Close Menu
Cybercrime and Ransomware

Blind Eagle Targets Colombia with RATs, Phishing Lures, and Dynamic DNS Infrastructure

Staff WriterBy No Comments5 Mins Read3 Views

Fast Facts

  1. Blind Eagle, a persistent threat actor since 2018, has conducted five activity clusters (May 2024–July 2025), mainly targeting Colombian government and various sectors across South America using open-source and cracked RATs, dynamic domains, and legitimate internet services.
  2. Their operations involve sophisticated spear-phishing campaigns impersonating government agencies, exploiting compromised email accounts, geofencing, and staging payloads through platforms like GitHub, Dropbox, and Paste.ee to evade detection.
  3. The group’s malware deployment often utilizes PowerShell scripts, Visual Basic Droppers, and RATs such as Lime RAT, DCRat, and Remcos, with command-and-control infrastructure relying on Colombian ISPs, VPS, VPNs, and dynamic DNS services.
  4. While primarily focused on Colombia’s government sector (~60% of activity), their campaigns also target education, healthcare, retail, and occasionally other South American countries, raising questions about whether their motives are financial, espionage-driven, or both.

Problem Explained

Between May 2024 and July 2025, cybersecurity researchers have identified five distinct activity clusters linked to a persistent threat group known as Blind Eagle, which has been systematically targeting various organizations across countries such as Colombia, Ecuador, Chile, and Panama, with a primary focus on Colombian government agencies. These cyber campaigns, tracked by Recorded Future’s Insikt Group under the label TAG-144, employ a range of tactics—including spear-phishing impersonations of government agencies, the use of compromised email accounts, and the deployment of remote access trojans like Lime RAT, DCRat, AsyncRAT, and Remcos RAT—to infiltrate and compromise targets across sectors like government, education, healthcare, and finance. The attackers also utilize sophisticated methods such as dynamic domain switching, legitimate internet services for staging payloads, and geofencing to evade detection, all while maintaining a consistent operational methodology dating back to at least 2018 that hints at both espionage and financial motives. The report suggests that despite variations in infrastructure and malware deployment, Blind Eagle’s tactics remain highly effective, raising concerns over underlying motivations that could involve both economic gain and potential espionage, especially given the apparent focus on Colombian authorities and institutions.

The targeting and methods suggest a coordinated and well-established campaign designed to exploit digital vulnerabilities through sophisticated social engineering and technical obfuscation, with the threat actor frequently leveraging open-source tools, cracked RATs, and legitimate online platforms to mask malicious activity. The detailed attribution and clustering analysis by Recorded Future highlight a persistent pattern of attacks richly layered with deception techniques like orchestrated phishing emails, staged payloads delivered via cloud services, and the strategic use of geofencing and IP infrastructure rooted in the targeted regions. This steady campaign reflects not only an adaptable and resourceful threat group but also an ongoing security challenge underscored by lingering questions about the group’s ultimate objectives—whether driven purely by monetary interests or augmented by state-sponsored espionage efforts—especially given the group’s consistent focus on South American governmental and critical infrastructure.

Risks Involved

Between May 2024 and July 2025, the persistent threat actor known as Blind Eagle, tracked as TAG-144, has conducted sophisticated cyberattacks predominantly targeting Colombian government agencies, as well as sectors including education, healthcare, and energy across South America and Spanish-speaking communities in North America. These campaigns employ a variety of tactics such as spear-phishing impersonating government entities, leveraging open-source and cracked remote access trojans (RATs) like Lime RAT, DCRat, and Remcos, often using compromised email accounts, dynamic domain services, and legitimate internet platforms to stage malicious payloads covertly. The group’s operations utilize advanced command-and-control infrastructure, including Colombian IP addresses, virtual private servers, dynamic DNS, and staging within trusted internet services like Dropbox and GitHub, complicating detection efforts. Their techniques include deploying malware through multi-stage PowerShell scripts and embedding malicious code within seemingly benign files, which can lead to data theft, espionage, or system disruption. The targeted concentration on government infrastructure in Colombia underscores a dual motivation—potentially financial espionage and broader geopolitical interests—exposing vulnerabilities in critical public sector systems, impairing national security, and amplifying the importance of robust, layered cybersecurity defenses to counteract such resourceful and persistent adversaries.

Possible Action Plan

Monitoring threats like Blind Eagle’s Five Clusters targeting Colombia through RATs (Remote Access Trojans), phishing lures, and dynamic DNS infrastructure highlights the critical need for swift remediation to prevent data breaches, financial loss, and damage to organizational reputation. Prompt action can halt ongoing attacks and disrupt malicious activities, protecting sensitive information and maintaining operational integrity.

Containment Measures

  • Isolate affected systems immediately to prevent spread.
  • Disable compromised accounts or services.

Investigation & Analysis

  • Conduct thorough incident analysis to identify attack vectors.
  • Collect and analyze forensic evidence.

Threat Removal

  • Remove malware, RATs, and malicious scripts.
  • Reset or change compromised credentials.

Patch & Update

  • Apply security patches and updates to vulnerable software.
  • Harden systems against known exploits.

Network Defense

  • Implement firewall rules to block malicious IPs and domains.
  • Use DNS filtering to prevent access to malicious domains.

User Training

  • Educate staff on phishing recognition and safe practices.
  • Reinforce awareness on security protocols.

Enhanced Monitoring

  • Increase monitoring for anomalous activity.
  • Set up alerts for suspicious behaviors.

Communication & Reporting

  • Inform relevant stakeholders and authorities.
  • Document incidents for compliance and future reference.

Stay Ahead in Cybersecurity

Discover cutting-edge developments in Emerging Tech and industry Insights.

Access world-class cyber research and guidance from IEEE.

Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.

Cyberattacks-V1

Share.
Avatar photo

John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.

Related Posts

Comments are closed.