BlindEagle
BlindEagle, also tracked as APT-C-36, is a South American threat group that targets Latin American entities with a strong focus on Colombia. Reported victims include Colombian government agencies, judicial institutions, other government entities, private companies, and individuals. The group is described as conducting cyber-espionage and, in some reporting, mixing espionage with financial attacks and showing interest in stealing financial data.

BlindEagle is consistently associated with phishing- and spear-phishing-led intrusions. Reported lures include emails impersonating government entities and services, including Colombian judicial notifications, and campaigns sent from compromised internal government email accounts, which pass SPF, DKIM, and DMARC checks because the sending account is legitimate. Observed delivery mechanisms include Google Drive links to password-protected archives, malicious SVG attachments, and .url web shortcut files exploiting a variant of CVE-2024-43451 to trigger NTLM hash leakage and support malware delivery.

The group has frequently rotated among commodity and open-source RATs and related malware, including AsyncRAT, Lime-RAT, BitRAT, Quasar RAT, njRAT, Agent Tesla, Remcos RAT, and DCRAT. Reporting states that BlindEagle previously used a modified Quasar RAT as a banking trojan targeting customers of Colombian financial entities, later shifted to njRAT for espionage against Colombian government entities, and in late 2024 used CVE-2024-43451 in campaigns against Colombian entities to distribute Remcos RAT. One report notes that the Remcos variants included modules for cryptocurrency wallet theft.

Recent reporting describes a sophisticated campaign against an agency under Colombia's Ministry of Commerce, Industry and Tourism in which BlindEagle compromised an internal email account and sent phishing emails mimicking judicial notifications. The infection chain was a fileless, multi-stage sequence built from obfuscated JavaScript, PowerShell, and steganography, and it abused legitimate services including the Internet Archive and the Discord CDN for staging. In that campaign, a Caminho downloader retrieved DCRAT, which was executed in memory and injected into MSBuild.exe; reported capabilities included keylogging, data exfiltration, AMSI patching, and persistence via scheduled tasks and registry modifications.
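The chain described above (script host to PowerShell, staging on the Internet Archive and Discord CDN, DCRAT hosted in MSBuild.exe, scheduled-task and Run-key persistence) leaves a recognisable trail in endpoint telemetry even when the payload itself never touches disk. The following is an added example, not code from the original page or from any vendor, that scores constructed, Sysmon-style process, network and registry events for those behaviours. Field names, hostnames, file paths and the task name are assumptions for illustration and are not real indicators of compromise; in-memory injection and AMSI patching are not visible in these event types, so the routine keys on the surrounding behaviours instead.

```python
"""Score Sysmon-style endpoint events for the fileless RAT chain described
in the BlindEagle profile. Added example; all sample data is constructed."""
from collections import defaultdict

# Constructed sample events (assumed field names; not real IoCs).
SAMPLE_EVENTS = [
    {"host": "WS-01", "type": "process",
     "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "cmdline": "wscript.exe notificacion_judicial.js"},
    {"host": "WS-01", "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": "powershell.exe -w hidden -nop -ep bypass -enc AAAA"},
    {"host": "WS-01", "type": "network",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest": "archive.org", "port": 443},
    {"host": "WS-01", "type": "network",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest": "cdn.discordapp.com", "port": 443},
    {"host": "WS-01", "type": "process",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "MSBuild.exe"},
    {"host": "WS-01", "type": "process",
     "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": "schtasks /create /sc minute /mo 5 /tn Updater /tr C:\\Users\\Public\\u.vbs"},
    {"host": "WS-01", "type": "registry",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "target": r"HKU\S-1-5-21-1004\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    # Benign developer activity on a second host: MSBuild launched by Visual
    # Studio and a browser fetching from the Discord CDN should not fire.
    {"host": "DEV-07", "type": "process",
     "image": r"C:\Program Files\Microsoft Visual Studio\2022\MSBuild\Current\Bin\MSBuild.exe",
     "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Common7\IDE\devenv.exe",
     "cmdline": "MSBuild.exe project.csproj"},
    {"host": "DEV-07", "type": "network",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest": "cdn.discordapp.com", "port": 443},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_ENGINES = SCRIPT_HOSTS | {"powershell.exe", "pwsh.exe"}
SUSPECT_HOSTS = SCRIPT_ENGINES | {"msbuild.exe"}      # processes that should not stage or persist
STAGING_DOMAINS = {"archive.org", "cdn.discordapp.com"}  # legitimate services abused per reporting
EXPECTED_MSBUILD_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(events):
    """Return {host: sorted list of finding names} for hosts with any finding."""
    findings = defaultdict(set)
    for e in events:
        host, img = e["host"], basename(e["image"])
        parent = basename(e.get("parent", ""))
        cmd = e.get("cmdline", "").lower()
        if e["type"] == "process":
            if img == "powershell.exe" and parent in SCRIPT_HOSTS:
                findings[host].add("script_host_spawned_powershell")
            if img == "powershell.exe" and "-enc" in cmd and "hidden" in cmd:
                findings[host].add("hidden_encoded_powershell")
            if img == "msbuild.exe" and parent not in EXPECTED_MSBUILD_PARENTS:
                findings[host].add("msbuild_unusual_parent")
            if img == "schtasks.exe" and "/create" in cmd and parent in SUSPECT_HOSTS:
                findings[host].add("scheduled_task_from_script_or_msbuild")
        elif e["type"] == "network":
            if e["dest"].lower() in STAGING_DOMAINS and img in SUSPECT_HOSTS:
                findings[host].add("staging_service_from_script_engine")
        elif e["type"] == "registry":
            if "\\currentversion\\run\\" in e["target"].lower() and img in SUSPECT_HOSTS:
                findings[host].add("run_key_from_script_or_msbuild")
    return {h: sorted(f) for h, f in findings.items()}


def severity(finding_names) -> str:
    """Crude triage: one finding is noise, two is worth a look, three or more
    distinct stages of the chain on one host is an incident."""
    n = len(finding_names)
    return "high" if n >= 3 else "medium" if n == 2 else "low" if n == 1 else "none"


if __name__ == "__main__":
    for host, names in evaluate(SAMPLE_EVENTS).items():
        print(host, severity(names), names)
```

The point of correlating per host rather than alerting on each rule is that MSBuild.exe with an odd parent or a PowerShell fetch from archive.org each occur in benign environments, while several stages of this specific chain on one endpoint within a short window rarely do. A real deployment would add a time window and a parent-chain walk; this version keeps a single pass so the logic stays readable.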
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- government
- judicial
Recent activity
10 sources tracked across advisories, community write-ups, and news.
BlindEagle is conducting advanced phishing and multi-stage malware campaigns targeting Colombian government agencies, using file-less techniques, steganography, and legitimate services to evade detection.
BlindEagle is known for hijacking government email accounts in Colombia, likely for espionage or information theft.
BlindEagle is conducting cyber-espionage against Colombian government entities by abusing compromised internal email accounts to deliver multi-stage malware via phishing.
BlindEagle is targeting Colombian government agencies with phishing emails for espionage or data theft.