BlindEagle Targets Colombian Government Agency With Caminho and DCRAT

    Date: 12/19/2025

    Severity: High

    Summary

    BlindEagle launched a spear-phishing campaign targeting a Colombian government agency under the Ministry of Commerce, Industry and Tourism (MCIT), using emails sent from a compromised internal account to bypass security controls. The attack leveraged fake web portals, layered JavaScript and PowerShell, steganography, and the Caminho downloader to ultimately deploy DCRAT, reflecting an evolution toward more complex, multi-stage attack chains.

    Indicators of Compromise (IOC) List

    URL / Domain

    https://archive.org/download/optimized_msi_20250821/optimized_MSI.png

    startmenuexperiencehost.ydns.eu

    Hash


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "https://archive.org/download/optimized_msi_20250821/optimized_MSI.png" or siteurl like "https://archive.org/download/optimized_msi_20250821/optimized_MSI.png" or url like "https://archive.org/download/optimized_msi_20250821/optimized_MSI.png" or domainname like "startmenuexperiencehost.ydns.eu" or siteurl like "startmenuexperiencehost.ydns.eu" or url like "startmenuexperiencehost.ydns.eu"

    Detection Query 2:

    md5hash IN ("bbb99dfd9bf3a2638e2e9d13693c731c","97adb364d695588221d0647676b8e565","d80237d48e1bbc2fdda741cbf006851a","961ebce4327b18b39630bfc4edb7ca34","4284e99939cebf40b8699bed31c82fd6","9799484e3942a6692be69aec1093cb6c","c98eb5fcddf0763c7676c99c285f6e80")

    Detection Query 3:

    sha1hash IN ("b3fb8a805d3acc2eda39a83a14e2a73e8b244cf4","4397920a0b08a31284aff74a0bed9215d5787852","38b0e360d58d4ddb17c0a2c4d97909be43a3adc0","722a4932576734a08595c7196d87395e6ec653d7","3983a5b4839598ba494995212544da05087b811b","21e95fed5fc5c4a10fafbc3882768cce1f6cd7af","3ab2aa4e9a7a8abcf1ea42b51152f6bb15a1b3c5")

    Detection Query 4:

    sha256hash IN ("e7666af17732e9a3954f6308bc52866b937ac67099faa212518d5592baca5d44","d0fe6555bc72a7a45a836ea137850e6e687998eb1c4465b8ad1fb6119ff882ab","c208d8d0493c60f14172acb4549dcb394d2b92d30bcae4880e66df3c3a7100e4","03548c9fad49820c52ff497f90232f68e044958027f330c2c51c80f545944fc1","08a5d0d8ec398acc707bb26cb3d8ee2187f8c33a3cbdee641262cfc3aed1e91d","8f3dc1649150961e2bac40d8dabe5be160306bcaaa69ebe040d8d6e634987829","d139bfe642f3080b461677f55768fac1ae1344e529a57732cc740b23e104bff0")

    Reference:

    https://www.zscaler.com/blogs/security-research/blindeagle-targets-colombian-government-agency-caminho-and-dcrat


    Tags: Malware, Threat Actor, BLIND EAGLE, Phishing, Spear Phishing, Colombia, Government Services and Facilities, RAT
