Full Report
In June 2025, LevelBlue SpiderLabs published Tracing Blind Eagle to Proton66, in which we assessed with high confidence that Blind Eagle (also tracked as APT-C-36, APT-Q-98, TAG-144, AguilaCiega), a threat actor focused on Latin America, had moved part of its VBScript delivery infrastructure onto the Russian bulletproof hosting provider Proton66. A year later, we're still tracking this cluster closely, and the group hasn't slowed down. If anything, it has kept building.
Analysis Summary
# Threat Actor: Blind Eagle
## Attribution & Identity
* **Primary Name:** Blind Eagle
* **Aliases:** APT-C-36, APT-Q-98, TAG-144, AguilaCiega.
* **Associations:** Assessed to be a threat group primarily focused on Latin America. They are known to utilize Russian bulletproof hosting (Proton66) and commercial VPN services for their infrastructure.
## Activity Summary
The actor remains highly active as of mid-2026. Recent operations (May–July 2026) involve the deployment of evolved toolkits via newly exposed staging servers. Key developments include the use of complex multi-language droppers, infrastructure hosted on the "Proton66" platform, and the deployment of a significantly upgraded AsyncRAT variant (JC-46).
## Tactics, Techniques & Procedures
* **Delivery & Execution:**
* Use of VBScript, JavaScript, and AutoIt3-based droppers.
* Staging payloads through `raw.githubusercontent.com` to bypass security allow-lists.
* Deployment of RunPE loaders to execute payloads in memory (fileless).
* **Persistence:**
* Scheduled Tasks: Creating tasks disguised as legitimate software (e.g., “Photo Studio”) triggered at logon.
* **Defense Evasion:**
* **Obfuscation:** Custom AES S-box permutations in JavaScript; string encryption using fixed-key XOR (0xE0).
* **Self-Mutation:** Self-rewriting scripts that modify their own source on disk.
* **Payload Encoding:** Custom "Base28" encoding for the JC-46 loader.
* **Malware Capabilities:**
* **Process Injection:** Windows Notification Facility (WNF) injection technique.
* **Credential Theft:** Bypassing Google Chrome App-Bound Encryption (ABE) v20.
* **Financial Fraud:** Using Hidden VNC (HVNC) and browser profile cloning for banking theft.
## Targeting
* **Sectors:** Primarily focused on South American organizations and banking customers.
* **Geography:** Latin America (specifically Colombia and Ecuador, based on historical context and specific local language artifacts).
* **Victims:** Financial institutions and their users; organizations in South America.
## Tools & Infrastructure
* **Malware:**
* **AsyncRAT (Variant JC-46):** Materially upgraded version with HVNC and WNF injection.
* **AutoIt3 Interpreter:** Used for RunPE loading.
* **VBScript/JavaScript Droppers.**
* **Infrastructure:**
* **Staging Servers (Open Directories):**
* 46[.]246.84.5
* 181[.]235.8.24
* 178[.]16.52.80
* 64[.]89.160.17
* **Hosting:** Russian bulletproof host "Proton66".
* **C2 Trends:** Heavy reliance on dynamic DNS and commercial VPN exit pools (unchanged since 2023).
## Implications
Blind Eagle demonstrates a high operational tempo despite a relatively narrow and "noisy" infrastructure profile. Their willingness to iterate on obfuscation techniques—such as custom crypto permutations and WNF injection—shows a transition toward more sophisticated evasion despite using common, off-the-shelf malware like AsyncRAT. The move to target Chrome’s ABE v20 indicates they are keeping pace with modern browser security updates.
## Mitigations
* **Network Monitoring:** Monitor or block traffic to known bulletproof hosting providers like Proton66 and strictly audit the use of Dynamic DNS (DynDNS) services.
* **Policy:** Implement strict execution policies for VBScript, AutoIt3, and PowerShell. Block or alert on unauthorized scripts running from the `%TEMP%` directory.
* **Application Control:** Limit the execution of known tools like `AutoIt3.exe` unless explicitly required for business operations.
* **Threat Hunting:** Hunt for Scheduled Tasks with suspicious names (e.g., “Photo Studio”) or those that execute scripts from user-writable directories.
* **GitHub Inspection:** Monitor traffic to `raw.githubusercontent.com` for unusual file downloads (e.g., `.pif`, `.html`, or `.vbs` files) occurring outside of developer workflows.