Beyond Phishing: A Closer Look at Blind Eagle’s New, More Stealthy Attacks
The APT-C-36 group (Blind Eagle) intensified its operations in May 2025, focusing attacks on Colombian government institutions and major corporations, as well as on organizations in other South American countries, including Ecuador, Chile, and Panama. Active since at least 2018, the group is notorious for targeted phishing campaigns against the financial and insurance sectors. In its latest operation, however, it employed more advanced anti-analysis methods for the first time: multi-layered anti-virtualization checks and heavy code obfuscation, which make both automated sandbox analysis and manual reverse engineering considerably harder.
The infection chain begins with the distribution of phishing emails containing SVG attachments themed around the Colombian judicial system. Each file embeds a Bitbucket link and a password for an archive that holds an executable file along with three libraries. Two of these libraries are legitimate GitKraken components, while the third—libnettle-8.dll—is malicious. Executing the EXE triggers a side-loading mechanism, which loads the rogue DLL. Once executed, the malicious code employs deceptive control structures and control-flow flattening techniques to complicate analysis.
The malware then conducts low-level environment checks through CPUID and calls to kernelbase.EnumSystemFirmwareTables to determine if it is running inside a virtual machine. If virtualization is detected, the program terminates. Otherwise, it collects a broad range of system information: computer and user names, OS version, hardware details, local IP address, directory listings, and the installed .NET Framework version. It creates a directory at %USERPROFILE%\SystemRootDoc, copies its files there, and establishes persistence via a registry entry under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
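The firmware-table side of that check is easy to reproduce. The script below is an added example written for this page, not code from the Blind Eagle sample: it reads the raw SMBIOS table (the 'RSMB' provider exposed by the Windows firmware-table APIs, fetched here with GetSystemFirmwareTable) and scans its strings for hypervisor vendor names. The report does not say which table or which strings the malware inspects, so the marker list is an assumption, and the two embedded tables are constructed so the parser can be exercised on any platform.

```python
"""Parse a raw SMBIOS ('RSMB') firmware table and flag virtual-machine vendor strings.

Added example for this write-up; it is not code from the Blind Eagle sample.
The marker list below is our assumption of what such a check looks for.
"""
import struct
import sys

# Substrings hypervisors commonly place in SMBIOS type 0/1 strings (assumption).
VM_MARKERS = ("vmware", "virtualbox", "innotek", "qemu", "bochs", "xen",
              "kvm", "parallels", "virtual machine", "virtual platform")


def smbios_strings(raw):
    """Yield (structure_type, string) for every string in an RSMB table payload.

    Layout: 8-byte RawSMBIOSData header (Used20CallingMethod, major, minor,
    DmiRevision, DWORD Length) followed by SMBIOS structures.  Each structure
    is a 4-byte header (type, length, handle), `length` bytes of formatted
    data, then NUL-terminated strings; the string set ends with a double NUL.
    """
    if len(raw) < 8:
        return
    table_len = struct.unpack_from("<I", raw, 4)[0]
    data = raw[8:8 + table_len]
    off = 0
    while off + 4 <= len(data):
        stype, slen = data[off], data[off + 1]
        if slen < 4:
            break                      # malformed header: stop rather than loop
        pos = off + slen               # first byte after the formatted area
        term = data.find(b"\x00\x00", pos)
        if term < 0:
            break                      # truncated string set
        for s in data[pos:term].split(b"\x00"):
            if s:
                yield stype, s.decode("latin-1", "replace")
        if stype == 127:               # End-of-Table structure
            break
        off = term + 2


def vm_indicators(raw):
    """Return [(structure_type, string)] for every string matching a VM marker."""
    return [(t, s) for t, s in smbios_strings(raw)
            if any(m in s.lower() for m in VM_MARKERS)]


def read_rsmb_table():
    """Fetch the live SMBIOS table on Windows via kernel32!GetSystemFirmwareTable."""
    import ctypes
    k32 = ctypes.windll.kernel32
    rsmb = 0x52534D42                  # provider signature 'RSMB'
    size = k32.GetSystemFirmwareTable(rsmb, 0, None, 0)
    if size == 0:
        return b""
    buf = ctypes.create_string_buffer(size)
    k32.GetSystemFirmwareTable(rsmb, 0, buf, size)
    return buf.raw


def _structure(stype, formatted, strings):
    """Build one SMBIOS structure (helper for the constructed samples)."""
    hdr = struct.pack("<BBH", stype, 4 + len(formatted), 0)
    body = b"".join(s.encode() + b"\x00" for s in strings) + b"\x00"
    if not strings:
        body = b"\x00\x00"
    return hdr + formatted + body


def sample_tables():
    """Constructed RSMB payloads (not captured from real hosts)."""
    bios = _structure(0, bytes([1, 2]) + b"\x00\xe8" + bytes([3]) + bytes(13),
                      ["Phoenix Technologies LTD", "6.00", "11/12/2020"])
    sysinfo_fmt = bytes([1, 2, 3, 4]) + bytes(16) + bytes([6, 0, 0])
    vm_sys = _structure(1, sysinfo_fmt, ["VMware, Inc.", "VMware Virtual Platform",
                                         "None", "VMware-56 4d 00 00"])
    phys_sys = _structure(1, sysinfo_fmt, ["Dell Inc.", "OptiPlex 7090",
                                           "Not Specified", "7ABC123"])
    end = _structure(127, b"", [])

    def wrap(table):
        return struct.pack("<BBBBI", 0, 3, 2, 0, len(table)) + table

    return {"vmware_guest": wrap(bios + vm_sys + end),
            "physical": wrap(bios + phys_sys + end)}


if __name__ == "__main__":
    raw = read_rsmb_table() if sys.platform == "win32" else sample_tables()["vmware_guest"]
    hits = vm_indicators(raw)
    print("VM indicators:", hits if hits else "none")
```

On Windows the script reads the live table; elsewhere it parses the constructed VMware-style one. The CPUID half of the sample's check (the hypervisor-present bit in leaf 1) is not covered here.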
To deploy its main payload, the malware relies on process hollowing. It spawns processes such as AddInProcess32.exe, msbuild.exe, and InstallUtil.exe from the .NET Framework directory in a suspended state, writes its code into their address space using NtAllocateVirtualMemory, RtlAllocateHeap, and NtWriteVirtualMemory, and then resumes the threads, at which point the RAT module runs. All three hosts are Microsoft-signed binaries that ship with the .NET Framework, so the RAT executes under a trusted image name and path.
The final stage involves DcRAT, a widely used open-source remote access trojan written in C#. Its embedded configuration specifies an AES-256 key, port 3020, the command-and-control domain envio16-05.duckdns.org, a mutex name DcRatMutex_qwqdanchun, and the working directory %AppData%. In its default state, anti-debugging, anti-analysis, and VM-detection features are disabled, but these can be activated remotely by the server, allowing the malware to adapt dynamically to its environment.
DcRAT supports WMI-based virtualization checks, termination of analysis and security tools (ProcessHacker, Process Explorer, and Windows Defender processes), and alternative persistence mechanisms that work with or without administrative privileges. Its persistent connection to the C2 infrastructure gives the operator full control of the infected host and, when required, the ability to deploy additional modules.
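The persistence, hollowing and C2 behaviour described above gives a hunting team three concrete things to look for in endpoint telemetry. The script below is an added example for this page, not a detection rule from the report or from any product. The event schema, the user name, the loader file name and the sample events are all constructed, and the rules deliberately generalise the reported indicators (any unusual top-level folder under a profile as a Run target, any .NET Framework host process spawned from a user profile, any DuckDNS host reached by a .NET host or on port 3020) so that they survive a change of folder name or domain.

```python
"""Hunt endpoint telemetry for the persistence, hollowing and C2 pattern above.

Added example for this write-up, not a detection shipped by any vendor.  The
event schema and the sample events are constructed; the rules generalise the
reported indicators rather than matching only the exact strings.
"""
import ntpath
import re
from dataclasses import dataclass

DOTNET_HOSTS = {"addinprocess32.exe", "msbuild.exe", "installutil.exe"}
C2_DOMAIN = "envio16-05.duckdns.org"
C2_PORT = 3020
# HKCU as written in the report, or the HKU\<SID> form an endpoint agent usually logs.
RUN_KEY_RE = re.compile(r"^(hkcu|hku\\[^\\]+)\\software\\microsoft\\windows"
                        r"\\currentversion\\run$", re.I)
# Folders Windows itself creates under a profile; anything else at that level is unusual.
STANDARD_PROFILE_DIRS = {"appdata", "desktop", "documents", "downloads", "pictures",
                         "music", "videos", "onedrive", "favorites", "contacts",
                         "links", "searches", "saved games", "3d objects"}
PROFILE_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\([^\\]+)\\", re.I)


@dataclass
class Finding:
    rule: str
    event: dict


def run_value_in_odd_profile_dir(ev):
    """Run value whose target sits in a non-standard top-level profile folder."""
    if ev["type"] != "registry_set" or not RUN_KEY_RE.match(ev["key"]):
        return None
    m = re.match(r'^"?(.*?\.exe)', ev["data"], re.I)   # strip quotes and arguments
    target = m.group(1) if m else ev["data"]
    pm = PROFILE_RE.match(target)
    if pm and pm.group(1).lower() not in STANDARD_PROFILE_DIRS:
        return "run-key-target-in-nonstandard-profile-dir"
    return None


def dotnet_host_from_profile(ev):
    """A .NET Framework host binary started by something living in a user profile."""
    if ev["type"] != "process_create":
        return None
    if (ntpath.basename(ev["image"]).lower() in DOTNET_HOSTS
            and PROFILE_RE.match(ev["parent_image"])):
        return "dotnet-host-spawned-from-user-profile"
    return None


def duckdns_c2(ev):
    """DuckDNS traffic that matches the reported domain, port or host process."""
    if ev["type"] != "network_connect":
        return None
    host = ev["dest_host"].lower()
    if not host.endswith(".duckdns.org"):
        return None
    if (host == C2_DOMAIN or ev["dest_port"] == C2_PORT
            or ntpath.basename(ev["image"]).lower() in DOTNET_HOSTS):
        return "duckdns-c2-channel"
    return None


RULES = (run_value_in_odd_profile_dir, dotnet_host_from_profile, duckdns_c2)


def hunt(events):
    """Run every rule over every event; return the findings in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            name = rule(ev)
            if name:
                findings.append(Finding(name, ev))
    return findings


EVENTS = [  # constructed, in the order an endpoint agent might emit them
    {"type": "registry_set", "image": r"C:\Users\ana\SystemRootDoc\loader.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "SystemRootDoc", "data": r"C:\Users\ana\SystemRootDoc\loader.exe"},
    {"type": "process_create",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
     "parent_image": r"C:\Users\ana\SystemRootDoc\loader.exe"},
    {"type": "process_create",  # benign: Visual Studio driving a build
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
    {"type": "network_connect",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
     "dest_host": "envio16-05.duckdns.org", "dest_port": 3020},
    {"type": "network_connect",  # benign: a browser reaching someone's home server
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "myhome.duckdns.org", "dest_port": 443},
    {"type": "registry_set",  # benign: OneDrive autostart lives under AppData
     "image": r"C:\Users\ana\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "key": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive",
     "data": r'"C:\Users\ana\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f.rule, "<-", f.event.get("image"))
```

The three benign events show where each rule stops: a build tool launched by Visual Studio, a browser talking to an unrelated DuckDNS name on 443, and a Run value under AppData all pass. These are triage heuristics, not alert-grade rules; a developer launching msbuild.exe from a project checked out under Downloads will trip the second one.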
Attribution to APT-C-36 is supported by multiple overlapping indicators: the phishing themes and victimology, the use of process hollowing via msbuild.exe, deployment of DcRAT as the primary platform, and recurring infrastructure patterns—namely DuckDNS for C2 hosting and Bitbucket for malware distribution. What distinguishes this latest wave is the systematic adoption of anti-detection techniques not previously observed in the group’s campaigns, marking a notable escalation in its operational sophistication.