The threat actor group Blind Eagle (also known as AguilaCiega, APT-C-36, or APT-Q-98) has been linked to the Russian bulletproof hosting service Proton66 in a campaign targeting Colombian financial institutions. Trustwave SpiderLabs assessed this connection with high confidence after tracing Proton66-linked infrastructure to active clusters deploying phishing tools and remote access trojans (RATs) against banks like Bancolombia, BBVA, Banco Caja Social, and Davivienda.
Proton66 Hosting Infrastructure
Trustwave SpiderLabs found that Blind Eagle exploited Proton66’s bulletproof hosting, which intentionally ignores abuse reports and legal takedown requests. This allowed the group to operate phishing sites and malware delivery systems uninterrupted. Key infrastructure elements included domains such as gfast.duckdns.org and njfast.duckdns.org, which resolved to the Proton66-associated IP address 45.135.232.38. Attackers rotated subdomains tied to this single IP to evade detection while hosting malicious content.
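The pivot defenders get from this finding is the shared IP: rotating subdomains under a dynamic-DNS zone defeats name-based blocklists, but every one of them still resolves to the same Proton66 address. The following is an added example, not code from the article or from Trustwave, that runs that pivot over resolver logs. It assumes a simple `query=... answer=...` log line shape (constructed here), treats duckdns.org as the dynamic-DNS parent zone to cluster on, and uses an invented sibling name, xxfast.duckdns.org, to show a never-before-seen subdomain being caught because it shares the flagged IP. The IP and the two domain names are the indicators quoted in the text.

```python
import re
from collections import defaultdict

# Indicators taken from the Trustwave SpiderLabs findings quoted in the article
PROTON66_IP = "45.135.232.38"
KNOWN_DOMAINS = {"gfast.duckdns.org", "njfast.duckdns.org"}
# Assumption: dynamic-DNS parent zones on which sibling subdomains are worth clustering
DYNDNS_PARENTS = ("duckdns.org",)

# Assumed resolver log shape (constructed, not a real product format)
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<query>\S+) type=A answer=(?P<answer>\S+)$"
)

# Constructed sample log; xxfast.duckdns.org is an invented sibling, not a published IoC
SAMPLE_LOG = """\
2025-06-01T08:01:12Z client=10.0.5.21 query=gfast.duckdns.org type=A answer=45.135.232.38
2025-06-01T08:01:13Z client=10.0.5.21 query=www.example.com type=A answer=93.184.216.34
2025-06-01T09:14:02Z client=10.0.7.9 query=njfast.duckdns.org type=A answer=45.135.232.38
2025-06-01T10:22:45Z client=10.0.5.21 query=xxfast.duckdns.org type=A answer=45.135.232.38
2025-06-01T11:00:00Z client=10.0.3.3 query=updates.example.net type=A answer=203.0.113.7
"""


def parse_dns_log(text):
    """Parse resolver lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def normalize(name):
    return name.lower().rstrip(".")


def parent_zone(name):
    """Return the dynamic-DNS parent zone a name sits under, or None."""
    for zone in DYNDNS_PARENTS:
        if name == zone or name.endswith("." + zone):
            return zone
    return None


def cluster_by_ip(records):
    """Map each answer IP to the set of names that resolved to it (the pivot for rotated subdomains)."""
    clusters = defaultdict(set)
    for r in records:
        clusters[r["answer"]].add(normalize(r["query"]))
    return clusters


def find_suspicious(records, bad_ips=frozenset({PROTON66_IP}), known=frozenset(KNOWN_DOMAINS)):
    """Alert on every resolution to a flagged IP and explain why:
    known-ioc          - the name itself is a published indicator
    sibling-subdomain  - an unseen name under the same dynamic-DNS zone sharing the flagged IP
    ip-only            - the IP matched but no naming relationship was found
    """
    clusters = cluster_by_ip(records)
    alerts = []
    for r in records:
        if r["answer"] not in bad_ips:
            continue
        name = normalize(r["query"])
        if name in known:
            reason = "known-ioc"
        else:
            siblings = {
                n for n in clusters[r["answer"]]
                if n != name and parent_zone(n) is not None and parent_zone(n) == parent_zone(name)
            }
            reason = "sibling-subdomain" if siblings else "ip-only"
        alerts.append({"ts": r["ts"], "client": r["client"], "query": name,
                       "ip": r["answer"], "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(parse_dns_log(SAMPLE_LOG)):
        print(alert)
```

Blocking the IP at the resolver or egress firewall is the cheap first step; the clustering output is what tells a responder which internal clients already reached any name in the rotation, not just the two published ones.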
Attack Methodology
SpiderLabs found that phishing pages mimicked Colombian bank login portals to steal credentials. VBS scripts served as initial loaders, downloading encrypted payloads from Proton66 servers; these scripts bypassed defenses using obfuscation tools like Vbs-Crypter. The deployed malware then loaded commodity RATs such as AsyncRAT and Remcos RAT for remote control, data exfiltration, and command execution.
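The loader stage described above leaves a recognisable endpoint pattern whatever the obfuscation inside the script: a Windows script host starts a .vbs from a user-writable location and that same process then makes an outbound connection. The block below is an added example, not the article's or Trustwave's code, that scores process-creation and network events on exactly that chain. The event line format, file names and PIDs are constructed; the Proton66 IP is the one quoted in the text, and the DIAN-themed file name only echoes the lure theme the article mentions.

```python
import re
from collections import defaultdict

PROTON66_IP = "45.135.232.38"  # from the article
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Assumption: path fragments treated as user-writable drop locations (compared lower-cased)
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")

# Assumed event shapes (constructed, Sysmon-like but not a real product format)
PROC_RE = re.compile(
    r'^(?P<ts>\S+) type=ProcessCreate pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) '
    r'image=(?P<image>\S+) cmdline="(?P<cmdline>[^"]*)"$'
)
NET_RE = re.compile(
    r'^(?P<ts>\S+) type=NetworkConnect pid=(?P<pid>\d+) dest=(?P<dest>\S+) dport=(?P<dport>\d+)$'
)

# Constructed sample telemetry; file names and PIDs are invented
SAMPLE_EVENTS = r"""
2025-06-01T08:02:00Z type=ProcessCreate pid=4120 ppid=3310 image=C:\Windows\System32\wscript.exe cmdline="wscript.exe C:\Users\ana\Downloads\Factura_DIAN.vbs"
2025-06-01T08:02:03Z type=NetworkConnect pid=4120 dest=45.135.232.38 dport=8080
2025-06-01T08:05:00Z type=ProcessCreate pid=5002 ppid=3310 image=C:\Windows\System32\cscript.exe cmdline="cscript.exe C:\Program Files\Vendor\inventory.vbs"
2025-06-01T08:05:01Z type=NetworkConnect pid=5002 dest=10.0.0.5 dport=445
2025-06-01T08:09:00Z type=ProcessCreate pid=6100 ppid=3310 image=C:\Windows\System32\wscript.exe cmdline="wscript.exe C:\Users\ana\AppData\Local\Temp\upd.vbs"
"""


def parse_events(text):
    """Split events into process creations keyed by PID and network connections grouped by PID."""
    procs, conns = {}, defaultdict(list)
    for line in text.splitlines():
        m = PROC_RE.match(line.strip())
        if m:
            d = m.groupdict()
            procs[d["pid"]] = d
            continue
        m = NET_RE.match(line.strip())
        if m:
            d = m.groupdict()
            conns[d["pid"]].append(d)
    return procs, conns


def is_script_host(image):
    return image.lower().rsplit("\\", 1)[-1] in SCRIPT_HOSTS


def vbs_from_user_path(cmdline):
    c = cmdline.lower()
    return ".vbs" in c and any(frag in c for frag in USER_WRITABLE)


def detect_vbs_loaders(procs, conns, bad_ips=frozenset({PROTON66_IP})):
    """Flag script hosts running a .vbs from a user-writable path; raise the score when the
    same PID then connects outbound, and again when the destination is a known bad IP."""
    alerts = []
    for pid, p in procs.items():
        if not (is_script_host(p["image"]) and vbs_from_user_path(p["cmdline"])):
            continue
        reasons = ["script-host-runs-vbs-from-user-path"]
        outbound = conns.get(pid, [])
        if outbound:
            reasons.append("outbound-connection")
        if any(c["dest"] in bad_ips for c in outbound):
            reasons.append("known-proton66-ip")
        alerts.append({"pid": pid, "ts": p["ts"], "cmdline": p["cmdline"],
                       "score": len(reasons), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_vbs_loaders(*parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The vendor script under Program Files is deliberately left unflagged: the user-writable-path condition is what keeps this rule from firing on legitimate administrative VBS, and the score lets a triage queue surface the Proton66 hit first without dropping the lower-confidence loader-only event.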
Targeting and Tactics
• Geographic Focus: Primarily Colombian banks, with infrastructure also targeting Ecuador and Brazil.
• Minimal Obfuscation: Operated with little effort to conceal infrastructure; phishing kits and botnet panels were often in open directories.
• Expanded Toolset: Earlier campaigns used spear-phishing emails impersonating Colombia’s tax authority (DIAN) to distribute malicious PDFs and VBS scripts.