Blind Eagle's Five Clusters Target Colombian Government and Other Sectors
Summary
Between May 2024 and July 2025, five distinct activity clusters linked to the persistent threat actor Blind Eagle targeted various sectors in Colombia, primarily government entities. The attacks used remote access trojans (RATs), phishing lures, and dynamic DNS infrastructure. The group's operations reflect both cyber espionage and financially driven motivations, with targets including judiciary, tax authorities, and sectors such as finance, energy, and healthcare. The campaigns involved spear-phishing, compromised email accounts, and the use of legitimate internet services for staging payloads. The group's tactics, techniques, and procedures (TTPs) include the use of open-source and cracked RATs, dynamic domain providers, and legitimate internet services (LIS) for staging. The attacks span Colombia, Ecuador, Chile, Panama, and Spanish-speaking users in North America.
Timeline
- 27.08.2025 12:28: Blind Eagle's Five Clusters Target Colombian Government and Other Sectors
  Source: Blind Eagle’s Five Clusters Target Colombia Using RATs, Phishing Lures, and Dynamic DNS Infra — thehackernews.com — 27.08.2025 12:28
Information Snippets
- Blind Eagle, tracked as TAG-144, has been active since at least 2018, primarily targeting South American organizations.
- The group uses spear-phishing lures impersonating local government agencies to deliver malicious documents or links.
- Blind Eagle leverages compromised email accounts and geofencing tricks to evade detection.
- The group's command-and-control (C2) infrastructure includes IP addresses from Colombian ISPs and VPS services.
- Dynamic DNS services such as duckdns.org, ip-ddns.com, and noip.com are used to obscure malicious content.
- Legitimate internet services like Bitbucket, Discord, and Google Drive are used for staging payloads.
- Recent campaigns employ Visual Basic Script files and PowerShell scripts to deliver RATs such as Lime RAT, DCRat, AsyncRAT, and Remcos RAT.
- The group's activities are divided into five clusters, each targeting different sectors and using various RATs.
- Nearly 60% of the observed activity targeted the government sector, followed by education, healthcare, and retail.

All snippets first reported 27.08.2025 12:28 (1 source, 1 article; see Timeline).
Similar Happenings
APT41 targets U.S. trade officials with phishing campaigns amid negotiations
APT41, a China-linked threat group, has been conducting targeted phishing campaigns against U.S. trade officials, law firms, think tanks, and academic organizations. The attacks, impersonating U.S. officials and organizations, aim to steal sensitive data related to U.S.-China trade negotiations. The campaigns have been ongoing since at least January 2025, with a surge in activity observed in July and August 2025. The U.S. House Select Committee on China has issued a formal advisory warning about these activities, linking them to a Beijing-led effort to influence policy deliberations. The FBI is investigating these attacks. The phishing emails impersonate U.S. officials, including Rep. John Robert Moolenaar, and organizations such as the U.S.-China Business Council, to trick recipients into opening malicious attachments or links. The attacks exploit software and cloud services to evade detection and exfiltrate data. The goal is to gain an advantage in trade and foreign policy negotiations. The Chinese embassy has denied the allegations, stating that China opposes cyber attacks and cyber crime. APT41 has been linked to various sophisticated campaigns targeting multiple sectors, including logistics, utility companies, healthcare, high-tech, and telecommunications.
GhostRedirector Campaign Targets Windows Servers with Rungan Backdoor and Gamshen IIS Module
The GhostRedirector threat cluster, also known as Operation Rewrite and CL-UNK-1037, has compromised at least 65 Windows servers in Brazil, Thailand, and Vietnam, deploying the Rungan backdoor and Gamshen IIS module. The campaign, active since at least March 2025, targets various sectors and uses SEO fraud to manipulate search engine results, particularly to boost the rankings of gambling websites. The threat actor, believed to be China-aligned, employs BadIIS, a malicious native IIS module, to intercept and modify HTTP traffic, serving malicious content to site visitors. The campaign also deploys other tools for remote access, privilege escalation, and information gathering. ESET recommends using dedicated accounts, strong passwords, and multifactor authentication for IIS server administrators, as well as ensuring native IIS modules are installed only from trusted sources and are signed by a trusted provider.
