Blind Eagle Linked to Russian Host Proton66 in Latin America Attacks

Blind Eagle hackers linked to Russian host Proton66 to target banks in Latin America using phishing and RATs. Trustwave urges stronger security.

HackRead

Trustwave SpiderLabs, a leading cybersecurity research team, has confidently connected the cyber threat group known as Blind Eagle (also called APT-C-36) with Proton66, a Russian company that provides bulletproof hosting services.

Blind Eagle is an active threat actor notorious for targeting organizations across Latin America, with a particular focus on financial institutions in Colombia. Reportedly, this link results from SpiderLabs’ continuous monitoring of Proton66’s infrastructure for several months.

**The Attack Infrastructure**

According to SpiderLabs’ investigation, shared with Hackread.com, their analysts made this connection by examining assets tied to Proton66, which led them to an interconnected network of domains and IP addresses. This infrastructure, which became notably active in the summer of 2024 (with specific domain registrations observed starting August 12, 2024), relies heavily on free Dynamic DNS (DDNS) services.

Image via Trustwave SpiderLabs

The campaign's initial attack method relies exclusively on Visual Basic Script (VBS) files. These scripts act as loaders for commonly available Remote Access Trojans (RATs), malicious software that lets attackers control a compromised computer remotely.

Further analysis showed that some VBS code samples overlapped with previously identified samples generated by a service called Vbs-Crypter, used to hide and package malicious VBS payloads.

Despite the potential high value of their targets, the threat actors behind Blind Eagle showed surprisingly little effort to conceal their operational infrastructure. Researchers found numerous open directories containing identical malicious files, and in some cases, even complete phishing pages designed to impersonate well-known Colombian banks like Bancolombia, BBVA, Banco Caja Social, and Davivienda. These fake websites were crafted to steal user login details and other sensitive financial information.

Davivienda’s phishing page (Image via Trustwave SpiderLabs)

**Targeting and Protection**

The phishing sites replicated legitimate banking login portals using standard web components. Alongside these fake pages, the infrastructure also hosted VBS scripts that served as the first stage of malware delivery. These scripts included code designed to gain administrative privileges on a victim’s computer and then download further payloads, typically commodity RATs such as Remcos or AsyncRAT.

Once a system is infected, these RATs establish a connection back to a C2 server, allowing the attackers to manage compromised hosts, steal data, and execute further commands. Trustwave even observed a botnet management panel with a Portuguese-language interface, showing a dashboard of infected machines, primarily in Argentina.

Trustwave previously confirmed that Proton66’s infrastructure is being exploited for malicious activities, including campaigns from SuperBlack ransomware operators and Android malware distribution.

As Hackread.com reported, the infrastructure is a hub for cyber threats, including the distribution of Android malware via hacked WordPress sites and targeted attacks deploying specific malware like XWorm and Strela Stealer. Trustwave also noted potential connections to Chang Way Technologies, indicating Proton66’s role as a key enabler for cybercriminal operations.

The company warns that organizations in Latin America, particularly those in the financial sector, must strengthen their defenses. This includes hardening email filtering systems, educating staff to recognize localized phishing attempts, and proactively monitoring for threat indicators and infrastructure specific to the region.
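Two of the traits the report describes, heavy use of free Dynamic DNS hostnames and VBS files as the first-stage loader, are cheap to hunt for in logs a defender already has. The script below is an added illustration of that monitoring step; it is not Trustwave's or HackRead's code and contains no indicators from the campaign. The DNS and mail-gateway log layouts, the sample log lines, and the list of DDNS provider suffixes are all assumptions constructed for the example and should be replaced with your own telemetry formats and watchlist.

```python
"""Hunt for free-DDNS lookups and VBS mail attachments in constructed sample logs.

Added example: the log formats, sample lines and DDNS suffix list are assumptions,
not indicators published with the Blind Eagle / Proton66 report.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Assumed watchlist of free Dynamic DNS zones; the article names none, so
# populate this from your own threat-intel sources.
DDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net", "hopto.org", "dynu.net")

# Assumed resolver log layout:  "<ts> <client_ip> query <qname>"
DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)$")
# Assumed mail-gateway log layout: "<ts> from=<addr> to=<addr> attach=<filename>"
MAIL_LINE = re.compile(
    r"^(?P<ts>\S+)\s+from=(?P<sender>\S+)\s+to=(?P<rcpt>\S+)\s+attach=(?P<name>\S+)$"
)


def is_ddns_host(qname: str) -> bool:
    """True if qname is a watchlisted DDNS zone or a subdomain of one.

    Matching is done on label boundaries, so 'notduckdns.org' is not a hit,
    and a trailing dot from the resolver log is tolerated.
    """
    host = qname.rstrip(".").lower()
    return any(host == s or host.endswith("." + s) for s in DDNS_SUFFIXES)


def is_vbs_attachment(name: str) -> bool:
    """Case-insensitive .vbs check that also catches double extensions
    such as 'Comprobante.pdf.vbs'."""
    return name.lower().endswith(".vbs")


def scan_dns(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client_ip, normalized_qname) for every DDNS lookup."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if m and is_ddns_host(m["qname"]):
            hits.append((m["ts"], m["client"], m["qname"].rstrip(".").lower()))
    return hits


def scan_mail(lines: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, sender, recipient, attachment) for every VBS attachment."""
    hits = []
    for line in lines:
        m = MAIL_LINE.match(line.strip())
        if m and is_vbs_attachment(m["name"]):
            hits.append((m["ts"], m["sender"], m["rcpt"], m["name"]))
    return hits


def hunt(dns_lines: Iterable[str], mail_lines: Iterable[str]) -> Dict[str, list]:
    """Combine both scans into a triage list of hosts and mailboxes to review."""
    dns_hits = scan_dns(dns_lines)
    mail_hits = scan_mail(mail_lines)
    return {
        "ddns_lookups": dns_hits,
        "vbs_attachments": mail_hits,
        "clients_to_review": sorted({client for _, client, _ in dns_hits}),
        "recipients_to_review": sorted({rcpt for _, _, rcpt, _ in mail_hits}),
    }


# Constructed sample logs (not real telemetry); hostnames and addresses are invented.
DNS_LOG = """\
2024-08-12T10:01:02Z 10.0.0.15 query api.example-bank.co
2024-08-12T10:01:09Z 10.0.0.15 query pagos-actualizar.duckdns.org.
2024-08-12T10:02:30Z 10.0.0.22 query cdn.example.net
2024-08-12T10:03:11Z 10.0.0.22 query factura-cliente.ddns.net
2024-08-12T10:04:00Z 10.0.0.31 query notduckdns.org
"""

MAIL_LOG = """\
2024-08-12T09:58:41Z from=cobros@example.test to=user1@corp.example attach=Estado_de_cuenta.pdf
2024-08-12T09:59:05Z from=alertas@example.test to=user2@corp.example attach=Comprobante.pdf.vbs
2024-08-12T10:00:17Z from=rrhh@corp.example to=user3@corp.example attach=Nomina.xlsx
2024-08-12T10:00:50Z from=soporte@example.test to=user1@corp.example attach=AVISO.VBS
"""

if __name__ == "__main__":
    report = hunt(DNS_LOG.splitlines(), MAIL_LOG.splitlines())
    for key, value in report.items():
        print(f"{key}: {value}")
```

A DDNS lookup or a VBS attachment on its own is only a lead, not a verdict; the value of the two scans together is that they point at the same small set of endpoints and mailboxes to examine first, which is the kind of region-specific monitoring the report recommends.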
