Admins, check the logs: msbuild.exe and InstallUtil may not be working for you

APT-C-36 deployed anti-detection at a new level

The APT-C-36 group (Blind Eagle) stepped up its activity in May 2025, focusing attacks on government agencies and large enterprises in Colombia, as well as several South American countries including Ecuador, Chile, and Panama. Active since at least 2018, this group is known for targeted phishing campaigns against the financial and insurance sectors. In its latest operation, it introduced, for the first time, more sophisticated evasion techniques — multi-layered anti-virtualization checks and advanced code obfuscation — significantly complicating sandbox detection and manual reverse engineering.
The infection chain begins with phishing emails containing an SVG attachment, themed around the Colombian judicial system. The file includes a link to Bitbucket and a password for an archive that holds an executable file and three libraries. Two of them are legitimate GitKraken components, while the third, libnettle-8.dll, is malicious. Running the executable initiates a side-loading mechanism, loading the malicious DLL, which then employs fake control structures and control-flow flattening to hinder analysis.
The malware conducts low-level environment checks via CPUID and calls to kernelbase.EnumSystemFirmwareTables, identifying whether it is running inside a virtual machine. If so, it terminates. It collects a broad set of data: computer and username, OS version, hardware details, local IP, directory listings, and .NET Framework version. Next, it creates the directory %USERPROFILE%\SystemRootDoc, copies the original files there, and adds a persistence entry in the registry under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
To execute the main payload, the attackers use process hollowing. AddInProcess32.exe, msbuild.exe, and InstallUtil.exe from the .NET Framework directory are spawned in a suspended state, and the payload is injected into their address space using NtAllocateVirtualMemory, RtlAllocateHeap, and NtWriteVirtualMemory. Once the process is resumed, the RAT module executes.
The final component is a DcRAT client, a popular open-source C# remote administration tool among cybercriminals. The embedded configuration specifies an AES256 key, port 3020, C2 domain envio16-05.duckdns.org, mutex name DcRatMutex_qwqdanchun, and working directory %AppData%. By default, anti-debugging, anti-analysis, and VM checks are disabled, but the server can activate them on command, adapting behavior to the environment.
DcRAT supports WMI-based virtualization checks, termination of analysis tools (ProcessHacker, Process Explorer, Windows Defender), and alternative persistence methods with or without admin privileges. Continuous C2 communication allows the attacker not only to control the infected host but also to load additional modules if needed.
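The host and network indicators described in the paragraphs above (the hollowed .NET Framework binaries, the %USERPROFILE%\SystemRootDoc directory and HKCU Run key, the DuckDNS C2 domain and port 3020) are what an administrator would sweep process, registry and DNS telemetry for. The Python script below is an added example, not code from the original article or from any vendor tooling: it runs a triage pass over a handful of constructed Sysmon-style events (IDs 1, 3, 11, 13 and 22) and reports which records match. The indicator values come from the article; the user name, PIDs-free event shapes, file names such as loader.exe, the Run value name, the destination IP and the list of parents that legitimately launch these .NET binaries are assumptions to tune for your own environment.

```python
import os
import re

# Indicators named in the article.
HOLLOWING_HOSTS = {"addinprocess32.exe", "msbuild.exe", "installutil.exe"}
DOTNET_DIR_RE = re.compile(r"^c:\\windows\\microsoft\.net\\framework(?:64)?\\v[\d.]+\\", re.I)
DROP_DIR_RE = re.compile(r"\\systemrootdoc(?:\\|$)", re.I)
# Sysmon records HKCU as HKU\<SID>, so accept both spellings of the Run key.
RUN_KEY_RE = re.compile(
    r"^(?:hkcu|hku\\[^\\]+)\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
C2_DOMAIN = "envio16-05.duckdns.org"
C2_PORT = 3020
DYN_DNS_SUFFIX = ".duckdns.org"

# Parents that legitimately launch these .NET binaries in a build or install
# context. Assumption for this example; extend it for your environment.
EXPECTED_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "msiexec.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, portable across host OSes."""
    return os.path.basename(path.replace("\\", "/")).lower()


def triage(events):
    """Return (severity, message) findings for a list of Sysmon-style event dicts."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:  # ProcessCreate
            image, parent = ev["Image"], ev["ParentImage"]
            # A .NET Framework host binary started by something other than a
            # build/install tool is the shape of the hollowing described above.
            if basename(image) in HOLLOWING_HOSTS and DOTNET_DIR_RE.match(image) \
                    and basename(parent) not in EXPECTED_PARENTS:
                findings.append(("high", f"{basename(image)} spawned by unexpected "
                                         f"parent {parent} (possible process hollowing)"))
            if DROP_DIR_RE.search(image):
                findings.append(("high", f"process running from SystemRootDoc: {image}"))
        elif eid == 11:  # FileCreate
            if DROP_DIR_RE.search(ev["TargetFilename"]):
                findings.append(("medium", f"file written to SystemRootDoc: {ev['TargetFilename']}"))
        elif eid == 13:  # RegistryEvent (value set)
            if RUN_KEY_RE.match(ev["TargetObject"]) and DROP_DIR_RE.search(ev["Details"]):
                findings.append(("high", f"Run key {ev['TargetObject']} points into "
                                         f"SystemRootDoc: {ev['Details']}"))
        elif eid == 22:  # DNSEvent
            query = ev["QueryName"].lower()
            if query == C2_DOMAIN:
                findings.append(("high", f"DNS query for known C2 domain {query} by {ev['Image']}"))
            elif query.endswith(DYN_DNS_SUFFIX):
                findings.append(("low", f"dynamic-DNS lookup {query} by {ev['Image']}"))
        elif eid == 3:  # NetworkConnect
            if ev["DestinationPort"] == C2_PORT and basename(ev["Image"]) in HOLLOWING_HOSTS:
                findings.append(("high", f"{basename(ev['Image'])} connecting to "
                                         f"{ev['DestinationIp']}:{C2_PORT}"))
    return findings


# Constructed sample telemetry: one benign build, one benign DNS lookup, and a
# chain mirroring the article's description. Paths, names and IP are made up.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
    {"EventID": 11, "TargetFilename": r"C:\Users\jdoe\SystemRootDoc\libnettle-8.dll"},
    {"EventID": 13, "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\jdoe\SystemRootDoc\loader.exe"},
    {"EventID": 1, "Image": r"C:\Users\jdoe\SystemRootDoc\loader.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "ParentImage": r"C:\Users\jdoe\SystemRootDoc\loader.exe"},
    {"EventID": 22, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "QueryName": "envio16-05.duckdns.org"},
    {"EventID": 3, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 3020},
    {"EventID": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "QueryName": "www.example.com"},
]

if __name__ == "__main__":
    for severity, message in triage(SAMPLE_EVENTS):
        print(f"[{severity:6}] {message}")
```

Run against real data, the script would read exported Sysmon events with the same field names; the value of the example is the logic, notably that a .NET host binary is only interesting when its parent is not a build tool, which keeps the rule quiet on developer workstations while still catching a loader in a user-profile directory spawning InstallUtil.exe.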
Attribution to APT-C-36 is supported by overlaps in phishing themes, victim targeting, the use of process hollowing via msbuild.exe, the deployment of DcRAT as the main platform, and repeated infrastructure elements — DuckDNS for C2 and Bitbucket for hosting malicious files. The novelty in this campaign lies in the systematic use of anti-detection methods not previously observed in the group’s operations.