
Blind Eagle's Prolonged Campaign: Targeting Colombian Government with RATs and Phishing
Researchers from Recorded Future's Insikt Group have identified five distinct clusters of activity attributed to the persistent threat actor known as Blind Eagle, spanning from May 2024 to July 2025. The primary targets of these attacks were various levels of the Colombian government, including local, municipal, and federal entities. The threat actor employed a combination of Remote Access Trojans (RATs), phishing lures, and dynamic DNS infrastructure to carry out their operations.

Blind Eagle, also known as APT-C-36, has a history of targeting entities in Latin America, particularly Colombia. The prolonged duration of this campaign indicates a high level of persistence and possibly significant resources backing the group. The use of RATs suggests that the attackers are interested in maintaining long-term access to compromised systems, potentially for espionage or data exfiltration purposes.

The employment of phishing lures as an initial access vector is a common tactic among sophisticated threat actors. By tricking users into clicking malicious links or downloading infected attachments, the attackers can bypass perimeter defenses and establish a foothold within the target network. The use of dynamic DNS infrastructure further complicates detection and mitigation efforts, as it allows the attackers to frequently change the location of their command and control servers.

The targeting of multiple levels of government highlights the broad scope of Blind Eagle's interests. Government entities are attractive targets due to the sensitive information they hold and the potential for disruption of critical services. This campaign underscores the ongoing threat posed by advanced persistent threats (APTs) to government organizations, particularly in regions that may lack robust cybersecurity defenses.

For cybersecurity professionals, this campaign serves as a reminder of the importance of continuous monitoring and threat intelligence. Organizations should implement advanced endpoint protection solutions to detect and block RATs, as well as conduct regular phishing awareness training to mitigate the risk of initial compromise. Additionally, leveraging threat intelligence feeds can help organizations stay updated on the latest tactics, techniques, and procedures (TTPs) used by groups like Blind Eagle.

In conclusion, the prolonged campaign by Blind Eagle against Colombian government entities highlights the need for robust cybersecurity measures. By understanding the tactics and techniques employed by such threat actors, organizations can better prepare and defend against similar attacks in the future.
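As an added example (not code from the Insikt Group report), the following Python script shows one way to surface the dynamic DNS pattern described above in DNS query logs: it flags clients resolving names under well-known dynamic DNS zones, and names whose resolved address churns over a short window. The zone list, the log format and the log lines are constructed for illustration and are not indicators from the report.

```python
# Added example: surface dynamic DNS usage and address churn in DNS query logs.
from collections import defaultdict

# Assumption: a short, illustrative list of dynamic DNS provider zones.
# A real deployment would take this list from a maintained threat intel feed.
DYNDNS_ZONES = ("duckdns.org", "no-ip.org", "ddns.net", "hopto.org")

# Constructed sample log, one query per line: "timestamp client qname answer".
# Addresses use documentation ranges (RFC 5737); nothing here is a real IoC.
SAMPLE_LOG = """\
2025-06-01T08:00:01Z 10.1.2.10 intranet.example.org 192.0.2.5
2025-06-01T08:00:05Z 10.1.2.44 updates.duckdns.org 203.0.113.10
2025-06-01T08:10:05Z 10.1.2.44 updates.duckdns.org 203.0.113.11
2025-06-01T08:20:05Z 10.1.2.44 updates.duckdns.org 203.0.113.12
2025-06-01T08:30:05Z 10.1.2.44 updates.duckdns.org 203.0.113.13
2025-06-01T09:00:00Z 10.1.2.10 mail.example.org 198.51.100.7
"""


def in_dyndns_zone(qname):
    """True if qname is exactly a listed zone or a subdomain of one.

    Matching on the label boundary ("." + zone) avoids false hits on look-alike
    names such as duckdns.org.evil.example, which ends with the zone text but
    is not under it.
    """
    q = qname.lower().rstrip(".")
    return any(q == z or q.endswith("." + z) for z in DYNDNS_ZONES)


def analyse(log_text, churn_threshold=3):
    """Return (dyndns_hits, churn_hits).

    dyndns_hits: sorted (client, qname) pairs that queried a dynamic DNS zone.
    churn_hits:  {qname: changes} for names whose answer changed at least
                 churn_threshold times, the "frequently changing C2" pattern.
    """
    dyndns_hits = set()
    answers = defaultdict(list)  # qname -> sequence of distinct answers seen
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the whole run
        _ts, client, qname, answer = parts
        if in_dyndns_zone(qname):
            dyndns_hits.add((client, qname))
        hist = answers[qname]
        if not hist or hist[-1] != answer:
            hist.append(answer)
    churn_hits = {q: len(h) - 1 for q, h in answers.items()
                  if len(h) - 1 >= churn_threshold}
    return sorted(dyndns_hits), churn_hits
```

The two signals are deliberately separate: a dynamic DNS hit alone is often benign in small organisations, while address churn on a name that only one host queries is the stronger lead for the analyst.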