
BlindEagle


BlindEagle is a cyber threat actor primarily associated with espionage and credential theft campaigns targeting organizations in Latin America, especially Colombia. Active since at least 2018, the group relies heavily on phishing, remote access trojans (RATs), PowerShell scripts, and social engineering to infiltrate systems and maintain persistence. BlindEagle is known for continuously evolving its delivery mechanisms and malware stack to bypass detection and compromise high-value targets.

  • Type: RAT
  • Origin: Unknown
  • First seen: 1 March, 2018
  • Last seen: 17 May, 2026


BlindEagle Malware Exposed: Steganography, Banking Trojans, and 9,000 Victims in One Campaign

Key Takeaways

  • BlindEagle is active and evolving. Operating since at least 2018, the group continuously updates its toolset, adding DLL sideloading, steganography, and new RAT variants.

  • The threat is primarily regional but not exclusively so. Colombia accounts for roughly 87% of known victims, but documented campaigns have reached Ecuador, Chile, Panama, and Spain — and any multinational organization with regional presence is potentially exposed.

  • Phishing is the gateway. Every BlindEagle intrusion begins with a convincing impersonation of a trusted government or financial authority.

  • Commodity RATs, sophisticated impact. Modified open-source RATs equipped with banking credential interception, keylogging, and remote access give the group everything it needs for both espionage and financial fraud.

  • Detection requires behavioral context, not just signatures. The group's use of legitimate platforms (GitHub, Discord, Google Drive) for payload staging, process hollowing for evasion, and DDNS for C2 rotation makes static indicator matching alone insufficient — behavioral detection and up-to-date intelligence are essential.

  • The infection chain is complex but detectable. Each stage (phishing → geolocation filter → VBScript dropper → steganographic payload → process injection → RAT persistence) leaves detection opportunities for organizations with proper monitoring in place.

  • Proactively defend with ANY.RUN’s Threat Intelligence Feeds for real-time IOC blocking and Threat Intelligence Lookup for rapid investigation of suspicious artifacts — combining both strengthens detection and response against evolving threats like BlindEagle.

Example TI Lookup query: destinationIP:"181.134.198.53"

Malicious IP linked to BlindEagle campaigns

What is BlindEagle?

BlindEagle is a South American APT group with a dual mandate: intelligence gathering and financial theft. Unlike many nation-state actors that rely on bespoke, sophisticated malware, BlindEagle operates with lean efficiency: adopting and customizing widely available open-source RATs, layering them within multi-stage infection chains, and constantly rotating tools to frustrate defenders.

The group has maintained a years-long targeting pattern — predominantly Colombia, and secondarily Ecuador, Chile, Panama, and Spain — with remarkable consistency. Their phishing emails convincingly impersonate Colombia's tax authority (DIAN), the Attorney General's Office, the Foreign Affairs Ministry, the judicial system, and major financial institutions. Victims receive what looks like an urgent legal notice or government document; one click sets an elaborate infection cascade in motion.

The group's RAT arsenal has included AsyncRAT, RemcosRAT, njRAT, LimeRAT, BitRAT, QuasarRAT, and DCRat, each modified with additional capabilities tailored to the campaign at hand. In espionage operations, these tools capture keystrokes, take screenshots, activate webcams, and exfiltrate files. In financially motivated campaigns, they transform into banking trojans intercepting credentials for Colombian financial institutions in real time.

The group uses geolocation filtering via URL shorteners: anyone accessing a malicious link from outside the targeted country is silently redirected to the legitimate website of whichever government body is being impersonated. This deflects automated threat hunters and frustrates researchers, while keeping infection rates high among intended targets.

ANY.RUN’s Interactive Sandbox lets you safely detonate BlindEagle samples and analyse the full attack chain:

View sandbox analysis

BlindEagle detonated in Interactive Sandbox

How BlindEagle Threatens Businesses and Organizations

BlindEagle presents serious risks to organizations because it combines stealth, persistence, and operational flexibility.

Key business risks include:

  • Credential theft and account compromise. Stolen credentials may provide attackers with access to VPNs, email environments, cloud platforms, and internal systems.
  • Espionage and sensitive data exposure. Government agencies, financial institutions, and enterprises risk exposure of confidential documents, communications, and strategic data.
  • Operational disruption. Remote access malware enables attackers to manipulate systems, disable defenses, or prepare follow-on attacks.
  • Supply chain and trust exploitation. BlindEagle frequently abuses trusted internal email accounts, making phishing campaigns significantly harder for employees and security tools to identify.
  • Long-term persistence. RAT-based infections allow threat actors to maintain footholds inside networks for extended periods, increasing the risk of lateral movement and secondary payload deployment.
  • Regulatory and compliance exposure. Organizations handling citizen, healthcare, financial, or legal information may face legal consequences after a breach involving sensitive data exfiltration.

For CISOs and SOC teams, BlindEagle is particularly dangerous because its activity often blends into legitimate workflows. The attack chain can look like normal document sharing, judicial notifications, or internal communications until malware execution has already begun.


Victimology: Who Is Most at Risk?

Colombia accounts for approximately 87% of observed victims, reflecting the group's core focus. Ecuador, Chile, Panama, and Spain have also been targeted in documented campaigns, indicating the group is willing to expand when the opportunity presents itself. Sectors at heightened risk:

  • Government and public institutions: BlindEagle routinely impersonates and targets judicial bodies, tax agencies, immigration authorities, and peace negotiation bodies. The group specifically targeted Colombia's judicial institutions in campaigns running through early 2025, infecting over 9,000 victims in a single wave.
  • Financial services: Banks, insurance companies, and fintech firms are prime targets. A 2024 campaign focused specifically on Colombia's insurance sector, delivering a customized Quasar RAT designed to steal banking credentials.
  • Energy, oil, and gas: The group has actively targeted this sector since at least 2018, likely for both espionage and operational intelligence.
  • Healthcare and education: Campaigns have swept up hospitals, universities, and health agencies, which tend to have broader attack surfaces and less mature security postures.
  • Law enforcement and immigration: BlindEagle has impersonated and targeted law enforcement and immigration agencies, adding a dimension of intelligence collection around state security activities.

Any organization with employees in Colombia or other targeted Latin American countries, including multinational companies with regional offices, should consider itself within potential targeting range.

The Evolution of BlindEagle: Key Milestones

2018: Origins

BlindEagle begins operations, primarily targeting Colombian government institutions and financial sector entities. Early campaigns use basic phishing and off-the-shelf RATs, establishing the operational playbook the group will refine over the following years.

2019–2021: Expanding the toolkit

The group cycles through successive RATs — Quasar RAT, AsyncRAT, LimeRAT, BitRAT — demonstrating a pattern of adopting whatever commodity tool best fits the current campaign. Geolocation filtering via URL shorteners becomes a signature defensive tactic.

2022: Remcos and new targets

BlindEagle adds Remcos RAT to its arsenal, deploying it against government entities, private companies, and individuals in Colombia. The group begins experimenting with more elaborate infection chains, including password-protected archives hosted on Google Drive.

Early 2023: Ecuador targeting and sharpened tools

A notable campaign targets Ecuadorian organizations with a refined infection chain, incorporating living-off-the-land techniques (specifically the abuse of mshta) alongside a modified Quasar RAT configured to intercept banking credentials. Fake UUE files and Fsociety-based tooling appear in Colombian campaigns targeting judicial, financial, health, law enforcement, and immigration entities.

Mid-2023: Agent Tesla and expanding surveillance

BlindEagle transitions from njRAT to Agent Tesla as its primary implant in one campaign wave, signaling intent to broaden its surveillance capabilities.

2024: Steganography, DLL sideloading, and the njRAT pivot

BlindEagle begins hiding payloads inside images using steganography, and experiments with DLL sideloading — a technique previously uncharacteristic of the group. Portuguese-language artifacts begin appearing in malicious code, suggesting possible Brazilian involvement or deliberate misdirection. A dedicated campaign targets Colombia's insurance sector using BlotchyQuasar (a customized Quasar RAT variant), initiated via phishing emails impersonating Colombia's tax authority DIAN.

Late 2024–Early 2025: Justice for All campaign

A series of campaigns target Colombian judicial institutions, delivering malicious .url files that exploit behavior similar to CVE-2024-43451 — a Windows NTLMv2 hash disclosure vulnerability. Simply right-clicking, deleting, or dragging the file triggers a WebDAV request that notifies the attacker of the download. The PARAISO campaign alone infects over 1,600 victims with Remcos RAT. Total infections across this campaign wave approach 9,000. GitHub and Bitbucket repositories are abused as distribution platforms for final-stage payloads.

2025: Continued activity and supply chain risk

Darktrace identifies fresh BlindEagle activity targeting customers in Latin America through mid-2025. Researchers link BlindEagle infrastructure to Proton66, a bulletproof hosting provider. The group continues to evolve, with new campaigns targeting Colombian government agencies using DCRat and novel loaders. MITRE ATT&CK formally tracks the group as G0099, cataloguing its growing technique set.

How BlindEagle Gets Into Systems and Spreads

BlindEagle's intrusion methodology is highly consistent across campaigns, making it both predictable in pattern and effective in execution.

Stage 1 — Phishing lure

Everything begins with a carefully crafted phishing email. BlindEagle impersonates trusted institutions: Colombia's tax authority (DIAN), the Attorney General's Office, the judicial system, or major banks. Emails contain urgent language — a tax notice, a court summons, a legal complaint — designed to compel the recipient to act immediately. Attachments may appear to be PDFs or Word documents; links in the email body direct victims to download what appears to be official documentation.

Stage 2 — Geolocation filtering

Before any malicious content is served, a URL shortener checks the victim's geographic location. Connections from outside the targeted country are silently redirected to the legitimate website of the impersonated institution.

Stage 3 — Initial dropper

The victim downloads a compressed archive — ZIP, LHA, or UUE format — containing what appears to be an official document. Inside are Visual Basic Scripts (VBScripts) that, when executed, use WScript, XMLHTTP objects, or PowerShell commands to reach out to attacker-controlled servers or legitimate public platforms (GitHub, Pastebin, Discord, Bitbucket, Google Drive) to download the next-stage payload.

Stage 4 — Intermediate payload

The second-stage artifact may be a text file (with base64 or ASCII-encoded payload), an image file (with the payload concealed via steganography), or a .NET executable masquerading as a legitimate application. The initial dropper decodes and extracts this content, producing an intermediate DLL or .NET injector.

Stage 5 — Process injection and persistence

The injector loads the final RAT payload into the memory of a legitimate Windows process using process hollowing — a technique that causes the malicious code to execute under the guise of a trusted application, evading process-based security tools. The malware then writes itself into the Windows Registry to survive reboots. Command-and-control (C2) communications are established using Dynamic DNS services such as DuckDNS, which allow high IP rotation and rapid subdomain creation, making infrastructure takedown difficult.

Stage 6 — Post-compromise activity

With the RAT running, BlindEagle operators have full remote access: keylogging, screenshot capture, webcam activation, file exfiltration, remote desktop control, and — in financial campaigns — real-time interception of banking credentials as victims navigate to financial websites.

How BlindEagle Functions: Technical Mechanics

RAT rotation and customization

BlindEagle does not develop proprietary malware. Instead, it sources open-source or commodity RATs — AsyncRAT, Remcos, njRAT, LimeRAT, BitRAT, QuasarRAT, DCRat — and customizes them for each campaign. Modifications include adding keylogging routines tuned to specific banking websites, installing secondary plugin frameworks for expanded capability, embedding espionage-focused features such as webcam activation and screen recording, and in at least one documented case, building a complete banking credential interception module into a Quasar RAT variant.

Steganography

BlindEagle has been observed hiding encoded payloads inside image files, using steganographic techniques to conceal malicious code in plain sight. The encoded content is extracted and decoded by the initial dropper before being executed.

Process hollowing

The group's preferred injection method involves hollowing out a legitimate Windows process, replacing its code with the RAT payload.

DLL sideloading

By placing a malicious DLL in a location where a legitimate application will load it, BlindEagle can execute arbitrary code under the cover of a trusted application without triggering standard detection rules.

Living-off-the-land (LotL)

BlindEagle makes extensive use of Windows-native tools and processes — PowerShell, WScript, mshta, the .NET framework — reducing reliance on easily detected third-party malicious executables. Using built-in system tools for malicious purposes blends attacker activity into normal operational noise.

C2 via trusted platforms

By hosting payloads and staging infrastructure on GitHub, Bitbucket, Google Drive, Discord, and Pastebin, BlindEagle benefits from the implicit trust that security tools and network filters extend to these platforms. Blocking them outright would break legitimate business workflows — making BlindEagle's use of them a deliberate and effective defense bypass.

BlindEagle Sample Sandbox Analysis

View this sandbox session to observe BlindEagle's full kill chain, payload, connections, and processes.

Blind Eagle (APT-C-36) typically begins its campaigns with a phishing email disguised as a notification from a government agency, court, or financial organization. The email contains a link or attachment that encourages the recipient to download a file and run it:

BlindEagle detonated in Interactive Sandbox

In more recent campaigns, the group uses malicious Internet Shortcut (.url) files instead of classic .lnk files. Such a file points to a UNC/WebDAV path, for example: \\62.60.226[.]200@80\file\WondersharePDFelement.exe

(The name of the executable file often changes, and shortcuts that are literally one day old may already be outdated.) The @80 indicates WebDAV over HTTP.
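A small inspector for such shortcuts, added here as an example and not part of ANY.RUN's tooling: it parses a .url file, reports any URL, IconFile or WorkingDirectory entry that names a remote UNC or file: target, and recognises the host@80 / host@SSL WebDAV syntax described above. The sample shortcut content is constructed and its host is defanged.

```python
"""Inspect Windows Internet Shortcut (.url) files for remote UNC/WebDAV targets.

Added example, not ANY.RUN's own code. It flags shortcuts whose URL, IconFile or
WorkingDirectory entry names a remote UNC or file: target, and recognises the
WebDAV Mini-Redirector host syntax (host@80, host@SSL) described above. The
sample shortcut is constructed and its host is defanged.
"""
import configparser
import re

# Entries in the [InternetShortcut] section that can name a remote resource.
TARGET_KEYS = ("url", "iconfile", "workingdirectory")
# \\host\share\... (also matches \\host@80\... and \\host@SSL\...).
UNC_RE = re.compile(r"^\\\\(?P<host>[^\\]+)\\")
# file://host/share/... with a non-empty host (file:///C:/... is local).
FILE_URI_RE = re.compile(r"^file:(?://|\\\\)(?P<host>[^/\\]+)[/\\]", re.IGNORECASE)
# WebDAV Mini-Redirector syntax: the host carries an @port or @SSL suffix.
WEBDAV_HOST_RE = re.compile(r"^(?P<host>[^@]+)@(?P<port>\d+|SSL)$", re.IGNORECASE)

# Constructed sample shaped like the shortcut discussed above (defanged host).
SAMPLE_URL_FILE = r"""[InternetShortcut]
URL=\\62.60.226[.]200@80\file\WondersharePDFelement.exe
IconFile=C:\Windows\System32\shell32.dll
IconIndex=1
"""

def parse_url_file(text):
    """Return the [InternetShortcut] entries as a dict with lower-case keys."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    try:
        cp.read_string(text.lstrip("\ufeff"))  # tolerate a UTF-8 BOM
    except configparser.Error:
        return {}  # not a well-formed .url file; nothing to inspect
    for name in cp.sections():
        if name.lower() == "internetshortcut":
            return {k: (v or "") for k, v in cp.items(name)}
    return {}

def remote_host(value):
    """Return the host named by a UNC path or file: URI, or None if local."""
    for rx in (UNC_RE, FILE_URI_RE):
        m = rx.match(value.strip())
        if m:
            return m.group("host")
    return None

def inspect_url_file(text):
    """Return (key, host, is_webdav, port) for each entry naming a remote target.

    An http(s) link or a local path yields nothing: the risky case is a shortcut
    that makes Windows fetch and run a file over SMB/WebDAV when opened.
    """
    findings = []
    for key, value in parse_url_file(text).items():
        if key not in TARGET_KEYS:
            continue
        host = remote_host(value)
        if host is None:
            continue
        m = WEBDAV_HOST_RE.match(host)
        if m:
            findings.append((key, m.group("host"), True, m.group("port").lower()))
        else:
            findings.append((key, host, False, None))
    return findings

def inspect_path(path):
    """Read a .url file from disk with lenient decoding and inspect it."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return inspect_url_file(fh.read())
```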

File static analysis in the sandbox

After interacting with the file, the system attempts to connect to the remote resource via WebDAV, displaying an interactive dialog window:

File opening confirmation

If the user confirms, we can see the launch of the specified file in the process details:

Processes linked to the file in the sandbox (note the file path starting with \Device\Mup...)

We can also see the WebDAV connection in the analysis through the corresponding detection:

WebDAV connection detected in the sandbox

After launching the remote payload, behavior may vary, but most often we observe C2 network traffic from the additional payload downloaded from the network. RAT traffic received after launching the payload:

RAT detected in network traffic

Right away in the sandbox, we can check Network Threats and see detections for Remcos:

Remcos malware detected

And the data on connections:

Captured network connections

Additionally, we see that a log file was dropped:

Log file detected in the sandbox

As a result, a Remcos RAT was downloaded, which is also visible in the detections:

Remcos RAT detected by the sandbox

Using ANY.RUN sandbox analysis, we can see the entire chain: URL file loading → launching a remote executable file via WebDAV → downloading the malicious payload (BlindEagle most often delivers RATs) → actual operation of the received payload (traffic, dropped files) with detection of the specific malware family.

Besides Interactive Sandbox, ANY.RUN provides threat intelligence solutions that help to protect proactively against BlindEagle and similar threats.

Threat Intelligence Feeds can help businesses:

  • Detect emerging BlindEagle infrastructure;
  • Block malicious IPs, domains, and URLs associated with campaigns;
  • Monitor malware behavior patterns;
  • Correlate network telemetry with fresh indicators;
  • Enrich SIEM, SOAR, EDR, and firewall workflows;
  • Identify infrastructure reuse across campaigns.

Because BlindEagle frequently shifts payloads and hosting providers, real-time IOC enrichment is critical for reducing exposure windows.

Threat Intelligence Lookup helps analysts proactively investigate:

  • Suspicious hashes;
  • PowerShell artifacts;
  • Domains and IPs;
  • File relationships;
  • Behavioral patterns;
  • Similar malware samples linked to BlindEagle operations.

This enables faster threat hunting and incident triage, especially when organizations detect suspicious phishing emails or unusual RAT-like behavior.

Other key measures:

  • Robust email security with sandboxing and attachment scanning.
  • User training on phishing, especially legal/government-themed lures.
  • Endpoint detection and response (EDR) with behavioral monitoring.
  • Least-privilege access, network segmentation, and multi-factor authentication.
  • Regular patching and disabling unnecessary macros/scripts.
  • Monitoring for anomalous PowerShell/WMI usage and WebDAV connections.
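The last bullet, together with Stage 3 (script droppers reaching public platforms), Stage 5 (DDNS-based C2) and the \Device\Mup process path seen in the sandbox walkthrough, can be turned into simple telemetry rules. The following is an added example, not ANY.RUN's code; the event schema and the JSON log lines are constructed for the demo, and the rule names are assumptions.

```python
r"""Flag BlindEagle-style behaviour in process and network telemetry.

Added example, not ANY.RUN's own code. Rules taken from this page: an
executable launched from a network share (the \Device\Mup path seen in the
sandbox), a script host fetching from a public staging platform (Stage 3),
and any process talking to a DuckDNS-style DDNS domain (Stage 5 C2). The
event schema and the JSON lines below are constructed for the demo.
"""
import json

# Windows script/LotL interpreters the page names as droppers.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
# Domain suffixes of the public platforms the page lists for payload staging.
STAGING_DOMAINS = ("github.com", "githubusercontent.com", "pastebin.com",
                   "discord.com", "discordapp.com", "bitbucket.org",
                   "drive.google.com")
# Dynamic DNS providers; the page names DuckDNS for C2 rotation.
DDNS_DOMAINS = ("duckdns.org",)
# Image path prefixes that mean "started from a WebDAV/SMB share".
REMOTE_SHARE_PREFIXES = ("\\device\\mup\\", "\\\\")

# Constructed sample events (JSON lines); the remote host is defanged.
SAMPLE_EVENTS = [
    r'{"event":"process_create","image":"\\Device\\Mup\\62.60.226[.]200@80\\file\\WondersharePDFelement.exe","parent":"explorer.exe"}',
    r'{"event":"network_connect","image":"C:\\Windows\\System32\\wscript.exe","dest_host":"pastebin.com"}',
    r'{"event":"network_connect","image":"C:\\Users\\user\\AppData\\Roaming\\updater.exe","dest_host":"placeholder-host.duckdns.org"}',
    r'{"event":"network_connect","image":"C:\\Program Files\\Git\\bin\\git.exe","dest_host":"github.com"}',
    r'{"event":"process_create","image":"C:\\Windows\\System32\\notepad.exe","parent":"explorer.exe"}',
]

def domain_matches(host, suffixes):
    """True if host equals one of the suffixes or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)

def image_name(image):
    """Lower-case file name of a Windows image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def evaluate(event):
    """Return the rule names an event triggers (empty list if none)."""
    hits = []
    image = event.get("image", "")
    if event.get("event") == "process_create":
        if image.lower().startswith(REMOTE_SHARE_PREFIXES):
            hits.append("executable_launched_from_remote_share")
    elif event.get("event") == "network_connect":
        host = event.get("dest_host", "")
        # git.exe or a browser reaching GitHub is normal; wscript.exe is not.
        if image_name(image) in SCRIPT_HOSTS and domain_matches(host, STAGING_DOMAINS):
            hits.append("script_host_to_staging_platform")
        if domain_matches(host, DDNS_DOMAINS):
            hits.append("connection_to_ddns")
    return hits

def triage(lines):
    """Evaluate JSON-line events; return [(line_no, rule), ...], skipping bad lines."""
    results = []
    for line_no, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        for rule in evaluate(event):
            results.append((line_no, rule))
    return results
```

Suffix matching keeps the staging and DDNS lists small while still catching subdomains such as raw.githubusercontent.com or any host under duckdns.org.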


Conclusion

BlindEagle has evolved into a persistent and sophisticated cyber threat actor capable of targeting governments, enterprises, and critical organizations with stealthy phishing campaigns and RAT-based malware.

Its combination of social engineering, PowerShell abuse, DLL sideloading, and evolving malware infrastructure makes it especially dangerous for organizations relying solely on signature-based defenses.

For modern security teams, protection against BlindEagle requires more than endpoint detection alone. It demands continuous threat intelligence, behavioral visibility, rapid IOC correlation, and proactive hunting capabilities capable of identifying campaigns before they escalate into full-scale compromise.

Trial TI Lookup to start gathering actionable threat intelligence on the malware that threatens your business sector and region: just sign up to ANY.RUN.
