Cyber security news for all


    Ande Loader Malware Sets Sights on Manufacturing Sector in North America

    The threat actor known as Blind Eagle has been observed using a loader malware dubbed Ande Loader to deliver remote access trojans (RATs) such as Remcos RAT and NjRAT.

    The attacks, disguised as phishing emails, targeted Spanish-speaking users in the manufacturing sector in North America, according to eSentire's report.

    Blind Eagle (aka APT-C-36) is a financially motivated threat actor with a history of cyber attacks against organizations in Colombia and Ecuador, delivering a range of RATs including AsyncRAT, BitRAT, Lime RAT, NjRAT, Remcos RAT, and Quasar RAT.


    The latest findings mark an expansion of the threat actor's targeting, and show it using phishing lures built around RAR and BZ2 archives to start the infection chain.

    The password-protected RAR archives come with a malicious Visual Basic Script (VBScript) file that establishes persistence in the Windows Startup folder and launches Ande Loader, which in turn deploys the Remcos RAT payload.

    In an alternative attack chain documented by the Canadian cybersecurity company, a BZ2 archive containing a VBScript file is distributed via a Discord content delivery network (CDN) link. In this case, Ande Loader drops NjRAT instead of Remcos RAT.

    “Blind Eagle threat actor(s) have been employing crypters authored by Roda and Pjoao1578,” eSentire said. “One of the crypters devised by Roda features the hardcoded server housing both injector components of the crypter and supplementary malware utilized in the Blind Eagle campaign.”


    The development comes as SonicWall detailed the inner workings of another loader malware family called DBatLoader, describing its use of a legitimate but vulnerable driver associated with RogueKiller AntiMalware software (truesight.sys) to disable security solutions as part of a Bring Your Own Vulnerable Driver (BYOVD) attack, ultimately delivering Remcos RAT.
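    The two behaviours described above, a script dropped into a Windows Startup folder for persistence and a load of the vulnerable truesight.sys driver, are both visible in endpoint telemetry. The following triage check is an added example, not code from eSentire, SonicWall or the article; it runs over constructed Sysmon-style events (the `type`/`target` field names and the sample paths are assumptions) and flags both patterns.

```python
# Added example: flag Startup-folder script persistence and a truesight.sys
# driver load in Sysmon-style events. Sample data is constructed, not real telemetry.
import ntpath

# Both the per-user and the all-users Startup folder contain this path fragment.
STARTUP_MARKER = "\\start menu\\programs\\startup\\"
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".wsf"}
# Driver named in the SonicWall DBatLoader write-up as abused for BYOVD.
KNOWN_ABUSED_DRIVERS = {"truesight.sys"}


def is_startup_script(path: str) -> bool:
    """True if `path` is a script file written into a Startup folder."""
    low = path.lower()
    return STARTUP_MARKER in low and ntpath.splitext(low)[1] in SCRIPT_EXTS


def is_abused_driver(path: str) -> bool:
    """True if the loaded driver's file name is on the known-abused list."""
    return ntpath.basename(path.lower()) in KNOWN_ABUSED_DRIVERS


def triage(events):
    """Return (rule_name, event_id) pairs for every event that matches a rule.

    Each event is a dict with 'id', 'type' ('FileCreate' or 'DriverLoad')
    and 'target' (the file or driver path). Field names are assumed here.
    """
    hits = []
    for ev in events:
        if ev.get("type") == "FileCreate" and is_startup_script(ev["target"]):
            hits.append(("startup_script_persistence", ev["id"]))
        elif ev.get("type") == "DriverLoad" and is_abused_driver(ev["target"]):
            hits.append(("byovd_truesight_driver", ev["id"]))
    return hits


SAMPLE_EVENTS = [  # constructed sample events
    {"id": 1, "type": "FileCreate",
     "target": r"C:\Users\ana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\factura.vbs"},
    {"id": 2, "type": "FileCreate", "target": r"C:\Users\ana\Documents\notas.txt"},
    {"id": 3, "type": "DriverLoad", "target": r"C:\Windows\Temp\truesight.sys"},
    {"id": 4, "type": "DriverLoad", "target": r"C:\Windows\System32\drivers\ntfs.sys"},
]

if __name__ == "__main__":
    for rule, event_id in triage(SAMPLE_EVENTS):
        print(f"{rule}: event {event_id}")
```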

    “The malware arrives encapsulated within an archive as an electronic communication attachment and is exceedingly obfuscated, containing numerous tiers of encrypted data,” the company said earlier this month.
