Kaspersky’s Global Research and Analysis Team (GReAT) has uncovered new developments in the espionage activities of the BlindEagle Advanced Persistent Threat (APT) group. This group, also known as APT-C-36, has updated its tactics, including the introduction of a new espionage plugin and the use of Brazilian file-hosting sites during infections.

BlindEagle, active since 2018, is notorious for its targeted attacks on organizations and individuals in Latin America, particularly in Colombia. According to Kaspersky, the group has previously employed open-source Remote Access Trojans (RATs) such as njRAT, Lime-RAT, and BitRAT to spy on victims and steal financial information. However, their latest campaign demonstrates a significant evolution in their methods.

In May 2024, BlindEagle launched a campaign using an updated version of njRAT, extended with a plugin that can execute additional binaries and .NET assemblies on the infected host. This lets the group push further espionage modules after the initial infection and collect more sensitive data, such as keystrokes, webcam captures, and detailed system information.

Kaspersky researchers noted a shift in BlindEagle’s operations, with the malware dropper now containing artifacts in Portuguese, rather than the previously dominant Spanish. This suggests possible collaboration with external threat actors.

In June 2024 the group ran a separate campaign that used DLL sideloading, which is unusual for BlindEagle. In DLL sideloading, a malicious DLL is placed alongside a legitimate executable so that the executable loads it, letting the malicious code run under a trusted process. Victims were lured into downloading files disguised as legal documents, which led to the infection of their systems.
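The sideloading pattern described above has a simple detection heuristic: a DLL resolved from the host executable's own directory, outside a trusted install location, that is either unsigned next to a signed host or carries the name of a well-known system DLL. The script below is an added example and not code from Kaspersky or from the campaign; the log line format, the field names (modelled loosely on Sysmon image-load events), the trusted-directory list and the list of commonly spoofed DLL names are all assumptions, and the sample log lines are constructed.

```python
"""Heuristic DLL-sideloading detection over image-load telemetry.

Added example, not code from the original article. Log format, field names,
TRUSTED_PREFIXES and COMMONLY_SPOOFED are assumptions; SAMPLE_LOG is constructed.
"""
import ntpath
import re

# Directories where a legitimately installed DLL is expected to live (assumed list).
TRUSTED_PREFIXES = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",          # also covers "c:\program files (x86)"
)

# System DLL names often planted next to a legitimate EXE for sideloading (assumed list).
COMMONLY_SPOOFED = {"version.dll", "dbghelp.dll", "cryptbase.dll", "wtsapi32.dll", "userenv.dll"}

# Assumed log line layout: Image: <exe>; ImageLoaded: <dll>; ProcessSigned: <bool>; DllSigned: <bool>
LINE_RE = re.compile(
    r"Image:\s*(?P<image>[^;]+);\s*ImageLoaded:\s*(?P<dll>[^;]+);\s*"
    r"ProcessSigned:\s*(?P<psig>\w+);\s*DllSigned:\s*(?P<dsig>\w+)"
)


def parse_line(line):
    """Return a dict for a well-formed image-load line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "image": m["image"].strip(),
        "dll": m["dll"].strip(),
        "process_signed": m["psig"].strip().lower() == "true",
        "dll_signed": m["dsig"].strip().lower() == "true",
    }


def is_sideload_candidate(ev):
    """Apply the sideloading heuristic to one parsed event."""
    image_dir = ntpath.dirname(ev["image"]).lower()
    dll_dir = ntpath.dirname(ev["dll"]).lower()
    dll_name = ntpath.basename(ev["dll"]).lower()
    # The DLL must have been resolved from the executable's own directory...
    if image_dir != dll_dir:
        return False
    # ...and that directory must not be a trusted install location...
    if dll_dir.startswith(TRUSTED_PREFIXES):
        return False
    # ...and the DLL is either unsigned beside a signed host or spoofs a system DLL name.
    return (ev["process_signed"] and not ev["dll_signed"]) or dll_name in COMMONLY_SPOOFED


def find_sideload_candidates(lines):
    """Return the paths of DLLs that match the sideloading heuristic, in log order."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev and is_sideload_candidate(ev):
            hits.append(ev["dll"])
    return hits


# Constructed sample telemetry: one lure-style sideload, one spoofed-name sideload, three benign loads.
SAMPLE_LOG = [
    r"Image: C:\Users\victim\Downloads\Documento_Legal\viewer.exe; ImageLoaded: C:\Users\victim\Downloads\Documento_Legal\version.dll; ProcessSigned: true; DllSigned: false",
    r"Image: C:\Windows\System32\notepad.exe; ImageLoaded: C:\Windows\System32\version.dll; ProcessSigned: true; DllSigned: true",
    r"Image: C:\Program Files\Vendor\app.exe; ImageLoaded: C:\Program Files\Vendor\vendorlib.dll; ProcessSigned: true; DllSigned: true",
    r"Image: C:\Users\victim\AppData\Local\Temp\tool.exe; ImageLoaded: C:\Windows\System32\kernel32.dll; ProcessSigned: false; DllSigned: true",
    r"Image: C:\Users\victim\AppData\Local\Temp\tool.exe; ImageLoaded: C:\Users\victim\AppData\Local\Temp\dbghelp.dll; ProcessSigned: false; DllSigned: false",
]

if __name__ == "__main__":
    for dll in find_sideload_candidates(SAMPLE_LOG):
        print("possible DLL sideloading:", dll)
```

The heuristic is deliberately narrow: it only fires when the DLL comes from the executable's own directory, so legitimate application DLLs under Program Files and system DLLs loaded from System32 are ignored. In production the signed-status fields would come from the endpoint sensor, and the trusted-prefix and spoofed-name lists would be tuned to the environment.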

Kaspersky said 87% of the recent targets were in Colombia, affecting sectors including government, education, health, and transportation. Kaspersky’s findings underscore the evolving nature of cyber threats in the region.

Discover more from Back End News
