Targeted Phishing Campaigns by Scripted Sparrow and BlindEagle
Two distinct threat actor groups, Scripted Sparrow and BlindEagle, have been identified conducting highly targeted phishing campaigns against organizations across different regions. Scripted Sparrow, tracked by Fortra analysts, has executed persistent business email compromise (BEC) operations since June 2024, primarily targeting finance teams in North America and Europe. Their campaigns are notable for their structured approach, use of convincing fake invoices, forged executive approvals, and carefully chosen payment amounts just below approval thresholds. The group operates with defined roles and has been observed sending between 10,000 and 50,000 emails daily in small, targeted batches, with over 500 unique campaign variants catalogued.
Meanwhile, BlindEagle has focused its efforts on Colombian government institutions, leveraging compromised internal email accounts to bypass standard email security controls such as SPF, DKIM, and DMARC. Their phishing emails, crafted to mimic official judicial notifications, contain malicious SVG attachments that redirect victims to fraudulent government portals. The infection chain is complex, utilizing multiple layers of obfuscation, legitimate web services, and fileless malware techniques to evade detection. Both campaigns demonstrate a high level of sophistication in social engineering and technical execution, posing significant risks to targeted organizations.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
New analysis reveals Scripted Sparrow's large-scale automation
Further reporting showed Scripted Sparrow uses automation to generate and send millions of phishing emails each month across three continents. The group was also observed adapting tactics to evade filters by dropping attachments and prompting victims to reply, while using measures such as geolocation spoofing and Telegram for internal coordination.
Researchers track Scripted Sparrow as a global phishing ring
Analysis published in December 2025 described Scripted Sparrow as a structured global BEC operation with disciplined workflows, rotating domains and mule accounts, and likely operators spanning several countries. The report highlighted detection opportunities in email headers, domain registration patterns, and reused templates, along with recommended payment verification controls.
Zscaler documents BlindEagle's multi-stage DCRAT infection chain
Researchers detailed how a malicious SVG attachment redirected victims to a fake government portal that delivered obfuscated JavaScript, steganography-based payload retrieval, a Caminho downloader from the Internet Archive, and a final DCRAT payload from Discord CDN. The malware was injected into MSBuild.exe, giving attackers capabilities including keylogging and data exfiltration.
BlindEagle launches phishing campaign against Colombian government agency
BlindEagle targeted an agency under Colombia's Ministry of Commerce, Industry, and Tourism by compromising an internal email account and sending phishing messages from within the organization. The emails mimicked judicial notifications and abused internal trust to bypass SPF, DKIM, and DMARC protections.
Scripted Sparrow begins BEC campaigns targeting finance teams
Scripted Sparrow has been active since June 2024, running business email compromise campaigns against finance and accounts payable personnel in North America and Europe. The group impersonates professional services and consultancy firms, using spoofed threads and fraudulent invoices to induce wire transfers to criminal-controlled accounts.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Scripted Sparrow Uses Automation to Generate and Send their Attack Messages
cybersecuritynews.com
Open sourceClipping Scripted Sparrow’s wings: Tracking a global phishing ring
helpnetsecurity.com
Open sourceBlindEagle Hackers Attacking Organization to Abuse Trust and Bypass Email Security Controls
cybersecuritynews.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
BlindEagle Phishing Campaign Targets Colombian Government Agencies
BlindEagle, a South American threat group, orchestrated a sophisticated phishing campaign targeting Colombian government agencies, specifically those under the Ministry of Commerce, Industry and Tourism (MCIT). The attackers leveraged compromised internal email accounts to send convincing phishing emails that impersonated the Colombian judicial system, using legal terminology and official formatting to increase credibility and urgency. The emails contained SVG attachments with encoded HTML, leading recipients to a fraudulent web portal designed to mimic the legitimate judicial branch. The attack chain was highly complex and file-less, involving multiple stages of JavaScript execution and PowerShell commands, with each stage using advanced obfuscation techniques such as Base64 and custom algorithms to evade detection. Zscaler analysts identified that the campaign represented a significant escalation in BlindEagle's tactics, moving beyond basic malware to a multi-stage, stealthy infection process that exploited trust relationships within the targeted organizations. The campaign highlights the evolving threat posed by BlindEagle to government entities in Colombia.
Mar 21, 2026
Diverse Cybercriminal Campaigns and Tactics Targeting Organizations
Multiple cybercriminal operations have been reported, each employing distinct tactics to compromise organizations and individuals. These include a large-scale business email compromise (BEC) campaign dubbed 'Scripted Sparrow,' which orchestrated a global siege involving three million emails, and a sophisticated loader attack using fake purchase orders to target manufacturing giants in Italy, Finland, and Saudi Arabia. Another campaign, referred to as 'The Payroll Trap,' leverages fake CAPTCHA pages in a quishing (QR code phishing) scheme to hijack employee paychecks. Additionally, a phishing campaign impersonating ADP was observed, where threat actors used convincing emails and counterfeit login pages to steal employee credentials and personal data. Further, the cybercriminal ecosystem is seeing notable developments, such as the unmasking of 'Fly,' the secret architect behind the infamous Russian Market, and the formation of an alliance between Qilin, DragonForce, and a declining LockBit ransomware group. These stories highlight the evolving landscape of cybercrime, with actors employing both technical deception and strategic partnerships to maximize their impact against a range of targets worldwide.
Mar 21, 2026
Phishing and BEC Campaigns Abusing Trusted Platforms and Infrastructure
A wave of **phishing activity** is leveraging trusted brands and legitimate platform features to increase click-through and evade security controls. LinkedIn users are being targeted via fake “reply” comments posted on public threads that impersonate LinkedIn policy enforcement, claim an account violation, and push victims to external credential-harvesting pages. The lures mimic official branding and sometimes use LinkedIn’s own `lnkd.in` shortener to obscure destinations; reported redirect chains include Netlify-hosted pages (e.g., `very1929412.netlify[.]app`) leading to additional domains (e.g., `very128918[.]site`) designed to capture credentials. LinkedIn stated it is aware of the campaign and emphasized it does not communicate policy violations via public comments. Separately, RavenMail reported a large-scale email phishing campaign impacting **3,000+ organizations** (notably manufacturing) that abused **Google infrastructure** to bypass defenses: messages were sent via legitimate Google services, passed **SPF/DKIM/DMARC**, and used trusted Google-hosted URLs and Google Cloud Storage to host payloads and redirectors—without requiring a compromise of Google itself. In parallel trend reporting, LevelBlue SpiderLabs observed **BEC** volume rising **15% in 2025** based on MailMarshal telemetry (averaging 3,000 intercepted BEC messages per month), with evolving social engineering such as “**contact details swapping**,” where attackers impersonate finance teams to “update” official contact information to divert payments or data; this underscores continued attacker focus on impersonation and trust exploitation across both social platforms and email ecosystems.
Mar 21, 2026