SOCRadar® Cyber Intelligence Inc. | Dark Web Profile: BlindEagle
Jun 02, 2026
Jun 04, 2026
Moon

Dark Web Profile: BlindEagle

BlindEagle (APT-C-36 / AguilaCiega / TAG-144 / G0099 / APT-Q-98) is a threat actor believed to operate from Latin America. Tracked since 2018, the group runs a hybrid espionage-and-cybercrime operation that has compromised many organizations across Latin America and the U.S. The Red Akodon cluster overlaps with it through shared cracked AsyncRAT samples but is not formally treated as the same group.

What makes BlindEagle worth global attention is not its technical sophistication: the group relies almost entirely on cracked commodity RATs and public file-sharing services. Its operational discipline, however, tells a different story. The phishing lures are culturally precise and localized to specific Colombian institutions. The delivery infrastructure uses geofencing that blinds sandboxes detonating samples from outside Latin America. Newly patched Windows vulnerabilities are weaponized within days.

This level of operational awareness raises a question about the group’s actual technical depth. The gap between their operational skill and their choice of tooling is too wide to be explained by a lack of capability alone. The consistent reliance on commodity tooling may be a deliberate choice rather than a limitation. Off-the-shelf RATs and rented crypters leave a generic forensic footprint, making it harder for analysts to build a distinct technical profile around the group. They also reduce development time and keep operations moving at a pace that custom tooling would slow down.

Whether this is a matter of efficiency or a conscious effort to obscure the group’s true capabilities remains an open question, but the operational output suggests a group that knows exactly what it is doing.

Who Is BlindEagle?

BlindEagle was publicly disclosed as APT-C-36 on February 18, 2019, with retrospective activity dating to April 2018.

Origin is assessed as South American, likely Colombian or neighboring, on the basis of consistent UTC-5 and UTC-4 working hours, Spanish lures, regional infrastructure use, and operational artifacts.

No nation-state attribution has been confirmed, and no individuals have been indicted or publicly identified, though crypter authors using nicknames “Roda” and “Pjoao1578” have been documented by previous research. The latter is likely a Brazilian developer, which is consistent with Kaspersky’s August 2024 observation of variable names in Portuguese and Brazilian image-hosting usage. This activity suggests outsourcing or collaboration with Portuguese-speaking actors.

Threat actor card of Blind Eagle, TAG-144, AguilaCiega, APT-Q-98


Motivation of the group can be stated as hybrid and dual-purpose. The financial side of BlindEagle’s operations centers on banking-credential theft. The group deploys BlotchyQuasar, a modified Quasar RAT variant that monitors browser window titles and activates keylogging when a victim navigates to any of more than 20 Colombian and Ecuadorian banking portals, including Bancolombia, Davivienda, BBVA, Banco de Bogota, Banco Popular, Caja Social, and Banco Pichincha. One of BlindEagle’s operational clusters focused entirely on running fake banking portals designed to mimic Davivienda, Bancolombia, and BBVA.

Additionally, in February 2025, the group made an operational mistake and left an HTML file exposed in one of their GitHub repositories. That file contained thousands of stolen PII entries, including usernames, passwords, email credentials, and ATM PINs harvested from individuals, businesses, and government employees. The insurance sector has also been targeted within this financial track. That said, no public reporting has confirmed actual funds being extracted from victim accounts or credentials being sold on underground markets.

The espionage side targets a different set of institutions entirely: Colombian judiciary bodies (Rama Judicial, Fiscalia General), government ministries (DIAN, Ministry of Foreign Affairs, the agency under the Ministry of Commerce, Industry and Tourism), defense-related entities, and notably the institutions involved in Colombia’s peace negotiations. These campaigns deploy RATs with full remote access capabilities, including file exfiltration, screenshot capture, webcam and microphone access, giving the operators persistent surveillance over high-value government targets.

BlindEagle cluster - SOCRadar Threat Hunting


Who Does BlindEagle Target?

Colombia is the overwhelming primary target, with Kaspersky reporting 87% of victims in Colombia during May-June 2024 espionage operations. Secondary targets are Ecuador, Chile, Panama, and Spain, with extensions in 2024 into Spanish-speaking organizations in North America. The phishing lures were still in Spanish, aimed at Spanish-speaking employees working in North American manufacturing firms.

BlindEagle’s targeting spans both public and private sectors across Latin America, with a heavy concentration in Colombia:

  • Colombian Government: DIAN (tax authority), Fiscalia General, Ministry of Foreign Affairs, Rama Judicial, Ministry of Commerce, Industry and Tourism (MCIT)
  • Banking (Colombia, Ecuador)
  • Energy and Oil & Gas
  • Other Sectors
    • Insurance
    • Education
    • Healthcare
    • Judiciary
    • Manufacturing

BlindEagle Targets


How Does a BlindEagle Attack Work?

Initial Access: Phishing and Geofenced Delivery

The infection chain begins with a Spanish-language spear-phishing email impersonating various organizations (in previous cases, they were DIAN, the Fiscalia, the Ministry of Foreign Affairs, or the judicial organizations).

There are also cases where the sender is a compromised legitimate account within the target organization itself. In the September 2025 campaign against an agency under Colombia’s Ministry of Commerce, Industry and Tourism (MCIT), the phishing email was sent from a shared internal mailbox to another shared mailbox within the same agency. Because the message never left the organization’s Microsoft 365 tenant, it was not subject to the SPF, DKIM, and DMARC checks that are applied to inbound external mail, making it indistinguishable from normal internal communication.

Attachments vary across campaigns: PDF, DOCX, password-protected RAR/ZIP, various other formats like UUE archives, LHA, BZ2, and most recently, SVG image files with embedded JavaScript code.

Embedded links route through URL shorteners with geofencing logic that redirect non-Latin-American IPs to the legitimate impersonated organization’s website, while LATAM-sourced clicks proceed to dynamic-DNS-hosted droppers on duckdns.org, ip-ddns.com, con-ip.com, linkpc.net, publicvm.com, kozow.com, or ydns.eu. This approach causes most non-LATAM defenders detonating samples in their sandboxes to see a clean page and conclude the email is benign.
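The following hunt is an added example, not code from this profile or from SOCRadar. It walks proxy log lines in an assumed layout (timestamp, source IP, status, URL, quoted Referer) and flags every request to one of the dynamic-DNS providers listed above, escalating a hit when the same client was sent there by a URL shortener. The shortener list, the hostnames and the log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Dynamic-DNS providers named in this profile. Matching on the provider suffix
# catches whatever subdomain the operators registered under it.
DYNDNS_SUFFIXES = (
    "duckdns.org", "ip-ddns.com", "con-ip.com", "linkpc.net",
    "publicvm.com", "kozow.com", "ydns.eu",
)
# Assumed shortener list for this example; the profile does not name the
# shorteners BlindEagle used, so extend it from your own telemetry.
SHORTENER_HOSTS = frozenset({"bit.ly", "tinyurl.com", "cutt.ly", "is.gd", "t.ly", "rb.gy"})

# Assumed proxy log layout: <timestamp> <source_ip> <status> <url> "<referer>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<status>\d{3})\s+(?P<url>\S+)\s+"(?P<ref>[^"]*)"$'
)


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none or does not parse."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def is_dyndns(host: str) -> bool:
    """True for a provider apex or any label underneath it (a.b.duckdns.org)."""
    return any(host == s or host.endswith("." + s) for s in DYNDNS_SUFFIXES)


def is_shortener(host: str) -> bool:
    return host in SHORTENER_HOSTS


def hunt(log_lines):
    """Return one finding per request to a dynamic-DNS host.

    A finding is 'high' when the same source IP arrived there from a shortener,
    either via the Referer header or an earlier shortener request in the same
    log; that is the shortener -> geofenced redirect -> dynamic-DNS dropper
    chain described above. Bare dynamic-DNS fetches are 'medium'. Lines that do
    not match LOG_RE are skipped rather than raising.
    """
    findings = []
    seen_shortener = set()  # source IPs that have requested a shortener so far
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        src, url, ref = m["src"], m["url"], m["ref"]
        host = host_of(url)
        if is_shortener(host):
            seen_shortener.add(src)
            continue
        if not is_dyndns(host):
            continue
        chained = is_shortener(host_of(ref)) or src in seen_shortener
        findings.append({
            "ts": m["ts"], "src": src, "host": host, "url": url,
            "severity": "high" if chained else "medium",
        })
    return findings


# Constructed sample log (not real telemetry): one full chain, one bare
# dynamic-DNS fetch, one geofence bounce to the legitimate site, and a line
# that does not parse.
SAMPLE_LOG = [
    '2025-09-15T10:01:02Z 10.20.30.41 302 https://bit.ly/3xAmple "https://outlook.office.com/"',
    '2025-09-15T10:01:03Z 10.20.30.41 200 https://lure-example.duckdns.org/doc/notificacion.svg "https://bit.ly/3xAmple"',
    '2025-09-15T10:05:44Z 10.20.30.77 200 https://sample.publicvm.com/stage2.txt ""',
    '2025-09-15T10:06:10Z 10.20.30.99 200 https://www.dian.gov.co/ "https://bit.ly/3xAmple"',
    "malformed line that the parser must skip",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['severity']:>6}  {f['ts']}  {f['src']}  {f['url']}")
```

Because the geofence sends non-LATAM sources to the legitimate site, the real chain only shows up in telemetry from clients the operators intended to reach. Hunting your own proxy or EDR logs for shortener-to-dynamic-DNS hops, as above, is therefore more reliable than re-detonating the sample from a sandbox outside the region; the fourth sample line is exactly what such a sandbox would record.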

Infection Chain: From Dropper to Payload

BlindEagle’s infection chains follow a consistent multi-stage logic, but the specific tools and services shift from campaign to campaign. The general pattern is: a phishing email delivers an initial dropper (usually a compressed or obfuscated file), which executes a script that fetches a second-stage payload from a legitimate web service, which then loads a RAT into memory through process hollowing.

The details change depending on the operation. In one campaign, the dropper was a heavily obfuscated 2-3 MB VBScript file named “sostener.vbs,” padded with junk data, which decoded a Base64 payload and built an in-memory PowerShell script at runtime. The second stage pulled components from the Internet Archive and paste[.]ee, with payloads embedded inside JPEG files or plain text.

In the September 2025 campaign against an agency under MCIT, the chain was different: an SVG attachment with embedded JavaScript triggered a PowerShell command that downloaded a PNG image from the Internet Archive, then extracted a hidden .NET payload delimited by the “BaseStart-” and “-BaseEnd” markers. That payload was Caminho, a Brazilian-origin downloader, which fetched the final DCRAT payload from Discord CDN.

Across campaigns more broadly, Kaspersky has observed the group staging payloads on Pastebin, GitHub, and Brazilian image-hosting sites, and rotating between different RATs, including AsyncRAT, Remcos, njRAT, and LimeRAT.

The constant across all variants is the abuse of trusted, high-reputation platforms for hosting and the use of process hollowing into signed Microsoft binaries to execute the final payload.
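As an added example for the marker-delimited PNG stage described above (not the operators’ code and not from this page), the Python below pulls whatever sits between “BaseStart-” and “-BaseEnd”, strips any line wrapping, base64-decodes it, and triages the result by its MZ header and the “BSJB” CLR metadata signature that every .NET assembly carries. The image bytes and the fake assembly are constructed; no real malware is embedded.

```python
import base64
import binascii
import re

# Markers the profile reports around the base64 blob hidden in the PNG.
START_MARK, END_MARK = b"BaseStart-", b"-BaseEnd"
# Signature of the CLR metadata header ("BSJB") present in every .NET assembly.
CLR_METADATA_SIG = b"BSJB"


def extract_marked_payloads(blob: bytes):
    """Return [(offset, decoded_bytes_or_None), ...] for every marked region.

    Whitespace inside the base64 run is stripped (operators sometimes wrap it);
    a run that still fails strict base64 decoding is returned as None so the
    analyst sees that a region exists even if the encoding differs.
    """
    found = []
    pos = 0
    while True:
        start = blob.find(START_MARK, pos)
        if start < 0:
            break
        end = blob.find(END_MARK, start + len(START_MARK))
        if end < 0:
            break
        encoded = re.sub(rb"\s+", b"", blob[start + len(START_MARK):end])
        try:
            decoded = base64.b64decode(encoded, validate=True)
        except (binascii.Error, ValueError):
            decoded = None
        found.append((start, decoded))
        pos = end + len(END_MARK)
    return found


def classify(payload):
    """Rough triage of a decoded region: .NET PE, plain PE, unknown, or undecodable."""
    if payload is None:
        return "undecodable"
    if not payload.startswith(b"MZ"):
        return "unknown"
    return "dotnet_pe" if CLR_METADATA_SIG in payload else "pe"


# Constructed sample: a PNG header and junk bytes wrapping a fake MZ/PE stub
# that carries the CLR metadata signature, with the base64 run wrapped at 40
# columns the way a text-embedded blob often is.
FAKE_ASSEMBLY = (b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 40
                 + CLR_METADATA_SIG + b"\x01\x00\x01\x00")
_b64 = base64.b64encode(FAKE_ASSEMBLY)
_wrapped = b"\r\n".join(_b64[i:i + 40] for i in range(0, len(_b64), 40))
SAMPLE_IMAGE = (b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + bytes(range(256))
                + START_MARK + _wrapped + END_MARK + b"\x00\x00\x00\x00IEND\xaeB`\x82")

if __name__ == "__main__":
    for offset, payload in extract_marked_payloads(SAMPLE_IMAGE):
        size = len(payload) if payload else 0
        print(f"region at 0x{offset:x}: {classify(payload)}, {size} bytes")
```

The same two marker strings make a cheap retro-hunt: grep cached or proxied image downloads for “BaseStart-” and, on a hit, run the extractor rather than trusting the file extension or the hosting platform’s reputation.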

Loaders and Crypters: A Rotating Toolkit

The group rotates through a mix of commodity and crimeware-market tools, adopting new ones as they become available and discarding old ones between campaigns.

In a March 2024 campaign targeting Spanish-speaking manufacturers in North America, the group used Ande Loader to deliver Remcos RAT and NjRAT through RAR and BZ2 archives. That same investigation revealed BlindEagle was using crypters developed by two individuals known as “Roda” and “Pjoao1578,” with one of Roda’s crypters containing a hardcoded server that also hosted components used in the campaign.

By mid-2024, the group had added DLL side-loading to its toolset. In a campaign against Colombian judicial bodies, the delivered archive contained a clean executable that initiated infection through side-loading, alongside a loader called HijackLoader, which decrypted and loaded the final payload.

In the September 2025 campaign against an agency under MCIT, the chain was different again: the group used the previously mentioned Caminho, a Brazilian-origin downloader that first appeared in underground markets around May 2025. BlindEagle was among the early adopters. The payload was decoded from Base64, loaded as a .NET assembly using reflection, and ultimately delivered DCRAT.

The consistent thread is not any single tool but the sourcing pattern where BlindEagle buys or cracks whatever is available on the crimeware market rather than developing its own.

Final Payloads and Command-and-Control Infrastructure

BlindEagle has consistently relied on commodity RATs rather than custom malware, but the specific RAT in use changes from campaign to campaign. The earliest documented campaigns in 2018-2019 used Imminent Monitor, a RAT that was later taken down in a 2019 international law enforcement operation.

By 2021, the group was rotating through njRAT, Remcos, AsyncRAT, LimeRAT, BitRAT, and Warzone RAT across different campaigns.

In 2024, the group started using BlotchyQuasar, a modified Quasar RAT variant customized for banking-credential theft, against Colombian insurance companies.

Later, around September 2025, they delivered DCRAT against MCIT.

The C2 infrastructure follows a similar pattern of rotation. Observed C2 traffic has been routed through Colombian residential ISPs such as Colombia Movil, Telmex, and Tigo. BlindEagle infrastructure has also been linked to Proton66, a Russian bulletproof hosting provider, and to commercial VPN services such as Powerhouse Management, TorGuard, and FrootVPN.

The takeaway here is the same as with the loaders, which is that BlindEagle does not commit to any single tool or infrastructure provider. It picks whatever is cheap, available, and fits the operation at hand.

BlindEagle Attack Chain


Why BlindEagle matters far beyond Colombia

  • Spillover to other regions is now empirical. Recent telemetry shows a notable share of BlindEagle activity appearing inside U.S. networks, concentrated in manufacturing and financial services, two sectors deeply integrated with North American and European partners through supply chains. A Colombian factory or Brazilian bank compromise puts partner credentials, contracts, and intellectual property at risk regardless of where the headquarters sit.
  • BlindEagle proves the commodity tools work at scale. With no in-house malware, the group infected thousands of endpoints by composing cracked AsyncRAT and Remcos with packers like HeartCrypt, commercial loaders, and culturally tuned lures. While these are not novel to BlindEagle, this path can be copied by other actors at scale, and defenders who dismiss “crimeware” RATs as low-tier threats would be mis-prioritizing.
  • The patch-to-weaponization window is short. BlindEagle integrated a CVE-2024-43451 variant six days after Microsoft’s patch of November 12, 2024, using the WebDAV-trigger primitive (a right-click, single-click, drag, or delete on a .url file fires an outbound request) not to leak NTLMv2 hashes but as a download notification beacon. This compresses the defender’s patch window from weeks to days for any newly disclosed Windows shell vulnerability.
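An added static triage check for the .url primitive in the last bullet, not from this page and not any vendor’s tooling: it parses the INI-style keys of an InternetShortcut file and reports every URL=, IconFile= or WorkingDirectory= value that would make Explorer reach a remote UNC or WebDAV host (\\host\share, \\host@80\DavWWWRoot, \\host@SSL\…, file://host/…), while leaving drive paths, file:///C:/ paths and http(s) bookmarks alone. The two sample files, the hostname and the RFC 5737 test address are constructed.

```python
import re

# Hosts a URL= or IconFile= value may point at without traffic leaving the machine.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
# Keys of an InternetShortcut (.url) file that name something the shell opens,
# reads or renders; a remote reference here is what triggers the WebDAV probe.
WATCHED_KEYS = ("url", "iconfile", "workingdirectory")

UNC_RE = re.compile(r"^\\\\([^\\/]+)")                    # \\host\share, \\host@80\DavWWWRoot
FILE_URL_RE = re.compile(r"^file://([^/\\]+)[/\\]", re.I)  # file://host/share, not file:///C:/


def parse_url_file(text: str):
    """Return {key_lower: [values]} from the INI-style lines of a .url file."""
    fields = {}
    for raw in text.splitlines():
        line = raw.lstrip("\ufeff").strip()
        if not line or line[0] in "[;#" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        fields.setdefault(key.strip().lower(), []).append(value.strip().strip('"'))
    return fields


def remote_host(value: str):
    """Host the shell would contact for this value, or None if it stays local."""
    value = value.strip()
    if value.startswith("\\\\?\\"):            # Win32 device path, always local
        return None
    m = UNC_RE.match(value) or FILE_URL_RE.match(value)
    if not m:
        return None                            # http(s), plain drive paths, etc.
    host = m.group(1).split("@")[0].lower()    # drop WebDAV port suffix: host@80, host@SSL
    return host if host and host not in LOCAL_HOSTS else None


def scan_url_file(text: str):
    """Return [(key, host, value)] for every watched key that references a remote host."""
    fields = parse_url_file(text)
    return [(key, host, value)
            for key in WATCHED_KEYS
            for value in fields.get(key, [])
            if (host := remote_host(value))]


# Constructed samples (not real lure files). The first is an ordinary bookmark;
# the second points both the target and the icon at remote WebDAV shares, so
# Explorer reaches out as soon as the file is rendered or touched.
BENIGN_URL_FILE = """[InternetShortcut]
URL=https://www.dian.gov.co/
IconFile=C:\\Windows\\System32\\SHELL32.dll
IconIndex=13
"""
SUSPICIOUS_URL_FILE = """[InternetShortcut]
URL=file://lure-example.duckdns.org@80/DavWWWRoot/notificacion.pdf
IconFile=\\\\198.51.100.7@SSL\\share\\icon.ico
IconIndex=0
"""

if __name__ == "__main__":
    for name, text in (("benign", BENIGN_URL_FILE), ("suspicious", SUSPICIOUS_URL_FILE)):
        print(name, "->", scan_url_file(text) or "no remote references")
```

Run it over .url attachments at the mail gateway or over files dropped into user profiles; any remote reference is worth quarantining regardless of whether the host is in a known indicator list, because the beacon fires before the user consciously opens anything.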

Conclusion

BlindEagle is not the most technically sophisticated actor in any threat-intelligence dataset. But the group does not need to be. The reason behind BlindEagle’s effectiveness is a narrow geographic focus paired with high operational discipline. They use culturally precise lures, geofenced delivery that blinds outside analysts, consistent rotation of cheap commodity tools, and infrastructure that gets replaced before it gets burned.

Their entire attack lifecycle depends on the entry. If the target does not click, nothing else in the chain fires. There is no zero-day exploitation, no novel vulnerability research, no custom backdoor. Every technical stage that follows, from the obfuscated dropper to the process hollowing to the RAT deployment, only activates after a human being has been tricked into opening an attachment or clicking a link. That makes BlindEagle a social engineering operation with a malware delivery backend.

This also means the model is transferable. The lures can be translated into any language and themed around any country’s authorities or judicial system. The tooling is rented from the same crimeware markets that serve every other mid-tier actor. The geofencing logic works for any geography.

One aspect worth noting is the gap between BlindEagle’s collection capability and any observable monetization. The group harvests banking credentials and PII at scale, yet no public reporting has confirmed stolen funds, underground market sales, or ransom demands tied to this data. At the same time, the espionage targeting shows a persistent focus on judiciary bodies, prosecutors’ offices, and institutions involved in Colombia’s peace negotiations, entities that hold significant value for organized criminal networks operating in the region.

No vendor has publicly drawn this connection, and there is no confirmed evidence linking BlindEagle to any specific criminal organization. However, the combination of sustained interest in law enforcement and judicial targets, the apparent absence of conventional cybercriminal monetization, and the group’s deep familiarity with Colombian institutional structures leaves open the possibility that BlindEagle serves, or is connected to, interests beyond typical cybercrime. This remains speculative and should be treated as an analytical gap rather than an assessed finding.

How Can SOCRadar Help?

SOCRadar can support defense against BlindEagle by providing targeted visibility across phishing infrastructure, underground activity, and APT operations.

Dark Web Monitoring enables organizations to track BlindEagle-linked activities, credential dumps, and underground marketplaces where stolen government and financial data surfaces, helping identify compromised accounts or exposed employee credentials early in the attack cycle.

Threat Actor Intelligence provides ongoing insight into BlindEagle’s infrastructure rotations, RAT deployments, and campaign patterns, allowing security teams to anticipate shifts in phishing lures, loader tooling, and C2 domains before they reach inboxes.

Attack Surface Management (ASM) identifies exposed email gateways, misconfigured Microsoft 365 tenants, and public-facing services that BlindEagle can abuse for initial access and internal trust exploitation, reducing entry points before they are leveraged.

Threat Intelligence Feeds deliver actionable indicators of compromise and observed TTPs associated with BlindEagle, including dynamic DNS domains, commodity RAT C2 addresses, and phishing URLs, enabling faster detection, threat hunting, and security control updates.

Together, these SOCRadar modules help organizations detect phishing campaigns earlier, reduce attack surface risk, and strengthen preparedness against persistent, regionally targeted APT operations.

What Are the MITRE ATT&CK TTPs of BlindEagle?

Tactic | ID | Name
Resource Development | T1583.001 | Acquire Infrastructure: Domains
Resource Development | T1583.003 | Acquire Infrastructure: Virtual Private Server
Resource Development | T1583.006 | Acquire Infrastructure: Web Services
Execution | T1059.001 | Command and Scripting Interpreter: PowerShell
Execution | T1059.005 | Command and Scripting Interpreter: Visual Basic
Execution | T1059.007 | Command and Scripting Interpreter: JavaScript
Resource Development | T1586.002 | Compromise Accounts: Email Accounts
Resource Development | T1586.003 | Compromise Accounts: Cloud Accounts
Resource Development | T1584.005 | Compromise Infrastructure: Botnet
Resource Development | T1587.001 | Develop Capabilities: Malware
Command and Control | T1568 | Dynamic Resolution
Defense Evasion | T1480 | Execution Guardrails
Persistence | T1133 | External Remote Services
Resource Development | T1683.001 | Generate Content: Written Content
Resource Development | T1683.002 | Generate Content: Audio-Visual Content
Defense Evasion | T1564.003 | Hide Artifacts: Hidden Window
Defense Evasion | T1574.001 | Hijack Execution Flow: DLL
Command and Control | T1105 | Ingress Tool Transfer
Lateral Movement | T1534 | Internal Spearphishing
Defense Evasion | T1036.004 | Masquerading: Masquerade Task or Service
Defense Evasion | T1036.005 | Masquerading: Match Legitimate Resource Name or Location
Command and Control | T1571 | Non-Standard Port
Defense Evasion | T1027 | Obfuscated Files or Information
Defense Evasion | T1027.003 | Obfuscated Files or Information: Steganography
Defense Evasion | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File
Defense Evasion | T1027.016 | Obfuscated Files or Information: Junk Code Insertion
Resource Development | T1588.001 | Obtain Capabilities: Malware
Resource Development | T1588.002 | Obtain Capabilities: Tool
Initial Access | T1566.001 | Phishing: Spearphishing Attachment
Initial Access | T1566.002 | Phishing: Spearphishing Link
Privilege Escalation | T1055.012 | Process Injection: Process Hollowing
Execution | T1053.005 | Scheduled Task/Job: Scheduled Task
Reconnaissance | T1593 | Search Open Websites/Domains
Defense Evasion | T1684.001 | Social Engineering: Impersonation
Resource Development | T1608.001 | Stage Capabilities: Upload Malware
Execution | T1204.001 | User Execution: Malicious Link
Execution | T1204.002 | User Execution: Malicious File
Execution | T1047 | Windows Management Instrumentation