Stratos Ally

Blind Eagle Linked to Russian Host in Latin American Phishing Surge


StratosAlly


An investigation by Trustwave SpiderLabs has uncovered a direct connection between the cybercrime group known as Blind Eagle and a Russian hosting provider called Proton66—an operation notorious for disregarding takedown requests and abuse complaints.

During the probe, analysts traced a live network used in the campaign, which relied on Visual Basic Script (VBS) files to deliver well-known remote access tools, including AsyncRAT and Remcos. While VBS may seem outdated, it continues to be a favored method for attackers due to its quiet execution on Windows and its ability to retrieve and launch follow-up malware without alerting the user.

The researchers identified a string of subdomains—such as gfast.duckdns.org and njfast.duckdns.org—appearing around mid-2024. Each was found to point to the same IP address: 45.135.232[.]38, which is part of infrastructure attributed to Proton66.

Operating on Proton66 infrastructure, the attackers used dynamic DNS services such as DuckDNS to rotate subdomains while keeping the same IP addresses, which makes detection harder.
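The rotation pattern just described (many dynamic DNS subdomains, one hosting IP) can be surfaced from resolver logs. The following is an added defender-side example, not code from Trustwave or the article; the log line format is constructed, and the extra dynamic DNS zones beyond duckdns.org are assumptions.

```python
import re
from collections import defaultdict

# Dynamic DNS zones to watch. duckdns.org is the one named in the findings;
# the others are assumed examples of commonly abused free dynamic DNS providers.
DYNDNS_ZONES = ("duckdns.org", "no-ip.org", "ddns.net")

# Constructed resolver log format: timestamp, queried name, answered IPv4 address.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+query=(?P<name>\S+)\s+answer=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

def is_dyndns(name: str) -> bool:
    """True when the hostname is a subdomain of a watched dynamic DNS zone."""
    host = name.lower().rstrip(".")
    return any(host == z or host.endswith("." + z) for z in DYNDNS_ZONES)

def cluster_dyndns(log_lines, min_names=2):
    """Group dynamic DNS hostnames by the IP they resolve to.

    Returns {ip: sorted distinct hostnames} for every IP shared by at least
    `min_names` dynamic DNS names, i.e. the subdomain rotation pattern where
    several throwaway names all point at one hosting address.
    """
    by_ip = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m or not is_dyndns(m["name"]):
            continue
        by_ip[m["ip"]].add(m["name"].lower().rstrip("."))
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) >= min_names}

# Constructed sample log. The two hostnames and the shared IP are the ones reported
# in the article; timestamps and the benign entries are made up for the example.
SAMPLE_LOG = [
    "2024-06-12T09:14:02Z query=gfast.duckdns.org answer=45.135.232.38",
    "2024-06-12T09:14:03Z query=www.example.com answer=93.184.216.34",
    "2024-06-13T11:02:55Z query=njfast.duckdns.org answer=45.135.232.38",
    "2024-06-13T11:03:10Z query=mybox.duckdns.org answer=203.0.113.7",
    "2024-06-14T08:00:00Z query=gfast.duckdns.org answer=45.135.232.38",
]

if __name__ == "__main__":
    for ip, names in cluster_dyndns(SAMPLE_LOG).items():
        print(f"{ip} is shared by {len(names)} dynamic DNS names: {', '.join(names)}")
```

A single dynamic DNS name on an IP is normal home-user traffic; the signal here is several distinct dynamic DNS names converging on one address, which is why the threshold defaults to two.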

To trap victims, Blind Eagle created fake websites imitating major Colombian banks—Bancolombia, BBVA, Banco Caja Social, and Davivienda. These phishing pages harvested credentials while VBS scripts launched malware in the background. The scripts acted as loaders, fetching encrypted executables from remote sources. They bore clear signs of being obfuscated with Vbs-Crypter, linked to a paid Telegram-promoted service called “Crypters and Tools.”

Trustwave also discovered an exposed botnet panel—written in Brazilian Portuguese—with real-time control over infected machines, mostly in Argentina. The control panel offered full visibility into the operation, showing logs of infected machines, deployment links for malicious payloads, and remote access to compromised systems.

Despite going after high-profile financial institutions, the group’s infrastructure lacked discretion. Many of the servers had open directories that openly hosted malware, administrative portals, and phishing kits mimicking legitimate banking websites. Patterns of reused domain names, SSL certificates, and toolkits made their setup easier to trace.

This isn’t Blind Eagle’s first appearance. Earlier activity linked to the same group was documented by cybersecurity firms including Darktrace and Check Point in late 2024. In those incidents, attackers exploited a known Windows vulnerability (CVE-2024-43451) that had already been patched—highlighting their ability to reuse known methods and still find success.

Trustwave is advising financial institutions and other organizations across Latin America to stay on alert. Regional phishing campaigns remain a serious threat, especially when paired with publicly available RATs. Stronger email filtering, employee training, and endpoint defenses—along with tools like MailMarshal—can help reduce these risks. Regular monitoring for local threat indicators and infrastructure patterns is also key as groups like Blind Eagle continue evolving their tactics.
