Full Report
The threat actor known as Blind Eagle has been linked to a series of ongoing campaigns targeting Colombian institutions and government entities since November 2024. "The monitored campaigns targeted Colombian judicial institutions and other government or private organizations, with high infection rates," Check Point said in a new analysis. "More than 1,600 victims were affected during one of
Analysis Summary
# Threat Actor: Blind Eagle
## Attribution & Identity
* **Primary Name:** Blind Eagle
* **Known Aliases:** AguilaCiega, APT-C-36, APT-Q-98
* **Origin Indicators:** Operates within the UTC-5 timezone, aligning with several South American countries.
## Activity Summary
Blind Eagle has been actively conducting campaigns targeting Colombian institutions and government entities since November 2024. A significant campaign around December 19, 2024, affected over 1,600 victims. The group exhibits a high degree of technical adaptability, reacting quickly to new vulnerabilities.
## Tactics, Techniques & Procedures
* **Initial Access:** Employed spear-phishing emails containing malicious `.URL` files.
* **Exploitation:** Used a variant of an exploit for the Microsoft Windows NTLM flaw **CVE-2024-43451** (NTLMv2 hash disclosure) just six days after the patch was released.
* **Payload Delivery:** Distributed final payloads via hosting services like **Bitbucket** and **GitHub**, moving beyond traditional services like Google Drive/Dropbox.
* **Obfuscation:** Utilized a nascent packer-as-a-service dubbed **HeartCrypt** to protect malicious executables.
* **Post-Exploitation:** Deployed **PureCrypter** variants, which subsequently launched Remote Access Trojans (RATs).
## Targeting
* **Sectors:** Judicial institutions, government entities, and private organizations.
* **Geography:** Narrowly targets entities in **South America**, primarily **Colombia**, with some known activity in Ecuador.
* **Victims:** Colombian judicial institutions and other government/private organizations.
## Tools & Infrastructure
* **Malware Families Used:** AsyncRAT, NjRAT, Quasar RAT, Remcos RAT (often launched after PureCrypter execution).
* **Infrastructure:** Payloads hosted on **Bitbucket** and **GitHub** repositories.
* **C2/URLs:** (No specific C2 domains or IPs were detailed in the summary, only repository locations).
## Implications
Blind Eagle demonstrates strong technical proficiency and a rapid operational tempo, particularly in vulnerability exploitation (as seen in its near-immediate adoption of the CVE-2024-43451 exploit variant). Its targeted, high-volume approach against a specific national infrastructure indicates a persistent and focused threat actor, likely operating with state backing or other highly motivated backing tied to South American interests.
## Mitigations
* Implement robust email filtering and user training emphasizing suspicion of `.URL` files distributed via phishing.
* Ensure timely patching, especially for critical flaws like NTLM vulnerabilities (e.g., CVE-2024-43451).
* Monitor for unusual user-file interactions that trigger outbound WebDAV requests, which may indicate attempts to exploit NTLM hash-disclosure techniques.
* Where feasible, block or restrict access to code-hosting repositories (GitHub, Bitbucket) known to be used by the actor for payload delivery.
* Employ advanced endpoint detection and response (EDR) capable of detecting HeartCrypt-packed executables and known RAT execution chains.
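As an added example (not from the report or Check Point's analysis), a small Python checker for the `.URL` and WebDAV mitigations above: it parses a `.URL` shortcut's INI fields and flags any that point at a remote UNC or WebDAV host, since such a reference is what makes Windows reach out to that host and authenticate when the file is handled. The sample shortcuts and the host 203.0.113.10 are constructed, and the heuristic (which fields and hosts count as remote) is my assumption, not a documented detection rule.

```python
import configparser
import re
from urllib.parse import urlparse

# Constructed sample .URL shortcuts for demonstration (not from the report).
BENIGN_URL_FILE = """[InternetShortcut]
URL=https://www.example.com/
"""

SUSPICIOUS_URL_FILE = r"""[InternetShortcut]
URL=file://203.0.113.10@80/DavWWWRoot/share/doc.pdf
IconFile=\\203.0.113.10@80\DavWWWRoot\icon.ico
IconIndex=0
"""

# \\host[@port][@SSL]\share... : a UNC path, optionally in WebDAV notation.
UNC_RE = re.compile(r"^\\\\([^\\@]+)(?:@[^\\]+)*(?:\\|$)")
LOCAL_HOSTS = {"", "localhost", "127.0.0.1", "::1"}


def remote_host(value):
    """Return the remote host a .URL field references, or None.
    Remote UNC/WebDAV references can make Windows authenticate (NTLM) to
    that host; ordinary http(s) targets are the normal case and are ignored."""
    v = value.strip()
    m = UNC_RE.match(v)
    if m:
        host = m.group(1)
    else:
        parsed = urlparse(v)
        if parsed.scheme.lower() != "file":
            return None
        host = parsed.netloc.split("@")[0]  # drop WebDAV-style @80 / @SSL suffix
    host = host.lower()
    return None if host in LOCAL_HOSTS else host


def scan_url_file(text):
    """Parse .URL (INI) text; return [(field, host)] for remote references."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)  # .URL files carry an [InternetShortcut] header
    findings = []
    for section in cp.sections():
        for key, value in cp.items(section):  # keys are lower-cased by configparser
            host = remote_host(value)
            if host is not None:
                findings.append((key, host))
    return findings


# Example run over the constructed samples.
print("benign:", scan_url_file(BENIGN_URL_FILE), "suspicious:", scan_url_file(SUSPICIOUS_URL_FILE))
```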