Cyber espionage group reappears with new attack chain.

Apr 20 2023

Gone Phishing Banner

Welcome to Gone Phishing, your cybersecurity newsletter that bullies cybercriminals like Dominic Rabb bullies… Well, everyone. 

Today’s hottest cyber security stories:

  • Blind Eagle cyber espionage group reappears with new attack chain
  • WhatsApp with the UK’s online safety bill?
  • Google TAGs Russian spy group phishing in Ukraine’s waters


Talk about the blind leading the stupid. Hey, no victim blaming! Fine. So, what’s the scoop? Basically, there’s a group called Blind Eagle, or APT-C-36 if you wanna get all technical, who love to strike private and public entities in Colombia, as well as causing trouble in Ecuador, Chile, and Spain.

Yes, it’s sweeping the Latin world like that song that Justin Bieber adapted or appropriated, depending on your political leanings, for white audiences. And unfortunately, it doesn’t act ‘despacito’ (slowly).

Here’s another thing about the Blind Eagle collective: they’re not actually blind (no sh*t!), they just can’t see straight! And their weapon of choice? Spear-phishing lures!

No, not the ones you use to catch fish, silly! They use them to deliver malware like BitRAT and AsyncRAT, which are particularly nasty strains of malware delivered to carefully selected targets (that’s what spear-phishing is, FYI).

And get this, they’re even using Python loaders that can launch a Meterpreter payload! We don’t even know what that means, but it sounds scary.

The geniuses over at ThreatMon discovered that Blind Eagle is now using a JavaScript downloader to execute a PowerShell script hosted on Discord CDN. They’re dropping all sorts of crazy files like PowerShell scripts, Windows batch files, and VBScript files all over the place!

It’s like they’re making their victims play a screwed up version of “Where’s Wally?” (that’s ‘Waldo’ to you Yanks!) except instead of Wally, it’s viruses, which is decidedly less fun.

They may be Blind, but they’re definitely not dumb!

Anyway, if Blind Eagle ever comes knocking on your computer’s door, just remember: they might be blind, but they’re definitely not dumb!

Indeed, as ThreatMon explained in a report posted on Tuesday: “The group is known for using a variety of sophisticated attack techniques, including custom malware, social engineering tactics, and spear-phishing attacks.”

I smell a RAT

In the final stage of infection (yikes!), the aforementioned PowerShell script is used to execute njRAT.

“njRAT, also known as Bladabindi is a remote access tool (RAT) with user interface or trojan which allows the holder of the program to control the end-user’s computer,” the cybersecurity firm said.

In the enduring words of The Dude from The Big Lebowski: “I hate the f*cking Eagles, man!


Does this Signal the end of protected encryption online? This one made us sit up and take notice because if something causes two sworn enemies (okay, rivals) to join forces then it must be pretty bad, right? Or bad for those affected, at least.

So WhatsApp and Signal have buried the hatchet to take on the UK’s online safety bill. But why? Sounds innocuous enough, right? Yep, but they always do.

I mean that’s probably why the Bush administration named that piece of legislation ‘The Patriot Act’ and not the ‘let us spy on anyone and everyone whenever we want and for as long we want’ act.

Another great thing about doing this is that if anyone disagrees the creators can say ‘what’s the matter? Don’t you love America? Hey, this guy hates America!’

Or, in the case of the online safety bill: ‘Oh, so you’re anti-online safety?’ Clever stuff, huh? Well, not really but you’d be surprised how effective it can be!

In an open letter signed by the heads of both organisations as well as five other encrypted chat apps, the executives say the bill could be used to in effect outlaw end-to-end encryption.

“The bill provides no explicit protection for encryption,” they say, “and if implemented as written, could empower Ofcom to try to force the proactive scanning of private messages on end-to-end encrypted communication services, nullifying the purpose of end-to-end encryption as a result and compromising the privacy of all users.

“In short, the bill poses an unprecedented threat to the privacy, safety and security of every UK citizen and the people with whom they communicate around the world, while emboldening hostile governments who may seek to draft copycat laws.”


Basically, when you see ‘online safety’ in the context of this new bill, think anti-privacy, anti-encryption, anti-freedom.

There, UK government: FIFY!  


Got room for one more phish finger? That’s phish stick to our American readers. Gosh, this is getting tiring.

So, Russia’s elite squad of hackers is at it again and once again they’ve got Ukraine in their crosshairs. These sneaky devils are using some serious phishing skills to try and get their grubby mitts on some juicy intel and shape public opinion about the ongoing war.

But don’t worry, Google’s Threat Analysis Group (TAG) is on the case. They’re keeping a close eye on these cybercriminals, who are going by the name FROZENLAKE.

These jokers go by many names,  like APT28, Fancy Bear, Forest Blizzard, Iron Twilight, Sednit, and Sofacy. Seriously, who comes up with this stuff? Sounds like they’re trying to win some kind of cyber-espionage beauty pageant.

But let’s not forget, these guys mean business. They’ve been at it since 2009, hacking into media, governments, and military entities to get their grubby little hands on some top-secret info.

So, if you’re in Ukraine and get an email from FROZENLAKE asking for your NI or social security number – maybe just hit delete.

So long and thanks for reading all the phish!

Recent articles