BlindEagle Phishing Campaign Targets Colombian Government Agencies
BlindEagle, a South American threat group, orchestrated a sophisticated phishing campaign targeting Colombian government agencies, specifically those under the Ministry of Commerce, Industry and Tourism (MCIT). The attackers leveraged compromised internal email accounts to send convincing phishing emails that impersonated the Colombian judicial system, using legal terminology and official formatting to increase credibility and urgency. The emails contained SVG attachments with encoded HTML, leading recipients to a fraudulent web portal designed to mimic the legitimate judicial branch.
The attack chain was highly complex and file-less, involving multiple stages of JavaScript execution and PowerShell commands, with each stage using advanced obfuscation techniques such as Base64 and custom algorithms to evade detection. Zscaler analysts identified that the campaign represented a significant escalation in BlindEagle's tactics, moving beyond basic malware to a multi-stage, stealthy infection process that exploited trust relationships within the targeted organizations. The campaign highlights the evolving threat posed by BlindEagle to government entities in Colombia.
Related Entities
Threat Actors
Sources
Related Stories
Targeted Phishing Campaigns by Scripted Sparrow and BlindEagle
Two distinct threat actor groups, Scripted Sparrow and BlindEagle, have been identified conducting highly targeted phishing campaigns against organizations across different regions. Scripted Sparrow, tracked by Fortra analysts, has executed persistent business email compromise (BEC) operations since June 2024, primarily targeting finance teams in North America and Europe. Their campaigns are notable for their structured approach, use of convincing fake invoices, forged executive approvals, and carefully chosen payment amounts just below approval thresholds. The group operates with defined roles and has been observed sending between 10,000 and 50,000 emails daily in small, targeted batches, with over 500 unique campaign variants catalogued. Meanwhile, BlindEagle has focused its efforts on Colombian government institutions, leveraging compromised internal email accounts to bypass standard email security controls such as SPF, DKIM, and DMARC. Their phishing emails, crafted to mimic official judicial notifications, contain malicious SVG attachments that redirect victims to fraudulent government portals. The infection chain is complex, utilizing multiple layers of obfuscation, legitimate web services, and fileless malware techniques to evade detection. Both campaigns demonstrate a high level of sophistication in social engineering and technical execution, posing significant risks to targeted organizations.
2 months agoPhishing Campaign Using SVG Smuggling to Deliver AsyncRAT via Fake Colombian Judicial Notifications
A sophisticated phishing campaign has been identified targeting users in Colombia by impersonating official judicial notifications from the 17th Municipal Civil Court of the Bogotá Circuit. The attackers crafted emails in Spanish, leveraging local institutional details to increase the credibility of the lure. The phishing emails claim to contain a lawsuit notification and prompt recipients to open an attached SVG file. This SVG file is weaponized to initiate a multi-stage infection chain. Upon opening, the SVG file triggers the execution of a malicious HTA (HTML Application) file, which is a common technique for bypassing traditional email security filters. The HTA file then executes a VBS (Visual Basic Script) file, which in turn runs a PowerShell script. This PowerShell script acts as a downloader and loader, ultimately injecting the AsyncRAT remote access trojan into a legitimate Windows process to evade detection. AsyncRAT is a well-known remote access tool that allows attackers to gain persistent control over infected systems, exfiltrate data, and potentially deploy additional payloads. The campaign employs anti-virtual machine techniques to avoid analysis and uses persistence mechanisms to maintain access on compromised hosts. Security researchers have observed that the use of SVG files for initial infection is increasing, as these files can bypass some security controls due to their perceived harmlessness. The campaign demonstrates a high level of technical sophistication, chaining multiple scripting languages and file types to obfuscate the attack and evade endpoint detection. The malicious files have been identified and their MD5 hashes documented for threat intelligence sharing. Detection signatures have been updated by security vendors such as Quick Heal and Seqrite to identify and block the components of this attack. The campaign is notable for its targeted approach, focusing on Colombian users and leveraging local judicial terminology to increase the likelihood of success. The use of AsyncRAT as the final payload provides attackers with extensive capabilities for surveillance, data theft, and further lateral movement within affected organizations. Security teams are advised to educate users about the risks of opening unexpected attachments, especially those purporting to be from legal or government institutions. Organizations should also ensure that email security solutions are updated to detect SVG-based threats and that endpoint protection is capable of identifying the multi-stage infection chain. The incident highlights the evolving tactics of threat actors in using file formats and social engineering tailored to specific regions and institutions.
5 months ago
Phishing and Social Engineering Campaigns Leveraging Trusted Channels and China-Linked Tradecraft
Multiple reports highlight **social engineering-driven compromise** rather than exploitation of software vulnerabilities, with attackers relying on trusted-looking communications and infrastructure to bypass defenses. One campaign described by X-Labs uses a “clean” initial business email (often passing `SPF`/`DKIM`/`DMARC`) that contains **no direct malicious link**, instead delivering a **PDF attachment** that leads victims through a multi-stage document chain. The chain leverages reputable cloud services—including **Vercel Blob**—to host intermediary PDFs that redirect to a **Dropbox-impersonation** credential-harvesting page, and then uses a **Telegram bot** as a collection point for stolen credentials, complicating detection and takedown. Separately, researchers reported a targeted operation attributed to **China-linked Mustang Panda** (aka *HoneyMyte*) against government officials and diplomats, using **fake diplomatic briefing documents** themed as U.S./international policy updates to induce execution and install surveillance tooling, including **PlugX** (noted as a DOPLUGS variant). In parallel, U.S. reporting described **HUMINT-style recruitment approaches** tied primarily to China, where adversaries pose as recruiters/consulting firms on email and job platforms to elicit or purchase sensitive information from current/former U.S. government personnel—an espionage pathway that is adjacent to, but distinct from, the phishing/malware activity described in the other reporting.
1 months ago