A cyber-espionage group with a long record of targeting Latin American institutions has launched a new campaign against the Colombian government, using a compromised internal email account to slip past email security controls and deliver a new multi-stage malware chain.
A new investigation by Zscaler ThreatLabz reveals that BlindEagle (also tracked as APT-C-36) struck a government agency under the Ministry of Commerce, Industry and Tourism (MCIT) in early September 2025. In a notable change of tooling, the group is now deploying Caminho, a downloader that is likely of Brazilian origin, to deliver the final malicious payload.
Unlike typical phishing attacks that arrive from suspicious external domains, this campaign used a compromised email account inside the target organization itself.
“The attack started with a phishing email that was likely sent from a compromised account within the targeted organization to abuse trust and bypass email security controls,” the report states.

Because the email originated from a legitimate mailbox in the organization's own Microsoft 365 tenant, the standard sender-authentication checks (SPF, DKIM and DMARC) all passed. That is exactly what they should do: these checks prove that the message was sent through the owning domain's authorized infrastructure, not that the account holder sent it. A compromised mailbox passes all three by construction, so a passing result cannot be treated as a trust signal on its own. The email masqueraded as an official notification from the Colombian Judicial Branch (“Rama Judicial”), threatening the recipient with legal fines if they failed to respond to a labor lawsuit.
The attack chain was designed to evade detection at each step. The email carried an SVG image attachment; SVG is XML and can embed links and script, so when the recipient opened it, it redirected the victim to a fraudulent web portal mimicking the official judicial system.
Once on the fake site, a “receipt” was automatically downloaded, triggering the infection sequence. “The user’s action initiates a file-less attack chain that includes three JavaScript code snippets followed by a PowerShell command,” the report says.
The PowerShell script then downloaded an innocuous-looking image file from the Internet Archive. The malicious code was embedded in the image data between the text markers BaseStart- and -BaseEnd, a simple form of steganography that lets the stage download look like an ordinary image fetch from a reputable host.
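To make the point about authentication concrete, here is an added triage script (example code, not from the Zscaler report or from BlindEagle's tooling) that parses a message with Python's standard `email` library, reads the SPF/DKIM/DMARC verdicts, and inspects SVG attachments for script, event handlers or redirects to hosts outside the tenant. The sample message, the domains `agencia.example.gov.co` and `portal-judicial.example.net`, and the SVG body are constructed for the example; the real lure and portal are not reproduced here. The script shows that the message passes every authentication check and is still flagged, because the signal is in the attachment, not in the headers.

```python
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage

# Constructed sample (not the real lure): internal sender, all checks pass,
# SVG attachment whose onload handler redirects to an external portal.
SAMPLE_EML = """\
From: Notificaciones <usuario@agencia.example.gov.co>
To: funcionario@agencia.example.gov.co
Subject: Notificacion Rama Judicial - Demanda laboral
Authentication-Results: mx.example.gov.co; spf=pass smtp.mailfrom=agencia.example.gov.co;
 dkim=pass header.d=agencia.example.gov.co; dmarc=pass header.from=agencia.example.gov.co
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Adjunto encontrara la notificacion. Tiene 48 horas para responder.

--b1
Content-Type: image/svg+xml; name="notificacion.svg"
Content-Disposition: attachment; filename="notificacion.svg"

<svg xmlns="http://www.w3.org/2000/svg" onload="window.location='https://portal-judicial.example.net/recibo'">
  <text x="10" y="20">Ver documento</text>
</svg>
--b1--
"""

INTERNAL_DOMAINS = {"agencia.example.gov.co"}   # assumption: the tenant's own domains
NAMESPACE_HOSTS = {"www.w3.org"}                  # xmlns URLs are not navigation targets

# Things an image has no business containing.
SVG_RISK_PATTERNS = [
    re.compile(rb"<script\b", re.I),
    re.compile(rb"\bon\w+\s*=", re.I),                    # onload=, onclick=, ...
    re.compile(rb"window\.location|location\.href", re.I),
    re.compile(rb"<a\b[^>]*\bhref\s*=\s*[\"']?https?://", re.I),
    re.compile(rb"javascript:", re.I),
]


def auth_results(msg: EmailMessage) -> dict:
    """Extract spf/dkim/dmarc verdicts from Authentication-Results."""
    hdr = str(msg.get("Authentication-Results", ""))
    return {k.lower(): v.lower()
            for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I)}


def sender_domain(msg: EmailMessage) -> str:
    addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    return addr.rsplit("@", 1)[-1].lower()


def svg_findings(msg: EmailMessage) -> list:
    """Flag SVG attachments that carry script or point at external hosts."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() != "image/svg+xml" and not name.lower().endswith(".svg"):
            continue
        body = part.get_payload(decode=True) or b""
        hits = [p.pattern.decode() for p in SVG_RISK_PATTERNS if p.search(body)]
        hosts = {h.decode("ascii", "replace").split(":")[0].lower()
                 for h in re.findall(rb"https?://([^/'\"\s>]+)", body)}
        external = sorted(h for h in hosts
                          if h not in NAMESPACE_HOSTS and h not in INTERNAL_DOMAINS)
        if hits or external:
            findings.append({"attachment": name, "patterns": hits, "external_hosts": external})
    return findings


def triage(raw: str) -> dict:
    msg = email.message_from_string(raw, policy=policy.default)
    svg = svg_findings(msg)
    return {
        "auth": auth_results(msg),
        "internal_sender": sender_domain(msg) in INTERNAL_DOMAINS,
        "svg_findings": svg,
        # A compromised internal mailbox passes SPF/DKIM/DMARC by construction,
        # so the verdict is driven by the attachment content, not the headers.
        "suspicious": bool(svg),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_EML))
```

The same logic transfers to a mail gateway or SOAR playbook: treat `image/svg+xml` attachments as active content (detonate or strip them), and never downgrade a phishing verdict just because the sender is internal and authenticated.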
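The marker technique is easy to hunt for once you know the delimiters. The following added extractor (example code, not from the report) locates a `BaseStart-`...`-BaseEnd` span anywhere in an image file, decodes it and reports where it sits. It assumes the bracketed blob is Base64, which the marker names suggest but the page does not state; the carrier bytes and the harmless stand-in payload are constructed for the example. A clean image and a non-Base64 blob are handled as negative cases.

```python
import base64
import binascii
import re
from typing import Optional, Tuple

START = b"BaseStart-"
END = b"-BaseEnd"

# Constructed carrier (not a real campaign sample): PNG signature, stub chunks,
# then a Base64 blob bracketed by the markers. The payload is a benign stand-in.
STAGE2 = b"Write-Output 'stage-2 placeholder'"
PNG_HEAD = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17 + b"IEND\xaeB`\x82"
CARRIER = PNG_HEAD + b"\n" + START + base64.b64encode(STAGE2) + END + b"\n"
CLEAN = PNG_HEAD

IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF8": "gif",
}


def sniff_image(data: bytes) -> Optional[str]:
    """Identify the carrier format from its magic bytes."""
    for magic, name in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def find_marked_payload(data: bytes, start: bytes = START,
                        end: bytes = END) -> Optional[Tuple[int, bytes]]:
    """Return (offset, raw_blob) for the first start..end span, else None."""
    s = data.find(start)
    if s < 0:
        return None
    e = data.find(end, s + len(start))
    if e < 0:
        return None
    return s, data[s + len(start):e]


def decode_blob(blob: bytes) -> Optional[bytes]:
    """Strict Base64 decode (assumption: the bracketed blob is Base64)."""
    cleaned = re.sub(rb"\s+", b"", blob)
    if not re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", cleaned):
        return None
    try:
        return base64.b64decode(cleaned, validate=True)
    except binascii.Error:
        return None


def scan_image(data: bytes) -> dict:
    """Summarise carrier type, marker location and decoded payload."""
    result = {"image_type": sniff_image(data), "marker_offset": None,
              "blob_length": 0, "payload": None}
    hit = find_marked_payload(data)
    if hit is None:
        return result
    offset, blob = hit
    result["marker_offset"] = offset
    result["blob_length"] = len(blob)
    result["payload"] = decode_blob(blob)
    return result


if __name__ == "__main__":
    print(scan_image(CARRIER))
    print(scan_image(CLEAN))
```

In practice, run this over image downloads seen in proxy logs from archive.org or other reputable hosts, and alert on any hit; a valid image never needs a text payload after its terminating chunk.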
The most significant development in this campaign is the introduction of Caminho, a malware downloader that appears to have been bought rather than built in-house.
“Evidence suggests BlindEagle may have started using Caminho, a downloader malware likely sold in underground marketplaces,” researchers noted.
The malware’s code points to the Brazilian cybercriminal ecosystem: its internal arguments use Portuguese terms such as caminho (“path”) and minutos (“minutes”). The tool acts as a bridge, fetching the final payload, DCRAT, from a file hosted on Discord.
This campaign marks a shift towards higher sophistication for BlindEagle. “BlindEagle has evolved their attack chains from deploying a single malware strain to a more sophisticated, multi-layer flow,” the report concludes.
By combining internal account compromise, steganography, and modular malware, the group continues to pose a severe threat to government sectors in the region.