{
	"id": "cc58b1e1-c14d-4e40-93b1-53500f881835",
	"created_at": "2026-04-06T00:22:31.160723Z",
	"updated_at": "2026-04-10T03:36:47.81644Z",
	"deleted_at": null,
	"sha1_hash": "67a7e63baf71300341926bcebb9745fa9d716cc1",
	"title": "BlindEagle Leveraging BlotchyQuasar | ThreatLabz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1351955,
	"plain_text": "BlindEagle Leveraging BlotchyQuasar | ThreatLabz\r\nBy Gaetano Pellegrino\r\nPublished: 2024-09-05 · Archived: 2026-04-02 10:56:19 UTC\r\nTechnical Analysis\r\nOverview\r\nA BlindEagle attack chain typically originates with a phishing email that contains a PDF attachment and a URL that points\r\nto a ZIP archive file. The PDF attachment contains the same URL as the one provided in the email body. In other words, the\r\nZIP file can be downloaded either from the PDF or directly from the email.\r\nUpon clicking the URL (in either the email body or PDF), the victim downloads a ZIP archive from a Google Drive folder.\r\nThis specific folder is under the ownership of a compromised account belonging to a regional government organization in\r\nColombia. The ZIP archive contains a .NET BlotchyQuasar executable.\r\nThe figure below provides a high-level overview of the attack chain.\r\nFigure 1: A high-level overview of a BlindEagle attack chain, where the initial phishing email includes a download URL for\r\na password-protected compressed archive and the final payload is a packed BlotchyQuasar sample.\r\nPhishing email as initial vector\r\nIn the phishing email, the threat actor impersonated the Dirección de Impuestos y Aduanas Nacionales (DIAN), which is the\r\nColombian National Tax and Customs Authority. The lure used by BlindEagle involved sending a notification to the victim,\r\nclaiming to be a seizure order due to outstanding tax payments. This is intended to create a sense of urgency and pressure the\r\nvictim into taking immediate action. Our observations indicate that a substantial number of the targeted individuals are\r\nemployees within the Colombian insurance industry.\r\nThe figure below shows the phishing email, which includes the PDF and download URL, spoofing the Colombian tax\r\nauthority. 
\r\nhttps://www.zscaler.com/it/blogs/security-research/blindeagle-targets-colombian-insurance-sector-blotchyquasar\r\nPage 1 of 8\n\nFigure 2: Example BlindEagle phishing email spoofing DIAN with a PDF attachment and malicious link in the email body.\r\nThe download URL directs the victim to a password-protected ZIP archive. The password necessary to open the archive is\r\nprovided within the email body.\r\nThis ZIP archive is hosted on a Google Drive folder, which is associated with a compromised Gmail account owned by a\r\ngovernment organization with a \".gov.co\" top-level domain.\r\nBased on analysis of the phishing email's metadata, the threat actor likely sent the emails from their own infrastructure.\r\nSpecifically, the first Received header in the email indicates that the message originated from the IP address 69.167.8.118,\r\nwhich is associated with Powerhouse Management VPN. Powerhouse Management is a VPN service known to be utilized\r\nby BlindEagle to obfuscate the true source of their malicious activities and acquire IP addresses that are geographically close\r\nto their intended targets.\r\nBlotchyQuasar\r\nBlotchyQuasar is a powerful RAT that possesses a wide range of capabilities. It can log keystrokes, execute shell commands,\r\nand perform various other functions. Since BlotchyQuasar is a variant of QuasarRAT, we will not delve into a detailed\r\nanalysis of its functionalities. Instead, in the following sections, we will concentrate on specific aspects that have not been\r\nextensively covered in previous publications.\r\nLoader\r\nAs shown in the figure below, BlotchyQuasar is concealed within multiple layers of protection. Each layer consists of a\r\n.NET executable that has been safeguarded using either commercial or open-source obfuscators like DeepSea or\r\nConfuserEx. 
