Mallory

Targeted Phishing Campaigns by Scripted Sparrow and BlindEagle

Tags: phishing emails, phishing, targeting, social engineering, email, DMARC, DKIM, threats, malware, SVG, SPF, BEC, attachments
Updated December 19, 2025 at 04:05 PM · 3 sources


Two distinct threat actor groups, Scripted Sparrow and BlindEagle, have been identified conducting highly targeted phishing campaigns against organizations across different regions. Scripted Sparrow, tracked by Fortra analysts, has executed persistent business email compromise (BEC) operations since June 2024, primarily targeting finance teams in North America and Europe. Their campaigns are notable for their structured approach, use of convincing fake invoices, forged executive approvals, and carefully chosen payment amounts just below approval thresholds. The group operates with defined roles and has been observed sending between 10,000 and 50,000 emails daily in small, targeted batches, with over 500 unique campaign variants catalogued.

Meanwhile, BlindEagle has focused its efforts on Colombian government institutions, leveraging compromised internal email accounts to bypass standard email security controls such as SPF, DKIM, and DMARC. Their phishing emails, crafted to mimic official judicial notifications, contain malicious SVG attachments that redirect victims to fraudulent government portals. The infection chain is complex, utilizing multiple layers of obfuscation, legitimate web services, and fileless malware techniques to evade detection. Both campaigns demonstrate a high level of sophistication in social engineering and technical execution, posing significant risks to targeted organizations.

Related Stories

BlindEagle Phishing Campaign Targets Colombian Government Agencies

BlindEagle, a South American threat group, orchestrated a sophisticated phishing campaign targeting Colombian government agencies, specifically those under the Ministry of Commerce, Industry and Tourism (MCIT). The attackers leveraged compromised internal email accounts to send convincing phishing emails that impersonated the Colombian judicial system, using legal terminology and official formatting to increase credibility and urgency. The emails contained SVG attachments with encoded HTML, leading recipients to a fraudulent web portal designed to mimic the legitimate judicial branch. The attack chain was highly complex and fileless, involving multiple stages of JavaScript execution and PowerShell commands, with each stage using obfuscation techniques such as Base64 and custom algorithms to evade detection. Zscaler analysts identified that the campaign represented a significant escalation in BlindEagle's tactics, moving beyond basic malware to a multi-stage, stealthy infection process that exploited trust relationships within the targeted organizations. The campaign highlights the evolving threat posed by BlindEagle to government entities in Colombia.

2 months ago
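Because the compromised internal accounts pass SPF, DKIM and DMARC, the attachment itself is where a defender can still catch this chain. As an added example (not code from the page, nor from Zscaler or Fortra), here is a Python triage check for SVG email attachments of the kind described above: it flags script and foreignObject elements, event-handler attributes, active-content URIs, and base64 runs that decode to HTML. Both SVG samples are constructed for the example and carry no real payload.

```python
import base64
import re
import xml.etree.ElementTree as ET

SVG_NS = "{http://www.w3.org/2000/svg}"
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
HTML_MARKERS = (b"<html", b"<script", b"<body", b"<iframe", b"<meta http-equiv")


def _decodes_to_html(text):
    """True if any long base64 run in text decodes to HTML-like content."""
    for m in B64_RE.finditer(text):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # not valid base64, skip this run
            continue
        if any(marker in blob.lower() for marker in HTML_MARKERS):
            return True
    return False


def triage_svg(svg_bytes):
    """Return findings for one SVG attachment; an empty list means plain vector art."""
    findings = []
    root = ET.fromstring(svg_bytes)
    for el in root.iter():
        tag = el.tag.replace(SVG_NS, "")          # strip the default SVG namespace
        if tag in ("script", "foreignObject"):   # active content / embedded HTML
            findings.append(f"<{tag}> element")
        for attr, val in el.attrib.items():
            if attr.lower().startswith("on"):     # onload= and similar handlers
                findings.append(f"event handler {attr} on <{tag}>")
            if val.strip().lower().startswith(("javascript:", "data:text/html")):
                findings.append(f"{attr} on <{tag}> points at active content")
        if el.text and _decodes_to_html(el.text):
            findings.append(f"base64 payload inside <{tag}> decodes to HTML")
    return findings


# Constructed samples (not real campaign artifacts): a benign icon, and an SVG
# that wraps base64-encoded HTML inside a <script> block.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
_HTML = b"<html><body>constructed sample, no real payload</body></html>"
SUSPICIOUS_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">'
    b'<rect width="1" height="1" fill="white"/>'
    b'<script>var p="' + base64.b64encode(_HTML) + b'";</script></svg>'
)
```

Run it against each SVG attachment at the mail gateway and quarantine anything with a non-empty findings list; a legitimate icon or logo never needs script, event handlers or encoded HTML.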

Diverse Cybercriminal Campaigns and Tactics Targeting Organizations

Multiple cybercriminal operations have been reported, each employing distinct tactics to compromise organizations and individuals. These include a large-scale business email compromise (BEC) campaign dubbed 'Scripted Sparrow,' which orchestrated a global siege involving three million emails, and a sophisticated loader attack using fake purchase orders to target manufacturing giants in Italy, Finland, and Saudi Arabia. Another campaign, referred to as 'The Payroll Trap,' leverages fake CAPTCHA pages in a quishing (QR code phishing) scheme to hijack employee paychecks. Additionally, a phishing campaign impersonating ADP was observed, where threat actors used convincing emails and counterfeit login pages to steal employee credentials and personal data. Further, the cybercriminal ecosystem is seeing notable developments, such as the unmasking of 'Fly,' the secret architect behind the infamous Russian Market, and the formation of an alliance between Qilin, DragonForce, and a declining LockBit ransomware group. These stories highlight the evolving landscape of cybercrime, with actors employing both technical deception and strategic partnerships to maximize their impact against a range of targets worldwide.

2 months ago

Phishing and BEC Campaigns Abusing Trusted Platforms and Infrastructure

A wave of **phishing activity** is leveraging trusted brands and legitimate platform features to increase click-through and evade security controls. LinkedIn users are being targeted via fake “reply” comments posted on public threads that impersonate LinkedIn policy enforcement, claim an account violation, and push victims to external credential-harvesting pages. The lures mimic official branding and sometimes use LinkedIn’s own `lnkd.in` shortener to obscure destinations; reported redirect chains include Netlify-hosted pages (e.g., `very1929412.netlify[.]app`) leading to additional domains (e.g., `very128918[.]site`) designed to capture credentials. LinkedIn stated it is aware of the campaign and emphasized it does not communicate policy violations via public comments. Separately, RavenMail reported a large-scale email phishing campaign impacting **3,000+ organizations** (notably manufacturing) that abused **Google infrastructure** to bypass defenses: messages were sent via legitimate Google services, passed **SPF/DKIM/DMARC**, and used trusted Google-hosted URLs and Google Cloud Storage to host payloads and redirectors—without requiring a compromise of Google itself. In parallel trend reporting, LevelBlue SpiderLabs observed **BEC** volume rising **15% in 2025** based on MailMarshal telemetry (averaging 3,000 intercepted BEC messages per month), with evolving social engineering such as “**contact details swapping**,” where attackers impersonate finance teams to “update” official contact information to divert payments or data; this underscores continued attacker focus on impersonation and trust exploitation across both social platforms and email ecosystems.

2 months ago
