Blind Eagle's attacks commence with the distribution of Colombia tax authority-spoofing phishing emails luring recipients into clicking embedded links redirecting to a Google Drive folder-hosted ZIP archive that facilitates BlotchyQuasar execution.
Attackers leveraged a malicious DLL from the Microsoft Word app to retrieve from open-source remote desktop and remote admin software UltraVNC a launcher that would facilitate injections of the CXCLNT malware and CLTEND remote access tool.
Intrusions leveraging the vulnerability have facilitated the distribution of not only the GOREVERSE reverse proxy server but also the Condi malware, the Mirai botnet variant Jenx, and four other cryptocurrency mining payloads.
Developers have been subjected to intrusions involving the exploitation of LinkedIn to deliver a ZIP file purporting to be a Python coding challenge but contains the novel COVERTCATCH malware.
More than 50 Alibaba-hosted command-and-control servers have been leveraged to facilitate the distribution of the backdoor, which impersonates the Java, bash, sshd, SQLite, and edr-agent utilities.
Attacks from a China-based command-and-control server involved MacroPack-based documents uploaded from China-, Taiwan-, and Pakistan-based IP addresses that ordered the installation of macros that facilitated Brute Ratel and Havoc distribution between May and July.