These obfuscators are employed to make the code more complex and challenging to analyze, hindering reverse\r\nengineering attempts.\r\nFigure 3: Nested structure of the BlotchyQuasar sample.\r\nLayer 1 is the outer executable file that is contained within the ZIP archive. It decrypts the Layer 2 data that is contained in\r\na resource named vh by utilizing a custom XOR-based algorithm. Layer 2 consists of a DLL with the\r\nname SimpleLogin.dll. When executed, SimpleLogin.dll loads and extracts the contents of a GZip-compressed\r\nresource named key0. Within this resource lies another DLL, Gamma.dll, which provides a utility for converting integers\r\nto Unicode characters. This utility is used to compose the name of a resource within Layer 1, which is subsequently loaded\r\nby SimpleLogin.dll. This resource is named HSOm and is stored as a bitmap image that undergoes a transformation\r\nprocess. This transformation involves discarding the last 150 rows and the last 150 columns of the image. Additionally, the\r\nrow and column pixel coordinates are inverted. The figure below shows the bitmap when rendered.\r\nFigure 4: The resource HSOm rendered as a bitmap containing the Layer 3 data.\r\nBy extracting the ARGB values from each pixel, another DLL named Tyrone.dll is obtained. This DLL represents\r\nLayer 3, which decrypts the final payload by loading a resource named SIxfc1 and applying a custom XOR-based\r\nalgorithm. This produces an executable file named Client.exe, which is a BlotchyQuasar malware sample.\r\nObtaining the C2\r\nThe installation steps completed by BlotchyQuasar are discussed in a previous publication. In the sample we analyzed, we\r\nobserved a similar process. 
However, the procedure employed to obtain the command-and-control (C2) domain has not been\r\npreviously analyzed.\r\nWhen BlotchyQuasar is executed, the C2 server location is retrieved from Pastebin. The specific URL used to fetch the paste\r\nis hXXps://pastebin[.]com/raw/XAfmb6xp. The content of the paste is an encrypted string, as shown in the example below.\r\n(The relevant part is highlighted in bold and separated by the two “¡” symbols.)\r\nGNNwsubynrt5oCZ+pAP97K9Sizq1eRn8XQQ8yxktdrbYQL263pZf+aQwkap8YEa09tg1w69qsZYEwGWF482CW3WBNKOJESQBz8IXYNzbbf+jrHU\r\nThis encrypted string is divided into three parts, with the symbol \"¡\" serving as a separator. Of particular interest is the\r\nmiddle part, enclosed by the separators (i.e., CllIOSeGR/pSE1OqzWOtN5zIKVp5TOLPJ1rBUGNg5fA=). This string is Base64\r\ndecoded and decrypted using standard 3DES encryption in ECB mode with PKCS7 padding. The 3DES key used is derived\r\nfrom the MD5 hash of the string qualityinfosolutions. In the provided example, the resulting C2 domain\r\nis edificiobaldeares.linkpc[.]net. The C2 communication for this sample leveraged the hardcoded port 9057.\r\nMonitoring the consumption of banking \u0026 payment services\r\nBlotchyQuasar implements a multitude of features, including the ability to monitor a victim's interactions with specific\r\nbanking and payment services. In order to identify such events, the malware examines the title of each newly opened\r\nwindow. If the window title contains certain predefined strings associated with the targeted services, BlotchyQuasar logs a\r\nreference to indicate the occurrence of the interaction.\r\nThe figure below shows an example log collected with references to several banking and payment services. In the example\r\nprovided, websites for Banco Coomeva, Banco de Machala, and PayPal services were accessed. 
