惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

宝玉的分享
宝玉的分享
T
Threat Research - Cisco Blogs
H
Hacker News: Front Page
N
News and Events Feed by Topic
Know Your Adversary
Know Your Adversary
Cisco Talos Blog
Cisco Talos Blog
SecWiki News
SecWiki News
C
Cisco Blogs
D
Darknet – Hacking Tools, Hacker News & Cyber Security
T
Tor Project blog
K
Kaspersky official blog
Forbes - Security
Forbes - Security
Webroot Blog
Webroot Blog
Schneier on Security
Schneier on Security
P
Privacy & Cybersecurity Law Blog
H
Heimdal Security Blog
Y
Y Combinator Blog
The GitHub Blog
The GitHub Blog
S
SegmentFault 最新的问题
V
Vulnerabilities – Threatpost
T
Tenable Blog
T
Tailwind CSS Blog
P
Privacy International News Feed
WordPress大学
WordPress大学
大猫的无限游戏
大猫的无限游戏
小众软件
小众软件
博客园 - Franky
Hacker News: Ask HN
Hacker News: Ask HN
Jina AI
Jina AI
C
Cybersecurity and Infrastructure Security Agency CISA
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
雷峰网
雷峰网
Vercel News
Vercel News
A
About on SuperTechFans
爱范儿
爱范儿
Simon Willison's Weblog
Simon Willison's Weblog
AWS News Blog
AWS News Blog
The Last Watchdog
The Last Watchdog
Engineering at Meta
Engineering at Meta
Spread Privacy
Spread Privacy
Security Archives - TechRepublic
Security Archives - TechRepublic
博客园 - 司徒正美
量子位
博客园 - 三生石上(FineUI控件)
J
Java Code Geeks
Hacker News - Newest:
Hacker News - Newest: "LLM"
Recorded Future
Recorded Future
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Martin Fowler
Martin Fowler
Project Zero
Project Zero

