Blind Eagle’s Cyber Espionage: Linked to Proton66’s Bulletproof Hosting Tactics


Inside the Cyber Campaign Targeting Colombia and Beyond

The advanced persistent threat (APT) group known as Blind Eagle has once again caught the spotlight, this time for its tight connection to the Russian-based bulletproof hosting provider Proton66. Security experts at Trustwave SpiderLabs have confirmed this association after a deep dive into digital infrastructure linked to Proton66 led them to active malicious domains.

This threat actor has long been known for targeting organizations in Colombia and Ecuador, and its techniques are evolving. Its attacks start with Visual Basic Script (VBS) loaders that execute remote access trojans (RATs) like AsyncRAT and Remcos RAT, giving hackers control of infected systems. These VBS scripts, though seemingly outdated, remain effective due to their native compatibility with Windows and stealthy execution.

What makes Blind Eagle’s campaign even more dangerous is its use of DuckDNS dynamic domains, rotating subdomains linked to a single IP address (notably 45.135.232[.]38) — an approach that confounds traditional threat detection tools. These domains have been actively used since August 2024, hosting phishing pages that impersonate top Colombian banks including Bancolombia, BBVA, Banco Caja Social, and Davivienda.
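The rotation pattern described above, many dynamic-DNS hostnames resolving to one IP, is something a defender can surface from resolver logs. The following is an added example, not code from the report or from Trustwave, that parses constructed DNS log lines (format and all hostnames assumed) and flags IPs that serve several dynamic-DNS names or that match the IP the report names:

```python
import re
from collections import defaultdict

# Constructed sample resolver log (not from the report). Assumed format:
# "<timestamp> <client> <query_name> -> <resolved_ip>"
SAMPLE_DNS_LOG = """\
2024-08-12T09:01:11Z 10.0.5.21 bancolombia-seguro.duckdns.org -> 45.135.232.38
2024-08-12T09:14:52Z 10.0.5.21 bbva-clientes.duckdns.org -> 45.135.232.38
2024-08-13T11:02:03Z 10.0.7.14 davivienda-acceso.duckdns.org -> 45.135.232.38
2024-08-13T11:30:40Z 10.0.7.14 cajasocial-login.duckdns.org -> 45.135.232.38
2024-08-13T12:00:00Z 10.0.9.2 www.example.com -> 93.184.216.34
2024-08-14T08:45:19Z 10.0.5.21 updates.example.net -> 203.0.113.10
"""

# Dynamic-DNS suffixes to watch: the report names DuckDNS, the others are assumed.
DDNS_SUFFIXES = ("duckdns.org", "no-ip.com", "ddns.net")
# The report's defanged 45.135.232[.]38, refanged for matching.
KNOWN_BAD_IPS = {"45.135.232.38"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) -> (\S+)$")

def parse_dns_log(text):
    """Yield (timestamp, client, qname, ip) tuples; skip lines that don't match."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()

def is_ddns(qname):
    """True when the query name sits under one of the watched dynamic-DNS zones."""
    return any(qname.lower().endswith("." + s) for s in DDNS_SUFFIXES)

def find_rotating_ddns(text, min_subdomains=3):
    """Map IP -> sorted dynamic-DNS names for IPs that serve at least
    min_subdomains distinct names, or that appear on the known-bad list."""
    by_ip = defaultdict(set)
    for _ts, _client, qname, ip in parse_dns_log(text):
        if is_ddns(qname):
            by_ip[ip].add(qname.lower())
    return {ip: sorted(names) for ip, names in by_ip.items()
            if len(names) >= min_subdomains or ip in KNOWN_BAD_IPS}

if __name__ == "__main__":
    for ip, names in find_rotating_ddns(SAMPLE_DNS_LOG).items():
        print(f"{ip}: {len(names)} dynamic-DNS names -> {', '.join(names)}")
```

The threshold rather than the IP list does the real work: a fresh subdomain set on a new IP is still caught, which a static blocklist of hostnames misses.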

Beyond phishing, the group also utilizes Crypters and Tools, a subscription-based crypter service, to obfuscate and encrypt their payloads, making them harder to detect. The VBS scripts connect to remote servers to fetch and execute encrypted binaries, serving as launch pads for secondary infections. Researchers noted that some scripts overlap with Vbs-Crypter, suggesting a reuse of underground tools.

Adding to the risk is a discovered botnet panel allowing attackers to manage infected machines, extract data, and monitor endpoints in real time. This infrastructure supports command-and-control capabilities common in RAT campaigns.

Recent reports from Darktrace and Check Point revealed Blind Eagle’s exploitation of a now-patched Windows vulnerability (CVE-2024-43451) in November 2024. Even after the patch was released, the group continued using its established techniques, proving its adaptability and persistence.

The operation reflects a broader pattern of cybercriminal reliance on bulletproof hosting and dynamic DNS services, making mitigation and attribution even more challenging.

🔍 What Undercode Says:

Analyzing Blind Eagle’s Sophisticated Threat Infrastructure

Blind Eagle is far from being a typical cybercrime group. It combines stealth, adaptability, and infrastructure resilience in ways that reflect a professionalized and well-funded operation. What makes this campaign particularly alarming is not just the technical method but the intentional infrastructure strategy — utilizing Proton66, a notorious bulletproof hosting provider known for ignoring legal takedown requests, is a strategic move to ensure uninterrupted malicious operations.

The heavy use of DuckDNS for subdomain rotation introduces a layer of agility that undermines traditional domain blacklisting. Defenders find themselves in a constant cat-and-mouse game, especially when these subdomains cycle across a static IP address tied to malicious activity. Such a strategy is cost-efficient for attackers and makes long-term tracking extremely difficult.

From a malware deployment perspective, the use of VBS might seem old-fashioned, but its efficiency on Windows-based systems makes it highly reliable. Its execution in the background, bypassing most security protocols when obfuscated, is a testament to how legacy tools still pose modern threats when cleverly applied. With the loader-to-RAT transition, the attackers can shift tactics rapidly — deploying information stealers, keyloggers, or simply enabling full remote access.

The targeting of Colombian financial institutions is not random. It suggests political or financial motivations, possibly linked to cyber-espionage or localized financial fraud. This matches the operational profile of APT groups with regional interests, hinting at motivations that go beyond ordinary profit-driven cybercrime.

The reuse of Crypters and Tools services, especially ones associated with Vbs-Crypter, shows how underground cybercrime has matured into a service-based model. Attackers no longer need to develop everything from scratch; they rent modular tools, making campaigns scalable and more accessible to less technically sophisticated actors — a trend that’s expanding the cyber threat landscape rapidly.

Finally, the discovered botnet control panel adds a dangerous element. It turns compromised endpoints into long-term assets, allowing ongoing surveillance, data theft, and possibly pivoting into internal networks. Combined with the group’s demonstrated ability to exploit zero-day vulnerabilities (like CVE-2024-43451) shortly after disclosure, Blind Eagle shows high levels of operational readiness and planning.

In conclusion, Blind Eagle’s approach reflects a disturbing evolution in cyber threat operations: merging old and new tools, leveraging resilient infrastructure, and targeting localized institutions with high precision. Security teams must move beyond patching and embrace multi-layered defense, behavioral analytics, and constant infrastructure monitoring to combat such actors.

✅ Fact Checker Results:

Verified: Blind Eagle’s use of Proton66 and dynamic DNS was confirmed by Trustwave’s technical report.
Confirmed: VBS scripts were used as malware loaders, leading to RAT deployments.
Cross-validated: CVE-2024-43451 was indeed exploited in November 2024 as reported by Check Point and Darktrace.

🔮 Prediction:

Given Blind Eagle’s proven adaptability and infrastructure reliance, future campaigns are likely to expand across Latin America, possibly targeting Brazil, Peru, or Chile next. The group’s continued use of public RATs and crypters suggests it will further automate infection chains. Expect increasing sophistication in their phishing lures, possibly incorporating AI-generated deepfakes or multi-language impersonation pages to enhance social engineering success.

References:

Reported By: thehackernews.com