{
	"id": "ea2a6fd3-517b-4b43-b3e3-e1e62bb43c89",
	"created_at": "2026-04-06T00:16:19.485557Z",
	"updated_at": "2026-04-10T03:35:20.350001Z",
	"deleted_at": null,
	"sha1_hash": "bc1137ca21f3e152cb17a50db37392918313cb6a",
	"title": "Malware Analysis: Blind Eagle's North American Journey",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 13801710,
	"plain_text": "Malware Analysis: Blind Eagle's North American Journey\r\nBy eSentire Threat Response Unit (TRU)\r\nArchived: 2026-04-05 17:54:30 UTC\r\nKey takeaways:\r\nAnde Loader is utilized in this campaign to deliver the final payloads: Remcos RAT and NjRAT.\r\nBlind Eagle threat actor(s) have been using crypters written by Roda and Pjoao1578.\r\nOne of the crypters developed by Roda has the hardcoded server hosting both injector components of the\r\ncrypter and additional malware that was used in the Blind Eagle campaign.\r\nWe observed Blind Eagle threat actor(s) targeting Spanish-speaking users in the manufacturing industry\r\nbased in North America.\r\nBlind Eagle Case Study\r\nBlind Eagle, also tracked as APT-C-36, first appeared around 2018. The alleged threat actor(s) originated from\r\nSouth America and is known to target Colombia and other countries in the region. The threat actor(s) employ\r\nphishing emails to establish an initial foothold.\r\nIn 2021, Trend Micro published a blog post mentioning various RAT variants deployed by Blind Eagle threat\r\nactors, such as njRAT, Remcos, Imminent Monitor, AsyncRAT, LimeRAT, BitRAT, and Warzone RAT.\r\nRecently, the eSentire Threat Response Unit (TRU) observed Blind Eagle threat actor(s) targeting the\r\nmanufacturing industry. The users received the phishing email that contained the link to download the RAR and\r\nBZ2 archives with a malicious VBS file inside.\r\nAnde Loader Analysis\r\nCase One\r\nThe RAR archive is password-protected and contains the malicious VBS file. The VBS file contains the code\r\nresponsible for copying the VBS file into the Startup folder for persistence\r\n(\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup) using File.Copy method.\r\nBefore copying the file into the Startup folder, it introduces the delay with the command “cmd.exe /c ping\r\n127.0.0.1 -n 10”. 
Later in the script, there is obfuscated code with a simple “Replace” call that yields a Base64-encoded PowerShell command to load an assembly ($rOWg), retrieve a specific type (Fiber.Home), and invoke a method (VAI) on that type. The method is invoked with an array of parameters (Figure 2).\r\nhttps://www.esentire.com/blog/blind-eagles-north-american-journey\r\nPage 1 of 28\n\nFigure 1: Snippet of the obfuscated PowerShell command\r\nFigure 2: PowerShell command containing the array of parameters\r\nThe infection chain is shown below.\r\nFigure 3: Infection chain\r\nUpon decoding the Base64-encoded command, we discovered a .NET binary (MD5: 48b6064beec687fc110145cf7a19640d). The .NET binary is obfuscated with YanoObfuscator version 1.0.15.0. The string decryption function applies XOR and bitwise operations to each character in the input string, using a changing key (num) derived from the provided integer. The modified characters are stored in an array, which is then converted back to a string and returned as the decrypted result.\r\nHere’s how the decryption works:\r\nThe function initializes two variables: num is set to 356636782 + A_1, and num2 is set to 0.\r\nThe input string A_0 is converted into a character array.\r\nThe function enters a loop. num2 acts as a state variable for the loop; within each iteration, it checks the value of num2 to determine the appropriate action:\r\nIf num2 is 0, it sets num3 to 0 and proceeds to the next step.\r\nIf num2 is 1, it initializes num3 to 0.\r\nIf num2 is 2, it increments num3 and proceeds to the next step.\r\nIf num2 is 3, it skips to the next iteration of the loop.\r\nIf num3 is greater than or equal to the length of the array, it breaks out of the loop.\r\nOtherwise, it performs bitwise operations on the character at index num3 in the array:\r\nIt applies an XOR operation between the lower 8 bits of the character and the current value of num.\r\nIt shifts the resulting value 8 bits to the left and combines it with the XOR operation between the upper 8 bits of the character and the incremented value of num.\r\nThe resulting value is stored back in the array at the same index.\r\nIt sets num2 to 2 to continue the loop.\r\nAfter the loop finishes, the modified array is converted back to a string using the string constructor. The resulting string is then returned as the decrypted value.\r\nFigure 4: Obfuscated strings\r\nFigure 5: Decryption algorithm\r\nWe can run the obfuscated binary through de4dot to get the strings decrypted.\r\nFurther analyzing the code, it performs a string replacement to produce the URL from which it downloads a text file, and then reverses the contents of the file.\r\nIt then compares the parameters '1No1me_Startup' and '2No3me_3tartup' that are passed in the PowerShell command mentioned above to 1 and 2. If neither matches, the code skips persistence and proceeds directly to decoding the contents of the downloaded file.\r\nIf the first comparison to “1” is true, then:\r\nThe code creates a new .vbs file in the %AppData% folder only if there are no .vbs files already in that directory. It does this by starting a new process to run a PowerShell command that copies all .vbs files from the current directory to the %AppData% directory.\r\nThen, it opens the Run registry key, which stores the programs that should run at logon. If there isn't already a registry entry named \"Path\", it creates one with the path to the .vbs file. This will cause the .vbs file to run every time the user logs on.\r\nFinally, it runs the function Tools.Ande(Convert.FromBase64String(text2)). 
This involves converting text2 from a Base64 string back to a byte array, and then passing this byte array to the Ande method of the Tools class.\r\nFigure 6: The first evaluation\r\nIf the second comparison to “2” is true, then similarly to the first block, this block of code creates a new .vbs file in the %AppData% directory if there are no .vbs files in that directory already. Then, it creates a shortcut in the Windows Startup folder. The shortcut points to a PowerShell command that, when launched, waits for 5 seconds and then starts the .vbs file.\r\nThe PowerShell command to run the .vbs file would look like this:\r\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -WindowStyle Hidden Start-Sleep 5; Start-Process C:\\Users\\Username\\AppData\\Roaming\\\u003cGUID\u003e.vbs\r\nThe shortcut is created with some specific properties, such as the Notepad icon and the description set to \"Microsoft\". The creation of this shortcut will cause the .vbs script to be run every time the user logs in to Windows.\r\nThe naming format “{0}_{1:N}.lnk” means that the shortcut name is composed of two parts separated by an underscore:\r\n{0}: This placeholder will be replaced with the filename of the .vbs file (without the extension).\r\n{1:N}: This placeholder will be replaced with a new GUID (Globally Unique Identifier). The :N format specifier makes the GUID more compact by removing the hyphens.\r\nFinally, it also runs the same Tools.Ande(Convert.FromBase64String(text2)) function.\r\nIn both cases, the script is set up to run at each logon, albeit through slightly different mechanisms. 
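The two decoding steps described above, the Yano string decryptor (Figure 5) and the reverse-then-Base64-decode handling of the downloaded text file, as an added Python example that is not code from the eSentire post or from Ande Loader itself. The byte layout of the XOR routine is reconstructed from the prose description and is an assumption to verify against a real sample; the payload bytes and key offsets used below are constructed for the example:

```python
import base64
import hashlib

# Added example, not code from the eSentire post. Reimplements, from the
# prose description of Figure 5, the Yano-style string decryptor used by
# Ande Loader, and the reverse-then-Base64-decode step the loader applies
# to the downloaded text file. The byte layout of the .NET routine is an
# assumption made from the description; verify it against a real sample.

SEED = 356636782  # the constant named in the description (num = 356636782 + A_1)


def yano_decrypt(encrypted: str, key_offset: int) -> str:
    '''Decrypt one obfuscated string (A_0) with its per-string integer (A_1).

    The flattened num2/num3 state machine in the decompiled code is just a
    for-loop over the characters. For each UTF-16 code unit c it computes
        ((c & 0xFF) ^ num) << 8 | ((c >> 8) ^ (num + 1))
    and advances num, i.e. a rolling XOR with the two bytes swapped.
    '''
    num = SEED + key_offset
    out = []
    for c in map(ord, encrypted):
        high = ((c & 0xFF) ^ num) & 0xFF         # low byte XOR num becomes the new high byte
        low = ((c >> 8) ^ (num + 1)) & 0xFF      # high byte XOR (num+1) becomes the new low byte
        num += 2                                 # assumption: num advanced once per byte
        out.append(chr((high << 8) | low))
    return ''.join(out)


def yano_encrypt(plain: str, key_offset: int) -> str:
    '''Inverse of yano_decrypt; used here only to build test strings.'''
    num = SEED + key_offset
    out = []
    for c in map(ord, plain):
        low = ((c >> 8) ^ num) & 0xFF            # undo the high byte: c_hi ^ num
        high = ((c & 0xFF) ^ (num + 1)) & 0xFF   # undo the low byte: c_lo ^ (num+1)
        num += 2
        out.append(chr((high << 8) | low))
    return ''.join(out)


def reverse_b64_encode(data: bytes) -> str:
    '''The on-server form of the text file: Base64 of the payload, written
    backwards. Helper for building sample input; the real file is actor-hosted.'''
    return base64.b64encode(data).decode('ascii')[::-1]


def recover_payload(downloaded_text: str) -> bytes:
    '''What Ande Loader does with the text file: reverse it, then Base64-decode.'''
    return base64.b64decode(downloaded_text.strip()[::-1], validate=True)


def triage(payload: bytes) -> dict:
    '''Minimal triage of the recovered stage: PE magic, size, and a hash to hunt on.'''
    return {
        'is_pe': payload[:2] == b'MZ',
        'size': len(payload),
        'md5': hashlib.md5(payload).hexdigest(),
    }


if __name__ == '__main__':
    blob = yano_encrypt('RegAsm.exe', 17)
    print(repr(blob), '->', yano_decrypt(blob, 17))
    stage = b'MZ' + bytes(62)  # constructed stand-in for the next-stage assembly
    print(triage(recover_payload(reverse_b64_encode(stage))))
```

The encrypt function exists only to build test data: because the routine is a rolling XOR with a byte swap, its inverse is the same loop with the two XOR terms exchanged. For a real sample, take each (A_0, A_1) pair from the call sites that de4dot could not resolve and feed them to yano_decrypt; if the output is garbage, the increment step or the byte order is where the assumption differs from the sample.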
The branch for the \"1\" comparison achieves persistence through the Windows Registry Run key, whereas the branch for the \"2\" comparison uses a shortcut in the Startup folder to achieve the same goal.\r\nFigure 7: The first evaluation\r\nLet’s go back to the beginning of the VAI method.\r\nThe method VAI takes three arguments of type string. The arguments are as follows:\r\nQBXtX: This is a string parameter at the end of the PowerShell command and is used as input for the method; the parameter is used as part of the URL deobfuscation.\r\nstartup: This is another string parameter at the end of the PowerShell command and is used to evaluate the first condition by comparing it to ‘1’.\r\nstartup_reg: This is the third string parameter used as input for the method and is used to evaluate the second condition by comparing it to ‘2’.\r\nAs shown below, after reversing the first string parameter and substituting certain ASCII characters, the output is the URL of the text file that contains the reversed Base64-encoded blob.\r\nFigure 8: URL obfuscation\r\nFigure 9: Reversed Base64-encoded blob\r\nAfter reversing the Base64-encoded blob back into the correct order and Base64-decoding it, Ande Loader loads a dynamic-link library (DLL) into the current process. The specific library to be loaded is determined by the value stored in a variable; the loader then retrieves the address of a function within the loaded DLL. 
The function name is determined by the value stored in variable A, as shown below.\r\nFigure 10: Loading functions from the library\r\nEventually, Ande Loader injects the payload into the RegAsm process using the following functions:\r\nCreateProcessA – creates the process in a suspended state with the CREATE_SUSPENDED flag.\r\nGetThreadContext / Wow64GetThreadContext (depending on the OS) – obtains the current context of the suspended thread.\r\nReadProcessMemory – used to read data from the memory of a specified process.\r\nZwUnmapViewOfSection – used to unmap a section of a mapped executable image or a shared data file from the virtual address space of a process.\r\nVirtualAllocEx – used to allocate memory within the virtual address space of a specified process. In our example, the value 12288 (0x3000) corresponds to the MEM_COMMIT | MEM_RESERVE constant, indicating that the memory should be both reserved and committed; it is passed as the fourth argument to the function. The value 64 (0x40) is the memory protection flag for the allocated region and corresponds to the PAGE_EXECUTE_READWRITE constant, indicating that the allocated memory should be readable, writable, and executable; it is passed as the fifth argument to the function.\r\nWriteProcessMemory – used to write data to the memory of a specified process.\r\nSetThreadContext / Wow64SetThreadContext – used to set the thread context (registers and flags) for a thread.\r\nResumeThread – used to resume the execution of a suspended thread within a process.\r\nFigure 11: Process injection\r\nThe final payload dropped by Ande Loader is Remcos RAT (Remote Access Tool), which is sold online by BreakingSecurity. The eSentire Threat Response Unit (TRU) will release the technical malware analysis of Remcos RAT separately in the future. 
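The API chain above is a usable detection signature. The following added Python example (not eSentire detection content, and not code from the post) walks an API trace and reports a child process only when CreateProcess with CREATE_SUSPENDED, an unmap, an RWX allocation with MEM_COMMIT | MEM_RESERVE, a write, SetThreadContext and ResumeThread all occur in that order against the same target pid. The trace format, pids and image names are constructed for the example:

```python
import re

# Added example, not code from the eSentire post: flags the process-hollowing
# API chain listed above when it appears in an API trace. The trace format
# (one call per line, space-separated key=value fields) is a constructed
# stand-in for a sandbox or EDR export; adapt parse_event() to your source.

CREATE_SUSPENDED = 0x00000004        # CreateProcess dwCreationFlags bit
MEM_COMMIT_RESERVE = 0x3000          # 12288 = MEM_COMMIT | MEM_RESERVE
PAGE_EXECUTE_READWRITE = 0x40        # 64


def num(value: str) -> int:
    '''Parse a numeric field written as decimal (12288) or hex (0x3000).'''
    return int(value, 0)


# The chain in the order the loader issues it against the child process:
# (canonical API name, predicate over the parsed event). GetThreadContext
# and ReadProcessMemory are deliberately optional: some hollowers skip them
# and their absence should not suppress a hit.
HOLLOWING_CHAIN = [
    ('CreateProcess', lambda ev: (num(ev.get('flags', '0')) & CREATE_SUSPENDED) != 0),
    ('UnmapViewOfSection', lambda ev: True),
    ('VirtualAllocEx', lambda ev: (num(ev.get('type', '0')) == MEM_COMMIT_RESERVE
                                   and num(ev.get('protect', '0')) == PAGE_EXECUTE_READWRITE)),
    ('WriteProcessMemory', lambda ev: True),
    ('SetThreadContext', lambda ev: True),
    ('ResumeThread', lambda ev: True),
]


def canonical(api: str) -> str:
    '''Nt/Zw/Wow64 prefixes and A/W suffixes all name the same primitive.'''
    api = re.sub(r'^(Nt|Zw|Wow64)', '', api)
    return re.sub(r'[AW]$', '', api)


def parse_event(line: str) -> dict:
    '''pid=... api=... target=... key=value ...  ->  dict of fields'''
    return dict(tok.split('=', 1) for tok in line.split() if '=' in tok)


def detect_hollowing(trace_lines):
    '''Walk the trace once, tracking each target pid through the chain.
    Returns one hit per child process that completed every step in order.'''
    progress = {}   # target pid -> (index of next expected step, info)
    hits = []
    for line in trace_lines:
        ev = parse_event(line)
        target = ev.get('target')
        if not target or 'api' not in ev:
            continue
        idx, info = progress.get(target, (0, {}))
        if idx == len(HOLLOWING_CHAIN):
            continue                                   # already reported
        want, ok = HOLLOWING_CHAIN[idx]
        if canonical(ev['api']) == want and ok(ev):
            if want == 'CreateProcess':
                info = {'parent': ev.get('pid'), 'image': ev.get('image', '?')}
            idx += 1
            if idx == len(HOLLOWING_CHAIN):
                hits.append({'target': target, **info})
        progress[target] = (idx, info)
    return hits


# Constructed trace: pid 4012 hollows RegAsm.exe (pid 5120) and, as a
# negative case, spawns notepad.exe normally and writes to it once.
SAMPLE_TRACE = '''
pid=4012 api=CreateProcessA target=5120 image=RegAsm.exe flags=0x4
pid=4012 api=Wow64GetThreadContext target=5120
pid=4012 api=ReadProcessMemory target=5120 addr=0x400000 size=0x28
pid=4012 api=ZwUnmapViewOfSection target=5120 base=0x400000
pid=4012 api=VirtualAllocEx target=5120 addr=0x400000 size=0x2a000 type=12288 protect=64
pid=4012 api=WriteProcessMemory target=5120 addr=0x400000 size=0x200
pid=4012 api=WriteProcessMemory target=5120 addr=0x401000 size=0x1e000
pid=4012 api=Wow64SetThreadContext target=5120
pid=4012 api=ResumeThread target=5120
pid=4012 api=CreateProcessW target=5300 image=notepad.exe flags=0x0
pid=4012 api=WriteProcessMemory target=5300 addr=0x7ff0 size=0x10
'''.strip().splitlines()

if __name__ == '__main__':
    for hit in detect_hollowing(SAMPLE_TRACE):
        print('process hollowing:', hit)
```

Requiring the RWX allocation and the suspended spawn keeps the rule quiet on legitimate debuggers and installers that also call WriteProcessMemory; the Case Two variant that picks its host from a list of .NET utilities (AppLaunch.exe, RegSvcs.exe, MSBuild.exe and so on) is caught by the same chain, since the rule keys on the call sequence rather than the image name.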
Other malware was also observed on the same server, such as ArrowRAT, NjRAT, Quasar RAT, and Ursnif.\r\nCase Two\r\nIn the second infection case, the BZ2 archive was distributed via a Discord CDN link.\r\nFigure 12: Password-protected BZ2 archive\r\nThe VBS file contains a similar obfuscation pattern and persistence mechanism. The Ande Loader that was dropped differs in the following ways:\r\nThe loader’s strings were not encrypted; they were left in plain form, with the same replacement logic in place.\r\nInstead of Remcos RAT, the loader delivers NjRAT (the configuration for NjRAT can be found at the end of this article).\r\nProcess hollowing is performed in one of the following processes instead of a single hardcoded process:\r\nAppLaunch.exe\r\naspnet_regbrowsers.exe\r\ncvtres.exe\r\nilasm.exe\r\njsc.exe\r\nMSBuild.exe\r\nRegAsm.exe\r\nRegSvcs.exe\r\nFigure 13: List of processes to perform process hollowing on\r\nCrypter “ByRoda”\r\nAn anonymous source shared the crypter used in one of the Blind Eagle campaigns mentioned by Igal Lytzki, Threat Analyst at Perception Point. The crypter developer goes by the nickname “Roda-Modder” or “Roda” on hacking forums and has been sharing other crypters and protectors on forums since 2014.\r\nFigure 14: Crypter advertisement (1)\r\nFigure 15: Crypter advertisement (2)\r\nTo activate the crypter, the user needs to provide the “active” key.\r\nFigure 16: Crypter activation form\r\nThe key activation works in the following way:\r\nThe Base64-encoded string is retrieved from the developer’s GitHub repository.\r\nLogin_Load: This method is called when the form loads. It starts the download of the string from the GitHub repository.\r\nx1_DownloadStringCompleted: This method is triggered when the string download started by Login_Load is finished. It calls the descrypted function on the downloaded string to obtain the original keys.\r\nFigure 17: x1_DownloadStringCompleted method\r\ndescrypted: This method is called within x1_DownloadStringCompleted to decode the downloaded string from Base64. The function takes the Base64-encoded string, replaces \"@\" with \"1\", decodes it from Base64, and then reverses the string. The decrypted string is stored in this.S to be used later in the Button1_Click method.\r\nFigure 18: descrypted method\r\nButton1_Click: This method is called when the user clicks the button. It splits the decrypted string into an array of keys using “//” as a delimiter and compares each key with the text entered by the user. If a match is found, it logs the user in and shows a success pop-up message. If no match is found, the user receives an “Expired key!!” pop-up message.\r\nFigure 19: Button1_Click method\r\nFigure 20: FuckCrypt panel\r\nThe crypter can generate VBS and JS output, with options for persistence (a startup entry name or a scheduled task) and AntiVM.\r\nThe payload reaches out to Pastebin and then pasteio[.]com to retrieve the injector. We have also seen a different version of the crypter posted by a security researcher, @1ZRR4H. That version reaches out to Pastebin and then wtools[.]io to retrieve the injector components.\r\nAt the moment of writing this blog, pasteio appears to be down, which makes FuckCrypt version 2.1 non-operable. 
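The key-activation logic described above (descrypted followed by Button1_Click), reimplemented as an added Python example that is not the crypter’s own code, to show what the design gives away: the full list of valid keys is downloaded to every client, so anyone who decodes the string holds them all. The key values and the blob built from them are constructed for the example:

```python
import base64

# Added example, not the crypter's own code: reimplements the activation
# check described above (descrypted, then Button1_Click). KEY_BLOB is a
# constructed stand-in for the string the panel downloads from the
# developer's GitHub repository; the key values in it are invented.


def descrypted(downloaded: str) -> str:
    '''Undo the hosting-side obfuscation: put '1' back where '@' was,
    Base64-decode, then reverse. Returns the plain key list joined by //.'''
    restored = downloaded.replace('@', '1')
    decoded = base64.b64decode(restored).decode('utf-8')
    return decoded[::-1]


def make_blob(keys) -> str:
    '''Inverse of descrypted, our helper for building sample input
    (the real blob is produced by the developer, not by the panel).'''
    joined = '//'.join(keys)
    b64 = base64.b64encode(joined[::-1].encode('utf-8')).decode('ascii')
    return b64.replace('1', '@')


def button1_click(decrypted: str, entered: str) -> str:
    '''Split on // and compare each key with the user input; the two
    return strings mirror the pop-ups the panel shows.'''
    keys = decrypted.split('//')
    return 'Logged in' if entered in keys else 'Expired key!!'


def leaked_keys(downloaded: str) -> list:
    '''Every key the panel would accept, recovered from the blob alone.'''
    return descrypted(downloaded).split('//')


KEY_BLOB = make_blob(['RODA-2023-ABCD', 'TEST-KEY-0001'])

if __name__ == '__main__':
    state = descrypted(KEY_BLOB)          # what the panel keeps in this.S
    print(button1_click(state, 'TEST-KEY-0001'))
    print(button1_click(state, 'guess'))
    print(leaked_keys(KEY_BLOB))
```

Because the check is a plain string comparison against a list the client already holds, the activation step protects nothing; the same decoding recovers every key from any captured copy of the GitHub string, which is also why a key appearing in a sample is not evidence of a specific buyer.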
The generated VBS contains an obfuscated Base64-encoded PowerShell one-liner and junk code that can be found hardcoded in the Resources section of the crypter.\r\nFigure 21: The crypted VBS file\r\nFigure 22: Embedded Resources section\r\nThe first downloaded file mentioned above is the payload that is partially responsible for process injection. In the screenshot below, functions such as GetThreadContext, SetThreadContext, ReadProcessMemory, NtUnmapViewOfSection, VirtualAllocEx, and ResumeThread are used, suggesting process hollowing (T1055.012). The DLL also contains other APIs that are well known to be used in process injection.\r\nFrom the code below, the Base64-decoded final payload would be injected into InstallUtil.exe.\r\nFigure 23: Process hollowing\r\nIf the decoded PowerShell one-liner contains “4” in the fourth parameter passed to the binary, AntiVM is enabled. The AntiVM feature checks whether one of the processes, such as vmtoolsd or VirtualBox, is running on the infected machine. If a process is found that matches either of these names (indicating that a virtual machine tool is currently running), the function terminates and returns immediately.\r\nFigure 24: VM check\r\nIf the fourth parameter also contains the value “1”, the code creates a new registry entry in \"HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" with a value that runs a PowerShell command to execute a VBScript file located under the %TEMP% folder; that way, the code gets executed each time the user logs on. The file containing the PowerShell command is named \"xx1.ps1\". Next, the code writes a VBScript wrapper, \"xx2.vbs\" under the %TEMP% folder, that executes the initial crypted VBS script.\r\nFigure 25: If the fourth parameter contains \"1\"\r\nIf the fourth parameter contains “2”, the actions are similar, except that persistence is a scheduled task (named “Roda” in our example) that runs every minute, and the VBS file is named “xx.vbs” instead of “xx2.vbs”.\r\nFigure 26: If the fourth parameter contains \"2\"\r\nIf the fourth parameter contains “3”, the code creates a Windows shortcut (.lnk file) in the Startup directory of the current user to run the initial VBS file via PowerShell. The Startup directory is a special folder: any files or shortcuts placed within it automatically run when the user logs on. The name of the shortcut is the string stored in the third parameter; in our example, it’s “bestcrypt”.\r\nFigure 27: If the fourth parameter contains \"3\"\r\nAnother crypter (MD5: b167a0bc7b097550a89a5ba4cb258592) written by Roda, shown in Figure 28, pulls the additional injector components from the hardcoded server (Figure 29). We assess with medium confidence that the FuckCrypt developer is also involved in the Blind Eagle campaign, dropping the malware stored on the same server.\r\nFigure 28: FuckCrypt\r\nFigure 29: Hardcoded IP containing injector components\r\nWe were able to find other samples associated with the binary or the developer. 
The hashes are included in the Indicators of Compromise at the end of this article.\r\nIn one of the crypters mentioned above, another developer’s handle, “Pjoao1578”, was mentioned.\r\nFigure 30: The mention of the nickname in one of the crypters\r\nThe crypter developer “Pjoao1578” has been selling .NET crypters since around 2016.\r\nFigure 31: Crypter sale advertisement by Pjoao1578 (translated to English from Portuguese)\r\nThe Pastebin repository of the “Pjoao1578” developer contains some files that have been used in the crypters. The developer is also known for re-purposing the open-source NjRAT under their own version, “0.7d” (MD5: 5d4c903e2ba132fe886be296c10707e9).\r\nFigure 32: Pastebin repository of c\r\nAfter some research, we have confirmed that Pjoao1578 and Roda are two different developers, but both of their crypters are actively used in the Blind Eagle campaign.\r\nCurrently, the developer is actively working on UpCrypter, known in its previous version as UpCry.\r\nFigure 33: UpCry crypter\r\nFigure 34: New version of UpCrypter\r\nThe generated VBS files for UpCry and UpCrypter are shown below.\r\nFigure 35: VBS file (UpCry)\r\nFigure 36: VBS file (UpCrypter)\r\nAt the time of writing this report, the URL that serves additional payloads for the UpCry crypter is down (hxxps://ia903401.us.archive[.]org/28/items/dll_20210416_20210416_2051/Dll.txt).\r\nThe execution pattern for UpCrypter is similar to FuckCrypt: hxxps://pastebin[.]com/raw/vwbv5PXc \u003e hxxps://wtools[.]io/code/dl/bOlD.\r\nThe initial binary is responsible for setting up persistence mechanisms and writing files to disk (similar to FuckCrypt); the registry Run key value name is hardcoded as “NetwrixParam”. The binary then retrieves the payload responsible for persistence; the second binary, which is obfuscated with .NET Reactor, is responsible for process hollowing, as part of the RunPE feature of the crypter (Figure 38).\r\nFigure 37: Initial binary pulled from Pastebin\r\nFigure 38: APIs indicating process hollowing\r\nThe third retrieved PowerShell one-liner is then responsible for invoking the final payload.\r\nHow eSentire is Responding\r\nThe eSentire Threat Response Unit (TRU) combines threat intelligence gained from research and security incidents to create practical outcomes for our customers. We are taking a comprehensive response approach to combat modern cybersecurity threats by deploying countermeasures, such as:\r\nPerforming global threat hunts for indicators associated with Blind Eagle.\r\nImplementing threat detections and BlueSteel, our machine-learning powered PowerShell classifier, to identify malicious command execution and exploitation attempts and ensure that eSentire has visibility and detections in place across eSentire MDR for Endpoint and MDR for Network.\r\nImplementing threat detections to identify malicious command execution and ensure that eSentire has visibility and detections in place across eSentire MDR for Endpoint.\r\nOur detection content is supported by investigation runbooks, ensuring our 24/7 SOC Cyber Analysts respond rapidly to any intrusion attempts related to known malware Tactics, Techniques, and Procedures. 
In addition, TRU closely monitors the threat landscape, constantly addresses capability gaps, and conducts retroactive threat hunts to assess customer impact.\r\nRecommendations from eSentire’s Threat Response Unit (TRU)\r\nWe recommend implementing the following controls to help secure your organization against Blind Eagle:\r\nConfirm that all devices are protected with Endpoint Detection and Response (EDR) solutions.\r\nImplement a Phishing and Security Awareness Training (PSAT) program that educates and informs your employees on emerging threats in the threat landscape.\r\nWhile the TTPs used by threat actor(s) grow in sophistication, they lead to a certain level of difficulty at which critical business decisions must be made. Preventing the various attack techniques and tactics utilized by the modern threat actor requires actively monitoring the threat landscape, developing and deploying endpoint detections, and the ability to investigate logs \u0026 network data during active intrusions.\r\neSentire TRU is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.\r\nTo learn what it means to have an elite team of Threat Hunters and researchers that works for you, connect with an eSentire Security Specialist now.\r\nYara Rule\r\nrule Ande_Loader {\r\n    meta:\r\n        author = \"eSentire TI\"\r\n        description = \"Ande_Loader\"\r\n        date = \"7/3/2023\"\r\n    strings:\r\n        // Prefix of the GUID string 79172B13-EDBA-4096-B725-8E92B (the hex string is truncated in the original post)\r\n        $s1 = {37 39 31 37 32 42 31 33 2d 45 44 42 41 2d 34 30 39 36 2d 42 37 32 35 2d 38 45 39 32 42}\r\n        // The method name \"VAI\"\r\n        $s2 = {56 41 49}\r\n        // CIL callvirt (0x6F) with MemberRef token 0x0A000025\r\n        $s3 = {6F 25 00 00 0A}\r\n        // CIL call (0x28) with any MemberRef token 0x0A0000??\r\n        $s4 = {28 ?? 
00 00 0A}\r\n    condition:\r\n        all of ($s*)\r\n}\r\nIndicators of Compromise\r\nName | Indicator\r\nAnde Loader | 48b6064beec687fc110145cf7a19640d\r\nAnde Loader | b8f878d1ee6a118f9eee4cf111193f53\r\nAnde Loader | 4c30ea433832fb13b5d7637d3b13bead\r\nAnde Loader | 2a59f2a51b96d9364e10182a063d9bec\r\nAnde Loader | 99d3b2eb598775d41b18d57a9d1dc9ee\r\nAnde Loader | 97c880a2514a9faaaa327e745a4c5c5c\r\nAnde Loader | 9e447f721d859407da88a8e6992e4aa0\r\nAnde Loader | 2885d0ab293d957f2a237a64f956d61a\r\nAnde Loader | 64b690d32216049b199234c5fc092e6f\r\nAnde Loader | 1a321713876f764543d75859a4727b9a\r\nAnde Loader | a5da69e6c72a8759297415a0e30cbea8\r\nAnde Loader | bcb0ed502a8275a23a9d627f319cb610\r\nAnde Loader | 6ecd3d6c93cec7e7133afd691c2c2225\r\nAnde Loader | e14efed36bb6870d65277776281dc3b3\r\nAnde Loader | fb4c1a0a6d525af1e3778e9e9ee48c7d\r\nAnde Loader | 2e30e9db2016f9cb67d0f5ec4ca3d0a3\r\nAnde Loader | 6f62e2abb7558c83f2a4d3edefa05c7f\r\nAnde Loader | ffcbdcec38e077448a87f5546dada7bd\r\nAnde Loader | ac2940e6619dbc4dbb1a096f657dd346\r\nUpCry | e3962d6ecd509dcb7669b8df6dbb5c76\r\nFuckCrypt | a2994443fac8cf94f497dcf204ab818e\r\nVbs-Crypter Simples.exe | 0b9cc70477af81a3fc8a5d335162f96d\r\nFuckCrypt | b167a0bc7b097550a89a5ba4cb258592\r\nVbs-Crypter.exe | 191d5bf5d3ab54549d436399bcab642d\r\nRemcos RAT | 137f21d1f8fdd5cfe86637368b526027\r\nNjRAT | 7b72f2775b7bf33c9778533480d34e04\r\nVBS | 917392f4b75c0b5f19839c2da1af2d37\r\nVBS | 76250bc5ea0235a90bc153e0d7262349\r\nC2 (RemcosRAT) | rxms.duckdns[.]org:57832\r\nC2 (NjRAT) | njnjnjs[.]duckdns.org\r\nC2 (opendir) | 91.213.50[.]74\r\nExtracted Remcos Configuration:\r\nrxms.duckdns[.]org:57832:1||RemoteHost||1|| ||||||1|||| ||8||remcos.exe||Remcos|\r\nNjRAT Configuration:\r\nhost = \"njnjnjs[.]duckdns.org\";\r\nport = \"35888\";\r\nregistryName = \"6515f0beea\";\r\nsplitter = \"@!#\u0026^%$\";\r\nvictimName = \"TllBTiBDQVQ=\";\r\nversion = \"0.7NC\";\r\nstubMutex = null;\r\ncurrentAssemblyFileInfo = new FileInfo(Application.ExecutablePath);\r\nkeylogger = null;\r\nisConnected = false;\r\ntcpSocket = null;\r\nlastCapturedImage = \"\";\r\ncurrentPlugin = null;\r\nReferences\r\nhttps://twitter.com/0xToxin/status/1674401247464509441?s=20\r\nhttps://twitter.com/1ZRR4H/status/1677747923600257028?s=20\r\nMITRE ATT\u0026CK\r\nTactic | ID | Technique | Description\r\nInitial Access | T1566 | Phishing | Blind Eagle is delivered via a phishing email containing the link to retrieve the password-protected archive.\r\nExecution | T1204.002 | User Execution: Malicious File | The user launches the malicious VBS file.\r\nPersistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Persistence is achieved via the Registry Run keys / Startup folder.\r\nExecution | T1059.001 | Command and Scripting Interpreter: PowerShell | The VBS script spawns PowerShell to execute Ande Loader.\r\nDefense Evasion, Privilege Escalation | T1055.012 | Process Injection: Process Hollowing | Blind Eagle is using process hollowing to inject the final payload.\r\nTo learn how your organization can build cyber resilience and prevent business disruption with eSentire’s Next Level MDR, connect with an eSentire Security Specialist now.\r\nABOUT ESENTIRE’S THREAT RESPONSE UNIT (TRU)\r\nThe eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.\r\nSource: https://www.esentire.com/blog/blind-eagles-north-american-journey",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.esentire.com/blog/blind-eagles-north-american-journey"
	],
	"report_names": [
		"blind-eagles-north-american-journey"
	],
	"threat_actors": [
		{
			"id": "98b22fd7-bf1b-41a6-b51c-0e33a0ffd813",
			"created_at": "2022-10-25T15:50:23.688973Z",
			"updated_at": "2026-04-10T02:00:05.390055Z",
			"deleted_at": null,
			"main_name": "APT-C-36",
			"aliases": [
				"APT-C-36",
				"Blind Eagle"
			],
			"source_name": "MITRE:APT-C-36",
			"tools": [
				"Imminent Monitor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "be597b07-0cde-47bc-80c3-790a8df34af4",
			"created_at": "2022-10-25T16:07:23.407484Z",
			"updated_at": "2026-04-10T02:00:04.58656Z",
			"deleted_at": null,
			"main_name": "Blind Eagle",
			"aliases": [
				"APT-C-36",
				"APT-Q-98",
				"AguilaCiega",
				"G0099"
			],
			"source_name": "ETDA:Blind Eagle",
			"tools": [
				"AsyncRAT",
				"BitRAT",
				"Bladabindi",
				"BlotchyQuasar",
				"Imminent Monitor",
				"Imminent Monitor RAT",
				"Jorik",
				"LimeRAT",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Socmer",
				"Warzone",
				"Warzone RAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bd43391b-b835-4cb3-839a-d830aa1a3410",
			"created_at": "2023-01-06T13:46:38.925525Z",
			"updated_at": "2026-04-10T02:00:03.147197Z",
			"deleted_at": null,
			"main_name": "APT-C-36",
			"aliases": [
				"Blind Eagle"
			],
			"source_name": "MISPGALAXY:APT-C-36",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434579,
	"ts_updated_at": 1775792120,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bc1137ca21f3e152cb17a50db37392918313cb6a.pdf",
		"text": "https://archive.orkl.eu/bc1137ca21f3e152cb17a50db37392918313cb6a.txt",
		"img": "https://archive.orkl.eu/bc1137ca21f3e152cb17a50db37392918313cb6a.jpg"
	}
}