Dark Web Profile: BlindEagle

BlindEagle (APT-C-36 / AguilaCiega / TAG-144 / G0099 / APT-Q-98) is a Latin America–based threat actor that blends espionage and cybercrime, with a strong focus on Colombia and a growing spillover into the U.S. The group relies on phishing, geofenced delivery, commodity RATs, and rapid weaponization of public vulnerabilities to steal banking credentials and sensitive government data. #BlindEagle #APT-C-36 #AguilaCiega #TAG-144 #G0099 #APT-Q-98 #DCRAT #AsyncRAT #Remcos #NjRAT #LimeRAT #BlotchyQuasar #Caminho

Key points

  • BlindEagle has been tracked since 2018 and publicly disclosed as APT-C-36 in February 2019, with activity retrospectively dating to April 2018.
  • The group is assessed to originate from South America, likely Colombia or a neighboring country, based on working hours, Spanish-language lures, and regional infrastructure use.
  • BlindEagle runs a hybrid operation: financial theft focuses on banking credentials, while espionage targets Colombian government, judiciary, and peace-negotiation institutions.
  • The group depends on commodity tools such as AsyncRAT, Remcos, NjRAT, LimeRAT, DCRAT, and custom-tuned variants like BlotchyQuasar rather than bespoke malware.
  • Phishing is highly localized, often impersonating Colombian institutions and using geofencing to hide malicious content from non-LATAM analysts and sandboxes.
  • In February 2025, a mistakenly exposed GitHub HTML file revealed thousands of stolen PII records, including usernames, passwords, email credentials, and ATM PINs.
  • BlindEagle has shown rapid patch exploitation, weaponizing CVE-2024-43451 only six days after the official patch release.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – The group sends Spanish-language phishing emails with malicious attachments such as PDF, DOCX, RAR/ZIP, UUE, LHA, BZ2, and SVG files (‘the infection chain begins with a Spanish-language spear-phishing email’; ‘attachments vary across campaigns’).
  • [T1566.002] Spearphishing Link – Victims are lured through embedded links shortened and protected by geofencing logic (‘Embedded links route through URL shorteners with geofencing logic’).
  • [T1036] Masquerading – Emails and pages impersonate trusted organizations such as DIAN, Fiscalia, and the Ministry of Foreign Affairs (‘impersonating various organizations’).
  • [T1480] Execution Guardrails – Geofencing is used so non-LATAM users see benign content while LATAM users get the payload (‘redirect non-Latin-American IPs to the legitimate impersonated organization’s website’).
  • [T1105] Ingress Tool Transfer – The actors download second-stage payloads and components from trusted public services such as Internet Archive, Pastebin, GitHub, Discord CDN, and paste[.]ee (‘pulled components from the Internet Archive and paste[.]ee’).
  • [T1059.005] Command and Scripting Interpreter: Visual Basic – A heavily obfuscated VBS dropper decodes and launches the next stage (‘a heavily obfuscated 2-3 MB VBScript file named “sostener.vbs”’).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell is used to build in-memory scripts and launch payloads (‘built an in-memory PowerShell script at runtime’; ‘triggered a PowerShell command’).
  • [T1027] Obfuscated Files or Information – Droppers are padded with junk data and payloads are encoded in Base64 or hidden inside images (‘padded with junk data’; ‘decoded a Base64 payload’).
  • [T1106] Native API – The chain executes payloads through process hollowing into signed Microsoft binaries (‘use of process hollowing into signed Microsoft binaries’).
  • [T1055.012] Process Hollowing – Final RATs are loaded into memory by hollowing legitimate processes (‘loads a RAT into memory through process hollowing’).
  • [T1218.011] System Binary Proxy Execution: Rundll32 – DLL side-loading is used to execute malicious components via a legitimate executable (‘initiated infection through side-loading’).
  • [T1056.001] Keylogging – BlotchyQuasar activates keylogging when banking portals are opened (‘activates keylogging when a victim navigates to any of more than 20 Colombian and Ecuadorian banking portals’).
  • [T1560.001] Archive Collected Data: Archive via Utility – Stolen data is collected and exposed in an HTML file with credentials and PINs (‘left an HTML file exposed… contained thousands of stolen PII entries’).
  • [T1113] Screen Capture – RATs provide screenshot capture for surveillance (‘including file exfiltration, screenshot capture’).
  • [T1123] Audio Capture – RATs access microphones for surveillance (‘webcam and microphone access’).
  • [T1125] Video Capture – RATs access webcams for surveillance (‘webcam and microphone access’).
  • [T1041] Exfiltration Over C2 Channel – The RATs support file exfiltration over their command channels (‘including file exfiltration’).
  • [T1102] Web Service – The group repeatedly abuses public web services and cloud platforms for delivery and staging (‘using trusted, high-reputation platforms for hosting’).
  • [T1584.001] Compromise Infrastructure: Domains – The campaign uses compromised legitimate internal accounts and rented infrastructure across multiple domains (‘sender is a compromised legitimate account’; ‘dynamic-DNS-hosted droppers’).
  • [T1587.001] Develop Capabilities: Malware – The article notes cracked or modified commodity RATs and custom variants like BlotchyQuasar (‘cracked commodity RATs’; ‘a modified Quasar RAT variant’).
  • [T1219] Remote Access Software – BlindEagle repeatedly deploys RATs such as AsyncRAT, Remcos, njRAT, LimeRAT, BitRAT, Warzone RAT, DCRAT, and Imminent Monitor (‘relying almost entirely on cracked commodity RATs’).
  • [T1204.002] User Execution: Malicious File – The attack chain depends on the victim opening attachments or clicking links (‘if the target does not click, nothing else in the chain fires’).

Indicators of Compromise

  • [File names] Malicious droppers and campaign artifacts – sostener.vbs, HTML file exposed in GitHub repository, and other attachment names referenced in campaigns
  • [Domains] Delivery and hosting infrastructure – duckdns.org, ip-ddns.com, con-ip.com, linkpc.net, publicvm.com, kozow.com, ydns.eu
  • [Platforms / services] Staging and payload hosting – Internet Archive, paste[.]ee, Pastebin, GitHub, Discord CDN
  • [RAT families / payload names] Deployed malware – DCRAT, AsyncRAT, Remcos, njRAT, LimeRAT, BitRAT, Warzone RAT, Imminent Monitor, BlotchyQuasar, Caminho
  • [C2 / hosting providers] Command-and-control and infrastructure – Proton66, Powerhouse Management, TorGuard, FrootVPN, Colombia Movil, Telmex, Tigo
  • [Vulnerability] Rapid weaponization target – CVE-2024-43451
  • [Targeted organizations / institutions] Victim lures and targets – DIAN, Rama Judicial, Fiscalia General, Ministry of Foreign Affairs, MCIT, Bancolombia, Davivienda, BBVA, Banco de Bogota
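As an added, defender-side example (written for this page; it is not code from SOCRadar or from any vendor), the following Python script turns several of the behaviours in the MITRE list and the domain and platform indicators above into simple detection logic: a script host (wscript/cscript) launching a VBS file from a user-writable path, an oversized padded VBScript dropper, encoded or in-memory PowerShell spawned by a script host, DNS queries to the dynamic-DNS providers in the IoC list, and a script host resolving one of the public staging services. It runs over constructed Sysmon-style process-creation (Event ID 1) and DNS-query (Event ID 22) records embedded inline; the sample events, the `RecordId` key, the `FileSize` field (assumed to be an EDR enrichment, since native Sysmon events carry no file size) and the regular expressions are all assumptions of the example, not values from the profile.

```python
"""Detection sketch for BlindEagle-style tradecraft over Sysmon-like events.
Added example: sample events and field names are constructed for illustration."""
import re

# Dynamic-DNS providers from the profile's IoC list (T1584.001).
DYNDNS_SUFFIXES = ("duckdns.org", "ip-ddns.com", "con-ip.com", "linkpc.net",
                   "publicvm.com", "kozow.com", "ydns.eu")
# Public services the profile names as second-stage staging hosts (T1105 / T1102).
STAGING_HOSTS = ("archive.org", "paste.ee", "pastebin.com", "github.com",
                 "raw.githubusercontent.com", "cdn.discordapp.com")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "powershell.exe")
LARGE_VBS_BYTES = 1_000_000  # the profile describes a 2-3 MB padded VBS dropper (T1027)

USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\(downloads|desktop|appdata)|temp|programdata)\\", re.I)
VBS_ARG = re.compile(r'"?([a-z]:\\[^"\s]+\.vbs)"?', re.I)
ENCODED_PS = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s|FromBase64String|Invoke-Expression|\bIEX\b", re.I)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _host_matches(hostname, suffixes):
    """Exact or subdomain match only; 'evilduckdns.org' must not match 'duckdns.org'."""
    h = hostname.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in suffixes)


def score_process(ev):
    """Findings for a Sysmon Event ID 1 (process creation) record."""
    hits = []
    image = _basename(ev.get("Image", ""))
    parent = _basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    if image in ("wscript.exe", "cscript.exe"):
        m = VBS_ARG.search(cmd)
        if m and USER_WRITABLE.search(m.group(1)):
            hits.append("T1059.005 script host running VBS from user-writable path")
        # FileSize is an assumed EDR enrichment, not a native Sysmon field.
        if ev.get("FileSize", 0) >= LARGE_VBS_BYTES:
            hits.append("T1027 oversized (padded) VBScript dropper")
    if image == "powershell.exe":
        if ENCODED_PS.search(cmd):
            hits.append("T1059.001 encoded or in-memory PowerShell")
        if parent in ("wscript.exe", "cscript.exe"):
            hits.append("T1059.005->T1059.001 script host spawning PowerShell")
    return hits


def score_dns(ev):
    """Findings for a Sysmon Event ID 22 (DNS query) record."""
    hits = []
    q = ev.get("QueryName", "")
    image = _basename(ev.get("Image", ""))
    if _host_matches(q, DYNDNS_SUFFIXES):
        hits.append("T1584.001 dynamic-DNS domain from IoC list")
    # Staging services are legitimate; only flag them when a script host is the client.
    if _host_matches(q, STAGING_HOSTS) and image in SCRIPT_HOSTS:
        hits.append("T1105/T1102 script host contacting public staging service")
    return hits


def hunt(events):
    """Return (RecordId, finding) pairs for every event that trips a rule."""
    findings = []
    for ev in events:
        scorer = {1: score_process, 22: score_dns}.get(ev.get("EventID"))
        if scorer:
            findings.extend((ev["RecordId"], h) for h in scorer(ev))
    return findings


# Constructed sample telemetry: records 1-4 mimic the chain described in the profile,
# records 5-7 are benign noise that must not fire.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "FileSize": 2_600_000,
     "CommandLine": r'wscript.exe "C:\Users\ana\Downloads\sostener.vbs"'},
    {"RecordId": 2, "EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc aGVsbG8="},
    {"RecordId": 3, "EventID": 22, "QueryName": "update-mail.duckdns.org",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"RecordId": 4, "EventID": 22, "QueryName": "archive.org",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"RecordId": 5, "EventID": 1, "Image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "chrome.exe"},
    {"RecordId": 6, "EventID": 22, "QueryName": "www.google.com",
     "Image": r"C:\Program Files\Google\Chrome\chrome.exe"},
    {"RecordId": 7, "EventID": 22, "QueryName": "github.com",
     "Image": r"C:\Program Files\Git\cmd\git.exe"},
]

if __name__ == "__main__":
    for record_id, finding in hunt(SAMPLE_EVENTS):
        print(f"record {record_id}: {finding}")
```

The staging-service rule deliberately keys on the client process rather than the domain alone: GitHub, Pastebin and the Internet Archive are legitimate destinations for browsers and developer tools, and the profile's point is that the actor abuses their reputation, so the anomaly is a script host fetching from them, not the domain itself. Suffix matching is strict (`host == suffix` or `host.endswith("." + suffix)`) so that look-alike registrations do not produce false positives; tune `USER_WRITABLE` and `LARGE_VBS_BYTES` to your environment before deploying.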


Read more: https://socradar.io/blog/dark-web-profile-blindeagle/