The log, in this case, is a\r\nsimple XML document that contains all the references within elements labeled as NameCliente. This log file,\r\nnamed settings.xml, is stored on the disk within the startup folder of the compromised system.\r\nFigure 5: Example BlotchyQuasar log containing references to the victim’s interaction with specific banking and payment\r\nservice providers.\r\nThe table below lists the organizations that BlotchyQuasar targets. Since the list mainly includes Colombian and Ecuadorian\r\nbanks, the malware was most likely designed to target individuals in those countries.\r\nOrganization Location\r\nBBVA Global\r\nBanco AV Villas Colombia\r\nBanco Bolivariano Ecuador\r\nBanco Caja Social Colombia\r\nBanco Coomeva Colombia\r\nBanco Davivienda Colombia\r\nBanco Guayaquil Ecuador\r\nBanco Internacional Ecuador\r\nBanco Pichincha Ecuador\r\nBanco Popular Colombia Colombia\r\nBanco de Bogotá Colombia\r\nBanco de Machala Ecuador\r\nBanco de la Producción Ecuador\r\nBanco del Austro Ecuador\r\nBanco del Pacifico Ecuador\r\nBancolombia Colombia\r\nPayPal Global\r\nScotiabank Colpatria Colombia\r\nTransUnion Global\r\nTable 1: List of banking and payment service providers targeted by BlotchyQuasar.\r\nKeylogging\r\nBlotchyQuasar provides keylogging functionality, with the keylogging module set to flush logs every 15 seconds. These logs\r\nare stored in the %APPDATA%\\GPrets directory with the filename format MM-dd-yyyy (e.g., 06-18-2024). The log file is\r\nstructured according to the figure below, which details the captured keylogging data.\r\nFigure 6: Structure of a BlotchyQuasar key log.\r\nThe initial 32 bytes of the encrypted log file comprise an HMAC-SHA256 hash of the remaining content that is used as an\r\nintegrity check. 
The subsequent 16 bytes store an AES initialization vector (IV) that is randomly generated per file. The AES\r\nkey is hardcoded within the malware's configuration class. In the sample analyzed by ThreatLabz, the AES key was\r\nrepresented by the Base64-encoded string 1WvgEMPjdwfqIMeM9MclyQ==. BlotchyQuasar uses AES in CBC mode (Cipher\r\nBlock Chaining) with PKCS7 padding. The remaining portion of the file following the IV encompasses the encrypted log\r\ndata itself.\r\nA Python implementation of the BlotchyQuasar keylogging decryption routine is shown in the code sample below.\r\nfrom Crypto.Cipher import AES\r\nfrom Crypto.Util.Padding import unpad\r\n\r\n\r\ndef decrypt(log: bytes, key: bytes) -\u003e bytes:\r\n    # Key log layout: [0:32] HMAC-SHA256 tag, [32:48] AES IV, [48:] ciphertext\r\n    encrypted_payload = log[48:]\r\n    iv = log[32:48]\r\n    cypher = AES.new(key, AES.MODE_CBC, iv)\r\n    decrypted_payload = cypher.decrypt(encrypted_payload)\r\n    block_size = cypher.block_size\r\n    # Strip the PKCS7 padding to recover the plaintext (HTML) log\r\n    decrypted_payload = unpad(decrypted_payload, block_size, \"pkcs7\")\r\n    return decrypted_payload\r\nAs illustrated in the figure below, the decrypted logs are stored in HTML format.\r\nFigure 7: Example decrypted key log data created by BlotchyQuasar.\r\nStealing capabilities\r\nBlotchyQuasar targets the browser and FTP client applications shown in the table below.
\r\nApplication Type Targeted Data\r\nChrome Browser Saved passwords, Cookies\r\nChromium Browser Saved passwords, Cookies\r\nInternet Explorer Browser URL history\r\nFirefox Browser Saved passwords, Cookies\r\nOpera Browser Saved passwords, Cookies\r\nYandex Browser Saved passwords, Cookies\r\nFileZilla FTP client Saved passwords\r\nWinSCP FTP client Saved passwords\r\nTable 2: Applications targeted by BlotchyQuasar for information-stealing purposes.\r\nInfrastructure\r\nBlotchyQuasar accesses Pastebin to retrieve the current C2 domain. The structure of the Pastebin content and the decryption\r\nprocedure is unique, which enabled us to identify additional pastes consumed by BlotchyQuasar samples. By successfully\r\ndecrypting these pastes, we uncovered three more C2 domains:\r\nequipo.linkpc[.]net\r\nperfect5.publicvm[.]com\r\nperfect8.publicvm[.]com\r\nAll those domains share a few characteristics:\r\nFirst, these domains are extensions of second-level domains (SLDs) associated with Dynamic DNS service providers.\r\nSecond, they exhibit a consistent pattern in their resolution history. Specifically, they predominantly resolve to IP\r\naddresses that belong to two primary sets. The first set comprises nodes associated with specific VPN services,\r\nnamely Powerhouse Management, PrivateVPN, and ParadiseNetworks.\r\nThe second set comprises IP addresses associated with specific Colombian internet service providers (ISPs), namely\r\nColombia Movil, Telmex Colombia, and Tigo. These IP addresses are likely indicative of compromised routers. 
