The threat actor commonly known as Blind Eagle has been attributed with high confidence to the use of the Russian bulletproof hosting service Proton66.
Trustwave SpiderLabs, in a report published last week, said it was able to make this connection by pivoting from Proton66-linked digital assets, leading to the discovery of an active threat cluster that leverages Visual Basic Script (VBS) files as its initial attack vector and installs off-the-shelf remote access trojans (RATs).
Many threat actors rely on bulletproof hosting providers like Proton66 because these services deliberately ignore abuse reports and legal takedown requests. This makes it easier for attackers to run phishing sites, command-and-control servers, and malware delivery systems without interruption.
The cybersecurity company said it identified a set of domains with a similar naming pattern (e.g., gfast.duckdns[.]org, njfast.duckdns[.]org) beginning in August 2024, all of which resolved to the same IP address (“45.135.232[.]38”) that is associated with Proton66.
The use of dynamic DNS services like DuckDNS also plays a key role in these operations. Instead of registering new domains each time, attackers rotate subdomains tied to a single IP address, making detection harder for defenders.
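The single-IP, many-subdomain pattern described above is something defenders can look for in their own passive DNS or resolver logs. The following script is an added example written for this article, not code from Trustwave or the original report: it parses A-record lines, groups dynamic DNS hostnames by the address they resolve to, and reports any IP anchoring two or more of them together with the name stem they share (here "fast"). The log line format, the provider list and the sample records are constructed assumptions; the duckdns names and the 45.135.232.38 address are the indicators quoted in the article.

```python
"""
Defender-side check for the infrastructure pattern described in the article:
several look-alike subdomains of one dynamic DNS provider all resolving to a
single IP. Input is a list of passive-DNS style text lines; output is the list
of IPs that anchor such a cluster, with the hostnames and their shared stem.
"""
import os
import re

# Assumption: one provider is enough to illustrate; extend this tuple with the
# other dynamic DNS services your environment sees.
DYNAMIC_DNS_SUFFIXES = ("duckdns.org",)

# Constructed sample records in "<date> <hostname> A <ip>" form. The duckdns
# names and the 45.135.232.38 address mirror the indicators quoted in the
# article; the remaining lines are invented benign noise (RFC 5737 ranges).
SAMPLE_LINES = """
2024-08-12 gfast.duckdns.org A 45.135.232.38
2024-08-15 njfast.duckdns.org A 45.135.232.38
2024-09-02 xfast.duckdns.org A 45.135.232.38
2024-09-02 updates.example.com A 203.0.113.10
2024-09-03 home-nas.duckdns.org A 198.51.100.7
2024-09-03 gfast.duckdns.org A 45.135.232.38
""".strip().splitlines()

RECORD_RE = re.compile(
    r"^\S+\s+(?P<host>\S+)\s+A\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_record(line):
    """Return (hostname, ip) for an A-record line, or None if it does not match."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    return m.group("host").lower().rstrip("."), m.group("ip")


def is_dynamic_dns(host):
    """True when the hostname sits under a known dynamic DNS provider."""
    return any(host == s or host.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def shared_stem(hosts):
    """Longest common trailing string of the leftmost labels, e.g. 'fast' for
    gfast/njfast/xfast; this is the look-alike naming the article describes."""
    reversed_labels = [h.split(".")[0][::-1] for h in hosts]
    return os.path.commonprefix(reversed_labels)[::-1]


def cluster_by_ip(lines):
    """Map each resolved IP to the set of dynamic DNS hostnames pointing at it."""
    clusters = {}
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue  # skip lines that are not A records
        host, ip = rec
        if is_dynamic_dns(host):
            clusters.setdefault(ip, set()).add(host)
    return clusters


def flag_clusters(lines, min_hosts=2):
    """Return suspicious clusters: one IP anchoring min_hosts or more dynamic DNS names."""
    findings = []
    for ip, hosts in cluster_by_ip(lines).items():
        if len(hosts) >= min_hosts:
            ordered = sorted(hosts)
            findings.append({"ip": ip, "hosts": ordered, "stem": shared_stem(ordered)})
    return sorted(findings, key=lambda f: f["ip"])


if __name__ == "__main__":
    for f in flag_clusters(SAMPLE_LINES):
        print(f"{f['ip']}: {len(f['hosts'])} dynamic DNS names, shared stem '{f['stem']}'")
        for h in f["hosts"]:
            print("   ", h)
```

The threshold of two names per IP is deliberately low for illustration; on real resolver data a higher `min_hosts`, plus an allow-list for addresses your own users legitimately point dynamic DNS names at, keeps the output manageable.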
“The domains in question were used to host a variety of malicious content, including phishing pages and VBS scripts that serve as the initial stage of malware deployment,” security researcher Serhii Melnyk said. “These scripts act as loaders for second-stage tools, which, in this campaign, are limited to publicly available and often open-source RATs.”
While VBS may seem outdated, it is still a go-to tool for initial access due to its compatibility with Windows systems and its ability to run silently in the background. Attackers use it to download malware loaders, bypass antivirus tools, and blend into normal user activity. These lightweight scripts are often the first step in multi-stage attacks, which later deploy RATs, info stealers, or keyloggers.
The phishing pages have been found to impersonate legitimate Colombian banks and financial institutions, including Bancolombia, BBVA, Banco Caja Social, and Davivienda. Blind Eagle, also known as AguilaCiega, APT-C-36, and APT-Q-98, is known for its targeting of entities in South America, particularly Colombia and Ecuador.
The deceptive sites are engineered to harvest user credentials and other sensitive information. The VBS payloads hosted on the infrastructure come fitted with capabilities to retrieve encrypted executable files from a remote server, essentially acting as a loader for commodity RATs like AsyncRAT or Remcos RAT.
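The loader behaviour described above, a VBS file fetching its next stage from a remote server, leaves a correlatable trace in endpoint telemetry: a Windows Script Host process (wscript.exe or cscript.exe) started on a .vbs file from a user-writable folder, followed shortly by an outbound connection from that same process. The script below is an added example for this article, not Trustwave's or Darktrace's detection logic: it runs that correlation over simplified process-creation and network events. The event field names, the list of user-writable path markers, the 60-second window and the sample events are constructed assumptions rather than any vendor's schema; the destination address in the first sample is the indicator quoted in the article.

```python
"""
Defender-side correlation for the VBS loader behaviour described in the
article: a Windows Script Host process (wscript.exe / cscript.exe) running a
.vbs from a user-writable location and then opening an outbound connection
shortly afterwards. Events are simplified process-creation and network
records; the field names are assumptions, not a specific EDR schema.
"""
import re
from datetime import datetime, timedelta

# The two Windows Script Host binaries that execute .vbs files.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Assumption: folders an ordinary user can write to, where a phishing-delivered
# script would typically land; tune to your environment.
USER_WRITABLE_MARKERS = (
    "\\downloads\\",
    "\\appdata\\local\\temp\\",
    "\\temp\\",
    "\\public\\",
)

# Pulls a quoted or unquoted drive-letter path ending in .vbs out of a command line.
VBS_PATH_RE = re.compile(r'"?([a-z]:\\[^"]+?\.vbs)"?', re.IGNORECASE)

# Constructed sample events (not real telemetry). The first pair models the
# loader pattern; the second pair is a scripted admin task run from ProgramData.
SAMPLE_EVENTS = [
    {"ts": "2025-06-01T09:00:00", "type": "process", "pid": 4100,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\ana\Downloads\documento_factura.vbs"'},
    {"ts": "2025-06-01T09:00:02", "type": "network", "pid": 4100,
     "dest": "45.135.232.38", "port": 443},
    {"ts": "2025-06-01T09:05:00", "type": "process", "pid": 5200,
     "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r'cscript.exe "C:\ProgramData\IT\inventory.vbs"'},
    {"ts": "2025-06-01T09:05:01", "type": "network", "pid": 5200,
     "dest": "10.0.0.5", "port": 445},
]


def extract_script_path(cmdline):
    """Return the .vbs path from a script host command line, or None."""
    m = VBS_PATH_RE.search(cmdline)
    return m.group(1) if m else None


def is_user_writable(path):
    """True when the path contains one of the user-writable folder markers."""
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def image_name(image):
    """Basename of an image path, lower-cased, tolerant of either slash style."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_vbs_loader(events, window_seconds=60):
    """Correlate script-host launches from user-writable paths with a following
    outbound connection by the same PID inside the window. Returns one alert
    per matching process."""
    ordered = sorted(events, key=lambda e: e["ts"])
    candidates = {}  # pid -> (launch time, script path)
    alerts = []
    for e in ordered:
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "process" and image_name(e["image"]) in SCRIPT_HOSTS:
            path = extract_script_path(e.get("cmdline", ""))
            if path and is_user_writable(path):
                candidates[e["pid"]] = (ts, path)
        elif e["type"] == "network" and e["pid"] in candidates:
            start, path = candidates[e["pid"]]
            if ts - start <= timedelta(seconds=window_seconds):
                alerts.append({"pid": e["pid"], "script": path,
                               "dest": e["dest"], "port": e["port"]})
                del candidates[e["pid"]]  # one alert per launch is enough
    return alerts


if __name__ == "__main__":
    for a in detect_vbs_loader(SAMPLE_EVENTS):
        print(f"pid {a['pid']}: {a['script']} -> {a['dest']}:{a['port']}")
```

The second sample process is ignored on purpose: a .vbs launched from ProgramData by an administrative task is exactly the kind of benign script-host activity that a rule keyed only on wscript.exe would flood analysts with, so the user-writable-path condition does most of the filtering here.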
Furthermore, an analysis of the VBS code has revealed overlaps with Vbs-Crypter, a tool linked to a subscription-based crypter service called Crypters and Tools that is used to obfuscate and pack VBS payloads with the aim of evading detection.
Trustwave said it also discovered a botnet panel that allows users to “control infected machines, retrieve exfiltrated data, and interact with infected endpoints through a broad set of capabilities typically found in commodity RAT management suites.”
The disclosure comes as Darktrace revealed details of a Blind Eagle campaign that has been targeting Colombian organizations since November 2024 by exploiting a now-patched Windows flaw (CVE-2024-43451) to download and execute the next-stage payload, a behavior that was first documented by Check Point in March 2025.
“The persistence of Blind Eagle and ability to adapt its tactics, even after patches were released, and the speed at which the group was able to continue using pre-established TTPs highlights that timely vulnerability management and patch application, while essential, should not be a standalone defense,” the company said.