Still Circling: Blind Eagle’s Toolkit Keeps Evolving

Still Circling: Blind Eagle’s Toolkit Keeps Evolving
LevelBlue SpiderLabs reports that Blind Eagle has continued evolving its delivery chains in 2026, including new obfuscation schemes, a GitHub-staged AutoIt loader, and a heavily upgraded AsyncRAT build. The cluster still relies on recurring “Photo Studio” persistence artifacts and shared infrastructure patterns while adding WNF injection, HVNC banking fraud, browser profile cloning, and a Chrome App-Bound Encryption bypass. #BlindEagle #Proton66 #AsyncRAT #PhotoStudioVBS #JC-46

Keypoints

  • Blind Eagle, also tracked as APT-C-36, APT-Q-98, TAG-144, and AguilaCiega, continued operating through exposed open-directory staging servers in 2026.
  • Researchers identified four major developments: a new JavaScript AES obfuscation scheme, a bare AutoIt3 RunPE loader staged from GitHub, a reused “Photo Studio” persistence disguise, and an upgraded AsyncRAT build called JC-46.
  • The group’s loaders show strong infrastructure and logic reuse, with recurring Apache open directories, dynamic DNS usage, and repeated delivery patterns.
  • One loader family uses self-mutating VBScript that changes file hashes on every execution, making hash-based detection ineffective after first run.
  • The most technically advanced sample uses a custom AES implementation with a non-standard S-box and round constants to evade standard Rijndael-based detection.
  • JC-46 adds WNF-based injection, HVNC banking-fraud features, browser profile cloning, and a bypass for Chrome App-Bound Encryption v20.
  • Shared persistence artifacts such as the “Photo Studio” scheduled task and %LOCALAPPDATA%PhotoStudioVBS appear across multiple toolchains and provide strong hunting pivots.

