Reddit NetSec

CVE Database V5

AlienVault OTX General

Reddit InfoSec News

Exploit-DB RSS Feed

ThreatFox MISP Feed

CIRCL OSINT Feed

AlienVault OTX Vulnerabilities

AlienVault OTX Malware

Blind Eagle Uses Proton66 Hosting for Phishing, RAT Deployment on Colombian Banks

Source: https://thehackernews.com/2025/06/blind-eagle-uses-proton66-hosting-for.html

The threat identified involves a cybercriminal group or campaign named 'Blind Eagle' leveraging Proton66 hosting services to conduct phishing attacks and deploy Remote Access Trojans (RATs) targeting Colombian banks. Phishing is a social engineering technique where attackers impersonate legitimate entities to trick victims into divulging sensitive information or downloading malicious payloads. In this case, the attackers use Proton66, a hosting provider, likely chosen for its ability to facilitate anonymous or resilient hosting of phishing infrastructure. The deployment of RATs following successful phishing attempts allows attackers to gain persistent, covert access to compromised systems, enabling them to exfiltrate data, manipulate banking operations, or move laterally within victim networks. Although the threat is currently reported with minimal discussion and no known exploits in the wild, its high severity classification indicates significant potential risk. The focus on Colombian banks suggests a targeted campaign with financial motivations. The lack of affected software versions or patches implies this is not a software vulnerability but rather a threat actor campaign exploiting human factors and social engineering combined with malware delivery. The use of RATs post-phishing elevates the threat from mere credential theft to full system compromise, increasing the potential damage. The campaign's reliance on Proton66 hosting may complicate takedown efforts and attribution, as such services can provide anonymity and resilience against blocking or shutdowns.

Detailed information about Blind Eagle Uses Proton66 Hosting for Phishing, RAT Deployment on Colombian Banks. Get real-time updates, technical details, and miti

Blind Eagle Uses Proton66 Hosting for Phishing, RAT Deployment on Colombian Banks - Live Threat Intelligence - Threat Radar | OffSeq.com

Blind Eagle Uses Proton66 Hosting for Phishing, RAT Deployment on Colombian Banks

Reddit Discussion: Blind Eagle Uses Proton66 Hosting for Phishing, RAT Deployment on Colombian Banks

Hive0131 is conducting email campaigns targeting users in Colombia with fake electronic notifications of criminal proceedings, purportedly from The Judiciary of Colombia. The campaigns deliver DCRat, a banking trojan operated as Malware-as-a-Service, through embedded links or PDF lures. DCRat's presence has increased in Latin America since 2024. The infection chain involves downloading a loader called VMDetectLoader, which uses process hollowing to inject DCRat into memory. VMDetectLoader can detect virtual machines and create persistence through scheduled tasks or registry keys. DCRat has various capabilities including recording victims, file manipulation, and keystroke logging. IBM X-Force assesses that Latin America will continue facing targeting from actors deploying banking trojans via phishing campaigns.

The threat involves a sophisticated phishing campaign conducted by the threat actor Hive0131, primarily targeting users in Colombia with fake electronic notifications purportedly from The Judiciary of Colombia. These phishing emails contain embedded links or PDF attachments designed to lure victims into downloading a loader named VMDetectLoader. This loader employs advanced evasion techniques, including virtual machine detection to avoid sandbox analysis, and uses process hollowing to inject the DCRat banking trojan directly into memory. This in-memory injection minimizes the malware's disk footprint, helping it evade traditional antivirus detection. VMDetectLoader also establishes persistence on infected systems through scheduled tasks or registry key modifications. DCRat itself is a Malware-as-a-Service (MaaS) banking trojan with a broad range of capabilities such as keystroke logging, file manipulation, and recording victim activity, enabling attackers to steal sensitive financial credentials and other confidential information. The infection chain leverages multiple MITRE ATT&CK techniques including T1566 (phishing), T1055 (process hollowing), T1547 (persistence), and T1056 (input capture), indicating a multi-stage, sophisticated attack. Although currently focused on Latin America, particularly Colombia, the modularity and MaaS model of DCRat suggest potential for expansion to other regions. Indicators of compromise include specific malicious domains (e.g., feb18.freeddns.org) and file hashes associated with the loader and trojan components. No known public exploits exist, but the campaign’s reliance on social engineering and evasion techniques makes it a persistent and evolving threat vector.

Detailed information about Threat Analysis: DCRat presence growing in Latin America. Get real-time updates, technical details, and mitigation strategies.

Threat Analysis: DCRat presence growing in Latin America - Live Threat Intelligence - Threat Radar | OffSeq.com

Threat Analysis: DCRat presence growing in Latin America

A malicious campaign targeting primarily Brazilian residents has been discovered, with attacks detected since early 2025. The attackers employed phishing emails, some sent from compromised company servers, to distribute malware. Two attack chains were identified: one using a malicious browser extension for Google Chrome, Microsoft Edge, and Brave, and another utilizing Mesh Agent or PDQ Connect Agent. The campaign aimed to steal authentication data from victims' bank accounts, particularly targeting Banco do Brasil customers. Over 700 downloads of the malicious extension were recorded, affecting users in Brazil, Colombia, Czech Republic, Mexico, Russia, Vietnam, and other countries. The attackers used sophisticated techniques, including virtualization checks, UAC bypass, and file deletion to evade detection.

Operation Phantom Enigma is a malicious cyber campaign first identified in early 2025, primarily targeting Brazilian residents. The attackers leveraged phishing emails, some originating from compromised corporate email servers, to distribute malware designed to steal banking authentication credentials. The campaign employed two main attack vectors: a malicious browser extension compatible with Google Chrome, Microsoft Edge, and Brave browsers, and exploitation of legitimate remote management tools such as Mesh Agent and PDQ Connect Agent. The browser extension was downloaded over 700 times, indicating a significant infection vector. The primary target was Banco do Brasil customers, with the attackers aiming to harvest login credentials and potentially conduct fraudulent transactions. The campaign also affected users in Colombia, Czech Republic, Mexico, Russia, Vietnam, and other countries, demonstrating a broad geographic reach. The attackers used advanced evasion techniques including virtualization environment detection to avoid sandbox analysis, User Account Control (UAC) bypass to escalate privileges without user consent, and file deletion to remove traces of their activities. These tactics suggest a well-resourced adversary focused on stealth and persistence. The use of legitimate remote management tools as part of the attack chain indicates a sophisticated approach to lateral movement and persistence within compromised networks. The campaign’s medium severity rating reflects the targeted nature of the attacks and the moderate scale of infections, but the potential for significant financial theft and data compromise remains high.

Detailed information about Operation Phantom Enigma. Get real-time updates, technical details, and mitigation strategies.

Title	Severity	Type	Source	Date

Threats Affecting Colombia

Filter Threats

Threats Affecting Colombia

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility