top of page

New multi-stage attack chain linked to Blind Eagle cyber espionage actor

A new study has found that the cyber espionage actor known as Blind Eagle has been linked to a new multi-stage attack chain that leads to the deployment of the NjRAT remote access trojan on compromised systems. The group is known for using a variety of sophisticated attack techniques, including custom malware, social engineering tactics, and spear-phishing attacks. According to a Tuesday report from ThreatMon, Blind Eagle has been linked to a new attack chain that begins with a JavaScript downloader. The JavaScript downloader then executes a PowerShell script that is hosted on Discord CDN. The PowerShell script then drops another PowerShell script and a Windows batch file onto the compromised system. The batch file is then deobfuscated to run the PowerShell script. In the final stage, the PowerShell script is used to execute njRAT. This is just the latest discovery from ThreatMon regarding the techniques used by Blind Eagle. Earlier this year, infection chains documented by Check Point and BlackBerry revealed the use of spear-phishing lures to deliver commodity malware families like BitRAT, AsyncRAT, and in-memory Python loaders capable of launching a Meterpreter payload. Blind Eagle, also referred to as APT-C-36, is a suspected Spanish-speaking group that chiefly strikes private and public sector entities in Colombian. Attacks orchestrated by the group have also targeted Ecuador, Chile, and Spain.


bottom of page