The menace actor often called Blind Eagle has been linked to a collection of ongoing campaigns focusing on Colombian establishments and authorities entities since November 2024.
“The monitored campaigns focused Colombian judicial establishments and different authorities or non-public organizations, with excessive an infection charges,” Examine Level mentioned in a brand new evaluation.
“Greater than 1,600 victims have been affected throughout one in every of these campaigns which passed off round December 19, 2024. This an infection price is critical contemplating Blind Eagle’s focused APT strategy.”
Blind Eagle, energetic since at the very least 2018, can be tracked as AguilaCiega, APT-C-36, and APT-Q-98. It is recognized for its hyper-specific focusing on of entities in South America, particularly Colombia and Ecuador.
Assault chains orchestrated by the menace actor entail using social engineering ways, typically within the type of spear-phishing emails, to achieve preliminary entry to focus on programs and in the end drop available distant entry trojans like AsyncRAT, NjRAT, Quasar RAT, and Remcos RAT.
The most recent set of intrusions are notable for 3 causes: Using a variant of an exploit for a now-patched Microsoft Home windows flaw (CVE-2024-43451), the adoption of a nascent packer-as-a-service (PaaS) known as HeartCrypt, and the distribution of payloads through Bitbucket and GitHub, going past Google Drive and Dropbox.
Particularly, HeartCrypt is used to guard the malicious executable, a variant of PureCrypter that is then answerable for launching the Remcos RAT malware hosted on a now-removed Bitbucket or GitHub repository.
CVE-2024-43451 refers to an NTLMv2 hash disclosure vulnerability that was mounted by Microsoft in November 2024. Blind Eagle, per Examine Level, integrated a variant of this exploit into its assault arsenal a mere six days after the discharge of the patch, inflicting unsuspecting victims to advance the an infection when a malicious .URL distributed through a phishing e-mail is manually clicked.
“Whereas this variant doesn’t truly expose the NTLMv2 hash, it notifies the menace actors that the file was downloaded by the identical uncommon user-file interactions,” the cybersecurity firm mentioned.
“On units susceptible to CVE-2024-43451, a WebDAV request is triggered even earlier than the consumer manually interacts with the file with the identical uncommon conduct. In the meantime, on each patched and unpatched programs, manually clicking the malicious .URL file initiates the obtain and execution of the next-stage payload.”
Examine Level identified that the “fast response” serves to spotlight the group’s technical experience and its capability to adapt and pursue new assault strategies within the face of evolving safety defenses.
Serving as a smoking gun for the menace actor’s origins is the GitHub repository, which has revealed that the menace actor operates within the UTC-5 timezone, aligning with a number of South American international locations.
That is not all. In what seems to be an operational error, an evaluation of the repository commit historical past has uncovered a file containing account-password pairs with 1,634 distinctive e-mail addresses.
Whereas the HTML file, named “Ver Datos del Formulario.html,” was deleted from the repository on February 25, 2025, it has been discovered to comprise particulars similar to usernames, passwords, e-mail, e-mail passwords, and ATM PINs related to people, authorities businesses, academic establishments, and companies working in Colombia.
“A key consider its success is its capability to use legit file-sharing platforms, together with Google Drive, Dropbox, Bitbucket, and GitHub, permitting it to bypass conventional safety measures and distribute malware stealthily,” Examine Level mentioned.
“Moreover, its use of underground crimeware instruments similar to Remcos RAT, HeartCrypt, and PureCrypter reinforces its deep ties to the cybercriminal ecosystem, granting entry to classy evasion methods and chronic entry strategies.”
