
Security Research

BlindEagle Targets Colombian Government Agency with Caminho and DCRAT

GAETANO PELLEGRINO
December 16, 2025 - 13 min read

Introduction

In early September 2025, Zscaler ThreatLabz discovered a new spear phishing campaign attributed to BlindEagle, a threat actor who operates in South America and targets users in Spanish-speaking countries, such as Colombia. In this campaign, BlindEagle targeted a government agency under the control of the Ministry of Commerce, Industry and Tourism (MCIT) in Colombia using a phishing email sent from what appears to be a compromised account within the same organization. 

In this blog post, ThreatLabz explores the attack chain and analyzes the techniques employed, including the use of a fake web portal, nested JavaScript and PowerShell scripts, steganography to conceal malicious payloads, Caminho as a downloader, and DCRAT as the final payload.

Key Takeaways

  • BlindEagle continues to target Colombian institutions, including agencies under the Ministry of Commerce, Industry and Tourism (MCIT).
  • The attack started with a phishing email that was likely sent from a compromised account within the targeted organization to abuse trust and bypass email security controls.
  • Evidence suggests BlindEagle may have started using Caminho, a downloader malware likely sold in underground marketplaces.
  • BlindEagle has evolved their attack chains from deploying a single malware strain to a more sophisticated, multi-layer flow, with Caminho acting as a downloader for a Remote Access Trojan (RAT) payload, which in this case is DCRAT.

Technical Analysis

The following sections explore how BlindEagle’s campaign leverages in-memory scripts, legitimate internet services like Discord, steganography, and the deployment of Caminho and DCRAT. The analysis breaks down the methods and tools used in the attack to provide a clear understanding of the execution flow.

Attack chain

The figure below summarizes the attack chain from the initial phishing email to the final payload.

Figure 1: A high-level overview of the BlindEagle attack chain leading to the execution of Caminho and DCRAT.

Compromised email

BlindEagle’s attack began with a phishing email targeting a shared email address likely used and monitored by the IT team of the organization. The phishing email was sent from another shared email address belonging to the same agency, making it appear legitimate and increasing its chances of being acted upon. ThreatLabz analyzed the email metadata and the configuration of the email domain, and found the following:

  • The sender and receiver domains were properly configured for email security protocols (DMARC, DKIM, and SPF). No evident flaws were observed.
  • The trajectory of the phishing email from sender to recipient appeared legitimate and did not include any suspicious hops. All the “Received” headers referenced servers belonging to Microsoft 365 / Exchange, including the originating server.
  • Despite the Microsoft 365 servers being authorized by the SPF policy, the DMARC, DKIM, and SPF checks were not applied to the email.

Based on these observations, ThreatLabz assesses that the attacker controlled the sender’s email account and used it to deliver a phishing attempt to another address within the same organization. DKIM and SPF checks were likely not applied because the message was handled entirely within the organization’s Microsoft 365 tenant.
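The three observations above translate directly into a header triage routine. The following Python script is an added example, not part of the original post or of any Zscaler tooling: it builds a constructed message that mirrors the observed pattern (same-domain sender and recipient, a Received chain made up only of Microsoft 365 hosts, no Authentication-Results header, and an SVG attachment) and flags it for manual review. The Microsoft 365 host suffixes, the invented hostnames and addresses, and the use of a missing Authentication-Results header as the signal that SPF/DKIM/DMARC were not evaluated are all assumptions made for this example.

```python
import re
from email.message import EmailMessage

# Hop suffixes treated as "inside Microsoft 365" (an assumption for this example).
M365_SUFFIXES = (".prod.outlook.com", ".protection.outlook.com")
HOP_RE = re.compile(r"\b(?:from|by)\s+([\w.-]+)", re.I)


def build_sample() -> EmailMessage:
    """Constructed message modelled on the observations above; not the real email."""
    msg = EmailMessage()
    msg["Received"] = ("from ABC1.prod.outlook.com (2603:10a6:1::1) by XYZ2.prod.outlook.com "
                       "with HTTPS; Mon, 1 Sep 2025 09:00:00 +0000")
    msg["Received"] = ("from DEF3.prod.outlook.com (2603:10a6:2::1) by ABC1.prod.outlook.com "
                       "with Microsoft SMTP Server; Mon, 1 Sep 2025 08:59:58 +0000")
    msg["From"] = "soporte@agency.example"
    msg["To"] = "ti@agency.example"
    msg["Subject"] = "NOTIFICACION DE ADMISION DEMANDA LABORAL"
    msg.set_content("Agradecemos confirmar recibido.")
    msg.add_attachment(b"<svg xmlns='http://www.w3.org/2000/svg'></svg>",
                       maintype="image", subtype="svg+xml",
                       filename="NOTIFICACION.svg")
    return msg


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].strip(" >").lower()


def all_hops_in_m365(msg: EmailMessage) -> bool:
    """True when every 'from'/'by' host in every Received header is a Microsoft 365 host."""
    received = [str(h) for h in msg.get_all("Received", [])]
    if not received:
        return False
    names = [n for h in received for n in HOP_RE.findall(h)]
    return bool(names) and all(n.lower().endswith(M365_SUFFIXES) for n in names)


def triage(msg: EmailMessage) -> dict:
    findings = {
        "same_domain": domain_of(str(msg["From"])) == domain_of(str(msg["To"])),
        "path_inside_m365": all_hops_in_m365(msg),
        # Assumption: a message that was never evaluated by SPF/DKIM/DMARC carries
        # no Authentication-Results header.
        "auth_results_present": msg.get("Authentication-Results") is not None,
        "attachments": [p.get_filename() for p in msg.iter_attachments()],
    }
    # The combination seen in this campaign: intra-tenant mail that never left
    # Microsoft 365, carried no authentication verdict, and delivered an SVG attachment.
    findings["review"] = (findings["same_domain"]
                          and findings["path_inside_m365"]
                          and not findings["auth_results_present"]
                          and any(n and n.lower().endswith(".svg") for n in findings["attachments"]))
    return findings


if __name__ == "__main__":
    print(triage(build_sample()))
```

A message that does carry an Authentication-Results header with passing verdicts is not flagged, so the check isolates exactly the "internal mail that skipped authentication" case rather than every same-domain message.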

Fraudulent web portal

The phishing email used a legal-themed design to lure the recipient. The email was created to appear as an official message from the Colombian judicial system, referencing a labor lawsuit with an authentic-sounding case number and date. The email pressures the recipient to confirm receipt immediately, leveraging authority, fear of legal consequences, and confidentiality warnings to trick the recipient into taking an action, namely opening the attachment.

The figure below shows the SVG image attached to the phishing email. 

Figure 2: The SVG attachment included in BlindEagle’s phishing email.

The image above is fully clickable, and when clicked, a Base64-encoded HTML page embedded within the SVG image is decoded and opened in a new tab. 

As shown in the figure below, the HTML page mimics an official web portal from the Colombian judicial branch.

Figure 3: Fraudulent web portal presented to the user during BlindEagle’s attack.

The fraudulent web portal is designed to deliver a JavaScript file named ESCRITO JUDICIAL AGRADECEMOS CONFIRMAR RECIBIDO NOTIFICACION DE ADMISION DEMANDA LABORAL ORDINARIA E S D.js, which downloads automatically a few seconds after the user opens the portal.

JavaScript files and PowerShell command

After the user double-clicks on the fraudulent receipt downloaded from the fraudulent web portal, a file-less attack chain composed of three JavaScript code snippets followed by a PowerShell command is initiated.

The first two JavaScript files share the same structure and purpose: deobfuscating and executing the next step. Each script begins by defining a long array of integers that represents the obfuscated payload. This array is then processed using a simple deobfuscation algorithm, which reconstructs the executable code and launches the next script in the chain.

A Python translation of this deobfuscation algorithm is provided in the code sample below.

from typing import List

def int_to_char(i: int) -> str:
    # Like chr(), but surrogate code points (U+D800 to U+DFFF) are skipped
    # because they cannot appear in a valid string on their own.
    return "" if 0xD800 <= i <= 0xDFFF else chr(i)

def deobfuscate(obf_code: List[int], step: int) -> str:
    deobf_code = ""
    for i in obf_code:
        # Every integer was shifted by a fixed step; subtracting it restores the character.
        c = int_to_char(i - step)
        deobf_code += c
    return deobf_code

The third stage JavaScript file introduces added complexity by intermixing the executable code with sections containing Unicode-based comments. 

As illustrated in the figure below, the deobfuscation procedure used in this step differs from the techniques applied in the previous scripts. To obtain the final payload, two replacement steps are performed. These steps strip out sequences of Unicode characters embedded in a dynamically composed string.

Figure 4: Excerpt of the last JavaScript stage executed along the attack chain.

The goal of the third JavaScript stage is to execute a PowerShell command. Specifically, it leverages Windows Management Instrumentation (WMI) to obtain a Win32_Process instance. The PowerShell command is executed via the Create() method of the Win32_Process object, while the ShowWindow property of the Win32_ProcessStartup object is set to zero.
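A process started through Win32_Process.Create is created by the WMI provider host, so on the endpoint the PowerShell command appears as a child of WmiPrvSE.exe rather than of the script host that ran the JavaScript. The following Python detection is an added example, not from the original post or from Zscaler: it runs over constructed Sysmon-like process-creation events (field names and values are invented for the example) and flags PowerShell spawned by WmiPrvSE.exe, raising the severity when a script host launched a .js file on the same machine shortly before.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events in a Sysmon-like shape (field names assumed,
# values invented); they are not telemetry from the incident described above.
EVENTS = [
    {"ts": "2025-09-03T10:15:02", "host": "WS01",
     "image": r"C:\Windows\System32\wscript.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\u\Downloads\NOTIFICACION.js"'},
    {"ts": "2025-09-03T10:15:04", "host": "WS01",
     "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": "WmiPrvSE.exe -secured -Embedding"},
    {"ts": "2025-09-03T10:15:05", "host": "WS01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": "powershell.exe <constructed placeholder for the downloader command>"},
    # Benign interactive PowerShell on another host: must not alert.
    {"ts": "2025-09-03T11:00:00", "host": "WS02",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
WMI_HOST = "wmiprvse.exe"
WINDOW = timedelta(seconds=60)   # assumed correlation window
JS_ARG = re.compile(r"\.jse?\b", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: list) -> list:
    """Flag PowerShell whose parent is the WMI provider host; mark it high severity
    when a script host ran a .js/.jse file on the same machine within WINDOW before."""
    by_host = {}
    for e in events:
        by_host.setdefault(e["host"], []).append(e)
    alerts = []
    for host, evs in by_host.items():
        evs = sorted(evs, key=lambda e: e["ts"])
        js_runs = [datetime.fromisoformat(e["ts"]) for e in evs
                   if basename(e["image"]) in SCRIPT_HOSTS and JS_ARG.search(e["cmdline"])]
        for e in evs:
            if basename(e["image"]) in SHELLS and basename(e["parent"]) == WMI_HOST:
                t = datetime.fromisoformat(e["ts"])
                preceded = any(timedelta(0) <= t - s <= WINDOW for s in js_runs)
                alerts.append({
                    "host": host,
                    "ts": e["ts"],
                    "severity": "high" if preceded else "medium",
                    "reason": "PowerShell child of WmiPrvSE.exe"
                              + (" shortly after a .js script host launch" if preceded else ""),
                })
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a)
```

The parent/child relationship is the durable signal here: the JavaScript obfuscation and the PowerShell command text change between campaigns, but a PowerShell process parented by WmiPrvSE.exe on a workstation is rare enough to review on its own, and the preceding script-host launch turns it into a high-confidence match for this chain.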

The decoded PowerShell is shown in the figure below.

Figure 5: Decoded BlindEagle PowerShell command.

This command is designed to download an image file from the Internet Archive. Once downloaded, the script carves out a Base64-encoded payload embedded between two specific markers: BaseStart- and -BaseEnd. An example of the first marker is shown in the figure below.

Figure 6: Content deobfuscated by the PowerShell command.

After isolating the payload, the script decodes it from Base64 and dynamically loads it as a .NET assembly using reflection. This process culminates with the invocation of the VAI method within the ClassLibrary1.Home class of the loaded assembly.

Caminho

ThreatLabz identified the assembly loaded by the PowerShell command in the attack chain as a malware downloader known as Caminho (also known as VMDetectLoader), which can be traced back to May 2025. BlindEagle was one of the early adopters of Caminho, likely using it in a campaign documented in June 2025. Since that time, Caminho has been utilized by several threat actors to deliver a variety of malware, including XWorm.

Evidence suggests that Caminho may have originated within the Brazilian cybercriminal ecosystem. Two key factors support this hypothesis:

  • The widespread use of this malware in attacks against Brazilian organizations.
  • The presence of Portuguese words in the malware’s code, including argument names as shown below. 
public static void VAI(
 string QBXtX, 
 string startupreg, 
 string caminhovbs, 
 string namevbs, 
 string netframework, 
 string nativo, 
 string nomenativo, 
 string persitencia, 
 string url, 
 string caminho, 
 string nomedoarquivo, 
 string extençao, 
 string minutos, 
 string startuptask, 
 string taskname, 
 string vmName, 
 string startup_onstart
)

The export VAI invoked by the PowerShell script contains arguments written in Portuguese, such as “caminho” meaning “path” and hence the malware’s name.

The codebase of the sample analyzed by ThreatLabz is heavily obfuscated, featuring techniques such as code flattening, junk code, and anti-debugging measures.

The main purpose of the VAI method is to download a text file named AGT27.txt from the following Discord URL:

hXXps://cdn.discordapp[.]com/attachments/1402685029678579857/1410251798123511808/AGT27.txt?ex=68b056d5&is=68af0555&hm=3ef2cf8f65a9a6f4955ecd0292af0cd68e65864907d07543c416ab28a2acfa6d&

The URL is obfuscated by being Base64-encoded and then reversed before being passed to the VAI method. Caminho deobfuscates the URL and downloads AGT27.txt using System.Net.WebClient.DownloadString(). It is worth noting that the file never touches the disk; instead, it is loaded directly in memory.

Once the file is downloaded, AGT27.txt, which contains Base64-encoded and reversed content, is deobfuscated by Caminho. The decoded payload is then executed using a technique known as process hollowing, where a legitimate Windows utility, MSBuild.exe, is launched and hollowed out to host the malicious code. The payload injected in this case is a DCRAT executable.
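Two encoding layers are described on this page: the Base64 payload carved from the image between the BaseStart- and -BaseEnd markers (the PowerShell stage above), and the reverse-then-Base64 layering applied to the Discord URL and to AGT27.txt (this section). The following Python triage helper is an added example, not code from the original post or from Zscaler: it undoes both layers on constructed inputs and checks whether what comes out is a PE image, which is what an analyst wants to know before loading a carved blob into a .NET decompiler. The sample image bytes, the sample text, and the stand-in PE header are all constructed here and are not the real artifacts.

```python
import base64
import re
from typing import Optional

# Markers named on the page; the payload sits between them as Base64 text.
START, END = b"BaseStart-", b"-BaseEnd"
MARKER_RE = re.compile(re.escape(START) + rb"(.*?)" + re.escape(END), re.S)


def carve_marker_payload(blob: bytes) -> Optional[bytes]:
    """Return the Base64 text found between the markers, decoded, or None if absent."""
    m = MARKER_RE.search(blob)
    if not m:
        return None
    return base64.b64decode(m.group(1))


def decode_reversed_base64(text: str) -> bytes:
    """Undo the 'Base64-encode, then reverse the string' layering."""
    return base64.b64decode(text.strip()[::-1])


def is_pe(data: bytes) -> bool:
    """Cheap PE check: 'MZ' signature plus an e_lfanew that points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def fake_pe() -> bytes:
    """Constructed stand-in for an assembly: just enough header to satisfy is_pe()."""
    header = b"MZ" + b"\0" * (0x3C - 2) + (0x40).to_bytes(4, "little")
    return header + b"PE\0\0" + b"\0" * 60


def build_sample_image() -> bytes:
    """Constructed PNG-like file with a marker-delimited Base64 payload inside it."""
    return (b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
            + START + base64.b64encode(fake_pe()) + END + b"\xff" * 16)


def build_sample_text() -> str:
    """Constructed stand-in for AGT27.txt: Base64 of the payload, reversed."""
    return base64.b64encode(fake_pe()).decode()[::-1]


def triage(image: bytes, text: str) -> dict:
    carved = carve_marker_payload(image)
    inner = decode_reversed_base64(text)
    return {
        "image_has_pe": carved is not None and is_pe(carved),
        "carved_size": len(carved) if carved else 0,
        "text_has_pe": is_pe(inner),
        "text_size": len(inner),
    }


if __name__ == "__main__":
    print(triage(build_sample_image(), build_sample_text()))
```

Because neither layer involves a key, the same two functions apply to any sample that reuses this loader; the `is_pe` check is deliberately minimal and should be followed by a proper parser once a candidate has been carved.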

DCRAT

The final stage of the attack chain delivers DCRAT, an open-source RAT developed in C# that offers a variety of features including keylogging, disk access, and more. It is one of the more prevalent variants of AsyncRAT, but distinguishes itself with new capabilities, such as patching Microsoft’s Antimalware Scan Interface (AMSI) to evade detection.

In this campaign, the DCRAT configuration is encrypted using AES-256 encryption, with a symmetric key of aPZ0ze9qOhazFFqspYVRZ8BW14nGuRUe. Additionally, the configuration includes a certificate having two critical functions:

  1. The certificate is used to ensure the integrity of the configuration and prevent tampering. This particular feature is also present in DCRAT’s publicly available source code.
  2. The certificate is a key component for C2 server authentication. This functionality is not part of DCRAT’s original source code and was added later.

The use of certificate-based server authentication allowed ThreatLabz to identify 24 hosts worldwide that expose a certificate with the same issuer, as listed in the table below.

ANALYST NOTE: Only a subset of these hosts is likely part of the infrastructure operated by the threat actor behind this attack, as DCRAT is an open-source malware available for general use.

45.74.34.32
45.133.180.138
45.133.180.154
45.153.34.67
46.246.6.9
74.124.24.240
83.147.37.31
103.20.102.130
103.20.102.151
103.186.108.212
103.236.70.158
104.194.154.39
146.70.49.42
146.70.215.50
178.16.54.45
179.13.4.196
179.13.11.235
181.131.217.135
181.206.158.190
181.235.3.119
185.18.222.5
191.91.178.101
191.93.118.254
203.104.42.92

Table 1: List of hosts exposing an X.509 certificate issued by the same source as the certificate embedded in the DCRAT sample used by BlindEagle.

Threat Attribution

ThreatLabz attributes this attack to BlindEagle, with medium confidence, based on the following factors.

  • Infrastructure: Since its first registration, the C2 domain for DCRAT consistently resolves to Swedish IP addresses under ASN 42708 (GleSYS AB). BlindEagle is known for utilizing infrastructure from this hosting provider. Additionally, the use of Dynamic DNS (DDNS) services is a documented preference of the threat actor. The provider ydns[.]eu, a DDNS service used in this campaign, has been previously employed by BlindEagle.
  • Victimology: Colombia is the primary target of BlindEagle’s operations. The threat actor has a documented history of targeting Colombian government entities and institutions.
  • Phishing lure: BlindEagle frequently utilizes legal themes in its phishing campaigns. Recent campaigns have impersonated the Rama Judicial de Colombia (Judicial Branch of Colombia), further aligning with the group’s known tactics.
  • Tooling: Caminho has been previously documented as being used by the threat actor known as Hive0131, where it was referred to as VMDetectLoader. Hive0131 shares extensive TTPs and indicators with BlindEagle. In addition, BlindEagle has a history of deploying .NET-based malware. Known examples include AsyncRAT variants and other .NET tools such as Remcos. The use of these tools reflects BlindEagle’s consistent preference for .NET malware. Moreover, BlindEagle’s tactics often incorporate legitimate services, such as Discord, to host artifacts, alongside steganography to conceal payloads.
  • Language: Caminho’s main method contains argument names written in Portuguese, reinforcing the hypothesis that this malware was developed by Portuguese-speaking developers. BlindEagle is known to have previously used tools (such as crypters) distributed by individuals associated with the Portuguese-speaking cybercriminal community in past operations.

Conclusion

Zscaler ThreatLabz identified a malware campaign by BlindEagle targeting a Colombian government agency under the control of MCIT using an email account that was likely compromised. The attack involved in-memory scripts, Discord to host the DCRAT malware payload, steganography, and Caminho. ThreatLabz continues to actively monitor BlindEagle’s activity to protect its customers.

Zscaler Coverage

Zscaler’s multilayered cloud security platform detects indicators related to DCRAT at various levels. The figure below depicts the Zscaler Cloud Sandbox, showing detection details for DCRAT.

Figure 7: Zscaler Cloud Sandbox report for the DCRAT sample, which is part of the AsyncRAT malware family.

In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to BlindEagle at various levels with the following threat names:

Indicators Of Compromise (IOCs)

Indicator | Description
961ebce4327b18b39630bfc4edb7ca34 | MD5 hash of the JavaScript file.
3983a5b4839598ba494995212544da05087b811b | SHA1 hash of the JavaScript file.
d0fe6555bc72a7a45a836ea137850e6e687998eb1c4465b8ad1fb6119ff882ab | SHA256 hash of the JavaScript file.
d80237d48e1bbc2fdda741cbf006851a | MD5 hash of the SVG attachment.
722a4932576734a08595c7196d87395e6ec653d7 | SHA1 hash of the SVG attachment.
8f3dc1649150961e2bac40d8dabe5be160306bcaaa69ebe040d8d6e634987829 | SHA256 hash of the SVG attachment.
c98eb5fcddf0763c7676c99c285f6e80 | MD5 hash of the fraudulent web portal.
3ab2aa4e9a7a8abcf1ea42b51152f6bb15a1b3c5 | SHA1 hash of the fraudulent web portal.
03548c9fad49820c52ff497f90232f68e044958027f330c2c51c80f545944fc1 | SHA256 hash of the fraudulent web portal.
4284e99939cebf40b8699bed31c82fd6 | MD5 hash of the PNG image.
21e95fed5fc5c4a10fafbc3882768cce1f6cd7af | SHA1 hash of the PNG image.
08a5d0d8ec398acc707bb26cb3d8ee2187f8c33a3cbdee641262cfc3aed1e91d | SHA256 hash of the PNG image.
9799484e3942a6692be69aec1093cb6c | MD5 hash of the Caminho instance.
b3fb8a805d3acc2eda39a83a14e2a73e8b244cf4 | SHA1 hash of the Caminho instance.
c208d8d0493c60f14172acb4549dcb394d2b92d30bcae4880e66df3c3a7100e4 | SHA256 hash of the Caminho instance.
bbb99dfd9bf3a2638e2e9d13693c731c | MD5 hash of the text file.
4397920a0b08a31284aff74a0bed9215d5787852 | SHA1 hash of the text file.
d139bfe642f3080b461677f55768fac1ae1344e529a57732cc740b23e104bff0 | SHA256 hash of the text file.
97adb364d695588221d0647676b8e565 | MD5 hash of the DCRAT instance.
38b0e360d58d4ddb17c0a2c4d97909be43a3adc0 | SHA1 hash of the DCRAT instance.
e7666af17732e9a3954f6308bc52866b937ac67099faa212518d5592baca5d44 | SHA256 hash of the DCRAT instance.
hXXps://archive[.]org/download/optimized_msi_20250821/optimized_MSI.png' | Download URL for the PNG image.
startmenuexperiencehost[.]ydns.eu | DCRAT C2 domain.


MITRE ATT&CK Framework

ID | Technique | Annotation
T1583.001 | Acquire Infrastructure: Domains | BlindEagle used the ydns[.]eu DDNS service for the C2 domain.
T1586.002 | Compromise Accounts: Email Accounts | Most likely, BlindEagle compromised an email account belonging to the targeted organization to send a phishing message.
T1588.001 | Obtain Capabilities: Malware | BlindEagle employed Caminho, a downloader sold through a MaaS offering, and the open-source RAT known as DCRAT.
T1608.001 | Stage Capabilities: Upload Malware | BlindEagle staged an obfuscated instance of DCRAT on Discord.
T1566.001 | Phishing: Spearphishing Attachment | BlindEagle attempted to gain initial access to the victim’s system by using a phishing email bearing a clickable SVG image.
T1059.001 | Command and Scripting Interpreter: PowerShell | BlindEagle used a PowerShell command to download and execute Caminho.
T1059.007 | Command and Scripting Interpreter: JavaScript | BlindEagle’s attack chain included nested JavaScript snippets leading to the execution of a PowerShell command.
T1204.001 | User Execution: Malicious Link | The attack chain requires the user to click on an SVG image at the beginning stages.
T1204.002 | User Execution: Malicious File | The attack chain requires the user to open a JavaScript file to reach the final stages.
T1047 | Windows Management Instrumentation | The last JavaScript snippet in the attack chain makes use of WMI to execute a PowerShell command.
T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | DCRAT is capable of setting persistence via a Run key if executed by an unprivileged user.
T1053.005 | Scheduled Task/Job: Scheduled Task | DCRAT is capable of setting persistence via scheduled tasks.
T1140 | Deobfuscate/Decode Files or Information | Multiple stages in the attack chain are composed of Base64-encoded payloads.
T1562.001 | Impair Defenses: Disable or Modify Tools | DCRAT ships with an AMSI bypass technique for both 32- and 64-bit operating systems.
T1027.003 | Obfuscated Files or Information: Steganography | Caminho is hidden in encoded form within a PNG image.
T1027.010 | Obfuscated Files or Information: Command Obfuscation | At several stages, BlindEagle obfuscates JavaScript and PowerShell code snippets either by encoding them in Base64 or using other custom obfuscation methods.
T1027.017 | Obfuscated Files or Information: SVG Smuggling | BlindEagle hid a fraudulent web portal inside an SVG image using obfuscation.
T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Caminho was stored as a text file encoded in reversed Base64.
T1055.012 | Process Injection: Process Hollowing | Caminho executes a further payload (DCRAT) by hollowing an MSBuild.exe process.
T1497.001 | Virtualization/Sandbox Evasion: System Checks | When configured, DCRAT attempts to detect sandbox environments by examining the WMI system cache memory descriptions.
T1095 | Non-Application Layer Protocol | DCRAT communications to and from the C2 server happen via socket-based channels.
T1105 | Ingress Tool Transfer | DCRAT supports the installation and execution of additional plugins in the form of DLLs.
