
Group ID: G0099 (MITRE ATT&CK)
Name: Blind Eagle
Aliases: APT-C-36
Type: Cyberespionage group
Targets: Financial sector, government, law enforcement
Malware: AsyncRAT, njRAT, custom droppers and loaders
Region: South America

IoCs on Maltiverse

Maltiverse provides updated IoCs for easy SIEM/SOAR/Firewall/EDR integration.

Who is Blind Eagle?

Blind Eagle (also tracked as APT-C-36) is a Spanish-speaking cyberespionage group operating out of South America. It has been active since at least 2015.

Its targeting is concentrated almost entirely on Colombia: government agencies, banks, and critical-infrastructure operators such as oil and gas companies. The group steals sensitive data for political and strategic ends rather than for direct financial gain.

Common Tactics and Tools

The group's primary initial-access technique is spear-phishing with lures tailored to each target. Emails impersonate the Attorney General's office or the tax authorities, and the attachments are disguised as legal documents, financial reports, or security alerts.

Blind Eagle runs multi-stage infection chains that mix publicly available and custom tooling:

  • Commodity RATs: the final payload is usually a public Remote Access Trojan such as AsyncRAT or njRAT. These give the operator keystroke logging, screen capture, file theft, and full remote control of the host.
  • Script-based droppers and loaders: the early stages are written in scripting languages such as VBScript and AutoHotkey. The scripts obfuscate and stage the final payload, which helps the chain evade signature-based antivirus.
  • Legitimate services for hosting and C2: Blind Eagle abuses public services such as Discord to host malware payloads and to manage command-and-control (C2) infrastructure, so that its traffic blends in with ordinary outbound web activity.

How to Defend Against Blind Eagle

Defending against Blind Eagle requires both user awareness and technical controls that break the infection chain at more than one stage.

  • Region-specific phishing training: train staff to question unsolicited email that appears to come from local government bodies or banks, and to treat messages that press for urgent action (a summons, an overdue payment, a blocked account) with particular suspicion.
  • Restrict script execution: use endpoint controls (application control, script-host restrictions) to block or constrain script interpreters such as wscript.exe, cscript.exe, and AutoHotkey, and alert when they are launched as a child of an email client or an Office application.
  • Monitor for anomalous traffic: use Network Detection and Response (NDR) or proxy logs to watch for connections to services such as Discord and to dynamic DNS providers. That traffic is not normal for most business endpoints, and a download from such a service followed by a beacon to a dynamic DNS host from the same machine is a strong indicator of an active chain.
  • Block risky attachments: configure the email gateway to block or quarantine risky attachment types, including executables, scripts, and password-protected archives that the gateway cannot inspect.
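As an added example (not part of the original profile, and not Lumu or Maltiverse code), the Python script below applies the "monitor for anomalous traffic" control to a handful of constructed proxy-log lines and ties it back to the multi-stage chain described under Common Tactics and Tools: a script payload fetched from a Discord CDN URL, followed by a beacon to a dynamic DNS host from the same source address. The log format, the domain lists, the risky-extension list, and the Discord allow-list are assumptions to be tuned for your own environment.

```python
"""Flag proxy-log connections that match the Blind Eagle tradecraft described
above: payloads staged on Discord, script downloads, and C2 over dynamic DNS.
Added example with constructed data; not code from the original page."""
import re
from urllib.parse import urlsplit

# Constructed proxy log lines (not real telemetry). Fields are key=value.
SAMPLE_PROXY_LOG = """\
ts=2024-05-06T14:02:11Z src=10.1.4.22 user=mrojas url=https://cdn.discordapp.com/attachments/1101/2202/Citacion.vbs status=200
ts=2024-05-06T14:02:13Z src=10.1.4.22 user=mrojas url=http://actualizacion2024.duckdns.org:7700/ status=200
ts=2024-05-06T14:03:40Z src=10.1.4.23 user=lperez url=https://www.microsoft.com/en-us/ status=200
ts=2024-05-06T14:05:02Z src=10.1.4.30 user=svc-ci url=https://discord.com/api/webhooks/999/abc status=204
ts=2024-05-06T14:06:10Z src=10.1.4.23 user=lperez url=https://github.com/login status=200
"""

# Assumptions: the service the page says this actor abuses, plus common
# dynamic DNS providers. Tune both lists for your environment.
ABUSED_SERVICE_DOMAINS = ("discord.com", "discordapp.com", "discordapp.net")
DYNAMIC_DNS_SUFFIXES = ("duckdns.org", "no-ip.org", "no-ip.com", "ddns.net",
                        "hopto.org", "zapto.org", "dynu.net", "myftp.biz")
# Users with an approved business need for Discord (hypothetical allow-list).
ALLOWED_DISCORD_USERS = frozenset()
RISKY_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1",
                    ".bat", ".cmd", ".ahk", ".exe", ".scr")


def host_matches(host, suffixes):
    """True if host equals, or is a subdomain of, any listed suffix."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict."""
    return {m.group(1): m.group(2) for m in re.finditer(r"(\w+)=(\S+)", line)}


def classify(record):
    """Return the list of reasons a proxy record is suspicious (empty if clean)."""
    url = urlsplit(record.get("url", ""))
    host = url.hostname or ""
    reasons = []
    if (host_matches(host, ABUSED_SERVICE_DOMAINS)
            and record.get("user") not in ALLOWED_DISCORD_USERS):
        reasons.append("discord")
        # Payload hosting (/attachments/) and webhook traffic look different
        # from a user browsing the web client.
        if url.path.startswith("/attachments/") or "/api/webhooks/" in url.path:
            reasons.append("discord-payload-or-webhook")
    if host_matches(host, DYNAMIC_DNS_SUFFIXES):
        reasons.append("dynamic-dns")
    if url.port and url.port not in (80, 443):
        reasons.append(f"nonstandard-port:{url.port}")
    if url.path.lower().endswith(RISKY_EXTENSIONS):
        reasons.append("risky-file-download")
    return reasons


def scan(log_text):
    """Return (src, user, url, reasons) for every suspicious line."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        reasons = classify(rec)
        if reasons:
            hits.append((rec.get("src"), rec.get("user"), rec.get("url"), reasons))
    return hits


def correlate(hits):
    """Sources that both pulled from an abused service and talked to dynamic DNS:
    the stage-then-beacon shape of the multi-stage chain described above."""
    by_src = {}
    for src, _user, _url, reasons in hits:
        by_src.setdefault(src, set()).update(reasons)
    return sorted(s for s, r in by_src.items()
                  if "discord" in r and "dynamic-dns" in r)


if __name__ == "__main__":
    for src, user, url, reasons in scan(SAMPLE_PROXY_LOG):
        print(f"{src} {user} {url} -> {', '.join(reasons)}")
    print("likely infection chain on:", correlate(scan(SAMPLE_PROXY_LOG)))
```

Per-line hits are noisy on their own (a user with a legitimate Discord account will trip the first rule), which is why `correlate` raises the confidence only when one source shows both halves of the chain; in production the same logic belongs in a SIEM correlation rule with a time window rather than a whole-file pass.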
