In September 2025, BlindEagle (APT‑C‑36) launched a sophisticated spear‑phishing operation against a Colombian government agency under the Ministry of Commerce, Industry and Tourism (MCIT)—a notable escalation that blended internal account compromise, legal‑themed social engineering, and a multi‑stage file‑less malware chain.
Analysts at Zscaler ThreatLabz detailed an attack sequence that starts with a weaponized SVG, unfolds through three obfuscated JavaScript stages, and culminates in PowerShell that loads Caminho (downloader) and DCRAT (RAT) fully in memory—evading disk‑based controls.
What you’ll learn: the attack anatomy, how it evades controls, real indicators to detect it, common mistakes, and a practical defense playbook aligned to MITRE ATT&CK, NIST CSF, and ISO 27001.
BlindEagle: Definitions & Contemporary TTPs
BlindEagle (APT‑C‑36) is a South American espionage group known for sustained focus on Colombian and broader Spanish‑speaking targets. The 2025 campaign shows maturation: from one‑off payloads to orchestrated chains with steganography and abuse of legitimate services (Internet Archive, Discord CDN).
Key takeaway: The BlindEagle campaign 2025 leverages trust relationships (compromised internal email) and file‑less execution to bypass traditional controls.
How the Attack Works: Step‑by‑Step Anatomy
1) Initial Access: Internal Phishing with Legal Lure (SVG)
- Source: Email sent from a compromised account inside the same agency, bypassing SPF/DKIM/DMARC because it remained within the Microsoft 365 tenant. [threatlabz…scaler.com], [cyberpress.org]
- Social engineering: Message impersonates the Colombian judicial system, citing a labor‑lawsuit notice to create urgency. The initial attachment is an SVG carrying Base64‑encoded HTML.
2) Fake Judicial Portal → Multi‑Stage JavaScript
- Clicking the SVG opens a fraudulent judicial web portal and auto‑downloads a JS file (e.g., ESCRITO JUDICIAL … .js). Each of the three nested JS stages deobfuscates the next using integer arrays and custom decoding routines.
3) WMI‑Triggered PowerShell (File‑less)
- Final JS invokes PowerShell via WMI, avoiding conventional launch telemetry. PowerShell fetches an image from the Internet Archive and extracts a Base64 payload hidden between markers (e.g., BaseStart-/‑BaseEnd)—classic steganography. Payload is reflectively loaded into memory (.NET), leaving no file on disk.
4) Caminho Downloader → DCRAT via Discord
- The in‑memory payload is Caminho (a downloader with Portuguese artifacts, also tracked as VMDetectLoader), which retrieves the final stage (e.g., AGT27.txt) from Discord CDN, decodes it, and injects into MSBuild.exe (process hollowing). Final payload: DCRAT, an open‑source .NET RAT with AMSI bypass, keylogging, and expansive control.
Impact: Persistence via scheduled tasks/registry, defense evasion (AMSI patch), and in‑memory execution combine for low detection and sustained access to government assets.
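The SVG in step 1 is the only stage that lands on disk before execution, so gateway inspection of it is the cheapest control point. As an added example (not code from the Zscaler report), this inspector flags the traits the chain relies on: a script element, inline event handlers, HTML data URIs, and long Base64 runs that decode to HTML. The sample SVG is constructed for the demo and is not a real lure.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like an SVG‑smuggling lure (not a real sample): a <script>
# element decodes a Base64 HTML blob and writes it into the document.
_HTML_BLOB = base64.b64encode(
    b"<html><body><a href='https://example.invalid/doc.js'>Descargar</a></body></html>"
).decode()
SAMPLE_SVG = f"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10" fill="white"/>
  <script type="text/javascript">
    var p = "{_HTML_BLOB}";
    document.write(atob(p));
  </script>
</svg>"""

SVG_NS = "{http://www.w3.org/2000/svg}"
B64_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")   # long Base64 runs only


def inspect_svg(svg_text: str) -> list[str]:
    """Return findings for one SVG attachment; an empty list means nothing suspicious."""
    findings = []
    root = ET.fromstring(svg_text)
    for el in root.iter():
        tag = el.tag.replace(SVG_NS, "")
        if tag in ("script", "foreignObject"):      # active content inside an "image"
            findings.append(f"element:{tag}")
        for attr, val in el.attrib.items():
            if attr.lower().startswith("on"):       # onload / onclick style handlers
                findings.append(f"handler:{attr}")
            if val.startswith("data:text/html"):    # smuggled HTML document
                findings.append("data-uri:text/html")
    # Decode long Base64 runs and check whether they hide an HTML or script body.
    for m in B64_RE.finditer(svg_text):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except ValueError:
            continue
        if b"<html" in decoded.lower() or b"<script" in decoded.lower():
            findings.append("base64-html")
            break
    return findings


def should_quarantine(svg_text: str) -> bool:
    """Gateway decision: hold the message if the SVG carries any of the traits above."""
    return bool(inspect_svg(svg_text))
```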
Real‑World Example: MCIT Agency Attack (Colombia)
Zscaler’s investigation confirms targeting of a Colombian MCIT agency: messages were sent to a shared IT mailbox from another internal shared account, which made the lure more credible and more likely to be opened.
Third‑party analyses (SOC Prime, SC Media) echo the chain—SVG smuggling → JS tiers → WMI+PowerShell → Caminho → DCRAT—and highlight MSBuild.exe abuse and Discord hosting for payload delivery.
Common Mistakes & Misconceptions
- Trusting internal sender = safe: Compromise of internal accounts bypasses email authentication and filtering. Treat internal email with the same scrutiny as external.
- Ignoring “harmless” SVGs: SVG can embed script and Base64 HTML; enable inspection or disarm content at the gateway.
- Relying solely on disk‑based AV: File‑less execution (PowerShell/.NET reflection) never lands on disk—you need command‑line telemetry, script block logging, and behavioral EDR.
- Underestimating legitimate‑service abuse: Payloads hosted on Discord and artifacts hidden in Internet Archive images evade naive domain blocklists; apply contextual policies.
Detection & Threat Hunting Playbook
MITRE ATT&CK Mapping
- Initial Access: Phishing Attachment (T1566.001) via SVG smuggling (T1027.017).
- Execution: JavaScript (T1059.007), PowerShell (T1059.001), WMI (T1047), MSBuild living‑off‑the‑land abuse.
- Defense Evasion: AMSI bypass (T1562), Obfuscated/Compressed Files & Info (T1027).
- Persistence: Scheduled Task/Job (T1053), Registry Run Keys/Startup Folder (T1060).
High‑Value Signals to Collect
- Email telemetry: Internal sender anomalies; messages with SVG attachments; legal‑lure content and judicial branding.
- Web proxy: Access to Discord CDN payload paths; anomalous image retrievals from the Internet Archive shortly after a phishing message is received.
- Endpoint/EDR:
- PowerShell with FromBase64String, Add‑Type, Reflection.Assembly.Load
- WMI‑initiated PowerShell processes
- MSBuild.exe spawned by scripting engines (process hollowing indicators)
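The three endpoint signals above map directly onto the chain: WMI spawning PowerShell (step 3), reflective .NET loading in script block logs (step 3), and MSBuild.exe launched by a script host (step 4). As an added example (not from the original report), this is the hunt logic run over constructed, normalized telemetry; the event field names and the sample records are assumptions for the demo, not real logs.

```python
import re

# Constructed endpoint events (not real telemetry): process-creation records and
# PowerShell script-block (Event ID 4104) records in a minimal normalized shape.
EVENTS = [
    {"type": "process", "parent": "WmiPrvSE.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -c $x"},
    {"type": "scriptblock", "image": "powershell.exe",
     "text": "$b=[Convert]::FromBase64String($img.Substring($s,$e-$s));"
             "[System.Reflection.Assembly]::Load($b)"},
    {"type": "process", "parent": "wscript.exe", "image": "MSBuild.exe",
     "cmdline": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe"},
    {"type": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe Get-ChildItem C:\\Logs"},          # benign admin use
    {"type": "process", "parent": "devenv.exe", "image": "MSBuild.exe",
     "cmdline": "MSBuild.exe project.csproj"},                     # benign build
]

SCRIPT_ENGINES = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
WMI_HOSTS = {"wmiprvse.exe"}
# Script-block content the page calls out: Base64 decode, Add-Type, reflective Assembly.Load
SUSPICIOUS_PS = re.compile(r"FromBase64String|Add-Type|Reflection\.Assembly\]::Load", re.I)


def classify(event: dict) -> list[str]:
    """Return the detection names that fire for one event (empty list = benign)."""
    hits = []
    img = event.get("image", "").lower()
    parent = event.get("parent", "").lower()
    if event["type"] == "process":
        if img == "powershell.exe" and parent in WMI_HOSTS:
            hits.append("wmi_spawned_powershell")      # step 3: WMI-triggered PowerShell
        if img == "msbuild.exe" and parent in SCRIPT_ENGINES:
            hits.append("msbuild_from_script_engine")  # step 4: hollowing target from JS/PS host
    elif event["type"] == "scriptblock":
        if SUSPICIOUS_PS.search(event["text"]):
            hits.append("ps_reflective_load")          # step 3: Base64 -> in-memory .NET load
    return hits


def hunt(events: list[dict]) -> dict[str, list[int]]:
    """Map each detection name to the indexes of the events that triggered it."""
    result: dict[str, list[int]] = {}
    for i, ev in enumerate(events):
        for name in classify(ev):
            result.setdefault(name, []).append(i)
    return result
```

Parent/child pairs alone are noisy in build or admin environments, so in production these rules are best correlated with the proxy signals (Discord CDN, archive.org) from the same host within a short window.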
IOC & Behavior Examples
- JS file names resembling judicial documents (e.g., ESCRITO JUDICIAL … .js).
- Stego markers in images (BaseStart-/‑BaseEnd) from archive.org.
- Discord file URLs delivering AGT27.txt or similar obfuscated payloads.
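The stego markers are a file-content IOC a proxy or sandbox can check on images fetched from archive.org. As an added example (not the report's code), this scans a downloaded image for the marker pair, validates the Base64 between them, and checks whether it decodes to a Windows executable; the exact marker strings and the constructed sample image are assumptions for the demo.

```python
import base64
import re

START, END = b"BaseStart-", b"-BaseEnd"    # marker pair as described in the report (assumed exact)
MARKER_RE = re.compile(re.escape(START) + rb"(.*?)" + re.escape(END), re.S)

# Constructed stand-in for a downloaded image (not a real sample): a PNG signature, filler
# bytes, then a Base64 blob between the markers that decodes to a fake PE header (MZ).
_FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 40
SAMPLE_IMAGE = (b"\x89PNG\r\n\x1a\n" + b"\x00" * 256
                + START + base64.b64encode(_FAKE_PE) + END + b"\x00" * 64)
CLEAN_IMAGE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 512


def scan_image(data: bytes) -> dict:
    """Look for a marker-delimited Base64 payload hidden inside image bytes."""
    m = MARKER_RE.search(data)
    if not m:
        return {"markers": False}
    blob = re.sub(rb"\s+", b"", m.group(1))         # tolerate wrapped Base64
    try:
        decoded = base64.b64decode(blob, validate=True)
    except ValueError:
        return {"markers": True, "valid_base64": False}
    return {
        "markers": True,
        "valid_base64": True,
        "payload_len": len(decoded),
        "looks_like_pe": decoded[:2] == b"MZ",      # DOS header of a PE / .NET assembly
    }


def verdict(data: bytes) -> str:
    """Proxy/sandbox decision for one fetched image."""
    r = scan_image(data)
    if r.get("looks_like_pe"):
        return "block: executable hidden between stego markers"
    if r["markers"]:
        return "alert: stego markers present, payload not a PE"
    return "allow"
```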
Best Practices & Actionable Steps
Email & Social Engineering Controls
- Content Disarm & Reconstruction (CDR) for SVG/HTML attachments; block or sanitize SVG at gateways.
- Internal email anomaly detection: Treat in‑tenant messages with layered checks (abnormal sender, uncommon attachment types, judicial branding).
- Security awareness for legal‑themed lures; simulate judicial‑notice scenarios in phishing drills.
Endpoint & Execution Controls
- Enable PowerShell Script Block Logging, AMSI (and monitor for patch attempts), and Constrained Language Mode where feasible.
- Application allowlisting: Restrict MSBuild.exe usage; flag WMI‑triggered script executions.
- EDR detections for reflection loading, process injection, and Discord/Archive artifacts.
Network & Proxy Policies
- Allowlist‑style controls for CDN/file‑hosting (Discord, archive.org) from admin/workstation segments; require reason codes or temporary approvals.
- TLS inspection on egress where lawful and appropriate; enrich with language/context signals (judicial portal mimicry).
Incident Response Runbook (BlindEagle‑style)
- Contain affected endpoints; suspend internal sender accounts and review tenant audit logs.
- Collect: Email artifacts, SVGs, JS stages, PowerShell logs, WMI events, MSBuild process trees.
- Eradicate: Remove scheduled tasks/registry persistence; rotate credentials and MFA for impacted roles.
- Recover & Validate: Rebuild compromised workstations; verify policy integrity; monitor for re‑beaconing to Discord/Archive endpoints.
Tools, Frameworks & Standards
- MITRE ATT&CK® mapping (above) for detections & hunts.
- NIST CSF: PR.AC (access control), PR.PT (protective tech), DE.AE/DE.CM (anomalies/monitoring), RS.MI (mitigation).
- ISO/IEC 27001: Annex A controls for A.9 (Access Control), A.12 (Operations Security), A.13 (Communications Security), A.16 (Incident Management).
- Vendor threat bulletins (Zscaler, Broadcom/Symantec) with Caminho/DCRAT coverage to tune EDR/AV policies.
Expert Insights (Risk‑Impact Analysis)
- Trust exploitation trumps perimeter filtering: Internal sender compromise nullifies email auth checks; SOC must treat in‑tenant messages as potential initial access.
- File‑less chains require behavioral visibility: Script block logs, AMSI events, WMI telemetry, and process relationship graphs are mandatory for detection depth.
- Legitimate‑service abuse is the new normal: Blocking the entire Discord/Archive domains is rarely practical; instead apply contextual controls and case‑based approvals.
FAQs
Q1: What makes the BlindEagle campaign 2025 different from past activity?
Use of an internal sender, SVG smuggling, multi‑stage JS, WMI PowerShell, steganography, and delivery via Caminho → DCRAT hosted on Discord, all executed in memory.
Q2: Why did SPF/DKIM/DMARC not help here?
The phishing originated and traveled inside the Microsoft 365 tenant, so external authentication checks were not applied, letting the message appear legitimate.
Q3: What immediate controls reduce risk?
Block/sanitize SVGs, instrument PowerShell/WMI, restrict MSBuild.exe, monitor Discord/Archive access from endpoints, and strengthen internal‑sender anomaly detection.
Q4: What are the strongest detection signals post‑click?
FromBase64String/Reflection in PowerShell logs, WMI‑spawned script runners, MSBuild process injection, and Discord CDN fetches of obfuscated payloads.
Q5: How is DCRAT evading AV?
By patching AMSI, encrypting comms, and running in memory; add behavioral EDR and script‑block visibility to catch it.
Conclusion
The BlindEagle campaign 2025 shows a mature blend of social engineering, tenant‑trusted email abuse, and file‑less tradecraft—a model many APTs will replicate. To stay ahead: treat internal mail as untrusted, instrument PowerShell/WMI, constrain MSBuild, and apply context‑aware controls to legitimate services used for payload delivery.