A sophisticated cyber attack campaign, attributed to the South American threat group BlindEagle, has recently targeted government agencies in Colombia, demonstrating an alarming evolution in their methodology. The group launched a coordinated assault on a government agency within the Ministry of Commerce, Industry and Tourism (MCIT) in early September 2025, employing multi-stage malware delivery and carefully crafted phishing emails. This incident marks a significant escalation in the complexity of BlindEagle’s operations, moving beyond basic malware deployment to a meticulously orchestrated chain of malicious components.
The attack chain begins with a deceptive phishing email designed to impersonate the Colombian judicial system. The email leverages official government formatting and urgent legal terminology to pressure recipients into acknowledging receipt of what appears to be a labor lawsuit notification. Crucially, the phishing email was dispatched from a compromised account within the targeted organization itself, lending an air of authenticity to the message and enabling it to bypass standard email security protocols that often flag external threats. This internal compromise allowed the attackers to exploit existing trust relationships within the organization.
BlindEagle’s Evolving Attack Vectors Against Colombian Government Agencies
An analysis by Zscaler researchers has fully detailed the attack chain, revealing that BlindEagle utilized a highly complex, file-less methodology to evade detection systems. The initial compromise vector involved an SVG (Scalable Vector Graphics) image file attached to the phishing email. This SVG contained encoded HTML that redirected users to a fraudulent web portal meticulously mimicking the legitimate Colombian judicial branch.
Once a user interacted with this deceptive portal, the attack proceeded through a series of three JavaScript files, culminating in the execution of a PowerShell command. Each stage of this process involved progressively deobfuscating the subsequent component using various encoding techniques, including Base64 and proprietary obfuscation algorithms. This intricate layering made it considerably more difficult for security solutions to identify the malicious intent.
Sophisticated Infection Mechanism Leverages Steganography and Legitimate Services
The infection mechanism employed by BlindEagle showcases a particularly advanced approach, incorporating steganography and the abuse of legitimate services for payload delivery. The JavaScript files within the attack chain feature complex deobfuscation routines where integer arrays are transformed into executable code. Following this, the PowerShell command downloads an image file from the Internet Archive. Within this image, a malicious payload, encoded in Base64, is hidden and subsequently extracted.
This extracted payload is then loaded directly into the system’s memory using .NET reflection. This in-memory execution is a critical evasion technique, as it prevents any malicious file from ever being written to the disk. Consequently, traditional file-based security solutions often fail to detect the presence of malware when no physical file is present. The PowerShell script ultimately executes Caminho, identified as a downloader malware, which exhibits Portuguese language artifacts within its code.
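As an added illustration (my own code, not from the article or the Zscaler analysis), the following defender-side heuristic checks whether an image file carries a long Base64 run appended after its end-of-image marker and whether that run decodes to a PE/.NET assembly ("MZ" header). It assumes the simple append-after-EOF embedding, since the write-up does not say how the payload was placed inside the image; the sample PNG and its payload are constructed for the test.

```python
import base64
import re
import struct
import zlib

# Defender-side heuristic for the "Base64 payload hidden in an image" stage.
# Assumption: the payload sits after the image's end marker (the write-up does
# not spell out the exact embedding used by the campaign).
PNG_SIG = b"\x89PNG\r\n\x1a\n"
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")  # long Base64 runs only

def trailing_data(blob: bytes) -> tuple:
    """Return (format, bytes sitting after the image's logical end)."""
    if blob.startswith(PNG_SIG):
        pos = len(PNG_SIG)
        while pos + 8 <= len(blob):  # walk chunks: length, type, data, CRC
            length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
            pos += 8 + length + 4
            if ctype == b"IEND":
                return "png", blob[pos:]
        return "png", b""
    if blob.startswith(b"\xff\xd8"):
        end = blob.rfind(b"\xff\xd9")  # JPEG end-of-image marker
        return "jpeg", blob[end + 2:] if end != -1 else b""
    return "unknown", b""

def scan_image(blob: bytes) -> dict:
    """Flag a long Base64 run in the trailer that decodes to a PE ('MZ') image."""
    fmt, tail = trailing_data(blob)
    result = {"format": fmt, "trailing_bytes": len(tail),
              "base64_run": 0, "decodes_to_pe": False}
    match = B64_RUN.search(tail)
    if match:
        result["base64_run"] = len(match.group(0))
        try:
            decoded = base64.b64decode(match.group(0), validate=True)
            result["decodes_to_pe"] = decoded.startswith(b"MZ")
        except ValueError:  # binascii.Error: not a well-formed Base64 string
            pass
    return result

def _png_chunk(ctype: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def build_sample(payload: bytes) -> bytes:
    """Constructed 1x1 grayscale PNG with Base64(payload) appended after IEND."""
    ihdr = _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    idat = _png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
    return PNG_SIG + ihdr + idat + _png_chunk(b"IEND", b"") + base64.b64encode(payload)
```

A real deployment would pair this with the image fetch itself (PowerShell pulling an image from a file-hosting service and then calling .NET reflection) rather than relying on the trailer check alone.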
Caminho then proceeds to retrieve DCRAT (a remote access trojan) by leveraging Discord’s content delivery network. DCRAT is known for its advanced evasion capabilities, notably its ability to patch Microsoft’s Antimalware Scan Interface (AMSI). By disabling AMSI, the malware significantly hinders Windows’ built-in detection and prevention mechanisms. To ensure persistent access to compromised systems, the malware establishes persistence through the creation of scheduled tasks and modifications to the Windows registry.
This latest campaign underscores BlindEagle’s significant maturation as a threat actor. The group has demonstrated a potent combination of social engineering expertise and technical proficiency in techniques such as obfuscation, steganography, and the exploitation of legitimate services. These capabilities allow BlindEagle to conduct targeted attacks against government infrastructure with a substantially reduced risk of detection, posing a growing threat to national cybersecurity.