MITRE Techniques

  • [T1059.005] Visual Basic – Blind Eagle uses VBScript droppers and downloaders to launch the infection chain and build PowerShell commands (‘VBScript dropper’, ‘System3.vbs / System5.vbs’).
  • [T1059.007] JavaScript – A JavaScript stage performs custom AES decryption with a substituted S-box and round constants (‘hold.js — a custom AES-256 implementation’).
  • [T1059.001] PowerShell – Multiple stages assemble and execute PowerShell decryptors and payload orchestrators (‘assemble an AES decryption stub in memory’, ‘passed via -Command’).
  • [T1027] Obfuscated Files or Information – The loaders heavily obfuscate strings, payloads, and constants using XOR, AES, Base28, and custom ciphers (‘custom stream-cipher loader’, ‘custom Base28 alphabet’).
  • [T1140] Deobfuscate/Decode Files or Information – Scripts decode encrypted string tables, Base64-like blobs, and custom-encoded payloads before execution (‘The reassembled stream is then fed into a genuinely custom decoder’).
  • [T1055] Process Injection – The campaign uses process hollowing and WNF-based injection to run payloads inside other processes (‘process hollowing into RegSvcs.exe’, ‘abuses the Windows Notification Facility’).
  • [T1055.012] Process Hollowing – Several chains hollow legitimate processes such as RegSvcs.exe, MSBuild.exe, AppLaunch.exe, and jsc.exe (‘performs process hollowing into RegSvcs.exe’).
  • [T1129] Shared Modules – The AutoIt chain stages a legitimate interpreter separately from the malicious script to blend in (‘the interpreter’s hash always matches a known-clean AutoIt release’).
  • [T1105] Ingress Tool Transfer – Payloads and scripts are fetched from raw.githubusercontent.com and other staging locations (‘fetch two files from raw.githubusercontent.com’).
  • [T1106] Native API – The injector uses undocumented and low-level Windows APIs such as NtUpdateWnfStateData and OpenProcess (‘abuses the Windows Notification Facility (WNF) via the undocumented NtUpdateWnfStateData syscall’).
  • [T1036] Masquerading – Components disguise themselves as “Photo Studio,” a photo viewer, or benign installers to mislead defenders (‘fake photo-viewer identity’, ‘scheduled task name Photo Studio’).
  • [T1547.001] Registry Run Keys / Startup Folder – The article describes persistence installation via scheduled tasks and dropped startup-style artifacts (‘Task Scheduler XML template’, ‘PhotoStudio.vbs’).
  • [T1053.005] Scheduled Task – The shared builder creates a “Photo Studio” scheduled task for persistence (‘Scheduled task name Photo Studio’).
  • [T1218] System Binary Proxy Execution – Legitimate signed binaries and interpreters are abused to run malicious logic (‘wscript.exe’, ‘RegSvcs.exe’, ‘MSBuild.exe’, ‘jsc.exe’, ‘AppLaunch.exe’).
  • [T1112] Modify Registry – UAC bypass and system changes rely on registry hijacks and settings changes (‘fodhelper.exe registry hijack’, ‘DelegateExecute via computerdefaults.exe’).
  • [T1562.001] Impair Defenses – The RAT disables Windows Defender protections and adds exclusions (‘Disables Windows Defender’s real-time protection and adds exclusions’).
  • [T1078.004] Cloud Accounts – Not applicable; no valid cloud account abuse is described in the article.
  • [T1071.001] Web Protocols – Command-and-control and staging traffic use standard web resources and HTTPS-like web hosting patterns (‘raw.githubusercontent.com’, Apache open directories).
  • [T1497.001] System Checks – The loader fingerprints AV/EDR and environment details before execution (‘fingerprinting installed AV/EDR by process name’).
  • [T1056.001] Keylogging – The AsyncRAT build includes keylogging functionality (‘Keylogger’).
  • [T1113] Screen Capture – The RAT streams screenshots from the victim environment (‘screenshot streaming’).
  • [T1021.002] SMB/Windows Admin Shares – Not explicitly described.
  • [T1021.001] Remote Desktop Protocol – The hidden RDP module enables and tunnels RDP access (‘enables RDP and disables Network Level Authentication’).
  • [T1078.001] Default Accounts – The hidden local admin account behavior indicates account manipulation for persistence (‘creates a hidden local admin account excluded from the login screen’).
  • [T1027.011] File and Directory Permissions Modification – The chain writes and overwrites files in user-writable locations to maintain persistence and staging (‘overwrites itself’, ‘writes files via a double ADODB.Stream trick’).
  • [T1204.002] Malicious File – The campaign relies on user-executed malicious scripts and staged payload files (‘envifa.vbs’, ‘hold.bat’, ‘Client1.exe’).
  • [T1005] Data from Local System – The RAT steals browser profiles, credentials, Wi-Fi passwords, and local data (‘copy its Chromium profile’, ‘Wi-Fi passwords in cleartext’).

Indicators of Compromise

  • [IP addresses ] Open-directory staging servers and historical infrastructure – 46[.]246.84.5, 181[.]235.8.24, and other 2 IPs
  • [Domain names ] GitHub staging and C2 infrastructure – raw.githubusercontent.com/cabeto850128/comicsam, rema200426.duckdns.org
  • [File names ] VBScript, batch, JavaScript, and AutoIt stages – envifa.vbs, sostener2.vbs, hold.bat, hold.js, and other 6 items
  • [File names ] AutoIt download and interpreter artifacts – System3.vbs, System5.vbs, kiSBJ4DDvg.pif, XjvdJar2Kf.pif
  • [File names ] Loader and payload components – Paralell.dll, Client1.exe, PhotoStudio.vbs
  • [File hashes ] Identified payload hashes for JC-46 components – Paralell.dll SHA-256 a4fbd707f4ce7ca68e6137cef1c56b6f408e5f0a0f148434d996bb98c3a21fff, Client1.exe SHA-256 a73cb9d5d46e19f3daa4a14cfe5d8fa4319a3d62452039e4972e6a316bbb26f4
  • [Scheduled tasks ] Persistence artifact used across multiple toolchains – Photo Studio, PhotoStudioVBS
  • [Directories ] Shared persistence path and user-writable staging locations – %LOCALAPPDATA%PhotoStudioVBSPhotoStudio.vbs, %TEMP%


Read more: https://www.levelblue.com/blogs/spiderlabs-blog/still-circling-blind-eagles-toolkit-keeps-evolving