Security Research | Blog

ClaudeFix: Shared Claude Chats Meet ClickFix | Zscaler Why Do F1 Teams Need Cybersecurity, and What Is AI’s Role? Indirect Prompt Injection Targets AI Agents | ThreatLabz Splunk Enterprise RCE (CVE-2026-20253) | ThreatLabz Edgecution: Malicious Edge Extension Backdoor | ThreatLabz SmartApeSG Supply Chain Attack Targets Okendo | ThreatLabz AI Generated ClickFix Attack Delivers SmartRAT | ThreatLabz What the ThreatLabz 2026 Phishing and Initial Access Report Means for the Public Sector | Zscaler Shai-Hulud: Miasma, Hades, & AI Scanner Evasion | ThreatLabz Zscaler ThreatLabz 2026 Phishing and Initial Access Report Technical Analysis of MLTBackdoor | ThreatLabz When the Scanner Starts Thinking: Learnings from Mythos & GPT 5.5 Cyber in Security Testing | Zscaler OpenClaw Skill Distributes Remcos & GhostLoader | ThreatLabz Tropic Trooper: AdaptixC2 + Custom Beacon | ThreatLabz Do not delete blog (testing) | Zscaler Payouts King Takes Aim at the Ransomware Throne | ThreatLabz The Alibaba Incident and Why Zero Trust Matters More Than Ever In-Memory Loader Drops ScreenConnect | ThreatLabz Supply Chain Attacks Surge in March 2026 | ThreatLabz Claude Code Leak: Critical AI Security Threat 2026 Latest Xloader Obfuscation Code & C2 Protocol | ThreatLabz CVE-2026-20131: Analysis of FMC RCE | ThreatLabz Technical Analysis of SnappyClient | ThreatLabz China-nexus Group Targets Arabian Gulf Region | ThreatLabz Middle East Conflict Fuels Cyber Attacks | ThreatLabz Dust Specter APT Targets Gov’t Officials in Iraq | ThreatLabz APT37 Adds New Tools For Air-Gapped Networks | ThreatLabz GuLoader Malware Obfuscation Techniques Analyzed GuLoader Obfuscation Analysis | ThreatLabz Technical Analysis of Marco Stealer | ThreatLabz Latest Public Sector AI Adoption Trends: What Government, Healthcare, and Education Security Teams Need to Know | Zscaler Operation Neusploit: APT28 Uses CVE-2026-21509 | ThreatLabz 7 Predictions for 2026 | Zscaler SHEETCREEP, FIREPOWER, and MAILCREEP Analysis | ThreatLabz AI is Now Default Enterprise Accelerator: Takeaways from ThreatLabz 2026 AI Security Report | Zscaler GOGITTER, GITSHELLPAD, and GOSHELL Analysis | ThreatLabz Malicious NPM Packages Deliver NodeCordRAT | ThreatLabz What’s Powering Enterprise AI in 2025: ThreatLabz Report Sneak Peek | Zscaler Technical Analysis of the BlackForce Phishing Kit | ThreatLabz React2Shell RCE Vulnerability (CVE-2025-55182) | ThreatLabz Shai-Hulud V2 Poses Risk to NPM Supply Chain | ThreatLabz Technical Analysis of Matanbuchus 3.0 | ThreatLabz In-Depth Analysis: Water Gamayun APT Multi-Stage Attack Uncovered CVE-2025-50165: Windows Graphics Component Flaw | ThreatLabz Mobile, IoT, and OT Risks Converge in the Public Sector | Zscaler Industry Attacks Surge, Mobile Malware Spreads: The ThreatLabz 2025 Mobile, IoT & OT Report | Zscaler Zscaler Discovers Vulnerability in Keras Models Allowing Arbitrary File Access and SSRF (CVE-2025-12058) | Zscaler F5 Security Incident Advisory | Zscaler Under the Radar: How Non-Web Protocols Are Redefining the Attack Surface | Zscaler SEO Poisoning Targets Ivanti VPN: Credential Theft Alert Cisco Firewall and VPN Zero Day Attacks | ThreatLabz COLDRIVER Adds BAITSWITCH and SIMPLEFIX | ThreatLabz YiBackdoor: Linked to IcedID and Latrodectus | ThreatLabz Technical Analysis of Zloader Updates | ThreatLabz Mitigating Risks from the Shai-Hulud NPM Worm | ThreatLabz Malicious PyPI Packages Deliver SilentSync RAT | ThreatLabz Technical Analysis of SmokeLoader Version 2025 | ThreatLabz Technical Analysis of kkRAT | ThreatLabz APT37: Rust Backdoor & Python Loader | ThreatLabz Anatsa’s Latest Updates | ThreatLabz Termncolor and Colorinal Explained | ThreatLabz GenAI Used to Impersonate Brazil’s Govt Websites | ThreatLabz Tracking Updates to Raspberry Robin | ThreatLabz Ransomware Surges, Extortion Escalates: ThreatLabz 2025 Ransomware Report | Zscaler China-nexus APT Targets the Tibetan Community | ThreatLabz CVE-2025-53770 | ThreatLabz Black Hat SEO Poisoning Search Engine Results For AI | ThreatLabz
BlindEagle Deploys Caminho and DCRAT | ThreatLabz
Gaetano Pellegrino · 2025-12-17 · via Security Research | Blog

Technical Analysis

The following sections explore how BlindEagle’s campaign leverages in-memory scripts, legitimate internet services like Discord, steganography, and the deployment of Caminho and DCRAT. The analysis breaks down the methods and tools used in the attack to provide a clear understanding of the execution flow.

Attack chain

The figure below summarizes the attack chain from the initial phishing email to the final payload.

A high-level overview of the BlindEagle attack chain leading to the execution of Caminho and DCRAT.

Figure 1: A high-level overview of the BlindEagle attack chain leading to the execution of Caminho and DCRAT.

