By Abdul Wasay ⏐ 3 min read
Blind Eagle Malware

Advanced persistent threat (APT) group Blind Eagle has launched a new wave of cyberattacks using sophisticated, multi-stage malware to compromise victims and evade detection, cybersecurity researchers report. The campaign, uncovered in recent threat intelligence analysis, leverages phishing, fileless execution techniques, and modular payloads to breach networks and deploy remote access tools.

Phishing Leads to Multi-Stage Malware Deployment

According to security analysts, the intrusion sequence begins with a highly targeted spear-phishing email sent to internal accounts associated with government agencies. The message impersonates a legitimate entity and includes an SVG attachment that, when opened, redirects recipients to a fraudulent web portal. That portal lures users into downloading a script that launches a malicious JavaScript payload.

Once activated, this script triggers a fileless attack chain, meaning malicious code runs in memory without writing files to disk, which is a key technique for avoiding traditional antivirus detection. The first stage installs a specialized downloader named Caminho, which resides in memory and then injects the open-source DCRAT malware into system processes.

Unlike many earlier remote access trojan (RAT) payloads, the DCRAT build used in these attacks includes capabilities beyond basic remote control, such as keylogging and direct disk access. It can also bypass Microsoft’s Antimalware Scan Interface (AMSI), a defense mechanism common in Windows environments that some malware strains cannot evade.

Broader Campaign Context and Indicators

Threat intelligence records show that Blind Eagle, also tracked under identifiers such as APT-C-36, TAG-144 and AguilaCiega, has historically deployed a variety of RAT families in its operations, including AsyncRAT, Remcos, NjRAT and Quasar variants in earlier clusters of activity targeting Latin America. Previous campaigns against Colombian government and private sector organizations illustrate the group’s persistence and adaptability.

In the current campaign, analysts also discovered two dozen hosts worldwide leaking certificates tied to DCRAT infrastructure, indicating a broader footprint. The threat actors have incorporated dynamic DNS services to support their command-and-control infrastructure, further enabling them to shift endpoints quickly if nodes are blacklisted.

Blind Eagle is known for tailoring its phishing lures to highly specific victims and sectors; previous reporting indicates it has targeted government, law enforcement, financial and public service entities using socially engineered email themes to increase click-through rates (source: blogs.blackberry.com).

Mitigation and Response

Cybersecurity professionals advise organizations to harden email filters, train users to recognize spear-phishing attempts, and deploy behavior-based detection tools that monitor for unusual memory-only activities.
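The campaign's entry point is an SVG attachment that behaves like a web page rather than an image, so one concrete way to "harden email filters" against this stage is to inspect SVG attachments for active content before delivery. The script below is an added example written for this article; it is not code from the article, from BlackBerry, or from any gateway product. It flags embedded scripts, event-handler attributes, links or references to external web addresses or javascript: URLs, and foreignObject wrappers that can carry HTML. The rule names, the sample files and the portal.example.invalid address are constructed for illustration.

```python
"""Static triage of SVG e-mail attachments for script and redirect content.

Added example for the mitigation section above (not from the article or any
vendor tool). It answers one question a mail gateway can ask cheaply: does
this SVG contain anything that could execute or navigate when opened?
"""
import re
import xml.etree.ElementTree as ET

# Elements that turn an SVG from a picture into an active document.
_ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "object", "embed"}

# Reference values that leave the file: web URLs, javascript: URLs and
# HTML data URIs. Plain data:image/... URIs are left alone because benign
# SVGs embed raster images that way.
_URL_PATTERN = re.compile(r"^\s*(https?:|javascript:|data:text/html)", re.IGNORECASE)


def _local(name):
    """Strip an XML namespace prefix such as '{http://www.w3.org/2000/svg}'."""
    return name.rsplit("}", 1)[-1]


def triage_svg(svg_text):
    """Return a list of (rule, detail) findings for one SVG document.

    An empty list means no active content was found. A parse failure is
    itself a finding: a gateway should not pass what it cannot inspect.
    In production, parse with defusedxml instead of the stdlib parser to
    rule out entity-expansion tricks; stdlib is used here to stay self-contained.
    """
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [("unparseable", str(exc))]

    findings = []
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in _ACTIVE_ELEMENTS:
            findings.append(("active-element", tag))
        for attr, value in elem.attrib.items():
            name = _local(attr)  # xlink:href arrives as '{...xlink}href'
            if name.lower().startswith("on"):
                findings.append(("event-handler", f"{tag}@{name}"))
            elif name in ("href", "src") and _URL_PATTERN.match(value):
                findings.append(("external-reference", f"{tag}@{name}={value.strip()[:80]}"))
    return findings


def classify(svg_text):
    """Map triage findings to a gateway action."""
    return "quarantine" if triage_svg(svg_text) else "deliver"


# Constructed samples: a plain logo, and a lure shaped like the one the
# article describes (opens, then sends the reader to a fake portal).
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="100" height="40">
  <rect width="100" height="40" fill="#036"/>
  <text x="10" y="25" fill="#fff">ACME</text>
</svg>"""

LURE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="go()">
  <script>function go(){ window.location = "https://portal.example.invalid/"; }</script>
  <a xlink:href="https://portal.example.invalid/login">
    <text x="10" y="20">Open the document</text>
  </a>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("lure", LURE_SVG)):
        print(label, classify(doc), triage_svg(doc))
```

Run against the two samples, the logo is delivered and the lure is quarantined on three independent signals (an onload handler, a script element and an external link), which is the point: a rule set that needs only one of these to fire is robust to an attacker removing any single one. Treating unparseable SVGs as suspicious rather than passing them through closes the obvious evasion of malformed-but-renderable markup.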

Regular threat hunting and endpoint monitoring can help identify fileless malware stages before attackers escalate privileges or exfiltrate sensitive information.