BlindEagle (APT-C-36) Targets Latin American Government & Telecom Sectors in Spear-Phishing-Driven Espionage Campaign
BlindEagle (APT‑C‑36), an advanced persistent threat group, has been linked to a recent cyberattack on Latin American government, telecom, finance, and critical infrastructure organizations. The incident leveraged spear-phishing attachments and links, RAT delivery (Gh0stCringe, Remcos, AsyncRAT variants), WebDAV payloads, and dynamic DNS to gain access, steal data, and evade detection. In this article, we examine who was responsible, how the attack unfolded, when it occurred, and what security leaders can do to avoid similar risks. We’ll also explore where Obsidian Security’s capabilities align with prevention and response.

Who is BlindEagle (APT‑C‑36)?
BlindEagle, or APT-C-36, is a Latin American cyber espionage group targeting government, telecom, finance, and critical infrastructure through spear-phishing campaigns that deliver remote access trojans such as Gh0stCringe and Remcos. Their intrusions are often strategically timed to coincide with regional political and economic events.
What Happened?
In early 2025, the threat group BlindEagle (also known as APT‑C‑36) launched a spear-phishing-driven espionage campaign targeting organizations throughout Latin America, especially government and telecom infrastructure. This Latin America–focused threat group, active since at least 2018, has historically targeted government, financial, and critical infrastructure organizations in Colombia, Ecuador, Chile, Panama, and other countries in the region.
How Did The Attack Work?
BlindEagle began its attacks by delivering carefully crafted phishing emails that lured recipients into clicking malicious links or opening attachments. These emails initiated the download of custom malware, often remote access trojans (RATs) such as Gh0stCringe, HoldingHands, or variants like BlotchyQuasar. Once activated, the malware would establish persistent and stealthy command and control connections, enabling the attackers to exfiltrate sensitive intelligence and evade typical security monitoring. The group also demonstrated advanced tactics by exploiting recently patched vulnerabilities and leveraging obfuscation techniques, making their campaigns difficult to detect and stop.
Why It Matters
This campaign reveals the increasing capability and ambition of regional APTs to compromise critical infrastructure and exfiltrate valuable data beyond their traditional targets. BlindEagle’s use of advanced phishing techniques underscores the need for Latin American organizations, especially those in government and telecom, to adopt dynamic phishing-resistant controls. The repeated exploitation of software vulnerabilities further highlights the importance of swift patch management and user security awareness to guard against sophisticated, persistent threats.
How to Defend Against BlindEagle (APT‑C‑36)-Style Attacks
To defend against threats similar to those used by BlindEagle (APT-C-36) in spear-phishing-driven espionage campaigns:
- Phishing-Resistant MFA
Require FIDO2, certificate-based, or passwordless authentication to mitigate credential theft.
- Email Security Controls
Filter malicious attachments and links before delivery, and apply sandboxing for unknown file types.
- Behavioral Endpoint Detection
Deploy EDR capable of detecting RAT behavior, dynamic DNS use, and non-standard port activity.
- Patch Management
Rapidly patch high-severity vulnerabilities, particularly those exploited in recent campaigns (e.g., CVE-2024-43451).
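
The behavioral endpoint detection item above names dynamic DNS use and non-standard port activity as signals. As an added example (not from the original article or from Obsidian Security), the Python below triages outbound connection records on those two signals. The provider suffix list, the standard-port set, the log format, and all sample records are constructed assumptions, not indicators from this campaign.

```python
import csv
import io

# Assumption: illustrative dynamic DNS provider suffixes, not campaign indicators.
DYNDNS_SUFFIXES = ("duckdns.org", "ddns.net", "hopto.org")
# Assumption: outbound ports this environment treats as standard.
STANDARD_PORTS = {80, 443}

# Constructed sample of outbound connection records (hypothetical log format).
SAMPLE_LOG = """\
ts,src_host,dest_name,dest_port
2025-01-10T09:00:01Z,ws-014,intranet.example.com,443
2025-01-10T09:02:17Z,ws-014,updates-sample.duckdns.org,7045
2025-01-10T09:03:40Z,ws-022,mail.example.com,443
2025-01-10T09:05:02Z,ws-022,homecam-sample.ddns.net,443
2025-01-10T09:07:55Z,ws-031,storage.example.com,8443
"""

def is_dyndns(name):
    """True when the destination is a subdomain of a listed dynamic DNS suffix."""
    name = name.lower().rstrip(".")
    # Require a leading dot so lookalikes such as 'notduckdns.org' do not match.
    return any(name.endswith("." + suffix) for suffix in DYNDNS_SUFFIXES)

def score_record(rec):
    """Return the reasons a record is suspicious (empty list if none)."""
    reasons = []
    if is_dyndns(rec["dest_name"]):
        reasons.append("dynamic-dns")
    if int(rec["dest_port"]) not in STANDARD_PORTS:
        reasons.append("non-standard-port")
    return reasons

def triage(log_text):
    """Flag records: both signals together rate 'high', a single signal 'review'."""
    findings = []
    for rec in csv.DictReader(io.StringIO(log_text)):
        reasons = score_record(rec)
        if reasons:
            severity = "high" if len(reasons) == 2 else "review"
            findings.append((rec["src_host"], rec["dest_name"], severity, reasons))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Either signal alone is common in benign traffic, which is why only the combination is rated high here; tune both lists to the environment's own baseline.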
Where Obsidian Security Can Help
ITDR identifies suspicious SaaS access patterns and malicious OAuth grants used for persistence. SSPM ensures least-privilege access and blocks unnecessary integrations to limit data exfiltration paths.
Conclusion
BlindEagle (APT‑C‑36)’s recent campaign underscores the need for layered security and SaaS-native threat detection. Organizations should combine user education, identity threat protection, and SaaS configuration hardening to minimize risk. Obsidian’s continuous monitoring and context-aware alerts help defenders identify and respond to threats before damage is done.