BlindEagle Targets Colombian Government Agency with Caminho and DCRAT

Zscaler ThreatLabz attributes a spear-phishing campaign targeting a Colombian government agency to the BlindEagle actor, which used a compromised internal email account, an SVG-smuggled fake judicial portal, nested JavaScript and PowerShell, steganography, the Caminho downloader, and DCRAT as the final RAT. The attack chain involved in-memory execution, Discord-hosted artifacts, process hollowing, and an AES-encrypted DCRAT configuration tied to certificate-based C2 authentication. #BlindEagle #DCRAT

Keypoints

  • BlindEagle targeted a Colombian government agency (MCIT) using a phishing email likely sent from a compromised internal account to increase trust and bypass tenant email checks.
  • The phishing lure used a clickable SVG that decoded an embedded Base64 HTML page mimicking a judicial web portal and automatically delivered a malicious JavaScript file.
  • A multi-stage file-less chain of nested JavaScript snippets and a PowerShell command retrieved a Base64 payload from the Internet Archive and loaded a .NET assembly in memory.
  • The .NET assembly was identified as the Caminho downloader, which fetched an encoded text payload from a Discord CDN URL, decoded it in memory, and executed DCRAT via process hollowing of MSBuild.exe.
  • DCRAT was deployed with an AES-256–encrypted configuration and a certificate used for integrity and C2 authentication; Zscaler identified multiple hosts exposing the same certificate issuer.
  • Attribution to BlindEagle is based on infrastructure choices (GleSYS ASN, ydns.eu), victimology (Colombia), phishing themes, tooling (Caminho, .NET RATs), and Portuguese artifacts in Caminho’s code.
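The SVG-smuggling lure described above can be spotted at the mail gateway or during triage by decoding the Base64 runs inside the SVG and checking what they contain. The following Python helper is an added example, not code from the report or from Zscaler; the SVG it scans is a constructed stand-in modelled on the described lure, not the actual sample.

```python
import base64
import re

# Constructed sample: a minimal SVG carrying a Base64-encoded HTML page in a
# click handler, modelled on the lure described in the report (not the real file).
FAKE_PORTAL_HTML = (
    b"<html><body><h1>Portal Judicial</h1>"
    b"<script>location='recibo.js'</script></body></html>"
)
SAMPLE_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" onclick="open(atob(\'%s\'))">'
    b'<rect width="100" height="100"/></svg>' % base64.b64encode(FAKE_PORTAL_HTML)
)
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'

# Runs of Base64 alphabet long enough to hold more than a short attribute value
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")
# Markers that indicate a decoded blob is really an HTML page or script
SUSPECT_MARKERS = (b"<html", b"<script", b"<iframe", b"javascript:", b"atob(")


def find_smuggled_content(svg_bytes: bytes) -> list[str]:
    """Return findings for an SVG that embeds Base64-encoded HTML or script."""
    findings = []
    # Active content directly in the SVG: <script> elements or on* event handlers
    if re.search(rb"<script|\bon[a-z]+\s*=", svg_bytes, re.I):
        findings.append("svg contains script or event handler")
    for blob in B64_RUN.findall(svg_bytes):
        try:
            decoded = base64.b64decode(blob, validate=True)
        except ValueError:
            continue  # not a decodable run (bad length or padding)
        hits = [m.decode() for m in SUSPECT_MARKERS if m in decoded.lower()]
        if hits:
            findings.append(f"base64 blob ({len(blob)} chars) decodes to content with {hits}")
    return findings
```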

MITRE Techniques

  • [T1583.001] Acquire Infrastructure: Domains – BlindEagle used the YDNS.eu D-DNS service for the C2 domain (‘BlindEagle used the YDNS.eu D-DNS service for the C2 domain.’)
  • [T1586.002] Compromise Accounts: Email Accounts – The phishing message was likely sent from a compromised account within the targeted organization (‘attacker controlled the sender’s email account and used it to deliver a phishing attempt’).
  • [T1588.001] Obtain Capabilities: Malware – BlindEagle employed Caminho as a downloader and DCRAT as the final RAT (‘BlindEagle employed Caminho, a downloader…and the open-source RAT known as DCRAT.’)
  • [T1608.001] Stage Capabilities: Upload Malware – An obfuscated instance of DCRAT was staged on Discord for retrieval (‘staged an obfuscated instance of DCRAT on Discord.’)
  • [T1566.001] Phishing: Spearphishing Attachment – Initial access was attempted via a phishing email containing a clickable SVG image (‘phishing email bearing a clickable SVG image.’)
  • [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell was used to download an image from the Internet Archive and carve out a Base64 payload that is loaded as a .NET assembly (‘download an image file from the Internet Archive…carves out a Base64-encoded payload’).
  • [T1059.007] Command and Scripting Interpreter: JavaScript – Nested JavaScript snippets performed deobfuscation and launched subsequent stages leading to PowerShell execution (‘a file-less attack chain composed of three JavaScript code snippets followed by a PowerShell command’).
  • [T1204.001] User Execution: Malicious Link – The attack required the user to click the SVG image to open the fake portal (‘The image above is fully clickable’).
  • [T1204.002] User Execution: Malicious File – The chain required the user to open a downloaded JavaScript file to progress to later stages (‘after the user double-clicks on the fraudulent receipt downloaded…a file-less attack chain’).
  • [T1047] Windows Management Instrumentation – The final JavaScript used WMI Win32_Process Create() to execute a PowerShell command (‘it leverages Windows Management Instrumentation (WMI) to obtain a Win32_Process instance’).
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – DCRAT can set persistence via RunKey when executed by an unprivileged user (‘DCRAT is capable of setting persistence via RunKey’).
  • [T1053.005] Scheduled Task/Job: Scheduled Task – DCRAT can set persistence using scheduled tasks (‘DCRAT is capable of setting persistence via scheduled tasks’).
  • [T1140] Deobfuscate/Decode Files or Information – Multiple stages used Base64-encoded payloads that were decoded during execution (‘Multiple stages in the attack chain are composed of Base64-encoded payloads.’)
  • [T1562.001] Impair Defenses: Disable or Modify Tools – DCRAT includes an AMSI bypass to evade detection (‘DCRAT ships with an AMSI bypass technique’).
  • [T1027.003] Obfuscated Files or Information: Steganography – Caminho was hidden in encoded form within a PNG image (‘Caminho is hidden in encoded form within a PNG image.’)
  • [T1027.010] Obfuscated Files or Information: Command Obfuscation – JavaScript and PowerShell snippets were obfuscated or Base64-encoded at several stages (‘obfuscates JavaScript and PowerShell code snippets either by encoding them in Base64 or using other custom obfuscation methods.’)
  • [T1027.017] Obfuscated Files or Information: SVG Smuggling – A fraudulent web portal was embedded inside an SVG image (‘hid a fraudulent web portal inside an SVG image using obfuscation.’)
  • [T1027.013] Obfuscated Files or Information: Encrypted/Encoded File – Caminho was stored as a text file encoded in reverse Base64 (‘Caminho was stored as a text file encoded in reverse Base64.’)
  • [T1055.012] Process Injection: Process Hollowing – Caminho executes DCRAT by hollowing an MSBuild.exe process (‘hollowing a MsBuild.exe process’).
  • [T1497.001] Virtualization/Sandbox Evasion: System Checks – DCRAT attempts to detect sandbox environments by checking WMI system cache memory descriptions (‘DCRAT attempts to detect sandbox environments by examining the WMI system cache memory descriptions.’)
  • [T1095] Non-Application Layer Protocol – DCRAT uses socket-based channels for C2 communications (‘DCRAT communications to and from the C2 server happen via socket-based channels.’)
  • [T1105] Ingress Tool Transfer – DCRAT supports installing and executing additional plugins (DLLs) delivered by the operator (‘DCRAT supports the installation and execution of additional plugins in the form of DLLs.’)
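Because Caminho was stored as reverse-Base64 text (T1027.013), a plain Base64 decode of the hosted file yields nothing recognisable, which is why it passes a naive content check. The following Python triage helper is an added example, not code from the report; it tries both orderings and checks the result for a PE header and .NET loader strings. The payload it decodes is a constructed stand-in, not the Caminho sample.

```python
import base64
import struct


def build_fake_dotnet_pe() -> bytes:
    """Constructed stand-in for a .NET PE: 'MZ' header, e_lfanew pointing at a
    'PE\\0\\0' signature, and the loader strings a .NET image carries."""
    hdr = bytearray(b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80))  # e_lfanew at 0x3C
    hdr += b"\x00" * (0x80 - len(hdr)) + b"PE\x00\x00"
    return bytes(hdr) + b"\x00" * 16 + b"mscoree.dll\x00_CorExeMain\x00"


def encode_reverse_b64(data: bytes) -> str:
    """Encode as Base64 and reverse the text, as the report describes for Caminho."""
    return base64.b64encode(data).decode()[::-1]


def describe_blob(blob: bytes) -> dict:
    """Check decoded bytes for a valid PE header and .NET runtime indicators."""
    pe = False
    if blob[:2] == b"MZ" and len(blob) >= 0x40:
        pe_off = struct.unpack_from("<I", blob, 0x3C)[0]
        pe = blob[pe_off:pe_off + 4] == b"PE\x00\x00"
    dotnet = pe and (b"mscoree.dll" in blob or b"_CorExeMain" in blob)
    return {"encoding": None, "size": len(blob), "pe": pe, "dotnet": dotnet}


def triage_text_payload(text: str) -> dict:
    """Try plain and reversed Base64; prefer whichever ordering yields a PE image."""
    fallback = {"encoding": None, "size": 0, "pe": False, "dotnet": False}
    for variant, candidate in (("base64", text), ("reverse-base64", text[::-1])):
        try:
            blob = base64.b64decode(candidate.strip(), validate=True)
        except ValueError:
            continue  # wrong alphabet, length or padding position for this ordering
        result = describe_blob(blob)
        result["encoding"] = variant
        if result["pe"]:
            return result
        if fallback["encoding"] is None:
            fallback = result  # decodable but not a PE; keep only if nothing better
    return fallback


# Constructed text file standing in for the hosted Caminho payload
SAMPLE_TXT = encode_reverse_b64(build_fake_dotnet_pe())
```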

Indicators of Compromise

  • [File Hashes] Hashes for artifacts used in the campaign – MD5 961ebce4327b18b39630bfc4edb7ca34 (JavaScript file), SHA256 e7666af17732e9a3954f6308bc52866b937ac67099faa212518d5592baca5d44 (DCRAT instance), and 19 more hashes.
  • [IP Addresses] Hosts exposing the X.509 certificate tied to the DCRAT configuration – 45.74.34.32, 103.20.102.130, and other listed hosts.
  • [Domains] Command-and-control and hosting domains – startmenuexperiencehost[.]ydns.eu (DCRAT C2 domain), cdn.discordapp[.]com (Discord CDN used to host AGT27.txt), and other infrastructure.
  • [File Names] Notable filenames observed in the attack chain – ESCRITO JUDICIAL AGRADECEMOS CONFIRMAR RECIBIDO NOTIFICACION DE ADMISION DEMANDA LABORAL ORDINARIA E S D.js (malicious JavaScript), AGT27.txt (Caminho payload hosted on Discord).
  • [URLs] Download locations and image hosting used to hide payloads – hXXps://archive[.]org/download/optimized_msi_20250821/optimized_MSI.png (PNG carrying encoded Caminho), and the Discord CDN URL for AGT27.txt (obfuscated in the sample).

Read more: https://www.zscaler.com/blogs/security-research/blindeagle-targets-colombian-government-agency-caminho-and-dcrat