This\r\ninformation aligns with publicly disclosed findings about the infrastructure under the control of the BlindEagle threat\r\nactor.\r\nBy shifting our focus towards the resolving IP addresses, we gained further insights into the infrastructure underpinning\r\noperations similar to the one described in this blog. We discovered additional domains that exhibited similar characteristics.\r\nWhile we lack sufficient information to definitively establish that these domains are controlled by the same threat actor, they\r\ncontinue to pose threats to individuals and organizations. Notably, these domains have been utilized, and may still be in use,\r\nas C2 servers for various commodity malware families, including njRAT, QuasarRAT, RevengeRAT, and others. It is crucial\r\nto remain vigilant as these domains could potentially be employed for malicious activities in the future.\r\nAs an example, the table below displays the date of first submission on VirusTotal of various QuasarRAT samples\r\ncommunicating with the domain edificiobaldeares.linkpc[.]net. This domain was utilized as a C2 server from July 2022\r\nand remained active until March 2024. 
Since a similar pattern repeats in other domains, we strongly recommend blocking them.\r\nFirst Submission Date MD5 Malware Family\r\n18-07-2022 a73057824a65a5ac982e298a80febf61 QuasarRAT\r\n21-07-2022 bd4505316254f00329431fb8b2888643 QuasarRAT\r\n22-07-2022 d2fc372302180fbabe18c425aa4a0a72 QuasarRAT\r\n22-07-2022 c944cb638364c74431bf1dbe7dd329ff QuasarRAT\r\n24-07-2022 64e6ad512eff12e971efdd8979086c5c QuasarRAT\r\n26-07-2022 a1f5091ad4e12f922a8e760e0980ab66 QuasarRAT\r\n29-07-2022 ad578125b337168c976ff5e7e1b190b8 QuasarRAT\r\n01-08-2022 e21b4c9d9da81deea2381f9b988b0f99 QuasarRAT\r\n04-08-2022 07f661aeeb0774f0cb84b0a5e970c2a5 QuasarRAT\r\n09-08-2022 c4a946903cc9e9a84763ac1731cdd7dd QuasarRAT\r\n11-08-2022 75a40cc019c39e3c2800fb2fe5aba1d3 QuasarRAT\r\n12-08-2022 0fa40788b75896a452398b6a49cc62b6 QuasarRAT\r\n15-08-2022 59a4f7aed1e3a0718592fb536e987a1d QuasarRAT\r\n16-08-2022 456211df625002df378cf0f4af9d1a6f QuasarRAT\r\n17-08-2022 0f35306ad4fede9a9ba0276a5e788138 QuasarRAT\r\n19-08-2022 6044b126afb86682b4a3440e2924c079 QuasarRAT\r\n19-08-2022 b432e8ff5797fbaf5808d95d46524647 QuasarRAT\r\n20-08-2022 a31ff54f33ced7b4180f87afb18185a7 QuasarRAT\r\n20-08-2022 e3239ac16c6fe9c99d6fac0867121a88 QuasarRAT\r\n07-07-2023 2784a9fc64d244b14e7d8e4d03f41265 QuasarRAT\r\n06-03-2024 3125ae6b1462b0b48dc06bc47d8ddbc7 QuasarRAT\r\nTable 3: The most recent recorded interactions between various QuasarRAT malware samples and the\r\ndomain edificiobaldeares.linkpc[.]net.\r\nSource: https://www.zscaler.com/it/blogs/security-research/blindeagle-targets-colombian-insurance-sector-blotchyquasar",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/it/blogs/security-research/blindeagle-targets-colombian-insurance-sector-blotchyquasar"
	],
	"report_names": [
		"blindeagle-targets-colombian-insurance-sector-blotchyquasar"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434951,
	"ts_updated_at": 1775792207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/67a7e63baf71300341926bcebb9745fa9d716cc1.pdf",
		"text": "https://archive.orkl.eu/67a7e63baf71300341926bcebb9745fa9d716cc1.txt",
		"img": "https://archive.orkl.eu/67a7e63baf71300341926bcebb9745fa9d716cc1.jpg"
	}
}