Introduction: A New Phase of Cyber Espionage in Latin America
BlindEagle, a long-tracked South American cyber espionage group, has once again demonstrated its growing technical maturity. In a campaign uncovered by Zscaler’s ThreatLabz team, the group targeted a Colombian government agency under the Ministry of Commerce, Industry, and Tourism (MCIT). The operation, detected in early September 2025, reflects a sharp evolution in BlindEagle’s tradecraft, combining trusted internal email abuse, file-less malware delivery, steganography, and an open-source remote access trojan. This attack is not an isolated incident but part of a broader pattern of sustained intelligence-driven targeting across Spanish-speaking institutions.
Campaign Discovery and Initial Targeting
The campaign came to light after analysts observed anomalous email traffic directed at a Colombian government entity. The messages appeared legitimate at first glance, carrying internal context and familiar formatting. This initial credibility played a critical role in the success of the attack, as it allowed the phishing email to bypass conventional skepticism among recipients.
Abuse of Trusted Internal Accounts
Investigators determined that the phishing message likely originated from a compromised Microsoft 365 account within the same organization. Because the message genuinely came from the organization’s own tenant, it passed the standard email authentication checks (SPF, DKIM, and DMARC) rather than having to evade them, so BlindEagle effectively bypassed those controls by leveraging an internal sender. This tactic exploited institutional trust rather than technical vulnerabilities alone.
Judicial-Themed Social Engineering
The phishing email was disguised as an official notification from Colombia’s judicial system. It referenced a fabricated labor lawsuit, a theme carefully chosen to provoke urgency and fear. The content was linguistically and culturally aligned with Colombian administrative processes, increasing its plausibility for government employees.
Weaponized SVG Attachment
Attached to the email was an SVG file, an unconventional but increasingly abused format in phishing operations. When opened, the SVG decoded itself into an HTML page. This page closely mimicked a legitimate Colombian judicial web portal, reinforcing the illusion of authenticity.
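The SVG stage described above gives mail gateways a concrete thing to look for: an SVG that is an active document rather than a picture. The following is an added triage example (not Zscaler’s code and not a sample from the campaign); the SVG it inspects is constructed for the demonstration and mirrors only the behaviour the text describes, a script that unpacks Base64 into HTML on load.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample standing in for the attachment described above (not the real file):
# an SVG that runs script on load and unpacks Base64 into HTML with document.write.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" onload="init()">
  <text x="10" y="20">Notificacion judicial</text>
  <script><![CDATA[
    function init(){ document.write(atob("PHA+Y29uc3RydWN0ZWQ8L3A+")); }
  ]]></script>
</svg>"""

# Attributes that execute script as soon as a browser renders the SVG.
EVENT_ATTRS = {"onload", "onclick", "onerror", "onmouseover", "onbegin"}
# Calls typically used when an SVG rebuilds a hidden HTML page at runtime.
SUSPICIOUS_CALLS = ("atob(", "document.write(", "unescape(", "eval(")

def svg_indicators(svg_text: str) -> dict:
    """Collect static signs that an SVG is an active document rather than an image."""
    root = ET.fromstring(svg_text)
    findings = {"script_elements": 0, "foreign_objects": 0, "event_handlers": [],
                "suspicious_calls": [], "long_b64_blobs": 0}
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix
        if tag == "script":
            findings["script_elements"] += 1
        elif tag == "foreignObject":
            findings["foreign_objects"] += 1
        for attr in el.attrib:
            if attr.lower() in EVENT_ATTRS:
                findings["event_handlers"].append(f"{tag}@{attr.lower()}")
    findings["suspicious_calls"] = [c for c in SUSPICIOUS_CALLS if c in svg_text]
    # A long run of Base64 alphabet hints at an embedded second stage.
    findings["long_b64_blobs"] = len(re.findall(r"[A-Za-z0-9+/]{16,}={0,2}", svg_text))
    return findings

def should_quarantine(findings: dict) -> bool:
    """Any script surface at all is enough to hold the attachment for review."""
    return bool(findings["script_elements"] or findings["foreign_objects"]
                or findings["event_handlers"] or findings["suspicious_calls"])
```

A plain SVG drawing trips none of these checks, so the rule can be applied to every SVG attachment without blocking legitimate graphics.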
Fake Portal and Automatic Payload Delivery
After a brief delay designed to appear like a legitimate page load, the fake portal automatically downloaded a JavaScript file titled “ESCRITO JUDICIAL…js.” This naming convention further reinforced the legal narrative and reduced suspicion from the victim.
Multi-Stage JavaScript Execution
Opening the JavaScript file initiated a complex, multi-stage infection chain. Each stage was heavily obfuscated using arrays of integers, encoded strings, and layered execution logic. This obfuscation concealed malicious intent and hindered both static and dynamic analysis.
Transition to PowerShell via WMI
The final JavaScript stage invoked Windows Management Instrumentation (WMI) to execute a PowerShell command. This approach allowed the malware to operate in a file-less manner, significantly reducing its footprint on disk and making detection more difficult for traditional endpoint security tools.
Steganography via Public Infrastructure
The PowerShell script downloaded an image hosted on the Internet Archive, a legitimate and widely trusted platform. Hidden within the image was Base64-encoded data, embedded between the markers “BaseStart-” and “-BaseEnd.” This data was extracted and decoded entirely in memory.
In-Memory .NET Assembly Loading
Once decoded, the hidden payload was loaded directly into memory as a .NET assembly. This technique avoided writing executable files to disk, further complicating forensic investigation and signature-based detection.
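For an analyst who has captured the image, the marker scheme described above (Base64 between “BaseStart-” and “-BaseEnd”) makes the hidden stage recoverable without executing anything. This added example is not code from the campaign or from Zscaler; the “image” it works on is constructed in the block, the line-wrapping of the blob is an assumption, and the embedded content is a minimal DOS/PE-shaped header rather than a real assembly.

```python
import base64
import hashlib
import re
import struct
from typing import Optional

START, END = b"BaseStart-", b"-BaseEnd"

def build_sample_image() -> bytes:
    """Constructed stand-in for the downloaded image: a PNG signature, filler bytes,
    and a marker-wrapped Base64 blob whose content is a minimal DOS/PE-shaped header."""
    dos_header = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)   # e_lfanew -> offset 64
    payload = dos_header + b"PE\x00\x00" + b"\x00" * 20
    b64 = base64.b64encode(payload)
    # Real blobs are often line-wrapped; emulate that so the extractor is tested for it.
    wrapped = b"\n".join(b64[i:i + 32] for i in range(0, len(b64), 32))
    return b"\x89PNG\r\n\x1a\n" + b"\x00" * 64 + START + wrapped + END + b"\x00" * 16

def extract_hidden_payload(blob: bytes) -> Optional[bytes]:
    """Locate the marker-delimited Base64 inside arbitrary bytes and decode it."""
    m = re.search(re.escape(START) + rb"(.*?)" + re.escape(END), blob, re.DOTALL)
    if not m:
        return None
    cleaned = re.sub(rb"\s+", b"", m.group(1))
    try:
        return base64.b64decode(cleaned, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None

def looks_like_pe(data: bytes) -> bool:
    """True when a DOS header's e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 64 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def triage(blob: bytes) -> dict:
    """Report whether an image carries a hidden payload, and what it looks like."""
    payload = extract_hidden_payload(blob)
    if payload is None:
        return {"hidden_payload": False}
    return {"hidden_payload": True, "size": len(payload),
            "is_pe": looks_like_pe(payload),
            "sha256": hashlib.sha256(payload).hexdigest()}
```

The same extractor, pointed at an image cached from the proxy or from the Internet Archive URL in the PowerShell stage, yields a hash that can be submitted to a sandbox or matched against other samples without the payload ever being run.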
Identification of the Caminho Loader
The extracted payload was identified as Caminho, a malware downloader also known as VMDetectLoader. Caminho has historical ties to Brazilian cybercriminal ecosystems, highlighting BlindEagle’s reuse and adaptation of regional malware tooling.
Use of Discord as a Payload Host
Caminho retrieved its next-stage payload from a Discord URL. The location was concealed within an obfuscated Base64-encoded string. Hosting malicious payloads on legitimate platforms like Discord allowed the attackers to blend malicious traffic with normal user activity.
AGT27.txt and Process Hollowing
The secondary payload was hidden inside a file named AGT27.txt. After decoding, the malware injected itself into MSBuild.exe using process hollowing, effectively hijacking a trusted Windows binary to execute malicious code under the guise of legitimate activity.
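Both the WMI-to-PowerShell hand-off and the MSBuild.exe hollowing leave characteristic parent/child shapes in process telemetry. The block below is an added detection example, not part of the original report: it evaluates constructed Sysmon-style process-creation events against three rules, one per stage, and assumes that a process created through WMI appears with WmiPrvSE.exe as its parent; the .js filename and paths are placeholders.

```python
import ntpath
from typing import Dict, List

# Constructed process-creation events (Sysmon Event ID 1 style fields); not real telemetry.
# The .js name is a placeholder, not the real lure filename.
EVENTS = [
    {"pid": 4100, "image": r"C:\Windows\System32\wscript.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe "C:\Users\victim\Downloads\NOTIFICACION_CONSTRUCTED.js"'},
    {"pid": 4200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "cmdline": "powershell.exe -w hidden -enc AAAA"},
    {"pid": 4300, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "MSBuild.exe"},
    {"pid": 4400, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",  # benign build
     "parent_image": r"C:\Program Files\VisualStudio\devenv.exe", "cmdline": r'MSBuild.exe "C:\src\app.csproj"'},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
PROJECT_EXTS = (".proj", ".csproj", ".vbproj", ".sln", ".targets")

def _base(path: str) -> str:
    return ntpath.basename(path).lower()

def evaluate(event: Dict) -> List[str]:
    """Return the names of the rules a single event trips."""
    img, parent, cmd = _base(event["image"]), _base(event["parent_image"]), event["cmdline"].lower()
    hits = []
    # Stage 1: the script host running a .js file out of a user-writable path.
    if img in SCRIPT_HOSTS and ".js" in cmd and "\\users\\" in cmd:
        hits.append("js_from_user_path")
    # Stage 2: PowerShell whose parent is the WMI provider host, the shape left by
    # launching via WMI (Win32_Process.Create) instead of a normal parent shell.
    if img in POWERSHELL and parent == "wmiprvse.exe":
        hits.append("wmi_spawned_powershell")
    # Stage 3: MSBuild with nothing to build, or started by a shell/script host;
    # a hollowed MSBuild has no legitimate project on its command line.
    if img == "msbuild.exe" and (not any(e in cmd for e in PROJECT_EXTS) or parent in POWERSHELL | SCRIPT_HOSTS):
        hits.append("msbuild_hollowing_candidate")
    return hits

def correlate(events: List[Dict]) -> Dict[str, List[int]]:
    """Group tripped rules by pid so the three stages can be read as one chain."""
    out: Dict[str, List[int]] = {}
    for ev in events:
        for rule in evaluate(ev):
            out.setdefault(rule, []).append(ev["pid"])
    return out

def chain_confidence(hits: Dict[str, List[int]]) -> str:
    """Three distinct stages on one host is a strong signal of the full chain."""
    return {3: "high", 2: "medium", 1: "low"}.get(len(hits), "none")
```

Each rule on its own produces some noise in an environment with scripted administration; the value is in correlating all three on the same host within a short window.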
Deployment of DCRAT
The final stage of the attack delivered DCRAT, an open-source Remote Access Trojan written in C. DCRAT provided the attackers with deep control over the infected system, transforming an initial phishing click into a full-scale espionage foothold.
Capabilities of the DCRAT Payload
DCRAT enabled keylogging, file system access, screenshot capture, plugin execution, and remote command execution. These capabilities allowed BlindEagle to conduct surveillance, steal sensitive documents, and potentially pivot deeper into government networks.
Evasion and Encryption Techniques
To evade detection, DCRAT incorporated AMSI bypass techniques that neutralized the Windows Antimalware Scan Interface. For command-and-control communication, it used AES-256 encryption combined with certificate-based authentication, ensuring both confidentiality and resilience.
Attribution to BlindEagle
Zscaler attributed the campaign to BlindEagle based on multiple indicators. These included infrastructure overlaps with past operations, consistent targeting of Colombian institutions, and the reuse of malware components containing Portuguese-language artifacts.
Established BlindEagle Tradecraft
BlindEagle has a documented history of hosting malicious payloads on legitimate services and employing steganography to hide data. These techniques have become hallmarks of the group’s operational style across South America.
Evolution from Simple Infections to Layered Intrusions
This campaign illustrates BlindEagle’s shift from straightforward, single-malware infections toward layered, multi-phase intrusion chains. The integration of PowerShell, in-memory loaders, and open-source RATs reflects a deliberate move toward stealth and persistence.
Strategic Focus on Government Institutions
Government agencies across Latin America remain priority targets for BlindEagle. Ministries dealing with commerce, justice, and tourism offer access to sensitive economic data, policy discussions, and international communications valuable for espionage.
Security Implications for the Region
The attack underscores the limitations of perimeter-focused defenses. Even organizations with strong email authentication controls remain vulnerable when attackers compromise trusted internal accounts and abuse legitimate platforms.
Summary of the Original Findings
In summary, the BlindEagle campaign began with a spear-phishing email sent from a compromised internal account, bypassing standard email security checks. The message impersonated Colombia’s judicial system and delivered a weaponized SVG attachment. This attachment led victims to a fake judicial portal that automatically downloaded a malicious JavaScript file. Through multiple obfuscated stages, the attack transitioned to PowerShell execution via WMI. A steganographic image hosted on the Internet Archive delivered the Caminho loader, which then fetched additional payloads from Discord. The malware used process hollowing to inject code into MSBuild.exe and ultimately deployed the DCRAT remote access trojan. Attribution indicators linked the operation to BlindEagle, highlighting the group’s continued evolution toward sophisticated, multi-layered cyber espionage campaigns targeting Latin American government institutions.
What Undercode Says:
BlindEagle’s Strategic Shift Toward Living-Off-the-Land
BlindEagle’s increasing reliance on native Windows components such as WMI, PowerShell, and MSBuild reflects a broader industry trend toward living-off-the-land techniques. These methods reduce dependency on custom binaries and significantly complicate detection.
Internal Trust as the Primary Attack Vector
The campaign demonstrates that compromising a single internal account can neutralize years of investment in email authentication standards. Trust, not technology, became the weakest link in this intrusion.
SVG and HTML Abuse Signals Creative Social Engineering
The use of SVG files as a delivery mechanism shows a creative understanding of modern email filtering limitations. Formats perceived as “non-executable” continue to be abused as initial access vectors.
Steganography Remains Highly Effective
Hiding payloads inside images hosted on reputable platforms remains an effective way to evade both automated scanning and human suspicion. This technique is likely to persist as long as public infrastructure is implicitly trusted.
Open-Source Malware Lowers Operational Costs
By deploying DCRAT, BlindEagle benefits from a mature feature set without the overhead of developing proprietary malware. Open-source tools also complicate attribution, as they blur the line between criminal and state-aligned activity.
Discord and Cloud Platforms as C2 Proxies
The abuse of Discord illustrates how attackers exploit popular platforms as resilient command-and-control proxies. Blocking such services outright is often impractical for government and enterprise environments.
AMSI Bypass as a Baseline Capability
The inclusion of AMSI bypass techniques indicates that BlindEagle assumes defenders rely heavily on Windows-native protections. Bypassing these controls is no longer an advanced option but a baseline requirement.
Regional Malware Ecosystem Convergence
The reuse of Brazilian malware components highlights a growing convergence within the South American cyber underground. Tools and techniques flow freely across borders, accelerating capability development.
Espionage Over Financial Motivation
Unlike purely criminal campaigns, this operation prioritized stealth, persistence, and access rather than immediate monetization. This aligns strongly with intelligence-gathering objectives.
Detection Requires Behavioral Visibility
Signature-based defenses alone are insufficient against such attacks. Behavioral monitoring, anomaly detection, and context-aware analysis are critical to identifying multi-stage intrusions.
Training Must Match Cultural Context
The success of the judicial-themed lure underscores the importance of localized security awareness training. Generic phishing education often fails against culturally tailored social engineering.
BlindEagle Is Testing Defensive Maturity
This campaign appears designed not only to infiltrate but to measure defensive response. The layered approach probes multiple detection points, revealing where controls are weakest.
Long-Term Access Is the Real Goal
The careful use of encryption, certificate-based authentication, and file-less execution suggests BlindEagle is optimizing for long-term, low-noise access rather than short-term exploitation.
Fact Checker Results
Attribution Confidence
Zscaler’s indicators align with BlindEagle’s known infrastructure and targeting patterns. ✅
Technical Consistency
The described infection chain is technically coherent and consistent with observed tooling. ✅
Intent Assessment
Evidence strongly supports an espionage motive rather than opportunistic cybercrime. ✅
Prediction
Increased Use of Internal Account Compromise
BlindEagle will likely expand its reliance on hijacked internal accounts to bypass perimeter defenses. 🔮
Broader Targeting Across Latin America
Similar campaigns are expected to appear in other Spanish-speaking government institutions. 🔮
Deeper Integration of Cloud-Hosted Payloads
Future operations will increasingly rely on trusted cloud and social platforms for payload delivery and C2. 🔮
References:
Reported By: cyberpress.org