Ptechhub

Blind Eagle Uses Proton66 Hosting for Phishing, RAT Deployment on Colombian Banks

The Hacker News by The Hacker News
June 30, 2025


Jun 30, 2025Ravie LakshmananCybercrime / Vulnerability

The threat actor known as Blind Eagle has been attributed with high confidence to the use of the Russian bulletproof hosting service Proton66.

Trustwave SpiderLabs, in a report published last week, said it was able to make this connection by pivoting from Proton66-linked digital assets, leading to the discovery of an active threat cluster that leverages Visual Basic Script (VBS) files as its initial attack vector and installs off-the-shelf remote access trojans (RATs).

Many threat actors rely on bulletproof hosting providers like Proton66 because these services intentionally ignore abuse reports and legal takedown requests. This makes it easier for attackers to run phishing sites, command-and-control servers, and malware delivery systems without interruption.

The cybersecurity company said it identified a set of domains with a similar naming pattern (e.g., gfast.duckdns[.]org, njfast.duckdns[.]org) beginning in August 2024, all of which resolved to the same IP address (“45.135.232[.]38”) that’s associated with Proton66.

The use of dynamic DNS services like DuckDNS also plays a key role in these operations. Instead of registering new domains each time, attackers rotate subdomains tied to a single IP address — making detection harder for defenders.
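The rotation pattern described above leaves a pivot for defenders: many dynamic DNS names resolving to one answer IP. The following is an added example, not code from Trustwave or the article; the log format, hostnames and function names are constructed for illustration, and the answer IPs are documentation addresses.

```python
from collections import defaultdict

# Dynamic DNS zones to watch; duckdns.org is the provider named in the article.
DYNDNS_ZONES = ("duckdns.org",)

# Constructed resolver log: "<timestamp> <client-ip> <query-name> <answer-ip>".
# Hostnames are made up and the answer IPs are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
2025-06-02T09:14:03Z 10.0.0.12 aafast.duckdns.org. 198.51.100.7
2025-06-02T09:20:41Z 10.0.0.31 bbfast.duckdns.org 198.51.100.7
2025-06-03T11:02:17Z 10.0.0.12 CCfast.DuckDNS.org 198.51.100.7
2025-06-03T11:05:00Z 10.0.0.12 aafast.duckdns.org 198.51.100.7
2025-06-03T12:30:55Z 10.0.0.44 homelab.duckdns.org 203.0.113.9
2025-06-03T12:31:10Z 10.0.0.44 www.example.com 198.51.100.7
malformed line without enough fields
"""

def normalize(qname):
    """Lower-case and drop the trailing root dot so variants compare equal."""
    return qname.lower().rstrip(".")

def is_dyndns(qname):
    """True for hosts under a watched dynamic DNS zone (not the zone apex)."""
    return any(qname.endswith("." + zone) for zone in DYNDNS_ZONES)

def flag_rotation(log_text, min_hosts=3):
    """Return answer IPs fronted by at least min_hosts distinct dynamic DNS names,
    with the internal clients that looked them up (the hosts to triage)."""
    hosts, clients = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed records instead of failing the whole run
        _, client, qname, answer = fields
        qname = normalize(qname)
        if is_dyndns(qname):
            hosts[answer].add(qname)
            clients[answer].add(client)
    return {ip: {"hosts": sorted(names), "clients": sorted(clients[ip])}
            for ip, names in hosts.items() if len(names) >= min_hosts}

if __name__ == "__main__":
    for ip, hit in flag_rotation(SAMPLE_LOG).items():
        print(ip, hit["hosts"], "queried by", hit["clients"])
```

The threshold of three names is an assumption to tune per environment; a single dynamic DNS name on an IP, like the home-lab entry in the sample, is common and not flagged.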


“The domains in question were used to host a variety of malicious content, including phishing pages and VBS scripts that serve as the initial stage of malware deployment,” security researcher Serhii Melnyk said. “These scripts act as loaders for second-stage tools, which, in this campaign, are limited to publicly available and often open-source RATs.”

While Visual Basic Script (VBS) might seem outdated, it’s still a go-to tool for initial access due to its compatibility with Windows systems and ability to run silently in the background. Attackers use it to download malware loaders, bypass antivirus tools, and blend into normal user activity. These lightweight scripts are often the first step in multi-stage attacks, which later deploy remote access trojans (RATs), data stealers, or keyloggers.

The phishing pages have been found to mimic legitimate Colombian banks and financial institutions, including Bancolombia, BBVA, Banco Caja Social, and Davivienda. Blind Eagle, also known as AguilaCiega, APT-C-36, and APT-Q-98, is known for its targeting of entities in South America, particularly Colombia and Ecuador.

The deceptive sites are engineered to harvest user credentials and other sensitive information. The VBS payloads hosted on the infrastructure come fitted with capabilities to retrieve encrypted executable files from a remote server, essentially acting as a loader for commodity RATs like AsyncRAT or Remcos RAT.

Furthermore, an analysis of the VBS code has revealed overlaps with Vbs-Crypter, a tool linked to a subscription-based crypter service called Crypters and Tools that’s used to obfuscate and pack VBS payloads to avoid detection.

Trustwave said it also discovered a botnet panel that allows users to “control infected machines, retrieve exfiltrated data, and interact with infected endpoints through a broad set of capabilities typically found in commodity RAT management suites.”


The disclosure comes as Darktrace revealed details of a Blind Eagle campaign that has been targeting Colombian organizations since November 2024 by exploiting a now-patched Windows flaw (CVE-2024-43451) to download and execute the next-stage payload, a behavior that was first documented by Check Point in March 2025.

“The persistence of Blind Eagle and ability to adapt its tactics, even after patches were released, and the speed at which the group were able to continue using pre-established TTPs highlights that timely vulnerability management and patch application, while essential, is not a standalone defense,” the company said.
