b07-0cde-47bc-80c3-790a8df34af4",
			"created_at": "2022-10-25T16:07:23.407484Z",
			"updated_at": "2026-04-10T02:00:04.58656Z",
			"deleted_at": null,
			"main_name": "Blind Eagle",
			"aliases": [
				"APT-C-36",
				"APT-Q-98",
				"AguilaCiega",
				"G0099"
			],
			"source_name": "ETDA:Blind Eagle",
			"tools": [
				"AsyncRAT",
				"BitRAT",
				"Bladabindi",
				"BlotchyQuasar",
				"Imminent Monitor",
				"Imminent Monitor RAT",
				"Jorik",
				"LimeRAT",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Socmer",
				"Warzone",
				"Warzone RAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bd43391b-b835-4cb3-839a-d830aa1a3410",
			"created_at": "2023-01-06T13:46:38.925525Z",
			"updated_at": "2026-04-10T02:00:03.147197Z",
			"deleted_at": null,
			"main_name": "APT-C-36",
			"aliases": [
				"Blind Eagle"
			],
			"source_name": "MISPGALAXY:APT-C-36",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434715,
	"ts_updated_at": 1775826696,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/560b0c22ba82252a8e1d75ed12936f7522ba8e37.pdf",
		"text": "https://archive.orkl.eu/560b0c22ba82252a8e1d75ed12936f7522ba8e37.txt",
		"img": "https://archive.orkl.eu/560b0c22ba82252a8e1d75ed12936f7522ba8e37.jpg"
	}
}