Compromised email

BlindEagle’s attack began with a phishing email targeting a shared email address likely used and monitored by the IT team of the organization. The phishing email was sent from another shared email address belonging to the same agency, making it appear legitimate and increasing its chances of being acted upon. ThreatLabz analyzed the email metadata and the configuration of the email domain, and found the following:

  • The sender and receiver domains were properly configured for email security protocols (DMARC, DKIM, and SPF). No evident flaws were observed.
  • The trajectory of the phishing email from sender to recipient, appeared legitimate and didn’t include any suspicious hops. All the “Received” headers referenced servers belonging to Microsoft 365 / Exchange, including the originating server.
  • Despite the Microsoft 365 servers being authorized by the SPF policy, the DMARC, DKIM, and SPF checks were not applied to the email.

Based on these observations, ThreatLabz assesses that the attacker controlled the sender’s email account and used it to deliver a phishing attempt to another address within the same organization. DKIM and SPF checks were likely not applied because the message was handled entirely within the organization’s Microsoft 365 tenant.

Fraudulent web portal

The phishing email used a legal-themed design to lure the recipient. The email was created to appear as an official message from the Colombian judicial system, referencing a labor lawsuit with an authentic-sounding case number and date. The email pressures the recipient to confirm receipt immediately, leveraging authority, fear of legal consequences, and confidentiality warnings to trick the recipient into taking an action, namely opening the attachment.

The figure below shows the SVG image attached to the phishing email. 

The SVG attachment included in BlindEagle’s phishing email.

Figure 2: The SVG attachment included in BlindEagle’s phishing email. 

The image above is fully clickable, and when clicked, a Base64-encoded HTML page embedded within the SVG image is decoded and opened in a new tab. 

As shown in the figure below, the HTML page mimics an official web portal from the Colombian judicial branch.

Fraudulent web portal presented to the user during BlindEagle’s attack.

Figure 3: Fraudulent web portal presented to the user during BlindEagle’s attack.

The fraudulent web portal is designed to deliver a JavaScript file named ESCRITO JUDICIAL AGRADECEMOS CONFIRMAR RECIBIDO NOTIFICACION DE ADMISION DEMANDA LABORAL ORDINARIA E S D.js, which downloads automatically a few seconds after the user opens the portal.

JavaScript files and PowerShell command

After the user double-clicks on the fraudulent receipt downloaded from the fraudulent web portal, a file-less attack chain composed of three JavaScript code snippets followed by a PowerShell command is initiated.

The first two JavaScript files share the same structure and purpose: deobfuscating and executing the next step. Each script begins by defining a long array of integers that represents the obfuscated payload. This array is then processed using a simple deobfuscation algorithm, which reconstructs the executable code and launches the next script in the chain.

A Python translation of this deobfuscation algorithm is provided in the code sample below.

def deobfuscate(obf_code: List[int], step: int) -> str:
   deobf_code = ""
   for i in obf_code:
       # int_to_char() is similar to chr() but it ignores surrogate characters.
       c = int_to_char(i - step) 
       deobf_code += c
   return deobf_code

The third stage JavaScript file introduces added complexity by intermixing the executable code with sections containing Unicode-based comments. 

As illustrated in the figure below, the deobfuscation procedure used in this step differs from the techniques applied in the previous scripts. To obtain the final payload, two replacement steps are performed. These steps strip out sequences of Unicode characters embedded in a dynamically composed string.

Excerpt of the last JavaScript stage executed along the attack chain.

Figure 4: Excerpt of the last JavaScript stage executed along the attack chain.

The goal of the third JavaScript stage is to execute a PowerShell command. Specifically, it leverages Windows Management Instrumentation (WMI) to obtain a Win32_Process instance. The PowerShell command is executed via the Create() method of the Win32_Process object, while the ShowWindow property of the Win32_ProcessStartup object is set to zero.

The decoded PowerShell is shown in the figure below.

Decoded BlindEagle Powershell command.

Figure 5: Decoded BlindEagle PowerShell command.

This command is designed to download an image file from the Internet Archive. Once downloaded, the script carves out a Base64-encoded payload embedded between two specific markers: BaseStart- and -BaseEnd. An example of the first marker is shown in the figure below.

Content deobfuscated by the PowerShell command.

Figure 6: Content deobfuscated by the PowerShell command.

After isolating the payload, the script decodes it from Base64 format and dynamically loads it as a .NET assembly using reflection. This process culminates with the invocation of the VAI method within the ClassLibrary1.Home class of the loaded routine.

