Latin America Under Cyberattack: BlindEagle’s New Malware Campaign
Researchers at Kaspersky Lab have reported new activity by the threat group BlindEagle, which has been running cyber espionage campaigns against organizations and individuals in Latin America since 2018. In June 2024 the group updated its methods, introducing a new espionage plugin and abusing legitimate Brazilian file-sharing services to deliver its malware.
BlindEagle's primary targets remain government institutions, energy and oil and gas companies, and financial organizations, above all in Colombia: according to Kaspersky, 87% of the attacks observed in May and June 2024 were aimed at that country. The group's objectives are espionage and the theft of financial information, carried out with remote access trojans (RATs) such as njRAT, Lime-RAT, and BitRAT.
During its May 2024 campaign, BlindEagle actively employed the njRAT trojan, which enables the monitoring of user activities on an infected device, including keylogging, screen capture, and system information collection.
Recent versions of njRAT have been extended with plugins that broaden its capabilities, letting the attackers collect even more sensitive information and deploy additional malicious software on the compromised host.
The infection chain begins with targeted phishing emails disguised as official notifications from government agencies. These emails typically carry attachments that pose as PDF documents but are in fact scripts which, once opened, compromise the victim's device.
Moreover, BlindEagle has increasingly utilized the Portuguese language and Brazilian domains, which may indicate collaboration with other cybercriminal groups. The group has used Brazilian image hosting services to distribute malicious code, and previously leveraged platforms like Discord and Google Drive.
In June 2024 the group adopted a tactic that had not previously been characteristic of its operations: DLL sideloading, in which a legitimate (often signed) executable that loads a DLL by name from its own directory is shipped next to a malicious DLL carrying that name, so the trusted process ends up running the attacker's code. In this campaign the lures were disguised as legal documents distributed in ZIP archives. Inside the archives were the executables that initiated the infection, together with the additional malicious components they loaded.
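The two lures described above (a document-looking attachment that is really a script or executable, and an archive that pairs an EXE with a DLL in the same folder) can be triaged mechanically before a user ever opens them. The script below is an added example written for this page, not code from Kaspersky or from the campaign; the archive it builds, the file names in it, and the `version.dll` name are constructed for the demo and are not indicators from the report.

```python
"""Triage a ZIP attachment for two BlindEagle-style lures:
(1) document-looking names over script/PE content, (2) an EXE shipped
next to a DLL in the same folder (the DLL-sideloading layout)."""
import io
import posixpath
import zipfile

# Extensions Windows will execute on double-click vs. ones that look like documents.
EXEC_EXT = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd",
            ".vbs", ".js", ".hta", ".ps1", ".lnk"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}


def sniff(data: bytes) -> str:
    """Classify content by magic bytes; this is type detection, not a scanner."""
    if data.startswith(b"MZ"):
        return "pe"        # Windows PE image: EXE or DLL
    if data.startswith(b"%PDF"):
        return "pdf"
    if data.startswith(b"PK\x03\x04"):
        return "zip"       # also OOXML Office documents
    if data.startswith(b"\xd0\xcf\x11\xe0"):
        return "ole"       # legacy binary Office documents
    return "other"


def name_findings(name: str, data: bytes) -> list:
    """Flag extension tricks on a single archive member."""
    findings = []
    parts = posixpath.basename(name).lower().split(".")
    exts = ["." + p for p in parts[1:]]
    final = exts[-1] if exts else ""
    # "Notificacion.pdf.exe": Explorer hides the final known extension by default.
    if len(exts) >= 2 and exts[-2] in DOC_EXT and final in EXEC_EXT:
        findings.append(f"{name}: document name with executable suffix (double extension)")
    # "Resolucion.pdf" whose bytes are a PE image: the name lies about the content.
    if final in DOC_EXT and sniff(data) == "pe":
        findings.append(f"{name}: named as a document but content is a PE executable")
    return findings


def sideload_pairs(names: list) -> list:
    """Return (exe, dll) pairs that sit in the same directory of the archive."""
    by_dir = {}
    for n in names:
        d, base = posixpath.split(n)
        by_dir.setdefault(d, []).append(base)
    pairs = []
    for d, files in by_dir.items():
        exes = [f for f in files if f.lower().endswith(".exe")]
        dlls = [f for f in files if f.lower().endswith(".dll")]
        for exe in exes:
            for dll in dlls:
                pairs.append((posixpath.join(d, exe), posixpath.join(d, dll)))
    return pairs


def analyze_zip(blob: bytes) -> dict:
    """Open an in-memory ZIP and return every finding plus the raw file list."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = [i.filename for i in zf.infolist() if not i.is_dir()]
        findings = []
        for n in names:
            findings.extend(name_findings(n, zf.read(n)))
    pairs = sideload_pairs(names)
    for exe, dll in pairs:
        findings.append(f"{exe} + {dll}: EXE and DLL in the same folder, possible DLL sideloading")
    return {"files": names, "findings": findings,
            "sideload_pairs": pairs, "suspicious": bool(findings)}


def build_sample_archive() -> bytes:
    """Constructed lure archive for the demo; not a real BlindEagle sample."""
    # Minimal PE-looking header: "MZ", e_lfanew at 0x3C pointing to "PE\0\0" at 0x40.
    pe = b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little") + b"\x00" * 4 + b"PE\x00\x00"
    vbs = b'Set sh = CreateObject("WScript.Shell")\r\n'  # placeholder script body
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Demanda/Notificacion_Judicial.pdf.exe", pe)   # loader EXE
        zf.writestr("Demanda/version.dll", pe)                     # DLL beside it
        zf.writestr("Demanda/Anexo.pdf", b"%PDF-1.4\n%benign placeholder\n")
        zf.writestr("Citacion.pdf.vbs", vbs)                       # "PDF" that is a script
    return buf.getvalue()


if __name__ == "__main__":
    report = analyze_zip(build_sample_archive())
    for line in report["findings"]:
        print(line)
```

Running the script prints three findings for the constructed archive: the double-extension EXE, the double-extension VBS, and the EXE/DLL pair in `Demanda/`. Two caveats for real use: a signed, legitimate EXE next to an unknown DLL is only a candidate for sideloading, and confirming it means checking which DLL names the EXE imports; and Explorer's default of hiding known extensions is exactly what makes `Citacion.pdf.vbs` display as `Citacion.pdf`, so mail gateways should judge the final extension, not the displayed name.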
Kaspersky Lab experts continue to monitor BlindEagle’s activities and recommend that organizations in Latin America strengthen their security measures to protect against such threats.