A phishing link is clicked in a partner’s office in Brazil. The email looks like a routine customs form, so the employee opens the file. He has no idea of its true origin: a sophisticated threat actor known as APT-C-36 or Blind Eagle.
Hours later, the attacker has a foothold.
Days later, they pivot into the network of a logistics firm in Chicago, deploying ransomware that brings operations to a standstill.
This is a real-world example of modern supply chain security risks. Geography is no longer a firewall. Regional attacks are now global threats.
This cyber threat analysis of the Blind Eagle threat actor breaks down our intelligence on their latest campaign. We will show how a regional attack becomes a global problem, helping you improve your supply chain cyber risk management and providing insights to sharpen your proactive threat hunting.
Deconstructing Blind Eagle
Our Blind Eagle threat actor analysis reveals a blueprint for modern cybercrime. While their targets are often in Brazil, their methods are global, making them a key case study for organizations worldwide.
Their evolution shows a mastery of adaptation. Their operations began in 2018 with targeted spear-phishing using malicious Word documents with VBScripts. They quickly grew in scope, blending espionage with financial crime.
This is where their local threat becomes a global lesson:
Commodity Malware, Expertly Deployed
They don’t develop new tools. Instead, APT-C-36 adopts and customizes a variety of commodity Remote Access Trojans (RATs) such as AsyncRAT, njRAT, and DCRat: tools that are widely available for sale or download on criminal marketplaces rather than custom-built. Blind Eagle, therefore, uses the same tools that defenders are likely to come across in Cybercrime-as-a-Service operations from Bogotá to Berlin.
Hiding in Plain Sight
APT-C-36 has perfected the art of abusing trusted services like Google Drive and Dropbox to deliver malware. This tactic exploits the trust employees (and security tools) place in everyday platforms. More advanced campaigns use fake UUE files and geolocation filters through URL shorteners, which redirect anyone outside of Latin America to a harmless site. This creates a significant challenge for supply chain cyber risk management.
Blind Eagle is agile and effective, constantly refining their process based on what they learn. Understanding their latest campaign is essential in developing an effective defense.
Anatomy of an Attack: The Blind Eagle Playbook
This cyber threat analysis breaks down a recent attack sample from the Lumu Maltiverse Threat Observatory. This example from an attack targeting Colombia shows the step-by-step playbook Blind Eagle is using now.
The Lure: Localized Social Engineering
The attack begins with a psychological weapon. We observed a phishing email carrying the file:
01_Documentos_de_la_demanda_juzgado_penal_de_control_de_garantias.zip
For a recipient in Colombia, the file name triggers immediate alarm. It translates to “Documents of the lawsuit from the penal court,” implying urgent legal trouble. While the language is Spanish, the technique is universal. The same lure in Ohio might be named something like IRS_Audit_Notice.zip.
The Weapon: DCRat Malware
The ZIP file’s payload is DCRat, a potent Remote Access Trojan (RAT). When the user unzips the file, however, it doesn’t reveal a single, obvious piece of malware. Instead, it unpacks a mix of files, such as an executable, a DLL, and harmless icons, designed to look like a legitimate software package. To evade detection, the RAT then hijacks legitimate Windows processes, like those of the .NET Framework. This living-off-the-land technique makes its activity blend in with normal system operations, fooling many traditional antivirus tools.
The Foothold: Persistence and Evasion
With the RAT now running, the malware’s next job is to ensure it can survive a system reboot and communicate with its masters.
First, it ensures persistence on the system. It writes itself into the Windows Registry, a common technique to ensure it automatically launches every time the computer starts.
Then it makes contact for Command & Control (C2). The RAT reaches out to a server at envio2121.duckdns.org. The use of DuckDNS (a dynamic DNS service) allows the attackers to change the IP address of their C2 server. This makes it difficult for security teams to block via simple IP-based rules. This low-cost, high-evasion C2 method is a staple for cybercriminals globally.
The Goal: From Access to Impact
With a stable foothold, DCRat gives APT-C-36 the power to:
- log keystrokes
- steal credentials
- access the webcam and microphone
- exfiltrate files and data
This is the pivot point. The attackers can now target the victim for financial theft and espionage. But the impact doesn’t stop there. Those same stolen credentials can grant access to international partners, turning a local breach into a global supply chain security risk.
The View From Above: Tracking a Global Threat in Real Time
A single attack shows the tactic, but aggregated data reveals the strategy. Telemetry from the Lumu Maltiverse Threat Observatory confirms a notable surge in APT-C-36 activity across Latin America during September and October 2025. Blind Eagle is an active and widespread threat with direct implications for global supply chain security.
Targeting the Supply Chain
First, let’s look at who they’re targeting. Our data shows APT-C-36 is focused on sectors critical to the global economy.
(Chart: Industry impact based on Lumu Maltiverse Threat Observatory detections)
The heavy focus on Manufacturing (31.3%) and Financial Services (12.5%) is a strategic choice. These sectors are deeply interconnected with international partners. A breach at a Colombian factory can expose intellectual property shared by a German firm. Compromised credentials at a Brazilian financial services company can be used to attack parent institutions in the United States. This makes it a critical issue for supply chain cyber risk management.
The Ripple Effect Across Borders
Now, let’s look at where they’re targeting. The geographic data we gathered confirms the threat has crossed borders.
(Chart: Regional distribution of APT-C-36 sightings by Lumu Maltiverse Threat Observatory)
While Brazil and Colombia are the epicenter, nearly 13% of all sightings are in the United States. This is direct evidence of the ripple effect: the problem is no longer regional. In a connected world, you are always within the blast radius.
Building a Borderless Defense
A perimeter-only defense is destined to fail against a threat actor like Blind Eagle. Countering this borderless threat requires a proactive defense built on visibility and intelligence. Here’s how to start.
Strengthen Your Perimeter
A strong perimeter is the essential first line of defense for filtering common threats.
Use intelligent email filtering. Configure email gateways to flag or block emails containing URL shorteners and links from dynamic DNS domains (like .duckdns.org). Both are core delivery tactics used by APT-C-36.
Train employees to recognize social engineering tactics, like urgent requests from supposed tax authorities, not just specific lures.
Monitor your external attack surface to ensure that your security teams act on any weaknesses before the attackers do.
Assume Breach, Hunt for Threats
Resilient organizations assume attackers will eventually get in, shifting their focus from pure prevention to rapid detection and response.
Use proactive endpoint threat hunting tools to look for signs of living off the land, such as suspicious VBS or PowerShell spikes, which are common in their attack chain.
Monitor outbound traffic and hunt for anomalous network activity. This includes monitoring WebDAV traffic, connections on non-standard ports, and specifically searching for the outbound C2 traffic that signals a RAT like DCRat is active on your network.
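The two network traits this post keeps coming back to, dynamic DNS zones for C2 and URL shorteners for delivery, are easy to hunt for in resolver or proxy logs. The script below is an added example written for this article, not Lumu’s code: it assumes a simple “timestamp client_ip query_type domain” log format, and the sample log, apart from the envio2121.duckdns.org C2 domain named above, is constructed. The zone and shortener lists beyond duckdns.org are illustrative and should be replaced with what your own telemetry shows.

```python
"""Flag DNS log lines that resolve dynamic-DNS hosts or URL shorteners.

Hunting example written for this article (not Lumu's own tooling).
"""
import re
from collections import namedtuple

# duckdns.org comes from the post; the other zones are illustrative
# assumptions. Extend with the dynamic-DNS providers you actually see.
DYNAMIC_DNS_ZONES = ("duckdns.org", "no-ip.com", "hopto.org")
# The post mentions URL shorteners only generically; these are examples.
URL_SHORTENERS = ("bit.ly", "tinyurl.com")

Hit = namedtuple("Hit", "timestamp client domain reason")

# Assumed log format: "<timestamp> <client_ip> <query_type> <domain>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(A|AAAA|CNAME|TXT)\s+(\S+)$")


def classify(domain):
    """Return a reason string if the domain is suspicious, else None.

    Matching is on the registrable suffix, so a domain that merely
    contains 'duckdns.org' in a non-suffix position is NOT flagged.
    """
    d = domain.lower().rstrip(".")  # normalise case and trailing dot
    for zone in DYNAMIC_DNS_ZONES:
        if d == zone or d.endswith("." + zone):
            return "dynamic-dns:" + zone
    for shortener in URL_SHORTENERS:
        if d == shortener or d.endswith("." + shortener):
            return "url-shortener:" + shortener
    return None


def hunt(lines):
    """Parse log lines and return a Hit for every suspicious domain."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed or unrelated lines
        ts, client, _qtype, domain = m.groups()
        reason = classify(domain)
        if reason:
            hits.append(Hit(ts, client, domain, reason))
    return hits


# Constructed sample log; only envio2121.duckdns.org is taken from the post.
SAMPLE_LOG = """\
2025-10-02T14:01:07Z 10.20.3.44 A www.example.com
2025-10-02T14:01:09Z 10.20.3.44 A envio2121.duckdns.org
2025-10-02T14:02:11Z 10.20.3.51 A bit.ly
2025-10-02T14:02:30Z 10.20.3.44 A duckdns.org.lookalike.test
""".splitlines()

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

The last sample line shows why suffix matching matters: a naive substring check on "duckdns.org" would raise a false positive there, while a rule keyed on the hosting zone does not.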
Integrate Threat Intelligence
How do you know what to hunt for? A list of malicious IPs isn’t enough. You need context.
Integrating a threat intelligence feed is the crucial third layer of a borderless defense. This is what allows your security team to connect a random alert to a global campaign targeting your industry. All Indicators of Compromise (IoCs) from the Blind Eagle campaign, for instance, can be fed into your security tools to enable proactive hunting for their specific fingerprints.
From Reactive to Proactive With Lumu Maltiverse
Without context, security teams work blind. A suspicious domain alert is just noise, disconnected from the real threat. This reactive posture keeps you one step behind attackers like APT-C-36, always waiting for the next incident.
The Lumu Maltiverse platform provides that context. It turns isolated alerts into a clear threat picture. You see that a suspicious domain isn’t random: it is a known C2 server for Blind Eagle. This empowers your team to hunt threats proactively and stop attacks before they cause damage.
To explore the IoCs from this campaign and see how Maltiverse can enhance your threat hunting, visit our Lumu Maltiverse threat intelligence platform page and open your free account today.
P.S. To find out more about Blind Eagle, their IoCs, and stay ahead of other threat actors, check out the new Lumu Threat Glossary.