December 3, 2023

Researchers have discovered a new multi-stage attack chain conducted by the Blind Eagle cyberespionage group that leads to the deployment of NjRAT on infected systems.

In the latest attack campaign, Blind Eagle leverages social engineering, custom malware, and spear-phishing attacks.

A JavaScript downloader is being utilized to run a PowerShell script that is hosted in Discord CDN. It leads to the deployment of another PowerShell script, a Windows batch file, and the storage of a VBScript file in the Windows startup folder, enabling persistence. 


The VBScript code runs the batch file, which is then deobfuscated to execute the previously delivered PowerShell script. Finally, the PowerShell script is utilized to launch NjRAT, which allows the attacker to take control of the compromised system through a user interface.

Blind Eagle or APT-C-36 is believed to be a Spanish-speaking group that primarily targets private and public sector entities in Colombia. However, the group’s attacks have also been observed in Ecuador, Chile, and Spain.

The threat actors impersonated a Colombian government tax agency to target key sectors.


Blind Eagle’s modus operandi has remained the same since its emergence, which indicates that it is comfortable conducting spear-phishing campaigns as they continue to hit the target. Therefore, upgrade your security posture to stay safe. Moreover, training employees on how to detect phishing emails is much recommended.

This research was documented by researchers from ThreatMon

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: