Blind Eagle Exploits Proton66 Hosting for Cyber Attacks on Colombian Banks
June 30, 2025
Cybersecurity Update
A recent report by Trustwave SpiderLabs has traced the activities of the cyber threat group known as Blind Eagle, linking the group's operations with high confidence to the Russian hosting service Proton66. The analysis arose from investigations into digital assets associated with Proton66, which led the researchers to an active threat cluster that uses Visual Basic Script (VBS) files as its initial attack vector and readily available remote access trojans (RATs) for follow-on exploitation.
Despite the perception that VBS is an outdated technology, it remains a favored method for cybercriminals. The simplicity with which these scripts can be bundled into phishing emails poses a significant risk to unsuspecting targets. The bulletproof nature of hosting services like Proton66 is particularly appealing to malicious actors, as these providers are known for overlooking abuse reports and ignoring legal takedown requests. This operational leniency allows criminals to establish and maintain phishing sites, command-and-control servers, and malware distribution networks with relative ease.
Trustwave’s investigation focused on a series of domains exhibiting a consistent naming pattern, including examples like gfast.duckdns[.]org and njfast.duckdns[.]org, which are indicative of the infrastructure utilized by Blind Eagle. The identified domains serve as a crucial part of the cybercriminals’ strategy, providing a foundation for their malicious endeavors against financial institutions.
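As an added illustration of how a defender could act on the naming pattern above (example code written for this article, not part of the Trustwave report or the original page), the following script refangs the two reported domains, generalises the observed `<short label>fast.duckdns.org` shape into a regular expression, and runs it over a few constructed DNS-log lines. The exact shape of the pattern (one to three letters before `fast`) is an assumption inferred from the two published examples, chosen deliberately tight so that ordinary words ending in "fast" do not match; the log format (`timestamp client qname`) and the sample lines are constructed for the example.

```python
import re

# The two domains quoted in the article, kept in defanged form as published.
REPORTED_DOMAINS = ["gfast.duckdns[.]org", "njfast.duckdns[.]org"]

# Assumption: the reported naming pattern is <1-3 letters>fast.duckdns.org.
# Kept deliberately narrow so that e.g. "breakfast.duckdns.org" is not flagged.
PATTERN = re.compile(r"^[a-z]{1,3}fast\.duckdns\.org$", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as a.b[.]c back into a real hostname."""
    return indicator.replace("[.]", ".").replace("(.)", ".")


def normalise_qname(qname: str) -> str:
    """Lower-case a DNS query name and drop the trailing root dot, if any."""
    return qname.strip().lower().rstrip(".")


def is_blind_eagle_pattern(hostname: str) -> bool:
    """True when the hostname fits the assumed Blind Eagle DuckDNS naming shape."""
    return PATTERN.match(normalise_qname(hostname)) is not None


def scan_dns_log(lines):
    """
    Return (timestamp, client, qname) tuples for queries that either match one of
    the reported domains exactly or fit the generalised naming pattern.
    Expected line format (constructed for this example): "<timestamp> <client> <qname>".
    """
    known = {normalise_qname(refang(d)) for d in REPORTED_DOMAINS}
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        ts, client, qname = parts[0], parts[1], normalise_qname(parts[2])
        if qname in known or is_blind_eagle_pattern(qname):
            hits.append((ts, client, qname))
    return hits


# Constructed sample DNS log; not real telemetry.
SAMPLE_LOG = [
    "2025-06-30T08:01:12Z 10.0.0.15 gfast.duckdns.org",
    "2025-06-30T08:01:13Z 10.0.0.15 www.example.com",
    "2025-06-30T08:02:40Z 10.0.0.22 xfast.duckdns.org",
    "2025-06-30T08:03:05Z 10.0.0.22 breakfast.duckdns.org",
    "2025-06-30T08:03:09Z 10.0.0.31 njfast.duckdns.org.",
]


def demo():
    """Run the scan over the constructed log and return the matching query names."""
    return [qname for _, _, qname in scan_dns_log(SAMPLE_LOG)]


if __name__ == "__main__":
    for ts, client, qname in scan_dns_log(SAMPLE_LOG):
        print(f"{ts} {client} -> {qname}")
```

The exact-match set catches the two published indicators regardless of the regex, while the regex is what gives the detection reach over sibling hosts that share the naming shape; any DuckDNS query from a server estate is itself unusual enough that a looser rule on the `duckdns.org` suffix alone may be a reasonable first triage filter, at the cost of more benign hits.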
The primary targets of Blind Eagle’s cyber campaigns appear to be banks located in Colombia, underscoring a focused effort to exploit the financial system within the region. As these banks are essential to the local economy, the implications of such attacks are far-reaching, not only compromising sensitive customer data but also potentially destabilizing trust in the banking system.
The tactics employed by Blind Eagle can be mapped to several techniques outlined in the MITRE ATT&CK framework. Initial access likely occurs through phishing attempts utilizing crafted VBS files. Persistence may be established through the deployment of RATs, allowing attackers to maintain control over compromised systems. Furthermore, privilege escalation may come into play as the attackers seek to expand their access within the network, thereby enhancing their ability to exfiltrate data and execute their malicious plans.
As businesses continue to face the evolving landscape of cyber threats, the case of Blind Eagle illustrates the importance of robust security measures. Understanding the tactics and techniques employed by such adversaries is vital for developing effective defenses against similar attacks. Cybersecurity vigilance remains paramount for organizations, especially those within the financial sector, as they navigate the complex interplay of technology and security in an increasingly digital world.