BlindEagle Targets Colombian Government Agency with Caminho and DCRAT
Essential information
- Published: 17/12/2025 02:49
- Modified: 21/12/2025 19:33
- Tags: 2025-12-17 dcrat discord powershell spear-phishing
- Related entities: 24 observables, 1 intrusion sets (apt), 19 techniques (mitre), 2 malware, 3 others
Description
A spear-phishing campaign targeting a Colombian government agency under the Ministry of Commerce, Industry and Tourism was discovered in September 2025. The attack, attributed to BlindEagle, used a compromised email account within the organization to bypass security controls. The campaign employed a sophisticated multi-layer attack chain, including a fake web portal, nested JavaScript and PowerShell scripts, steganography, and the deployment of Caminho as a downloader for DCRAT. The attack relied on legal-themed lures, in-memory execution, and abuse of legitimate services like Discord. BlindEagle's evolving tactics and its use of new tools like Caminho demonstrate the group's ongoing threat to Colombian institutions.