Security Experts:

Connect with us

Hi, what are you looking for?



South American Cyberspies Impersonate Colombian Government in Recent Campaign

The South American cyberespionage group Blind Eagle has been observed impersonating a Colombian government tax agency in recent attacks.

A South American cyberespionage group has been observed impersonating a Colombian government tax agency in recent attacks against key industries in the country, BlackBerry reports.

Tracked as APT-C-36 and Blind Eagle, the threat actor has been active since at least 2019, mainly focused on organizations in Colombia and Ecuador, but also targeting entities in Chile and Spain.

As part of a new campaign in late February, Blind Eagle was seen targeting Colombian organizations in the financial, health, immigration and law enforcement sectors, and a peace negotiation agency in the country.

The attack vector was a spear-phishing email with a PDF attachment, which uses the official email address of the Bogota Chamber of Commerce. To evade spam filters, the attackers used the ‘Bcc’ (Blind Carbon Copy) field instead of the ‘To’ field in their emails.

The message informs the recipient of alleged ‘outstanding obligations’, claiming they are behind with a tax payment and encouraging them to click on a link in the invoice, which is attached to the email as a password-protected PDF.

The link masquerades as the official URL for the website of Colombia’s Directorate of National Taxes and Customs, but instead redirects to a bogus website where the victim is encouraged to view another PDF, which initiates the download of a file from the Discord content delivery network (CDN).

Delivered in the form of a RAR archive, the file contains a VBS script that executes PowerShell code to ultimately infect the victim’s device with the AsyncRAT remote access trojan (RAT). Blind Eagle was also seen using njRAT, LimeRAT, QuasarRAT, and RemcosRAT in its attacks.

The threat actor uses Dynamic DNS (DDNS) services to connect their RATs to the command-and-control (C&C) infrastructure.

Previously seen attacks employed similar tactics, techniques & procedures (TTPs), with Blind Eagle impersonating other Colombian government branches and relying on password-protected ZIP or RAR archives to infect the intended victim with QuasarRAT.

“This campaign continues to operate for the purposes of information theft and espionage. The modus operandi used has mostly stayed the same as the group’s previous efforts – it is very simple, which may mean that this group is comfortable with its way of launching campaigns via phishing emails, and feels confident in using them because they continue to work,” BlackBerry concludes.

Related: Hackers Can Exploit GE Historian Vulnerabilities for ICS Espionage, Disruption

Related: Chinese Cyberspies Target Telecom Companies in America, Asia, Europe

Related: Enterprises in Americas, Europe Targeted With Valak Information Stealer

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


A newly identified threat actor tracked as NewsPenguin has been targeting military organizations in Pakistan with sophisticated malware.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...