Blind Eagle, also known as APT-C-36, is a suspected South American Advanced Persistent Threat (APT) group that has been active since April 2018. The group has continuously targeted Colombian government institutions and important corporations in various sectors including finance, petroleum, and professional manufacturing. Blind Eagle is believed to be a Spanish-speaking entity, inferred from the language used in its spear-phishing emails. Its attack strategies involve impersonating Colombian government branches and using password-protected ZIP or RAR archives to deliver malware payloads.
The group has also expanded its operations to North America, particularly targeting Spanish-speaking users in the manufacturing industry; this new Blind Eagle campaign was uncovered by eSentire researchers. The threat actor uses the Ande Loader to deliver a variety of Remote Access Trojans (RATs), including Remcos RAT, NjRAT, LimeRAT, and QuasarRAT. These payloads are delivered via phishing emails and are often concealed within RAR and BZ2 archives.
As of March 15, 2024, manufacturing organizations across North America have been under attack by Blind Eagle. The group leverages the Ande Loader malware for remote access trojan delivery, facilitated by phishing emails with RAR and BZ2 archives. According to eSentire's report, the RAR archives enable the deployment of Remcos RAT while the BZ2 archives lead to the distribution of NjRAT. Furthermore, Check Point Research detailed the adversary's advanced toolset, which includes Meterpreter payloads delivered via spear-phishing emails.
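As an added defender-side example (not code from the eSentire or Check Point reporting), the following triage routine targets the delivery vector described above: it identifies RAR, BZ2 and ZIP attachments by their leading bytes rather than by extension, and flags ZIP archives whose local file headers set the encryption bit, since password-protected archives cannot be content-scanned at the mail gateway. All file names and bytes are constructed samples, and the helper names are this example's own.

```python
import io
import struct
import zipfile

# Leading bytes of the archive formats named in the campaign reporting.
MAGIC = {
    b"Rar!\x1a\x07": "rar",   # RAR 4.x; RAR5 appends 0x01 0x00 to this prefix
    b"BZh": "bz2",
    b"PK\x03\x04": "zip",
}

def detect_format(data: bytes) -> str:
    """Classify an attachment by content, ignoring whatever extension it carries."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "other"

def zip_is_encrypted(data: bytes) -> bool:
    """True if any ZIP local file header sets general-purpose flag bit 0 (encrypted entry)."""
    pos = 0
    while True:
        pos = data.find(b"PK\x03\x04", pos)   # heuristic scan; may also hit nested archives
        if pos < 0 or pos + 8 > len(data):
            return False
        (flags,) = struct.unpack_from("<H", data, pos + 6)   # flags follow signature + version
        if flags & 0x0001:
            return True
        pos += 4

def triage_attachment(filename: str, data: bytes) -> dict:
    """Return format, encryption state and the reasons (if any) the attachment should be held."""
    fmt = detect_format(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    encrypted = fmt == "zip" and zip_is_encrypted(data)
    reasons = []
    if fmt in ("rar", "bz2"):
        reasons.append(f"{fmt} archive attachment")
    if encrypted:
        reasons.append("password-protected zip (contents not scannable)")
    if fmt != "other" and ext != fmt:
        reasons.append(f"extension .{ext} does not match {fmt} content")
    return {"format": fmt, "encrypted": encrypted, "suspicious": bool(reasons), "reasons": reasons}

def make_zip(encrypted_flag: bool) -> bytes:
    """Build a constructed one-entry ZIP; zipfile cannot write encrypted entries, so set the bit by hand."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("documento.txt", b"constructed sample content")
    data = bytearray(buf.getvalue())
    if encrypted_flag:
        data[6] |= 0x01   # first local header starts at offset 0; flags at offset 6
    return bytes(data)

# Constructed sample attachments: a BZ2 body hiding behind a .pdf name, a RAR, an encrypted ZIP, a real PDF.
SAMPLES = {
    "factura.zip": make_zip(True),
    "documento.rar": b"Rar!\x1a\x07\x00" + b"\x00" * 16,
    "adjunto.pdf": b"BZh91AY&SY" + b"\x00" * 16,
    "informe.pdf": b"%PDF-1.7\n",
}
```

Run `triage_attachment(name, data)` over each entry of `SAMPLES` to see which attachments would be held for review.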
Description last updated: 2024-03-15T19:19:33.770Z