Introduction

The cyber-threat landscape has been significantly impacted by the activities of Blind Eagle, also known as APT-C-36 [5] [6] [7] [8], a South American-based advanced persistent threat group [1]. Since November 2024 [1] [2] [4] [5] [6] [7] [8], this group has escalated its attacks on Colombian government institutions and judicial entities, raising concerns about their growing capabilities and strategic objectives. Their operations have shifted from focused espionage to potentially widespread disruption, targeting critical infrastructure and employing sophisticated tactics.

Description

A cyber-threat campaign linked to the South American-based group Blind Eagle, also known as APT-C-36 [5] [6] [7] [8], has intensified its attacks on Colombian government institutions and judicial entities since November 2024 [4]. This notorious advanced persistent threat group has primarily targeted critical infrastructure, with over 9,000 infections attributed to its tactics within a single week. Notably, a campaign around December 19, 2024 [5] affected around 1,600 victims, many of them in judicial institutions [6]. These campaigns have raised concerns about Blind Eagle’s growing capabilities and strategic goals, suggesting a potential shift towards widespread disruption rather than solely focused espionage.

Blind Eagle has been distributing malicious .url files (Windows Internet Shortcut files) that draw on the recently patched CVE-2024-43451 vulnerability [8], which allows attackers to extract NTLMv2 hashes for authentication attacks [8]. Although the .url files do not directly exploit this vulnerability [2] [7] [8], they trigger a WebDAV request upon interaction [7] [8], notifying the attackers that the file has been downloaded [6] [7] [8]. If a user clicks the file [8], it downloads a second-stage payload [8] that executes malware [7] [8] [9]. The group demonstrated remarkable adaptability by weaponizing this vulnerability just six days after Microsoft released a patch on November 12, 2024, integrating the attack vector into its operations [8].

The attackers employ sophisticated social engineering tactics [1], including spear-phishing emails with malicious attachments or links that deploy remote access trojans (RATs) such as NjRAT [1], AsyncRAT [1] [5] [6], Quasar RAT [5] [6], and Remcos [1] [2] [5] [6]. Their methods require minimal user interaction [3] [9], allowing the attackers to stealthily identify potential targets [3]. Actions as simple as right-clicking or deleting a malicious .url file can trigger a WebDAV request [9], alerting the attackers to file access and facilitating further malicious activity even before anything is executed.
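The WebDAV trigger described above works because a .url file is plain INI text whose fields Windows resolves before the user "opens" anything. As an added defensive example (not code from any of the cited reports), the following Python triage script parses a .url attachment and flags fields that point at a remote host; it assumes the fields URL, IconFile and WorkingDirectory are the ones worth checking, and the sample files and the TEST-NET address are constructed.

```python
import configparser
import re
from typing import Dict, List, Optional

# .url files are INI text. These fields can make Windows reach out to a remote
# host when the file is rendered, right-clicked or deleted. Which fields to
# check is an assumption for this example, not a statement from the reports.
CHECKED_FIELDS = {"url", "iconfile", "workingdirectory"}

# UNC targets (\\host\share, including the WebDAV form \\host@80\path or
# \\host@SSL@443\path) or file:// URLs that carry a host part.
UNC_RE = re.compile(r"^(\\\\[^\\]+\\|file://[^/]+/)", re.IGNORECASE)
WEB_RE = re.compile(r"^https?://", re.IGNORECASE)

def classify_target(field: str, value: str) -> Optional[str]:
    """Return a reason string if the field points at a remote host, else None."""
    if UNC_RE.match(value):
        return "unc-or-file-url-to-remote-host"
    # A web URL in the URL field is what a normal shortcut looks like; a web
    # address as icon source or working directory is not.
    if field != "url" and WEB_RE.match(value):
        return "web-url-in-" + field
    return None

def triage_url_file(text: str) -> List[Dict[str, str]]:
    """Parse one .url file and return one finding per suspicious field."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)  # configparser lower-cases the field names
    findings = []
    for section in parser.sections():
        for field, value in parser.items(section):
            value = value.strip()
            if field in CHECKED_FIELDS:
                reason = classify_target(field, value)
                if reason:
                    findings.append({"section": section, "field": field,
                                     "target": value, "reason": reason})
    return findings

# Constructed samples; 203.0.113.10 is a documentation address, not an indicator.
SUSPICIOUS_SAMPLE = r"""[InternetShortcut]
URL=\\203.0.113.10@80\share\document.pdf
IconFile=\\203.0.113.10@80\share\icon.ico
IconIndex=0
"""
BENIGN_SAMPLE = r"""[InternetShortcut]
URL=https://www.example.com/
IconFile=C:\Windows\System32\SHELL32.dll
IconIndex=13
"""

if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, triage_url_file(sample))
```

A mail gateway or EDR rule can apply the same check to every .url attachment and quarantine those with findings, which catches the lure before any click or right-click fires the WebDAV request.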

Blind Eagle has been known to deliver malware through legitimate file-sharing platforms [7], including Google Drive [7], Dropbox [1] [2] [7] [9], Bitbucket [2] [5] [6] [7] [9], and GitHub [1] [2] [5] [6] [7], which complicates detection by security systems [1]. An operational oversight exposed a deleted file from one of the group’s GitHub repositories [5] that contained sensitive information, including usernames [5], passwords [5], and ATM PINs of individuals and organizations in Colombia [5] [6]. This incident underscores the group’s ability to exploit legitimate platforms to evade security measures and distribute malware effectively [5]. In January 2025 [7], new campaigns named “socialismo” and “miami” emerged [7], distributing malicious .url files via compromised Google Drive accounts [7] and leading to data exfiltration and system compromise [7]. Another campaign in December 2024 [7], called “Parasio,” used Bitbucket to distribute the Remcos RAT payload [7], resulting in approximately 9,000 infections within a week [7]. Previous phishing campaigns have also led to the collection of around 8,400 entries of Personally Identifiable Information (PII) [2].

The high infection rates and the group’s innovative tactics underscore the urgent need for enhanced cybersecurity defenses, particularly in government and critical sectors [1]. The focus on Colombia [1], a significant economy in South America [1], highlights the geopolitical context of these cyberattacks [1], with judicial institutions and critical infrastructure viewed as valuable targets for intelligence gathering and disruption [1]. The group’s GitHub repository is frequently updated during UTC-5 working hours [7], consistent with a South American origin. Traditional security measures are challenged both by the group’s use of legitimate cloud services and by its speed in adapting to recently patched vulnerabilities rather than relying solely on zero-day vulnerabilities.

The group has also begun using a new packer-as-a-service called HeartCrypt to protect its malicious executables [6], which further complicates detection and reinforces its position within the cybercriminal ecosystem. To counter the sophisticated tactics of Blind Eagle [9], organizations must implement comprehensive security strategies [9], including real-time endpoint protection [9], enhanced email security [9], and continuous monitoring of network traffic [9], especially connections to legitimate cloud services that may be exploited for malware delivery [9]. Security teams are urged to strengthen their patch management and adopt AI-driven threat prevention solutions to proactively identify and mitigate emerging threats.

Conclusion

The activities of Blind Eagle highlight the evolving nature of cyber threats, emphasizing the need for robust cybersecurity measures. The group’s ability to adapt quickly to new vulnerabilities and exploit legitimate platforms poses significant challenges to traditional security systems. Organizations [1] [4] [5] [6] [7] [8] [9], particularly those in government and critical sectors [1], must prioritize comprehensive security strategies [1] [9], including real-time monitoring and AI-driven threat prevention, to effectively counter these sophisticated threats [9]. As Blind Eagle continues to refine its tactics, the global cybersecurity community must remain vigilant and proactive in addressing emerging threats.

References

[1] https://undercodenews.com/apt-blind-eagle-cyberattacks-target-colombian-government-institutions/
[2] https://www.hendryadrian.com/blind-eagle-and-justice-for-all/
[3] https://blog.checkpoint.com/research/the-growing-danger-of-blind-eagle-one-of-latin-americas-most-dangerous-cyber-criminal-groups-targets-colombia/
[4] https://cyber.vumetric.com/security-news/2025/03/11/blind-eagle-hacks-colombian-institutions-using-ntlm-flaw-rats-and-github-based-attacks/
[5] https://codesanitize.com/blind-eagle-hacks-colombian-establishments-utilizing-ntlm-flaw-rats-and-github-based-mostly-assaults/
[6] https://www.ihash.eu/2025/03/blind-eagle-hacks-colombian-institutions-using-ntlm-flaw-rats-and-github-based-attacks/
[7] https://www.infosecurity-magazine.com/news/blind-eagle-targets-colombian-gov/
[8] https://osintcorp.net/blind-eagle-targets-colombian-government-with-malicious-url-files/
[9] https://cybersecuritynews.com/blind-eagle-hackers-leveraging-google-drive-dropbox-github/