BlindEagle Targets Colombian Government Agency with Caminho and DCRAT
Dec. 21, 2025, 7:33 p.m.
Description
A spear phishing campaign targeting a Colombian government agency under the Ministry of Commerce, Industry and Tourism was discovered in September 2025. The attack, attributed to BlindEagle, utilized a compromised email account within the organization to bypass security controls. The campaign employed a sophisticated multi-layer attack chain, including a fake web portal, nested JavaScript and PowerShell scripts, steganography, and the deployment of Caminho as a downloader for DCRAT. The attack leveraged legal-themed lures, in-memory execution, and abuse of legitimate services like Discord. BlindEagle's evolution in tactics and use of new tools like Caminho demonstrates their ongoing threat to Colombian institutions.
Tags
Date
- Created: Dec. 17, 2025, 2:49 a.m.
- Published: Dec. 17, 2025, 2:49 a.m.
- Modified: Dec. 21, 2025, 7:33 p.m.
Indicators
Additional Information
- Government and administrations
- startmenuexperiencehost.ydns.eu
- Colombia