A recently identified campaign by the Blind Eagle threat group, also known as APT-C-36, demonstrates how attackers are leveraging readily available tools and services to orchestrate targeted attacks against financial institutions across Latin America. Blind Eagle has emerged as a persistent threat to Colombian financial institutions, employing a multi-stage attack methodology that begins with Visual Basic Script (VBS) files as the primary infection vector. Their approach combines traditional phishing techniques with sophisticated evasion mechanisms, creating a formidable challenge for the security teams defending against these attacks. The group's operations have been closely linked to the Russian bulletproof hosting service Proton66, using infrastructure within ASN 198953 to host malicious content and coordinate their campaigns.

Trustwave researchers identified the threat group's infrastructure after pivoting from Proton66-linked assets, revealing an extensive network of domains and IP addresses used to host phishing pages impersonating legitimate Colombian banks, including Bancolombia, BBVA, Banco Caja Social, and Davivienda. The directories on these hosts contain complete phishing pages, first-stage malware, and administrative panels, suggesting that the group prioritizes rapid deployment and accessibility over long-term concealment.

The infection process begins with obfuscated VBS files containing between 6,000 and 20,000 lines of code, consisting primarily of comments designed to hinder static analysis. These initial payloads use the Vbs-Crypter service from "Crypters and Tools," a subscription-based platform that generates heavily obfuscated loaders to bypass traditional signature-based detection systems. This campaign represents a concerning trend in which cybercriminals combine open-source Remote Access Trojans (RATs) with commercial crypter services to evade detection while maintaining operational efficiency. These commodity RATs are downloaded from various sources including paste.ee, textbin.net, and store3.gofile.io, demonstrating the group's reliance on publicly available infrastructure for payload distribution.
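The comment-padding described above is itself a usable detection signal: a script whose size comes almost entirely from comment lines looks nothing like an administrator's logon script. The following triage heuristic is an added example written for this page, not code from Trustwave or from the article; it counts comment-only versus code lines in a VBScript source and flags files whose line count falls in the range the article quotes while their comment ratio is extreme. The thresholds, the `.invalid` URL and the constructed sample are assumptions, and the sample only mimics the padding pattern, not the loader itself.

```python
"""Heuristic triage for comment-padded VBScript loaders (added example)."""
import re
from typing import Dict, List

# VBScript comment lines start with an apostrophe or the Rem keyword
# (case-insensitive). Only leading-position comments are counted, so an
# apostrophe inside a string literal on a code line does not mislead us.
COMMENT_RE = re.compile(r"^\s*(?:'|rem\b)", re.IGNORECASE)


def vbs_line_stats(text: str) -> Dict[str, int]:
    """Count total, blank, comment-only and code lines in a VBScript source."""
    total = blank = comment = 0
    for line in text.splitlines():
        total += 1
        if not line.strip():
            blank += 1
        elif COMMENT_RE.match(line):
            comment += 1
    code = total - blank - comment
    return {"total": total, "blank": blank, "comment": comment, "code": code}


def comment_ratio(stats: Dict[str, int]) -> float:
    """Fraction of non-blank lines that are comment-only (0.0 for empty input)."""
    non_blank = stats["total"] - stats["blank"]
    return stats["comment"] / non_blank if non_blank else 0.0


def is_comment_padded_loader(text: str, min_lines: int = 6000,
                             min_ratio: float = 0.9) -> bool:
    """Flag scripts whose bulk is comment padding.

    The defaults are assumptions derived from the 6,000-20,000 line range the
    article reports; tune them against a baseline of your own benign scripts
    before using this as an alert rule rather than a triage hint.
    """
    stats = vbs_line_stats(text)
    return stats["total"] >= min_lines and comment_ratio(stats) >= min_ratio


def build_constructed_sample(comment_lines: int) -> str:
    """Constructed sample: three harmless code lines buried in junk comments.

    This only reproduces the padding shape for testing the heuristic; it is
    not a loader and contains no real payload or infrastructure.
    """
    code: List[str] = [
        'Set oShell = CreateObject("WScript.Shell")',
        'MsgBox "placeholder from http://example.invalid/"',  # .invalid is reserved
        "WScript.Quit",
    ]
    padding = [f"' {i:08x} filler text to inflate the file" for i in range(comment_lines)]
    half = comment_lines // 2
    lines = padding[:half] + code + padding[half:]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    sample = build_constructed_sample(7000)
    stats = vbs_line_stats(sample)
    print(stats, round(comment_ratio(stats), 4), is_comment_padded_loader(sample))
    benign = "' Map the shared drive at logon\nMsgBox \"Welcome\"\n"
    print(vbs_line_stats(benign), is_comment_padded_loader(benign))
```

Run it over a mail-gateway quarantine or an EDR script-block export; the ratio alone is weak, so the line-count floor is what keeps ordinary heavily commented scripts out of the result set.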
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 01 Jul 2025 11:25:13 +0000