Blind Eagle Uses VBS Scripts to Deploy RATs

July 1, 2025

The threat actor known as Blind Eagle has been linked with high confidence to the Russian bulletproof hosting service Proton66. Trustwave SpiderLabs made the connection by pivoting from the service’s digital assets to an active threat cluster. Many threat actors rely on bulletproof hosting providers because such services deliberately ignore abuse reports and legal takedown requests, which lets attackers run phishing sites and malware delivery infrastructure without fear of interruption. The researchers first identified a set of domains sharing a similar naming pattern, beginning in August 2024.

The phishing pages have been found to mimic legitimate Colombian banks and many other well-known financial institutions.

Specific targets included Bancolombia, BBVA, Banco Caja Social, and the financial services company Davivienda. Blind Eagle is well known for targeting entities within South America. The phishing sites are built to harvest user credentials and other sensitive personal information. The Visual Basic Scripts hosted on the infrastructure act as loaders for publicly available remote access trojans such as AsyncRAT.

The VBS payloads hosted on the infrastructure are equipped to retrieve encrypted executable files, and function as loaders for commodity remote access trojans such as AsyncRAT and Remcos RAT. Analysis of the VBS code also revealed significant overlaps with Vbs-Crypter, a subscription-based crypter service used to obfuscate and pack VBS payloads. The primary purpose of the crypter is to evade detection by standard antivirus and other security products.

The campaign also uses privilege escalation and Windows Defender exclusions to maintain its persistent foothold on infected systems.

Trustwave also discovered a botnet panel that lets the attackers remotely control the infected machines, retrieve exfiltrated data, and interact with every infected endpoint. The panel features a Brazilian Portuguese interface, and its dashboard shows hundreds of infected machines. The campaign uses Base64-encoded strings executed via PowerShell, together with scheduled tasks, to maintain persistence after the initial infection. The group’s persistence and ability to adapt its tactics highlight that patching alone is not a sufficient defense.
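The persistence and evasion behaviours described above (Base64-encoded PowerShell, scheduled tasks, Windows Defender exclusions, VBS loaders) can be hunted for in process-creation telemetry. The following is an added detection example, not code from the alert or from Trustwave; the process records it runs over are constructed here to mirror the described TTPs and are not indicators from the report.

```python
import base64
import re
from typing import Optional

# Constructed sample process-creation records (image, command line). They are
# made-up examples that mirror the alert's TTPs, not indicators from the report.
SAMPLE_EVENTS = [
    ("wscript.exe", 'wscript.exe //B "C:\\Users\\Public\\invoice.vbs"'),
    ("powershell.exe",
     "powershell.exe -nop -w hidden -enc "
     + base64.b64encode(
         'Add-MpPreference -ExclusionPath "C:\\Users\\Public"'.encode("utf-16-le")
     ).decode()),
    ("schtasks.exe",
     'schtasks.exe /create /sc onlogon /tn Updater /tr "wscript.exe C:\\Users\\Public\\invoice.vbs"'),
    ("notepad.exe", "notepad.exe report.txt"),
]

# PowerShell accepts -EncodedCommand and its unambiguous prefixes (-e, -en, -enc).
ENC_FLAG = re.compile(r"(?i)\s-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
# Defender exclusion tampering and VBS-launching scheduled tasks, as in the alert.
EXCLUSION = re.compile(r"(?i)(Add|Set)-MpPreference\s+-Exclusion(Path|Process|Extension)")
TASK_VBS = re.compile(r"(?i)schtasks(\.exe)?\s+/create.*\.vbs")

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload (PowerShell uses UTF-16LE), or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage(events):
    """Flag events matching the alert's persistence/evasion behaviours.
    Returns a list of (image, reason) tuples; benign events produce nothing."""
    findings = []
    for image, cmdline in events:
        decoded = decode_encoded_command(cmdline) if "powershell" in image.lower() else None
        if decoded is not None:
            findings.append((image, "encoded PowerShell command"))
            if EXCLUSION.search(decoded):
                findings.append((image, "Defender exclusion added via encoded command"))
        if TASK_VBS.search(cmdline):
            findings.append((image, "scheduled task launching a VBS file"))
        if image.lower() == "wscript.exe" and "//b" in cmdline.lower():
            findings.append((image, "wscript run in batch (silent) mode"))
    return findings

if __name__ == "__main__":
    for image, reason in triage(SAMPLE_EVENTS):
        print(f"{image}: {reason}")
```

Decoding the encoded command before matching is what surfaces the Defender exclusion; a rule that only inspects the raw command line would miss it.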

Reference:

  • Blind Eagle Campaign Uses Old School VBS Scripts To Deploy Modern RAT Malware