Zscaler ThreatLabz has documented a sophisticated cyberattack campaign attributed to the BlindEagle advanced persistent threat group targeting a Colombian government institution. The research reveals a multi-stage infection chain that deployed both the Caminho remote access trojan and DCRat malware through steganographically concealed payloads. According to the investigation published on December 16, 2025, the attack occurred in early September 2025 and demonstrates significant operational evolution in BlindEagle's technical capabilities, particularly in its use of image-based payload concealment and dual malware deployment strategies against South American governmental entities.

BlindEagle, also tracked as APT-C-36, has maintained consistent focus on Colombian and Ecuadorian targets, operating primarily in South America against users in Spanish-speaking countries. The threat actor's targeting of a government agency under the control of the Ministry of Commerce, Industry and Tourism represents continued focus on Colombian governmental operations. The research indicates that the phishing email originated from what appears to be a compromised account within the targeted organization itself, demonstrating the attackers' ability to exploit internal trust relationships.

Technical Findings: Analyzing the Multi-Stage Infection Architecture

Zscaler's analysis identified a complex attack sequence comprising multiple distinct operational stages, each employing specific evasion and persistence mechanisms. The researchers documented the following technical progression:

  1. Compromised Email Vector: The campaign initiated through a phishing email targeting a shared email address likely monitored by the organization's IT team. The analysis revealed that the phishing message was sent from another shared email address belonging to the same agency. ThreatLabz determined that despite proper configuration of email security protocols including DMARC, DKIM, and SPF, the checks were not applied because the message was handled entirely within the organization's Microsoft 365 tenant. The researchers assess that the attacker controlled the sender's email account and exploited this internal trust relationship.
  2. SVG-Based Social Engineering: The phishing email employed a legal-themed design mimicking an official message from the Colombian judicial system, referencing a labor lawsuit with an authentic-sounding case number and date. An SVG image attachment served as the delivery mechanism, containing a Base64-encoded HTML page embedded within the image data. When clicked, this fraudulent web portal mimicked an official Colombian judicial branch interface.
  3. JavaScript Execution Chain: The fraudulent portal automatically downloaded a JavaScript file with a Spanish-language filename related to judicial notifications. Upon execution, this initiated a fileless attack chain composed of three JavaScript code snippets. The first two scripts used integer array obfuscation with deobfuscation algorithms that reconstructed executable code. The third stage introduced Unicode-based comment obfuscation, requiring two replacement steps to strip embedded character sequences.
  4. PowerShell Command Delivery: The final JavaScript stage leveraged Windows Management Instrumentation to execute a PowerShell command via the Win32_Process object's Create method. This command downloaded an image file from the Internet Archive and carved out a Base64-encoded payload embedded between specific markers (BaseStart- and -BaseEnd). The script then dynamically loaded the decoded content as a .NET assembly using reflection, invoking the VAI method within the ClassLibrary1.Home class.
  5. Caminho Malware Deployment: ThreatLabz identified the loaded assembly as Caminho, a malware downloader also known as VMDetectLoader. The researchers note that Caminho can be traced back to May 2025, with BlindEagle identified as one of its early adopters in campaigns documented from June 2025 onward. The codebase exhibited heavy obfuscation including code flattening, junk code insertion, and anti-debugging measures. Evidence suggests Brazilian cybercriminal ecosystem origins, supported by Portuguese-language argument names in the code.
  6. Steganographic Payload Retrieval: Caminho's primary function involved downloading a text file named AGT27.txt from a Discord content delivery network URL. The URL itself was obfuscated through Base64 encoding and reversal. The downloaded file contained Base64-encoded and reversed content that Caminho deobfuscated entirely in memory, never writing to disk.
  7. DCRat Installation via Process Hollowing: The decoded payload from AGT27.txt consisted of a DCRat executable. Caminho executed this using process hollowing techniques, launching the legitimate Windows utility MSBuild.exe and hollowing it out to host the malicious code. DCRat represents an open-source remote access trojan developed in C# with capabilities including keylogging, disk access, and AMSI patching for evasion.
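The two unwrapping layers described in steps 4 and 6 (marker-based carving of a Base64 payload from an image between BaseStart- and -BaseEnd, and Caminho's reverse-then-Base64 obfuscation) as an added analyst triage helper; this is illustrative code written for this article, not code from Zscaler's report, and it runs only on a constructed sample blob, reporting whether an embedded payload exists, its size, whether it starts with a PE header, and its SHA-256.

```python
import base64
import binascii
import hashlib
import re
from typing import Optional

# Marker strings named in the report; the PowerShell stage carved the
# Base64 text sitting between them inside the downloaded PNG.
START_MARKER = b"BaseStart-"
END_MARKER = b"-BaseEnd"


def carve_marked_payload(blob: bytes) -> Optional[bytes]:
    """Return the decoded bytes between BaseStart- and -BaseEnd, or None."""
    start = blob.find(START_MARKER)
    if start < 0:
        return None
    start += len(START_MARKER)
    end = blob.find(END_MARKER, start)
    if end < 0:
        return None
    b64 = re.sub(rb"\s+", b"", blob[start:end])  # tolerate wrapped lines
    try:
        return base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None  # markers present but no valid Base64 between them


def decode_reversed_b64(text: str) -> bytes:
    """Undo the Base64-then-reverse layering the report describes for
    Caminho's Discord URL and the AGT27.txt content: reverse, then decode."""
    return base64.b64decode(text.strip()[::-1])


def triage(blob: bytes) -> dict:
    """Summarise a carved payload without executing anything from it."""
    payload = carve_marked_payload(blob)
    if payload is None:
        return {"carved": False}
    return {
        "carved": True,
        "size": len(payload),
        "looks_like_pe": payload[:2] == b"MZ",
        "sha256": hashlib.sha256(payload).hexdigest(),
    }


# Constructed sample (not a real capture): PNG-like header bytes with a
# harmless marker-wrapped Base64 string where image data would normally be.
SAMPLE_INNER = b"MZ-constructed-placeholder-not-a-real-assembly"
SAMPLE_IMAGE = (b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + START_MARKER
                + base64.b64encode(SAMPLE_INNER) + END_MARKER + b"\x00" * 8)

if __name__ == "__main__":
    print(triage(SAMPLE_IMAGE))
```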

Key Data Points and Indicators

The investigation yielded specific technical artifacts enabling detection and attribution. Zscaler documented the following indicators:

The JavaScript dropper utilized Spanish-language administrative terminology such as "ESCRITO JUDICIAL" and "NOTIFICACION DE ADMISION DEMANDA LABORAL ORDINARIA" in its filename. The attack chain employed Base64 encoding at multiple stages for obfuscation purposes.

The PowerShell command targeted the Internet Archive for payload hosting, specifically downloading a PNG image file from archive.org/download/optimized_msi_20250821/optimized_MSI.png. This image contained steganographically embedded content extracted through marker-based carving.

Caminho's VAI method contained Portuguese-language parameter names including "caminhovbs," "namevbs," "persitencia," "nomedoarquivo," and "extençao," reinforcing attribution to Portuguese-speaking developers. The malware downloaded AGT27.txt from Discord infrastructure at cdn.discordapp.com, utilizing the platform's content delivery network for operational security.

DCRat's configuration employed AES-256 encryption with the symmetric key "aPZ0ze9qOhazFFqspYVRZ8BW14nGuRUe". The configuration included a certificate serving dual functions: ensuring configuration integrity and enabling command-and-control server authentication. The command-and-control domain startmenuexperiencehost.ydns.eu utilized Dynamic DNS services, with resolution to Swedish IP addresses under ASN 42708 (GleSYS AB).

Through certificate-based server authentication analysis, ThreatLabz identified 24 hosts worldwide exposing certificates with matching issuer characteristics, though the researchers note that only a subset likely represents infrastructure operated by this specific threat actor due to DCRat's open-source availability.

Platform Abuse and Defensive Challenges

The research highlights critical defensive challenges stemming from BlindEagle's deliberate exploitation of legitimate content delivery networks. Discord's CDN operates under trusted domain infrastructure with valid TLS certificates, passing through the standard web filtering configurations deployed in enterprise and government environments. According to Zscaler's analysis, this tactic forces defenders to weigh blocking legitimate collaboration platforms against accepting a potential malware delivery channel.

The technical effectiveness stems from the asymmetry between the reputation scores security products assign to CDNs and the actual content hosted through their user-generated upload mechanisms. Organizations that detect the primary Caminho payload cannot assume complete threat eradication, as the secondary DCRat implant may remain dormant or communicate through separate infrastructure invisible to initial forensic scoping. The research emphasizes that this redundancy extends attacker dwell time and increases the likelihood that the attackers achieve their operational objectives even when part of the chain is detected.

The use of compromised internal email accounts represents another significant challenge. The attack bypassed email security protocols not through technical exploitation, but through abuse of legitimate internal communication pathways where security checks are minimized for operational efficiency. This highlights the difficulty in distinguishing malicious activity from legitimate internal business communications when attackers control valid credentials.

Methodology and Attribution

The investigation was conducted by Zscaler ThreatLabz. The research methodology included dynamic malware execution in isolated environments, network traffic analysis of command-and-control protocols, and email metadata examination. Attribution to the BlindEagle threat actor was established through tactical overlaps including geographic targeting patterns, malware family preferences, infrastructure reuse patterns, and Spanish-language social engineering themes. The researchers assigned medium confidence to this attribution based on multiple supporting factors including victimology, infrastructure characteristics, phishing lure design, tooling preferences, and historical operational patterns.

Conclusion

Zscaler's documentation of BlindEagle's attack against Colombian government infrastructure demonstrates measurable advancement in the threat actor's operational tradecraft, particularly regarding steganographic evasion and redundant implant deployment. The successful compromise through internal email account abuse indicates either improved initial access capabilities or exploitation of persistent credential management gaps within regional public sector organizations. Organizations within Colombia and neighboring South American nations should treat this campaign as indicative of sustained threat actor interest in governmental operations, with reasonable expectation of continued targeting using evolved variants of the documented techniques. The dual-RAT approach combined with legitimate platform abuse suggests BlindEagle possesses sufficient resources and operational maturity to support complex, multi-stage intrusion sequences against defended targets, warranting proportional defensive investment from entities within the threat actor's established operational geography.

Author

Editorial Team
The Editorial Team at Security Land is comprised of experienced professionals dedicated to delivering insightful analysis, breaking news, and expert perspectives on the ever-evolving threat landscape