
BlindEagle Targets Colombian Government Agency with Caminho and DCRAT

Severity: Medium
Published: Wed Dec 17 2025 (12/17/2025, 02:49:03 UTC)
Source: AlienVault OTX General

Description

BlindEagle conducted a spear phishing campaign targeting a Colombian government agency under the Ministry of Commerce, Industry and Tourism, using a compromised internal email account to bypass security controls. The attack chain involved a fake web portal, nested JavaScript and PowerShell scripts, steganography, and deployment of the Caminho downloader to install the DCRAT remote access trojan. The campaign used legal-themed lures and abused legitimate services like Discord for command and control. This multi-layered, sophisticated attack demonstrates BlindEagle's evolving tactics and poses a medium severity threat. While no CVSS score is assigned, the attack impacts confidentiality and integrity with moderate ease of exploitation and no known exploits in the wild. European organizations with similar government or critical infrastructure profiles should be vigilant. Countries with close diplomatic or economic ties to Colombia or those with similar government IT environments may be more at risk. Mitigation requires targeted detection of phishing, monitoring for unusual email activity, blocking downloader behaviors, and restricting use of unauthorized communication platforms like Discord in sensitive environments.

AI-Powered Analysis

Last updated: 12/17/2025, 11:51:33 UTC

Technical Analysis

The BlindEagle threat actor launched a spear phishing campaign in September 2025 targeting a Colombian government agency under the Ministry of Commerce, Industry and Tourism. The attackers leveraged a compromised internal email account to bypass perimeter defenses and deliver a sophisticated multi-stage attack. The initial vector involved a fake web portal designed to lure victims with legal-themed content, exploiting user trust and social engineering. The payload delivery utilized nested JavaScript and PowerShell scripts, which executed in-memory to evade detection by traditional antivirus and endpoint security solutions. Steganography was employed to conceal malicious code within seemingly benign files, complicating forensic analysis. The downloader Caminho was used to fetch and deploy DCRAT, a remote access trojan capable of persistent control and data exfiltration. The campaign also abused legitimate services such as Discord for command and control communications, blending malicious traffic with normal network activity. The attack chain incorporated multiple MITRE ATT&CK techniques including T1053.005 (Scheduled Task), T1047 (Windows Management Instrumentation), T1059.007 (PowerShell), T1566.001 (Spear Phishing), and others related to defense evasion, persistence, and credential access. This evolution in tactics and tooling highlights BlindEagle's continued focus on Colombian institutions and its ability to adapt to security improvements. No known exploits are publicly reported, and the attack requires initial user interaction through phishing. The overall campaign demonstrates a medium severity threat with significant impact on the confidentiality and integrity of targeted systems.

Potential Impact

For European organizations, the direct impact may be limited due to the specific targeting of Colombian government entities. However, the tactics and tools used by BlindEagle could be adapted or repurposed against European government agencies or critical infrastructure with similar IT environments. The use of compromised internal accounts to bypass security controls and the abuse of legitimate services like Discord for command and control pose risks to confidentiality, enabling data theft or espionage. The in-memory execution and steganography techniques complicate detection and response, potentially allowing prolonged undetected access. European organizations involved in diplomatic, trade, or governmental relations with Colombia or Latin America could face indirect risks if the threat actor expands targeting. Additionally, the campaign underscores the importance of securing email systems, monitoring for insider threats, and controlling the use of non-traditional communication platforms within sensitive networks. The medium severity rating reflects moderate ease of exploitation but significant potential damage if successful.

Mitigation Recommendations

1. Implement advanced email security solutions with anomaly detection to identify compromised internal accounts and spear phishing attempts, including monitoring for unusual sending patterns and content.
2. Enforce strict multi-factor authentication (MFA) on all email and critical system accounts to reduce the risk of account compromise.
3. Deploy endpoint detection and response (EDR) tools capable of detecting in-memory execution, nested scripting, and steganographic payloads.
4. Restrict or monitor the use of unauthorized communication platforms such as Discord within corporate and government networks, especially for sensitive or classified environments.
5. Conduct regular user awareness training focused on spear phishing and social engineering, emphasizing the risks of legal-themed lures and suspicious web portals.
6. Utilize network segmentation and least privilege principles to limit lateral movement and access to critical systems.
7. Monitor scheduled tasks, WMI activity, and PowerShell execution logs for suspicious behavior indicative of attacker persistence or execution techniques.
8. Establish incident response playbooks tailored to multi-stage, stealthy intrusions involving advanced malware and legitimate service abuse.
9. Collaborate with threat intelligence providers to stay updated on BlindEagle tactics and indicators of compromise (IOCs).
10. Conduct regular security audits and penetration testing to identify and remediate gaps that could be exploited by similar threat actors.


Technical Details

Author: AlienVault
TLP: white
References: https://www.zscaler.com/blogs/security-research/blindeagle-targets-colombian-government-agency-caminho-and-dcrat
Adversary: BlindEagle
Pulse Id: 69421a1f3d6e9eac9a0ce057
Threat Score: null

Indicators of Compromise


Threat ID: 694295c3034dcf495041dbd2

Added to database: 12/17/2025, 11:36:35 AM

Last enriched: 12/17/2025, 11:51:33 AM

Last updated: 12/18/2025, 1:34:22 PM
