The cyber-espionage group Blind Eagle (APT-C-36 / TAG-144) has been linked to five separate activity clusters targeting Colombia between May 2024 and July 2025. Most of these attacks were focused on the Colombian government, but several other industries such as defense, healthcare, education, and energy were also affected.

The attackers mainly used phishing emails to trick victims. These emails often appeared to come from government agencies or local banks. The embedded links were masked with shorteners like cort[.]as and acortaurl[.]com. If the link was opened outside Colombia or Ecuador, it redirected to a real government site to avoid suspicion.

Once victims clicked, Blind Eagle delivered Remote Access Trojans (RATs) such as AsyncRAT, Remcos, DcRAT, LimeRAT, and XWorm. These tools gave attackers full control of infected systems. The malware was usually dropped through VBS scripts that executed PowerShell commands, sometimes hiding payloads inside images with steganography.

A major strength of Blind Eagle’s campaigns is their heavy use of dynamic DNS services. Platforms like duckdns[.]org and noip[.]com allow the group to constantly rotate domains. Combined with VPNs, VPS servers, and Colombian ISP addresses, this made their operations resilient and difficult to track.

Legitimate services were also abused in these campaigns. Attackers used Discord, GitHub, Dropbox, Google Drive, Internet Archive, Paste.ee, and Bitbucket to host payloads and scripts. Since traffic to these platforms is common in workplaces, malicious activity often blended in without raising alarms.

One of the activity clusters was tied to bank-themed phishing pages. Fake websites imitating Bancolombia, BBVA, and Davivienda were set up to steal credentials from unsuspecting users. These phishing attempts were often combined with malware infections to maximize impact.

Each of the five identified clusters had different goals. Cluster 1 focused entirely on Colombian government networks using DcRAT and Remcos. Cluster 2 spread AsyncRAT and XWorm across the government, education, and retail sectors. Cluster 3 used only AsyncRAT and Remcos, hosted on Colombian ISP infrastructure. Cluster 4 combined phishing with banking lures. Cluster 5 relied on LimeRAT and cracked AsyncRAT variants.

Researchers also found evidence linking Blind Eagle’s infrastructure to Proton66, a bulletproof hosting provider. Servers from Proton66 were reportedly used for both malware distribution and phishing websites. This connection shows that the group is investing in stable, hard-to-take-down hosting services.

What makes Blind Eagle effective is not advanced custom malware, but rather the group's clever use of commodity RATs, free hosting services, and local themes. By tailoring its phishing to Colombian targets and rotating infrastructure quickly, it has managed to stay active for more than a year.

Experts warn that this campaign shows even basic tools can be dangerous when combined with smart delivery methods. Organizations in Colombia, especially government agencies, are being urged to improve email defenses, raise awareness of phishing, and closely monitor network activity involving cloud platforms and dynamic DNS.
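As an added illustration of the monitoring advice above (this is example code, not part of the original article or any vendor tooling), the script below triages a few constructed proxy log lines for the infrastructure pattern described earlier: dynamic DNS providers, URL shorteners, and the file-hosting platforms the article names. Hosting platforms alone only raise a low-severity alert, because the article notes that traffic to them is normal in workplaces; what raises severity is the sequence of a shortener click followed by a dynamic-DNS or hosting request from the same client within a short window. The log format, the 10-minute window, and the mapping of service names to domains are assumptions of this example.

```python
"""Proxy-log triage for the Blind Eagle infrastructure pattern.

Added example, not from the original article. The watchlist holds the
providers the article names; the mapping of service names (Discord, GitHub,
Google Drive, ...) to concrete domains is an assumption of this example.
"""
from collections import namedtuple
from datetime import datetime, timedelta
from typing import Optional
from urllib.parse import urlsplit

WATCHLIST = {
    "dynamic_dns": ("duckdns.org", "noip.com"),
    "shortener": ("cort.as", "acortaurl.com"),
    "hosting": ("discord.com", "discordapp.com", "github.com",
                "githubusercontent.com", "dropbox.com", "drive.google.com",
                "archive.org", "paste.ee", "bitbucket.org"),
}

# Assumed window: a shortener hit followed by a dynamic-DNS or hosting
# request from the same client inside this window is treated as one chain.
SEQUENCE_WINDOW = timedelta(minutes=10)

Event = namedtuple("Event", "ts client host url")

# Constructed sample log (timestamp client method url status). The hosts,
# paths and addresses are made up for this example and are not indicators.
SAMPLE_LOG = """\
2025-07-01T09:14:02 10.0.5.23 GET https://mail.example.gov.co/inbox 200
2025-07-01T09:15:10 10.0.5.23 GET https://cort.as/abc123 302
2025-07-01T09:15:11 10.0.5.23 GET https://docs.example.gov.co/ 200
2025-07-01T09:17:45 10.0.5.23 GET https://example-host.duckdns.org/update.vbs 200
2025-07-01T09:18:03 10.0.5.23 GET https://paste.ee/r/example 200
2025-07-01T11:02:30 10.0.7.8 GET https://github.com/example-org/example-repo 200
2025-07-01T11:40:00 10.0.9.4 GET https://acortaurl.com/example 302
"""


def classify_host(host: str) -> Optional[str]:
    """Return the watchlist category for a host, matching by registrable
    suffix so that rotated sub-domains (xyz.duckdns.org) still match."""
    host = host.lower().rstrip(".")
    for category, suffixes in WATCHLIST.items():
        for suffix in suffixes:
            if host == suffix or host.endswith("." + suffix):
                return category
    return None


def parse_line(line: str) -> Event:
    ts, client, _method, url, _status = line.split()
    return Event(datetime.fromisoformat(ts), client,
                 urlsplit(url).hostname or "", url)


def triage(lines):
    """Produce alerts for watchlisted hosts; escalate to 'high' when the
    shortener -> dynamic-DNS/hosting sequence occurs within the window."""
    events = sorted((parse_line(l) for l in lines if l.strip()),
                    key=lambda e: e.ts)
    last_shortener = {}  # client -> timestamp of its latest shortener hit
    alerts = []
    for e in events:
        category = classify_host(e.host)
        if category is None:
            continue
        severity = "low"  # hosting platforms are common, so low on their own
        if category == "shortener":
            last_shortener[e.client] = e.ts
            severity = "medium"
        elif category == "dynamic_dns":
            severity = "medium"
        prev = last_shortener.get(e.client)
        if (category in ("dynamic_dns", "hosting") and prev is not None
                and e.ts - prev <= SEQUENCE_WINDOW):
            severity = "high"  # shortener click followed by payload fetch
        alerts.append({"ts": e.ts.isoformat(), "client": e.client,
                       "host": e.host, "category": category,
                       "severity": severity, "url": e.url})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG.splitlines()):
        print(f"{alert['severity']:<6} {alert['client']:<10} "
              f"{alert['category']:<12} {alert['url']}")
```

Run against real proxy or DNS logs, the same logic would be fed from the log pipeline instead of `SAMPLE_LOG`; the point of the sequence rule is that neither a shortener click nor a GitHub download is suspicious on its own, while the chain of the two from one client in a few minutes is the pattern described in this campaign.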

Stay alert, and keep your security measures updated!
