
Trustwave SpiderLabs has uncovered new insights into the operations of Blind Eagle (APT-C-36), a Latin America-focused threat actor known for its persistent targeting of financial institutions—particularly in Colombia. The group’s recent campaign reveals a blend of opportunistic techniques and brazenly exposed infrastructure, pointing to a strategic shift prioritizing rapid deployment over stealth.
The investigation began by pivoting off IP address 45.135.232[.]38, which sits in address space attributed to Proton66 OOO, a known bulletproof hosting provider. The infrastructure traced from this netblock included clusters of malicious domains registered through the DuckDNS dynamic-DNS service, all following consistent naming patterns and serving phishing kits and malware.
“Pivoting identified what is assessed to be one of its most recent and operationally active infrastructure clusters… characterized by strong interconnections across multiple domains and IP address clusters,” the report explains.
This infrastructure was notable for its reliance on VBS files as initial payloads, its use of Dynamic DNS (DDNS) services for command-and-control hostnames, and second-stage Remote Access Trojans (RATs) such as Remcos and AsyncRAT.
Blind Eagle’s phishing campaigns masquerade as login pages for top Colombian banks including Bancolombia, Davivienda, BBVA, and Banco Caja Social.

“In some of the more egregious cases, these directories contain complete phishing pages impersonating legitimate Colombian banks… along with first-stage malware designed to initiate the infection.”
These pages are pixel-perfect clones, complete with HTML/CSS mimicking the original portals. Once a user submits credentials, a VBS script is delivered to the system as the first stage of malware deployment.
These VBS files are heavily obfuscated and often generated by subscription-based crypter services, like “Crypters and Tools,” which help evade detection.
“An analysis of some of the VBS codes also revealed overlaps with previously analyzed samples generated by Vbs-Crypter… a subscription-based service commonly used to obfuscate and pack VBS payloads.”
The script elevates itself to administrator level, then neuters Windows Defender by adding an exclusion for the entire C:\ drive (so nothing on the system disk is scanned, without Defender itself being switched off), cleans registry traces, and retrieves further payloads from public paste and file-sharing services such as paste.ee, textbin.net, and gofile.io.
The second-stage RAT is typically hosted there under an innocuous .txt filename; once downloaded and executed, it connects to the attacker's web-based botnet panel.
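The two behaviours just described, a script host adding a whole-drive Defender exclusion and then fetching the next stage from a paste site, are both cheap to detect on the endpoint. The following is an added example (not code from the Trustwave report or from the Blind Eagle tooling) that runs simple detection rules over constructed sample events shaped like Windows Defender event 5007 (configuration change) and Sysmon events 1 (process create) and 22 (DNS query). The list of script hosts and the exact event field names are assumptions; adapt them to your SIEM's schema.

```python
"""Detect a script host excluding a whole drive from Defender, and a script host
resolving a paste/file-sharing site used for second-stage delivery.

Sample events below are constructed for this example; they are not real telemetry."""
import re
from dataclasses import dataclass

# Paste/file-sharing hosts named in the article as second-stage hosting.
PASTE_HOSTS = {"paste.ee", "textbin.net", "gofile.io"}
# Script hosts commonly used to run a first-stage VBS (assumption: typical LOLBins).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}

# Defender 5007 "New value" looks like: ...\Exclusions\Paths\C:\ = 0x0
EXCLUSION_RE = re.compile(r"Exclusions\\Paths\\(.+?) = 0x0", re.IGNORECASE)
# PowerShell form of the same change, as seen in a process command line.
ADD_MP_RE = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+['\"]?([^'\"\s]+)", re.IGNORECASE)

@dataclass
class Finding:
    rule: str
    detail: str

def is_root_drive(path: str) -> bool:
    """True for a bare drive root such as C:\\ or C:, i.e. an exclusion of the whole disk."""
    return re.fullmatch(r"[A-Za-z]:\\?", path.strip()) is not None

def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()

def check_defender_exclusion(ev: dict):
    """Defender event 5007 whose new value adds a root-drive path exclusion."""
    if ev.get("event_id") != 5007:
        return None
    new_value = ev.get("message", "").split("New value:", 1)[-1]
    m = EXCLUSION_RE.search(new_value)
    if m and is_root_drive(m.group(1)):
        return Finding("defender_root_exclusion", f"exclusion added for {m.group(1)}")
    return None

def check_exclusion_command(ev: dict):
    """Sysmon event 1: a script host spawning Add-MpPreference with a root-drive path."""
    if ev.get("event_id") != 1:
        return None
    m = ADD_MP_RE.search(ev.get("command_line", ""))
    if m and is_root_drive(m.group(1)) and basename(ev.get("parent_image", "")) in SCRIPT_HOSTS:
        return Finding("script_host_adds_root_exclusion",
                       f"{basename(ev['parent_image'])} -> {ev['command_line']}")
    return None

def check_paste_site_lookup(ev: dict):
    """Sysmon event 22: a script host resolving a known paste/file-sharing host."""
    if ev.get("event_id") != 22:
        return None
    image = basename(ev.get("image", ""))
    qname = ev.get("query_name", "").lower()
    if image in SCRIPT_HOSTS and qname in PASTE_HOSTS:
        return Finding("script_host_paste_site_dns", f"{image} resolved {qname}")
    return None

CHECKS = (check_defender_exclusion, check_exclusion_command, check_paste_site_lookup)

def scan(events):
    """Run every check over every event; return the findings in event order."""
    findings = []
    for ev in events:
        for check in CHECKS:
            f = check(ev)
            if f:
                findings.append(f)
    return findings

# Constructed sample events: one true positive per rule plus two benign look-alikes.
SAMPLE_EVENTS = [
    {"event_id": 5007, "message": "Microsoft Defender Antivirus Configuration has changed.\n"
     "\tOld value: \n\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\ = 0x0"},
    {"event_id": 5007, "message": "Microsoft Defender Antivirus Configuration has changed.\n"
     "\tOld value: \n\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Program Files\\Vendor\\app = 0x0"},
    {"event_id": 1, "parent_image": "C:\\Windows\\System32\\wscript.exe",
     "command_line": "powershell.exe -NoP -W Hidden -Command \"Add-MpPreference -ExclusionPath 'C:\\'\""},
    {"event_id": 22, "image": "C:\\Windows\\System32\\wscript.exe", "query_name": "paste.ee"},
    {"event_id": 22, "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "query_name": "gofile.io"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail}")
```

Only the drive-root exclusion is flagged; a narrowly scoped exclusion under Program Files is left alone, and a browser resolving gofile.io is not treated as suspicious. A whole-drive exclusion is rarely legitimate, so that rule alone is usually worth a high-severity alert; the DNS rule is best used to corroborate it.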
Trustwave found that Blind Eagle’s botnet C2 panel was completely exposed online, requiring no authentication. The dashboard revealed at least 264 active infections, mostly in Argentina, and included features for:
- Command execution
- Payload deployment
- File exfiltration
- Real-time endpoint control
“This level of access… illustrates not only the operational simplicity of the campaign but also reinforces the minimal emphasis placed by the threat actors on infrastructure compartmentalization or concealment.”
The C2 panels reused the same TLS certificates across hosts, served files from open directories, and showed no attempt at segmentation. Shared certificate fingerprints and open listings of this kind are exactly the attributes defenders can pivot on to enumerate the rest of the cluster.
Despite their rudimentary methods, Blind Eagle’s campaigns are alarmingly effective, thanks to targeted phishing, freely available malware tools, and the operational freedom offered by bulletproof hosting.