Threat Actor Overview
BlindEagle, also known in the security community as APT-C-36 or ÁguilaCiega, is a long-running cyber-espionage group primarily active in Colombia and parts of Latin America. Based on observed campaigns over multiple years, the group has shown consistent targeting patterns and tooling overlap.
This group is not financially motivated. Analysis of incident timelines and post-compromise behavior suggests their activity is focused on intelligence gathering, long-term access, and quiet monitoring of sensitive systems. They focus on government entities because those networks contain legal records, citizen data, policy documents, and internal communications.
BlindEagle has evolved significantly over the years. Earlier campaigns relied on relatively simple malware attachments. More recent investigations indicate the current activity involves careful planning, multi-stage execution, stealthy tooling, and patience, which points to a mature threat actor rather than opportunistic criminals.
Who Is Being Targeted
Primary Targets
Based on victim analysis across multiple campaigns, the following sectors appear to be most frequently targeted:
- National government ministries
- Judicial and legal institutions
- Tax authorities and civil registries
- Local and regional government offices
- Government-linked contractors and suppliers
Geographic Focus
- Colombia (primary and consistent target)
- Limited spillover into neighboring Latin American countries has been observed in some campaigns
Scale of Impact (So Far)
Based on multiple security investigations and telemetry analysis:
- Thousands of endpoints have been infected across multiple campaigns
- At least hundreds of government organizations have been targeted
- One major campaign alone resulted in over 1,600 confirmed infections
- Total historical infections attributed to related BlindEagle activity are estimated in the several-thousand range
These numbers are derived from telemetry-based detections and incident response cases, meaning actual impact could be higher due to undetected or unreported compromises.
Initial Access – How the Attack Starts
Based on repeated campaign analysis, the attack almost always begins with highly targeted phishing emails.
What the Email Looks Like
In reviewed cases, the phishing emails typically:
- Appear to come from a real Colombian government entity
- Use official logos, language, and formatting consistent with legitimate correspondence
- Reference topics such as:
  - Legal complaints
  - Court summons
  - Administrative penalties
  - Tax or compliance issues
These emails often create urgency or fear, pushing the recipient to act quickly.
In some cases, analysis indicates the email originated from a previously compromised legitimate government account, making detection significantly more difficult.
Malicious Attachments – What the Victim Opens
The phishing email usually contains an attachment or link disguised as a legal document. Across investigated incidents, common formats include:
- .SVG files (abused due to their ability to carry embedded scripts)
- .URL or .LNK files
- ZIP or RAR archives
- HTML or HTA files masquerading as documents
To most users, these files appear harmless. Once opened, however, they initiate script execution without obvious warning.
Stage One Execution – Script Abuse
When the victim opens the attachment, the following sequence is typically observed:
- A hidden script executes automatically
- That script launches PowerShell, a legitimate Windows administrative tool
- The PowerShell command is:
  - Heavily obfuscated
  - Base64-encoded
  - Executed directly in memory
Why This Is Dangerous
From an investigative standpoint:
- No obvious malware file is written to disk
- Antivirus solutions often treat PowerShell activity as legitimate
- The execution chain blends into normal system behavior
This technique falls under Living-Off-The-Land (LOTL) abuse, which is commonly observed in advanced intrusion activity.
Stage Two – Downloader (Caminho)
Following initial execution, the PowerShell script downloads a small loader commonly referred to as Caminho.
What Caminho Does
Based on malware analysis:
- Collects basic system and environment information
- Establishes contact with attacker-controlled infrastructure
- Downloads the primary malware payload
- Often removes itself to reduce forensic footprint
Caminho serves primarily as a staging component, bridging the phishing stage and the final payload delivery.
Stage Three – Remote Access Trojans (RATs)
The final payload is usually a commodity Remote Access Trojan (RAT). Observed variants include, but are not limited to:
- DCRAT
- Remcos
- AsyncRAT
- njRAT
What These RATs Enable
In affected environments, these tools allow attackers to:
- Remotely control compromised systems
- Steal files and credentials
- Monitor keystrokes and screen activity
- Deploy additional tooling
- Move laterally within the network
To avoid detection, analysis shows the RAT is often:
- Injected into legitimate Windows processes
- Launched via trusted binaries such as MSBuild
- Packed or encrypted to evade signature-based detection
Persistence – Staying Inside the Network
Once established, the malware implements persistence mechanisms to survive system restarts. Commonly observed methods include:
- Scheduled tasks
- Registry run keys
- Disguised Windows services
- Files hidden in system-like directories
These techniques allow BlindEagle to maintain access for extended periods, sometimes weeks or months, without raising immediate suspicion.
Internal Reconnaissance & Lateral Movement
After establishing persistence, the attackers proceed cautiously.
What They Look For
Based on post-incident reviews, attackers typically seek:
- Domain administrator credentials
- File servers and shared storage
- Sensitive internal documents
- Credential material cached on systems
How They Move
Lateral movement has been observed through:
- Stolen credentials
- Legitimate Windows administrative tools
- Exploitation of weak NTLM or SMB configurations
- Use of .URL files to trigger WebDAV or SMB authentication leaks
The overall objective appears to be quiet expansion, rather than immediate disruption.
Command and Control (C2)
BlindEagle’s command-and-control infrastructure typically relies on:
- Dynamic DNS services
- Frequently rotated domains
- Non-standard ports
- Encrypted or lightly obfuscated network traffic
Traffic patterns are designed to closely resemble normal HTTPS communication, making detection difficult without behavioral analysis.
Indicators of Compromise (IOC Examples)
The following IOCs are behavioral and contextual indicators commonly observed during investigations.
Network Indicators
- Dynamic DNS domains not previously seen in the environment
- Rare outbound connections to unfamiliar ports
- Use of Discord CDN URLs for payload hosting
Host Indicators
- PowerShell executed with -EncodedCommand
- PowerShell launched by mshta.exe or wscript.exe
- MSBuild spawning network connections
- Unexpected scheduled tasks or registry run entries
Malware Artifacts
- Strings referencing Caminho, DCRAT, or Remcos
- Packed binaries using HeartCrypt-style encryption
Detection Rules
Rule 1: PowerShell Encoded Command from Unusual Parent
Why this matters:
BlindEagle heavily relies on obfuscated PowerShell launched by script engines or user-opened files.
Detection Logic
- Process name is powershell.exe
- Command line contains -EncodedCommand or long Base64-like strings
- Parent process is not a known administrative tool
Example Logic
ProcessName = powershell.exe
AND CommandLine CONTAINS "-EncodedCommand"
AND ParentProcessName IN (mshta.exe, wscript.exe, cscript.exe)
Severity: High
Rule 2: Script Engine Launching PowerShell
Why this matters:
Script-based phishing attachments often abuse mshta or Windows Script Host.
Detection Logic
ParentProcessName IN (mshta.exe, wscript.exe, cscript.exe)
AND ChildProcessName IN (powershell.exe, cmd.exe)
Severity: High
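As an added example (not code from the original write-up), the following Python applies Rule 1 and Rule 2 to constructed process-creation records in a hypothetical Sysmon-style schema, and decodes the -EncodedCommand payload (Base64 of UTF-16LE text) so an analyst can see what the launched script actually ran; the field names, the sample events and the harmless Write-Host payload are all assumptions.

```python
import base64
import re
from dataclasses import dataclass

# Script-engine parents named in Rules 1 and 2.
SCRIPT_ENGINES = {"mshta.exe", "wscript.exe", "cscript.exe"}
# -EncodedCommand and its short forms (-e, -ec, -enc) followed by a Base64 blob.
ENCODED_FLAG = re.compile(r"(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})")


@dataclass
class ProcessEvent:
    """Hypothetical process-creation record (Sysmon event 1 style field names)."""
    host: str
    image: str
    parent_image: str
    command_line: str


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def decode_encoded_command(command_line):
    """Decode the -EncodedCommand payload (Base64 of UTF-16LE text) for triage, or None."""
    m = ENCODED_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # long token that is not a real encoded command (e.g. a hash)


def evaluate(event):
    """Apply Rule 1 and Rule 2 to one event; returns [(rule, severity, detail), ...]."""
    image, parent = _basename(event.image), _basename(event.parent_image)
    hits = []
    if image == "powershell.exe" and parent in SCRIPT_ENGINES and ENCODED_FLAG.search(event.command_line):
        hits.append(("Rule 1", "High", decode_encoded_command(event.command_line)))
    if parent in SCRIPT_ENGINES and image in {"powershell.exe", "cmd.exe"}:
        hits.append(("Rule 2", "High", f"{parent} -> {image}"))
    return hits


# Constructed sample events; the encoded payload is a harmless Write-Host built right here.
SAMPLE_ENC = base64.b64encode("Write-Host 'constructed sample'".encode("utf-16-le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcessEvent("WS-01", PS, r"C:\Windows\System32\mshta.exe", f"powershell.exe -NoP -w hidden -enc {SAMPLE_ENC}"),
    ProcessEvent("WS-02", PS, r"C:\Windows\explorer.exe", "powershell.exe Get-Service"),
    ProcessEvent("WS-03", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wscript.exe", "cmd.exe /c ver"),
]
```

Only the first and third sample events should fire; the second is an interactive PowerShell session started from Explorer, which neither rule is meant to catch.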
Rule 3: MSBuild or CSC Executing Network Connections
Why this matters:
BlindEagle frequently uses trusted developer binaries to hide malicious execution.
Detection Logic
ProcessName IN (msbuild.exe, csc.exe)
AND NetworkConnection = TRUE
AND DestinationIP NOT IN corporate_ranges
MSBuild rarely needs outbound internet access on user workstations.
Severity: High
Rule 4: Execution from User-Writable Directories
Why this matters:
Payloads are commonly launched from Downloads, Temp, or AppData.
Detection Logic
ProcessPath CONTAINS ("\Users\" OR "\AppData\" OR "\Temp\")
AND ProcessName IN (powershell.exe, mshta.exe, wscript.exe)
Severity: Medium
Rule 5: Suspicious Scheduled Task Creation
Why this matters:
BlindEagle establishes persistence via scheduled tasks with misleading names.
Detection Logic
EventType = ScheduledTaskCreated
AND NOT (TaskPath CONTAINS "\Microsoft\")
AND TaskCommand CONTAINS ("powershell" OR "mshta" OR "wscript")
Severity: Medium to High
Rule 6: Registry Run Key Persistence from Non-Standard Location
Why this matters:
Registry run keys are used to auto-start malware after reboot.
Detection Logic
RegistryKey IN (
HKCU\Software\Microsoft\Windows\CurrentVersion\Run,
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
)
AND RegistryValuePath CONTAINS ("\AppData\" OR "\Temp\")
Severity: Medium
Rule 7: Outbound Connection to Dynamic DNS from Non-Browser Process
Why this matters:
BlindEagle uses dynamic DNS and non-browser tools for C2 communication.
Detection Logic
DestinationDomain CONTAINS (".ddns", ".dyn", ".ydns")
AND ProcessName NOT IN (chrome.exe, msedge.exe, firefox.exe)
Severity: High
Rule 8: Discord CDN Access from Script or System Process
Why this matters:
Payloads are often hosted on Discord infrastructure.
Detection Logic
DestinationDomain CONTAINS "discord"
AND ProcessName IN (powershell.exe, mshta.exe, msbuild.exe)
Severity: Medium to High
Rule 9: Abnormal NTLM / SMB Authentication Triggered by URL Files
Why this matters:
BlindEagle uses .URL files to trigger credential leaks via SMB or WebDAV.
Detection Logic
FileOpened EXTENSION = ".url"
AND FollowedBy AuthenticationProtocol IN (NTLM, SMB)
AND Destination NOT IN internal_file_servers
Severity: High
Rule 10: Multiple Living-Off-The-Land Tools in Short Timeframe
Why this matters:
BlindEagle chains multiple native tools quickly during initial compromise.
Detection Logic
SameHost
WITHIN 10 minutes
EXECUTES (mshta.exe → powershell.exe → msbuild.exe)
Severity: Critical
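Rules 9 and 10 are both ordered-sequence correlations on a single host inside a time window, so here is one added example (not part of the original report) implementing that correlation in Python over constructed telemetry; the Event schema, the 5-minute window for Rule 9 (the page gives none), the internal file-server allow-list and the sample hosts are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
@dataclass
class Event:  # hypothetical normalised telemetry record: process start, file open or authentication
    host: str
    ts: datetime
    kind: str         # "process", "file" or "auth"
    detail: str       # process image, opened file path, or authentication protocol
    target: str = ""  # remote destination, for auth events

def sequence_within(events, steps, window):
    """Hosts on which the predicates in `steps` match events in order, all inside `window`."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)
    matched = []
    for host, evs in by_host.items():
        for start in (i for i, e in enumerate(evs) if steps[0](e)):
            deadline, pos = evs[start].ts + window, start
            for step in steps[1:]:
                pos = next((j for j in range(pos + 1, len(evs)) if evs[j].ts <= deadline and step(evs[j])), None)
                if pos is None:
                    break
            else:  # every step found, in order, before the deadline
                matched.append(host)
                break
    return matched

INTERNAL_FILE_SERVERS = {"fs01.corp.example"}  # placeholder allow-list of known internal shares
proc = lambda name: (lambda e: e.kind == "process" and e.detail.lower() == name)
# Rule 10: mshta -> powershell -> msbuild on one host. Rule 9: .url opened, then NTLM/SMB auth to a non-internal target.
RULE_10 = [proc("mshta.exe"), proc("powershell.exe"), proc("msbuild.exe")]
RULE_9 = [lambda e: e.kind == "file" and e.detail.lower().endswith(".url"),
          lambda e: e.kind == "auth" and e.detail in {"NTLM", "SMB"} and e.target not in INTERNAL_FILE_SERVERS]

def run_rules(events):
    """Apply both rules; the 5-minute window for Rule 9 is an assumption (the page gives none)."""
    return {"Rule 10": sequence_within(events, RULE_10, timedelta(minutes=10)),
            "Rule 9": sequence_within(events, RULE_9, timedelta(minutes=5))}

at = lambda m, s=0: datetime(2024, 1, 1, 10, m, s)  # constructed timestamps on one fictional day
SAMPLE_EVENTS = [  # constructed telemetry, not from a real incident
    Event("WS-01", at(0), "process", "mshta.exe"), Event("WS-01", at(2), "process", "powershell.exe"),
    Event("WS-01", at(5), "process", "msbuild.exe"),
    Event("WS-02", at(0), "process", "mshta.exe"), Event("WS-02", at(30), "process", "powershell.exe"),
    Event("WS-02", at(31), "process", "msbuild.exe"),  # same chain, but outside the 10-minute window
    Event("WS-03", at(40), "file", r"C:\Users\u\Downloads\Citacion.url"),
    Event("WS-03", at(40, 5), "auth", "NTLM", target="203.0.113.10"),  # external (TEST-NET) destination
    Event("WS-04", at(41), "file", r"C:\Users\u\Downloads\Factura.url"),
    Event("WS-04", at(41, 3), "auth", "NTLM", target="fs01.corp.example"),  # legitimate internal share
]
```

Widening the Rule 10 window to an hour makes WS-02 fire as well, which is the tuning trade-off the 10-minute figure in the rule is making.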
MITRE ATT&CK Mapping (Key Techniques)
Based on observed behaviors, BlindEagle activity aligns with the following MITRE ATT&CK techniques:
- Initial Access: Spear-phishing Attachment
- Execution: PowerShell, JavaScript, MSHTA
- Persistence: Scheduled Tasks, Registry Run Keys
- Defense Evasion: Obfuscation, In-Memory Execution
- Credential Access: NTLM / SMB Abuse
- Lateral Movement: Windows Administrative Tools
- Command & Control: Encrypted Web Traffic
This behavior is consistent with APT-style tradecraft, rather than financially motivated ransomware operations.
How This Could Have Been Prevented
Email Layer
- Block or sandbox SVG, HTA, and URL attachments
- Enforce strict DMARC, DKIM, and SPF policies
- Flag legal-themed emails from unexpected senders
Endpoint Layer
- Enable PowerShell Script Block Logging
- Restrict PowerShell and MSBuild usage
- Enforce application allow-listing
- Monitor parent-child process anomalies
Network Layer
- Block or closely monitor outbound Dynamic DNS traffic
- Monitor newly registered domains
- Enforce SMB signing and reduce NTLM usage
User Awareness
- Train staff on legal-themed phishing, not generic phishing
- Emphasize that government agencies rarely send executable attachments
Final Takeaway
Based on current and historical campaign analysis, this activity demonstrates:
- Strong understanding of government workflows
- Long-term intelligence-focused objectives
- High success rates driven by trusted legal lures
- Increasing technical sophistication over time
BlindEagle is unlikely to cease operations. Public-sector organizations should assume continued targeting and shift defensive strategies toward behavioral detection, credential hygiene, and zero-trust assumptions.
