The notorious Latin American threat actor known as Blind Eagle (also identified as APT-C-36) continues to pose a significant and evolving risk to financial institutions across the region. Recent intelligence indicates a worrying trend in their operations, with the group increasingly leveraging the infrastructure of Proton66, a Russian-based bulletproof hosting provider, to enhance their attack capabilities and evade detection.
Blind Eagle, active since at least 2018, has a long history of targeting governmental and financial entities, primarily in Colombia, but also extending its reach to other Latin American countries like Ecuador, Chile, and Panama. Their modus operandi often begins with sophisticated social engineering tactics, predominantly spear-phishing emails. These emails are meticulously crafted to impersonate legitimate organizations, luring unsuspecting victims into clicking malicious links or downloading infected attachments.
In recent campaigns, Blind Eagle has demonstrated rapid adaptation, even weaponizing newly patched vulnerabilities. For instance, shortly after Microsoft addressed CVE-2024-43451 (a Windows flaw that could expose NTLMv2 hashes), Blind Eagle quickly incorporated a similar technique involving malicious .url files. While their variant didn’t directly exploit the vulnerability to steal hashes, it still triggered WebDAV requests, notifying the attackers of file interaction and laying the groundwork for subsequent payload delivery.
The group’s malware arsenal typically includes commodity Remote Access Trojans (RATs) such as Remcos RAT, AsyncRAT, and NjRAT, often protected by packers like HeartCrypt. These RATs grant attackers extensive control over compromised systems, enabling data theft, remote execution, and persistent access. Blind Eagle also leverages legitimate cloud platforms like Google Drive, Dropbox, Bitbucket, and GitHub to host their malicious payloads, further complicating detection efforts.
The emergence of Proton66 in Blind Eagle’s operational infrastructure marks a concerning escalation. Proton66 (AS198953) is a “bulletproof” hosting service known for its tolerance of illicit activities, providing a haven for cybercriminals. By utilizing such a service, Blind Eagle can more effectively obscure their command-and-control (C2) servers and phishing pages, making it harder for cybersecurity defenders to track and disrupt their activities. Security researchers have observed a surge in malicious traffic originating from Proton66 since January 2025, with technology and financial organizations being common targets globally.
This strategic shift highlights Blind Eagle’s ongoing commitment to sophisticated attacks and their willingness to exploit available resources in the cybercriminal underground. Financial institutions in Latin America must remain highly vigilant, bolstering their email security, actively monitoring network traffic for unusual connections, and implementing comprehensive threat intelligence to anticipate and defend against this persistent and evolving threat.