Chinese State-Sponsored Actors Target Global Critical Infrastructure
Chinese state-sponsored Advanced Persistent Threat (APT) actors, specifically the Salt Typhoon group and a newly identified group named RedNovember, have been conducting sustained campaigns to compromise critical infrastructure networks worldwide. The campaigns aim to gain long-term access to telecommunications, government, transportation, lodging, and military networks. This activity has been detailed in a joint advisory by CISA, NSA, FBI, and international partners, including Canada, Australia, New Zealand, the UK, Czech Republic, Finland, Germany, Italy, Japan, the Netherlands, Poland, and Spain. The advisory provides intelligence on tactics used by these actors and recommends mitigations to strengthen defenses. The Czech Republic's National Cyber and Information Security Agency (NUKIB) has issued a warning instructing critical infrastructure organizations to avoid using Chinese technology or transferring user data to servers located in China. The agency has re-evaluated its risk estimate of significant disruptions caused by China, now assessing it at a 'High' level. The NUKIB has confirmed malicious activities of Chinese cyber-actors targeting the Czech Republic, including a recent APT31 campaign targeting the Czech Ministry of Foreign Affairs. The advisory highlights concerns over the transfer of system and user data to China, potentially misused by state, military, or political interests. The Czech government previously accused China of targeting its critical infrastructure through APT 31, an allegation denied by the PRC but condemned by the US, EU, and NATO. The advisory suggests that individuals and organizations consider restricting or prohibiting the use of products and services that transfer data to China. The campaign has targeted at least 600 organizations across 80 countries, including 200 in the U.S. 
The threat actors have exploited vulnerabilities in Cisco, Ivanti, and Palo Alto Networks devices to gain initial access and have modified routers to maintain persistent access and pivot into other networks. The advisory also notes that the APT actors may target other devices such as Fortinet firewalls, Juniper firewalls, Microsoft Exchange, Nokia routers and switches, Sierra Wireless devices, and SonicWall firewalls. RedNovember has targeted perimeter appliances of high-profile organizations globally, including defense and aerospace organizations, space organizations, and law firms. The group has breached at least two U.S. defense contractors, a European engine manufacturer, and a trade-focused intergovernmental cooperation body in Southeast Asia. RedNovember has used the Go-based backdoor Pantegana and Cobalt Strike as part of its intrusions, along with the Spark RAT and LESLIELOADER. The group has also used VPN services like ExpressVPN and Warp VPN to administer and connect to servers used for exploitation and communication.
MixShell Malware Targets U.S. Supply Chain Manufacturers via Contact Forms
A sophisticated social engineering campaign, codenamed ZipLine, targets U.S. supply chain manufacturers with MixShell malware. Attackers use legitimate contact forms to initiate conversations, eventually delivering malicious ZIP files. The campaign spans multiple sectors and countries, focusing on critical supply chain industries. The MixShell malware operates in-memory, using DNS tunneling and HTTP for command-and-control (C2) communications. It employs advanced evasion techniques and leverages legitimate services to blend into normal network activity. The attackers use abandoned or dormant domains to increase the credibility of their phishing attempts. The campaign poses significant risks, including intellectual property theft, ransomware, financial fraud, and supply chain disruptions. The attackers target a wide range of industries, including industrial manufacturers, hardware, semiconductors, consumer goods, biotech, and pharma companies.
Russian Hackers Exploit Old Cisco Vulnerability to Target U.S. Critical Infrastructure
Russian hackers, tracked as Static Tundra and associated with the FSB's Center 16 or Military Unit 71330, have been exploiting a seven-year-old vulnerability (CVE-2018-0171) in unpatched end-of-life Cisco networking devices to target enterprise and critical infrastructure networks in the U.S. and abroad. The attacks, ongoing since at least August 2024, have compromised thousands of devices, allowing the attackers to collect configuration files, change settings, and gain unauthorized access. The U.S. Department of State is offering a reward of up to $10 million for information on three FSB officers involved in these cyberattacks. The targets include organizations in the manufacturing, telecommunications, higher education, and energy sectors. The attackers use stolen SNMP credentials to control compromised devices, enabling them to run commands, change settings, and steal configurations while evading detection. They also create new local user accounts and enable remote access services like Telnet to maintain access. The attacks highlight the persistent threat of unpatched vulnerabilities and the need for robust cybersecurity measures to protect critical infrastructure. The three FSB officers, Marat Valeryevich Tyukov, Mikhail Mikhailovich Gavrilov, and Pavel Aleksandrovich Akulov, targeted more than 380 foreign energy-sector companies in 135 countries. The suspects targeted American and foreign oil and gas firms, nuclear power plants, renewable energy firms, utility and electrical grid entities, consulting and engineering groups, and advanced technology companies. In August 2021, these officers were indicted in the US on charges of computer fraud and abuse, wire fraud, and aggravated identity theft. The Dragonfly campaign involved obtaining persistent access to victim networks and infecting them with the Havex malware through supply chain compromise.
In the second phase, known as Dragonfly 2.0, the three allegedly targeted over 3,300 users at more than 500 US and international companies and entities, including US government agencies, in spear-phishing attacks.