The threat actor known as Blind Eagle has been attributed with high confidence to the use of the Russian bulletproof hosting service Proton66.
Trustwave SpiderLabs, in a report published last week, said it was able to make this connection by pivoting from Proton66-linked digital assets, leading to the discovery of an active threat cluster that leverages Visual Basic Script (VBS) files as its initial attack vector and installs off-the-shelf remote access trojans (RATS).
Many threat actors rely on bulletproof hosting providers like Proton66 because these services intentionally ignore abuse reports and legal takedown requests. This makes it easier for attackers to run phishing sites, command-and-control servers, and malware delivery systems without interruption.
The cybersecurity company said it identified a set of domains with a similar naming pattern (e.g., gfast.duckdns[.]org, njfast.duckdns[.]org) beginning in August 2024, all of which resolved to the same IP address (“45.135.232[.]38”) that’s associated with Proton66.
The use of dynamic DNS services like DuckDNS also plays a key role in these operations. Instead of registering new domains each time, attackers rotate subdomains tied to a single IP address — making detection harder for defenders.
“The domains in question were used to host a variety of malicious content, including phishing pages and VBS scripts that serve as the initial stage of malware deployment,” security researcher Serhii Melnyk said. “These scripts act as loaders for second-stage tools, which, in this campaign, are limited to publicly available and often open-source RATs.”
While Visual Basic Script (VBS) might seem outdated, it’s still a go-to tool for initial access due to its compatibility with Windows systems and ability to run silently in the background. Attackers use it to download malware loaders, bypass antivirus tools, and blend into normal user activity. These lightweight scripts are often the first step in multi-stage attacks, which later deploy remote access trojans (RATs), data stealers, or keyloggers.
The phishing pages have been found to legitimate Colombian banks and financial institutions, including Bancolombia, BBVA, Banco Caja Social, and Davivienda. Blind Eagle, also known as AguilaCiega, APT-C-36, and APT-Q-98, is known for its targeting of entities in South America, particularly Colombia and Ecuador.
The deceptive sites are engineered to harvest user credentials and other sensitive information. The VBS payloads hosted on the infrastructure come fitted with capabilities to retrieve encrypted executable files from a remote server, essentially acting as a loader for commodity RATS like AsyncRAT or Remcos RAT.
Furthermore, an analysis of the VBS codes has revealed overlaps with Vbs-Crypter, a tool linked to a subscription-based crypter service called Crypters and Tools that’s used to obfuscate and pack VBS payloads with an aim to avoid detection.
Trustwave said it also discovered a botnet panel that allows users to “control infected machines, retrieve exfiltrated data, and interact with infected endpoints through a broad set of capabilities typically found in commodity RAT management suites.”
The disclosure comes as Darktrace revealed details of a Blind Eagle campaign that has been targeting Colombian organizations since November 2024 by exploiting a now-patched Windows flaw (CVE-2024-43451) to download and execute the next-stage payload, a behavior that was first documented by Check Point in March 2025.
“The persistence of Blind Eagle and ability to adapt its tactics, even after patches were released, and the speed at which the group were able to continue using pre-established TTPs highlights that timely vulnerability management and patch application, while essential, is not a standalone defense,” the company said.
