Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

South American Cyberspies Impersonate Colombian Government in Recent Campaign

The South American cyberespionage group Blind Eagle has been observed impersonating a Colombian government tax agency in recent attacks.

A South American cyberespionage group has been observed impersonating a Colombian government tax agency in recent attacks against key industries in the country, BlackBerry reports.

Tracked as APT-C-36 and Blind Eagle, the threat actor has been active since at least 2019, mainly focused on organizations in Colombia and Ecuador, but also targeting entities in Chile and Spain.

As part of a new campaign in late February, Blind Eagle was seen targeting Colombian organizations in the financial, health, immigration and law enforcement sectors, and a peace negotiation agency in the country.

The attack vector was a spear-phishing email with a PDF attachment, which uses the official email address of the Bogota Chamber of Commerce. To evade spam filters, the attackers used the ‘Bcc’ (Blind Carbon Copy) field instead of the ‘To’ field in their emails.

The message informs the recipient of alleged ‘outstanding obligations’, claiming they are behind with a tax payment and encouraging them to click on a link in the invoice, which is attached to the email as a password-protected PDF.

The link masquerades as the official URL for the website of Colombia’s Directorate of National Taxes and Customs, but instead redirects to a bogus website where the victim is encouraged to view another PDF, which initiates the download of a file from the Discord content delivery network (CDN).

Delivered in the form of a RAR archive, the file contains a VBS script that executes PowerShell code to ultimately infect the victim’s device with the AsyncRAT remote access trojan (RAT). Blind Eagle was also seen using njRAT, LimeRAT, QuasarRAT, and RemcosRAT in its attacks.

The threat actor uses Dynamic DNS (DDNS) services to connect their RATs to the command-and-control (C&C) infrastructure.

Advertisement. Scroll to continue reading.

Previously seen attacks employed similar tactics, techniques & procedures (TTPs), with Blind Eagle impersonating other Colombian government branches and relying on password-protected ZIP or RAR archives to infect the intended victim with QuasarRAT.

“This campaign continues to operate for the purposes of information theft and espionage. The modus operandi used has mostly stayed the same as the group’s previous efforts – it is very simple, which may mean that this group is comfortable with its way of launching campaigns via phishing emails, and feels confident in using them because they continue to work,” BlackBerry concludes.

Related: Hackers Can Exploit GE Historian Vulnerabilities for ICS Espionage, Disruption

Related: Chinese Cyberspies Target Telecom Companies in America, Asia, Europe

Related: Enterprises in Americas, Europe Targeted With Valak Information Stealer

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how the LOtL threat landscape has evolved, why traditional endpoint hardening methods fall short, and how adaptive, user-aware approaches can reduce risk.

Watch Now

Join the summit to explore critical threats to public cloud infrastructure, APIs, and identity systems through discussions, case studies, and insights into emerging technologies like AI and LLMs.

Register

People on the Move

Cloud security startup Upwind has appointed Rinki Sethi as Chief Security Officer.

SAP security firm SecurityBridge announced the appointment of Roman Schubiger as the company’s new CRO.

Cybersecurity training and simulations provider SimSpace has appointed Peter Lee as Chief Executive Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.