Caminho

ThreatLabz identified the assembly loaded by the PowerShell command in the attack chain as a malware downloader known as Caminho (and VMDetectLoader), which can be traced back to May 2025. BlindEagle was one of the early adopters of Caminho, likely using it in a campaign documented in June 2025. Since that time, Caminho has been utilized by several threat actors to deliver a variety of malware, including XWorm.

Evidence suggests that Caminho may have originated within the Brazilian cybercriminal ecosystem. Two key factors support this hypothesis:

  • The widespread use of this malware in attacks against Brazilian organizations.
  • The presence of Portuguese words in the malware’s code, including argument names as shown below. 
public static void VAI(
 string QBXtX, 
 string startupreg, 
 string caminhovbs, 
 string namevbs, 
 string netframework, 
 string nativo, 
 string nomenativo, 
 string persitencia, 
 string url, 
 string caminho, 
 string nomedoarquivo, 
 string extençao, 
 string minutos, 
 string startuptask, 
 string taskname, 
 string vmName, 
 string startup_onstart
)

The export VAI invoked by the PowerShell script contains arguments written in Portuguese, such as “caminho” meaning “path” and hence the malware’s name.

The codebase of the sample analyzed by ThreatLabz is heavily obfuscated, featuring techniques such as code flattening, junk code, and anti-debugging measures.

The main purpose of the VAI method is to download a text file named AGT27.txt from the following Discord URL:

hXXps://cdn.discordapp[.]com/attachments/1402685029678579857/1410251798123511808/AGT27.txt?ex=68b056d5&is=68af0555&hm=3ef2cf8f65a9a6f4955ecd0292af0cd68e65864907d07543c416ab28a2acfa6d&

The URL is obfuscated, encoded in Base64 and reversed before being passed to the VAI method. Caminho deobfuscates the URL and downloads AGT27.txt using System.Net.WebClient.downloadString(). It is worth noting that the file never touches the disk; instead, it is loaded directly in memory.

Once the file is downloaded, AGT27.txt, which contains Base64-encoded and reversed content, is deobfuscated by Caminho. The decoded payload is then executed using a technique known as process hollowing, where a legitimate Windows utility, MSBuild.exe, is launched and hollowed out to host the malicious code. The payload injected in this case is a DCRAT executable.

DCRAT

The final stage of the attack chain delivers DCRAT, an open-source RAT developed in C# that offers a variety of features including keylogging, disk access, and more. It is one of the prevalent variants of AsyncRAT, but distinguishes itself with new capabilities, such as patching Microsoft’s Antimalware Scan Interface (AMSI) to evade detection.

In this campaign, the DCRAT configuration is encrypted using AES-256 encryption, with a symmetric key of aPZ0ze9qOhazFFqspYVRZ8BW14nGuRUe. Additionally, the configuration includes a certificate having two critical functions:

  1. The certificate is used to ensure the integrity of the configuration and prevent tampering. This particular feature is also present in DCRAT’s publicly available source code.
  2. The certificate is a key component for C2 server authentication. This functionality is not part of DCRAT’s original source code and was added later.

The use of certificate-based server authentication allowed ThreatLabz to identify 24 hosts worldwide that expose a certificate with the same issuer, as listed in the table below. 

ANALYST NOTE: Only a subset of these hosts are likely part of the infrastructure operated by the threat actor behind this attack, as DCRAT is an open-source malware available for general use.

45.74.34.32

45.133.180.138

45.133.180.154

45.153.34.67

46.246.6.9

74.124.24.240

83.147.37.31

103.20.102.130

103.20.102.151

103.186.108.212

103.236.70.158

104.194.154.39

146.70.49.42

146.70.215.50

178.16.54.45

179.13.4.196

179.13.11.235

181.131.217.135

181.206.158.190

181.235.3.119

185.18.222.5

191.91.178.101

191.93.118.254

203.104.42.92

Table 1: List of hosts exposing an X.509 certificate issued by the same source as the certificate embedded in the DCRAT sample used by BlindEagle.