BlindEagle threat actors are exploiting compromised internal email accounts to launch spear-phishing campaigns that bypass traditional email security controls, targeting Colombian government agencies with sophisticated multi-stage malware attacks, according to Zscaler ThreatLabz research.
The cybersecurity firm discovered the campaign in early September 2025, revealing that the South American threat group targeted a government agency under Colombia’s Ministry of Commerce, Industry and Tourism (MCIT) using a phishing email sent from what appears to be a compromised account within the same organization.
This technique exploits inherent trust between colleagues and leverages internal email infrastructure to evade detection.
Attack Chain Analysis
The attack begins with a phishing email sent to a shared IT team email address from another agency-shared account, making it appear legitimate.
BlindEagle’s campaign leverages in-memory scripts, legitimate internet services like Discord, steganography, and the deployment of Caminho and DCRAT.

Security analysis of the email metadata revealed that both sender and receiver domains had properly configured DMARC, DKIM, and SPF protocols with no evident flaws.
The email's delivery path appeared completely legitimate, with every “Received” header referencing Microsoft 365/Exchange servers, including the originating server.
Notably, DMARC, DKIM, and SPF checks were not applied because the message remained entirely within the organization’s Microsoft 365 tenant.
The phishing lure employed a legal-themed design mimicking Colombia’s judicial system, referencing an authentic-sounding labor lawsuit case number and date to pressure recipients into immediate action.
The email contained a clickable SVG image that, when activated, decoded a Base64-encoded HTML page mimicking an official Colombian judicial portal.

This fraudulent portal automatically downloaded a JavaScript file named “ESCRITO JUDICIAL AGRADECEMOS CONFIRMAR RECIBIDO NOTIFICACION DE ADMISION DEMANDA LABORAL ORDINARIA E S D.js” within seconds.
The attack chain initiates a file-less execution sequence comprising three JavaScript snippets followed by a PowerShell command.
The first two scripts deobfuscate embedded payloads using a simple algorithm that reconstructs executable code to launch the next stage.
The third JavaScript stage introduces Unicode-based comment obfuscation and employs Windows Management Instrumentation (WMI) to execute a PowerShell command through the Win32_Process.Create() method with hidden window properties.
After isolating and decoding the payload, the script dynamically loads it as a .NET assembly using reflection, culminating in the invocation of the VAI method within the ClassLibrary1 home class.
Caminho Downloader and DCRAT Payload
ThreatLabz identified the loaded assembly as Caminho (also known as VMDetectLoader), a malware downloader first traced to May 2025.

The PowerShell command downloads an image file from the Internet Archive, carving out a Base64-encoded payload embedded between “BaseStart-” and “-BaseEnd” markers.
The configuration is encrypted using AES-256 with a symmetric key, and includes a certificate serving dual purposes: ensuring configuration integrity and enabling C2 server authentication.
BlindEagle was among the early adopters, potentially using it in campaigns documented since June 2025. The malware’s codebase contains Portuguese-language argument names like “caminho” (meaning “path”), suggesting origins within the Brazilian cybercriminal ecosystem.
Caminho’s primary method downloads a text file named AGT27.txt from a Discord CDN URL; the file’s content is obfuscated through Base64 encoding and reversal.
The file never touches disk; instead, it loads directly into memory. Caminho then deobfuscates the Base64-encoded and reversed content and executes it via process hollowing, in which a legitimate MSBuild.exe instance is hollowed out to host the malicious code.
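As an added triage example (not code from the Zscaler report or from the malware itself), the following Python reproduces the two decoding steps an analyst needs when examining captured artifacts from this chain: carving the Base64 payload between the “BaseStart-”/“-BaseEnd” markers in the downloaded image, and undoing the Base64-plus-reversal obfuscation of the Discord-hosted text file. The exact marker placement and the order "encode, then reverse" are assumptions taken from the description above, and every sample byte string is constructed.

```python
from typing import Optional
import base64
import binascii
import re

# Markers reported for the Caminho carrier image.
START_MARKER = b"BaseStart-"
END_MARKER = b"-BaseEnd"
MZ_MAGIC = b"MZ"  # DOS header magic shared by PE files and .NET assemblies


def carve_marker_payload(blob: bytes) -> Optional[bytes]:
    """Decode the Base64 text between the markers, or return None.

    Everything outside the markers (the real image data) is ignored, which
    is why the carrier still renders as a normal picture.
    """
    pattern = re.escape(START_MARKER) + rb"(.*?)" + re.escape(END_MARKER)
    match = re.search(pattern, blob, re.DOTALL)
    if match is None:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True)
    except binascii.Error:
        return None


def decode_reversed_base64(text: bytes) -> Optional[bytes]:
    """Undo the 'Base64 then reversed' obfuscation reported for AGT27.txt.

    Assumption: content was Base64-encoded first and then reversed, so
    reversing before decoding restores the original bytes.
    """
    try:
        return base64.b64decode(text.strip()[::-1], validate=True)
    except binascii.Error:
        return None


def looks_like_pe(data: Optional[bytes]) -> bool:
    """True when the recovered bytes start with the DOS 'MZ' magic."""
    return data is not None and data[:2] == MZ_MAGIC


# Constructed samples for offline testing; NOT real malware.
FAKE_PE = b"MZ" + b"\x90" * 30 + b"constructed-sample"
SAMPLE_IMAGE = (b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + START_MARKER
                + base64.b64encode(FAKE_PE) + END_MARKER + b"\xff" * 8)
SAMPLE_TXT = base64.b64encode(FAKE_PE)[::-1]
```

Running `looks_like_pe` over whatever the two helpers return gives a quick yes/no on whether a suspicious image or text file is carrying an executable, without ever executing it.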
The injected payload is DCRAT, an open-source C# remote access trojan offering keylogging, disk access, and other capabilities.
DCRAT distinguishes itself from AsyncRAT variants by patching Microsoft’s Antimalware Scan Interface (AMSI) to evade detection.
ThreatLabz identified 24 hosts worldwide exposing certificates issued by the same source as the DCRAT sample, though only a subset likely belongs to the threat actor’s infrastructure.
The campaign is attributed to BlindEagle with medium confidence based on multiple factors. The DCRAT C2 domain consistently resolves to Swedish IP addresses under ASN 42708 (GleSYS AB), a hosting provider known to be utilized by BlindEagle.
The campaign also employs Dynamic DNS services from ydns[.]eu, previously documented as a BlindEagle preference.
Victimology strongly supports attribution, as Colombia remains BlindEagle’s primary target with documented history of attacking Colombian government entities.
Indicators Of Compromise (IOCs)