In a significant development in the cybersecurity landscape, APT-C-36, more commonly known as Blind Eagle, has intensified its operations targeting Colombian governmental, financial, and critical infrastructure organizations.
Active since 2018, this Advanced Persistent Threat group has recently expanded its arsenal with refined exploit techniques and malware, demonstrating an alarming ability to adapt to evolving security measures.
The threat actor has infected more than 1,600 victims in a single campaign, highlighting the scale and effectiveness of its operations.
Blind Eagle has demonstrated remarkable agility in incorporating new exploits into its attack methods.
On November 12, 2024, Microsoft patched a newly discovered vulnerability, CVE-2024-43451, which was being actively exploited in the wild using malicious .url files.
Within just six days of the patch release, Blind Eagle had already integrated a variant of this exploit into its attack arsenal.
This variant differs from the original exploit in that it does not expose the NTLMv2 hash but instead serves as a notification mechanism for the threat actors when a targeted user downloads the malicious file.
The group's ability to rapidly adapt to newly disclosed vulnerabilities underscores its technical sophistication and persistent threat capabilities.
The malicious .url files are particularly effective because they can trigger WebDAV requests on unpatched machines through unusual user interactions such as right-clicking, deleting, or dragging the file.
Even on patched systems, these files can still lead to malware infection if a user manually clicks on them.
Despite being in use for over two months, many of these .url files remain undetected by antivirus engines on VirusTotal, allowing Blind Eagle to maintain stealth in its operations.
The group's tactics now include leveraging legitimate file-sharing platforms like Google Drive, Dropbox, GitHub, and Bitbucket to distribute its malware, further complicating detection efforts by security tools.
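The article describes the malicious shortcut files only at a high level; the following triage script is an added example written for this page, not code from the article or from Check Point Research. It parses the INI-style Internet Shortcut format and flags entries (URL=, IconFile=, WorkingDirectory=) that point at a remote UNC or WebDAV location, which is the behaviour that causes the WebClient requests described above. The sample files, the host addresses and the "internal network" ranges are constructed for illustration; a real deployment would feed it the .url attachments pulled from mail or download logs.

```python
"""
Heuristic triage of Windows Internet Shortcut (.url) files.

Added example; not from the article or Check Point Research.
Flags .url entries whose value references a remote UNC / WebDAV
location. Sample inputs below are constructed.
"""
import configparser
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# \\host\share or WebDAV-style \\host@80\share / \\host@SSL\share
UNC_RE = re.compile(r"^\\\\([^\\@]+)(?:@(\w+))?\\", re.IGNORECASE)
# file://host/path also resolves through the network redirector
FILE_URL_RE = re.compile(r"^file://([^/]+)/", re.IGNORECASE)

# Constructed notion of "internal": RFC 1918, loopback, link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Shortcut keys that Explorer resolves without the user "opening" the file.
INTERESTING_KEYS = ("url", "iconfile", "workingdirectory")


@dataclass
class UrlFinding:
    field_name: str   # key in the [InternetShortcut] section
    value: str        # raw value
    host: str         # remote host the value references
    reason: str       # "webdav", "unc" or "file-url"


def _remote_host(value: str) -> Optional[Tuple[str, str]]:
    """Return (host, reason) if value references a network location."""
    v = value.strip()
    m = UNC_RE.match(v)
    if m:
        # An @port / @SSL suffix forces the WebDAV (WebClient) path.
        return m.group(1), ("webdav" if m.group(2) else "unc")
    m = FILE_URL_RE.match(v)
    if m:
        return m.group(1), "file-url"
    return None


def _is_external(host: str) -> bool:
    """IP literals outside INTERNAL_NETS, or dotted hostnames, count as external."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "." in host  # single-label (NetBIOS-style) names treated as internal
    return not any(ip in net for net in INTERNAL_NETS)


def triage_url_file(text: str) -> List[UrlFinding]:
    """Parse one .url file and return entries that reach out to external hosts."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       delimiters=("=",))
    parser.optionxform = str  # keep the original key case for reporting
    parser.read_string(text)
    if not parser.has_section("InternetShortcut"):
        return []
    findings: List[UrlFinding] = []
    for key, value in parser["InternetShortcut"].items():
        if key.lower() not in INTERESTING_KEYS:
            continue
        hit = _remote_host(value)
        if hit and _is_external(hit[0]):
            findings.append(UrlFinding(key, value, hit[0], hit[1]))
    return findings


def verdict(text: str) -> str:
    """'suspicious' if any entry points at an external network location."""
    return "suspicious" if triage_url_file(text) else "clean"


# Constructed samples (203.0.113.0/24 is a documentation range, not a real host).
SAMPLE_MALICIOUS = """[InternetShortcut]
URL=\\\\203.0.113.10@80\\share\\notificacion.pdf
IconIndex=0
IconFile=\\\\203.0.113.10@80\\share\\icon.ico
"""

SAMPLE_BENIGN = """[InternetShortcut]
URL=https://www.example.com/
IconIndex=0
"""

if __name__ == "__main__":
    for name, sample in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, verdict(sample))
        for f in triage_url_file(sample):
            print(f"  {f.field_name}: {f.reason} -> {f.host}")
```

The heuristic errs toward flagging: an IconFile pointing at an external WebDAV share is rare in legitimate mail attachments, so a hit is worth a second look even when the URL field itself looks harmless.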
Campaign Infrastructure and Sophisticated Malware Chain
Between December 2024 and February 2025, Blind Eagle carried out several campaigns identified by internal codenames such as "socialismo," "miami," "PARAISO," "marte," and "saturno".

These campaigns used a consistent attack chain: malicious .url files delivered via email (often through compromised Google Drive accounts) would download a HeartCrypt-packed malware.
This malware would then extract and inject a packed .NET loader into legitimate Windows processes like csc.exe, ultimately delivering a .NET Remote Access Trojan (RAT) that appears to be a variant of PureCrypter.
The technical sophistication continues throughout the attack chain. The .NET RAT collects detailed information about the victim's system, including username, operating system version, installed antivirus, and machine specifications.
This data is then encrypted using AES and sent to command and control (C&C) servers with domains that frequently change but often resolve to the same IP addresses.
In response, the C&C server provides a URL for downloading the final payload, typically Remcos RAT, which is hosted on GitHub or Bitbucket repositories maintained by the attackers.
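The observation that C&C domains rotate while the underlying IP addresses stay the same is something a defender can pivot on. The script below is an added example written for this page, not code from the article or from Check Point Research: it reads DNS resolution records, groups the domains by the answer IP, and surfaces IPs that many distinct domains resolved to within a short window. The log format (timestamp, client, queried domain, answer) and every domain and address in it are constructed; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.

```python
"""
Pivot on shared resolver answers to catch rotating C&C domains.

Added example; not from the article or Check Point Research.
Input is a constructed, simplified DNS log: "<iso-timestamp> <client> <domain> <answer-ip>".
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample: three freshly seen domains share one IP within a few days.
SAMPLE_DNS_LOG = """\
2025-01-10T08:01:02Z 10.0.0.21 update-service-01.example 198.51.100.7
2025-01-11T09:15:44Z 10.0.0.35 cdn-assets-22.example 198.51.100.7
2025-01-12T10:20:09Z 10.0.0.21 intranet.example 203.0.113.40
2025-01-13T11:33:51Z 10.0.0.40 sync-node-77.example 198.51.100.7
2025-01-13T12:02:13Z 10.0.0.35 update-service-01.example 198.51.100.7
2025-01-14T07:48:30Z 10.0.0.52 mail.example 203.0.113.5
"""


@dataclass
class DnsRecord:
    ts: datetime
    client: str
    domain: str
    answer: str


def parse_dns_log(text: str) -> List[DnsRecord]:
    """Parse the simplified four-column log; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        records.append(DnsRecord(ts, parts[1], parts[2].lower(), parts[3]))
    return records


def first_seen_by_ip(records: List[DnsRecord]) -> Dict[str, Dict[str, datetime]]:
    """answer-ip -> {domain -> earliest timestamp that domain resolved to it}."""
    table: Dict[str, Dict[str, datetime]] = defaultdict(dict)
    for r in records:
        seen = table[r.answer]
        if r.domain not in seen or r.ts < seen[r.domain]:
            seen[r.domain] = r.ts
    return table


def shared_ip_pivots(records: List[DnsRecord], min_domains: int = 3,
                     window: timedelta = timedelta(days=30)) -> List[Tuple[str, List[str]]]:
    """
    Return (ip, sorted domains) for IPs that at least `min_domains` distinct
    domains were first seen resolving to within `window` of each other.
    Thresholds are illustrative; tune them against your own resolver volume.
    """
    hits = []
    for ip, seen in first_seen_by_ip(records).items():
        if len(seen) < min_domains:
            continue
        times = sorted(seen.values())
        # Sliding window over first-seen times: any window holding enough domains qualifies.
        for i in range(len(times) - min_domains + 1):
            if times[i + min_domains - 1] - times[i] <= window:
                hits.append((ip, sorted(seen)))
                break
    return sorted(hits)


if __name__ == "__main__":
    for ip, domains in shared_ip_pivots(parse_dns_log(SAMPLE_DNS_LOG)):
        print(ip, "<-", ", ".join(domains))
```

On real resolver data, shared hosting and CDNs produce the same shape, so the output is a pivot list for an analyst (enrich with hosting provider, domain age, and which clients asked), not a verdict on its own.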

Analysis of the GitHub repository "Oscarito20222/file" revealed that all repository updates were committed in the UTC-5 timezone, likely indicating Blind Eagle's origin in South American countries.

This repository was also repeatedly updated with new malicious executables, which were then deleted after use, demonstrating the group's operational security awareness.
Notably, on February 25, 2025, the group accidentally uploaded an HTML file containing personally identifiable information (PII) from earlier phishing activities, revealing its targeting of Colombian bank customers and confirming the focus on Colombian victims.
Severe Impact on Colombian Public and Private Sectors
The impact of Blind Eagle's campaigns has been substantial, particularly on Colombian governmental organizations.
Based on the filenames of the malicious .url files, the group has been specifically targeting various Colombian justice system entities, including courts handling criminal cases, labor disputes, and protective measures.
The malicious filenames mimic official legal communications, such as notifications of hearings, judicial complaints, and protective orders, exploiting trust in governmental communications to increase the likelihood of victim interaction.
In the December 2024 "PARAISO" campaign alone, more than 1,600 Colombian systems were infected with Remcos RAT.

[Figure: facturacioncol/truth Bitbucket repository]

Considering the targeted nature of APT groups like Blind Eagle, this infection rate is particularly significant and demonstrates their effectiveness.
The total number of infections across campaigns occurring over just one week in December approximated 9,000, revealing the extensive reach of the group's operations.
A data leak from the group's operations exposed over 8,400 entries of personally identifiable information collected through phishing campaigns impersonating Colombian banks.
Of the 1,634 identified email addresses, five belonged to Colombian government agencies, including the national police, tax authority, and comptroller's office.
This indicates Blind Eagle's persistent targeting of governmental entities alongside financial institutions and private citizens, creating a comprehensive threat to Colombia's national security and economic stability.
Check Point Research, which has been monitoring Blind Eagle's activities, notes that the group remains one of the most active and dangerous threat actors in Latin America.
Its rapid evolution, effective social engineering tactics, and focus on both public and private sector entities require organizations to implement proactive threat intelligence, advanced security defenses, and continuous monitoring to mitigate the risk posed by this adaptable adversary.