BlindEagle Phishing Campaign Targets Colombian Government Agencies
BlindEagle, a South American threat group, orchestrated a sophisticated phishing campaign targeting Colombian government agencies, specifically those under the Ministry of Commerce, Industry and Tourism (MCIT). The attackers leveraged compromised internal email accounts to send convincing phishing emails that impersonated the Colombian judicial system, using legal terminology and official formatting to increase credibility and urgency. The emails contained SVG attachments with encoded HTML, leading recipients to a fraudulent web portal designed to mimic the legitimate judicial branch.
The attack chain was highly complex and file-less, involving multiple stages of JavaScript execution and PowerShell commands, with each stage using advanced obfuscation techniques such as Base64 and custom algorithms to evade detection. Zscaler analysts identified that the campaign represented a significant escalation in BlindEagle's tactics, moving beyond basic malware to a multi-stage, stealthy infection process that exploited trust relationships within the targeted organizations. The campaign highlights the evolving threat posed by BlindEagle to government entities in Colombia.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Caminho downloader and DCRAT deployed with fileless execution and persistence
The attack chain executed the Caminho downloader and DCRAT RAT in memory, while using AMSI patching and other evasion methods to avoid detection. The operators also established persistence through scheduled tasks and registry modifications to maintain access on infected systems.
BlindEagle launches 'Caminho' phishing campaign from hijacked government account
Using the compromised MCIT-related account, BlindEagle sent phishing emails impersonating official judicial notifications to Colombian government targets. The campaign used SVG attachments, multi-stage JavaScript and PowerShell, steganography, and payload delivery through services such as the Internet Archive and Discord.
BlindEagle compromises Colombian government email accounts
BlindEagle gained access to government email accounts in Colombia, including an internal account at a Ministry of Commerce, Industry and Tourism agency. The compromise enabled the attackers to abuse trusted government infrastructure in later phishing activity.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Targeted Phishing Campaigns by Scripted Sparrow and BlindEagle
Two distinct threat actor groups, Scripted Sparrow and BlindEagle, have been identified conducting highly targeted phishing campaigns against organizations across different regions. Scripted Sparrow, tracked by Fortra analysts, has executed persistent business email compromise (BEC) operations since June 2024, primarily targeting finance teams in North America and Europe. Their campaigns are notable for their structured approach, use of convincing fake invoices, forged executive approvals, and carefully chosen payment amounts just below approval thresholds. The group operates with defined roles and has been observed sending between 10,000 and 50,000 emails daily in small, targeted batches, with over 500 unique campaign variants catalogued. Meanwhile, BlindEagle has focused its efforts on Colombian government institutions, leveraging compromised internal email accounts to bypass standard email security controls such as SPF, DKIM, and DMARC. Their phishing emails, crafted to mimic official judicial notifications, contain malicious SVG attachments that redirect victims to fraudulent government portals. The infection chain is complex, utilizing multiple layers of obfuscation, legitimate web services, and fileless malware techniques to evade detection. Both campaigns demonstrate a high level of sophistication in social engineering and technical execution, posing significant risks to targeted organizations.
Mar 21, 2026
Phishing Campaign Using SVG Smuggling to Deliver AsyncRAT via Fake Colombian Judicial Notifications
A sophisticated phishing campaign has been identified targeting users in Colombia by impersonating official judicial notifications from the 17th Municipal Civil Court of the Bogotá Circuit. The attackers crafted emails in Spanish, leveraging local institutional details to increase the credibility of the lure. The phishing emails claim to contain a lawsuit notification and prompt recipients to open an attached SVG file. This SVG file is weaponized to initiate a multi-stage infection chain. Upon opening, the SVG file triggers the execution of a malicious HTA (HTML Application) file, which is a common technique for bypassing traditional email security filters. The HTA file then executes a VBS (Visual Basic Script) file, which in turn runs a PowerShell script. This PowerShell script acts as a downloader and loader, ultimately injecting the AsyncRAT remote access trojan into a legitimate Windows process to evade detection. AsyncRAT is a well-known remote access tool that allows attackers to gain persistent control over infected systems, exfiltrate data, and potentially deploy additional payloads. The campaign employs anti-virtual machine techniques to avoid analysis and uses persistence mechanisms to maintain access on compromised hosts. Security researchers have observed that the use of SVG files for initial infection is increasing, as these files can bypass some security controls due to their perceived harmlessness. The campaign demonstrates a high level of technical sophistication, chaining multiple scripting languages and file types to obfuscate the attack and evade endpoint detection. The malicious files have been identified and their MD5 hashes documented for threat intelligence sharing. Detection signatures have been updated by security vendors such as Quick Heal and Seqrite to identify and block the components of this attack. The campaign is notable for its targeted approach, focusing on Colombian users and leveraging local judicial terminology to increase the likelihood of success. The use of AsyncRAT as the final payload provides attackers with extensive capabilities for surveillance, data theft, and further lateral movement within affected organizations. Security teams are advised to educate users about the risks of opening unexpected attachments, especially those purporting to be from legal or government institutions. Organizations should also ensure that email security solutions are updated to detect SVG-based threats and that endpoint protection is capable of identifying the multi-stage infection chain. The incident highlights the evolving tactics of threat actors in using file formats and social engineering tailored to specific regions and institutions.
Mar 21, 2026
Casbaneiro and Horabot Phishing Campaign Hits Latin America and Europe
A Brazilian cybercrime group tracked as **Augmented Marauder** and **Water Saci** is targeting Spanish-speaking users at organizations across Latin America and Europe with a multi-stage phishing campaign that delivers the **Casbaneiro** banking trojan and uses **Horabot** for delivery and propagation. The operation begins with court summons-themed phishing emails carrying password-protected PDF lures that direct victims to malicious links and ZIP archives, leading to execution of `HTA` and `VBS` payloads, followed by AutoIt loaders and encrypted malware components. Researchers said the malware chain includes anti-analysis checks, retrieval of additional payloads from remote servers, and dynamically generated judicial-themed PDF attachments created through a remote PHP API using random PINs. Horabot helps expand the campaign by harvesting Outlook contacts, abusing compromised email accounts, and sending new phishing messages, while the broader operation also incorporates **ClickFix** social engineering and **WhatsApp-based** distribution to evade defenses and widen infections.
Apr 2, 2026