Full Report
Blind Eagle has been running campaigns targeting the Colombian government with malicious .url files and phishing attacks
Analysis Summary
# Threat Actor: Blind Eagle (APT-C-36)
## Attribution & Identity
* **Name:** Blind Eagle
* **Aliases:** APT-C-36
* **Association:** Identified as an active and dangerous threat actor in Latin America, with a particular focus on Colombia.
## Activity Summary
The actor has been running a cyber-threat campaign targeting Colombian government institutions, judicial institutions, private organizations, and other government agencies since November 2024.
* **Recent Campaigns (Jan 2025):** Campaigns labeled “socialismo” and “miami” distributed malicious `.url` files via compromised Google Drive accounts, leading to data exfiltration and system compromise.
* **Recent Campaigns (Dec 2024):** A campaign named “Parasio” leveraged Bitbucket to distribute the Remcos RAT payload, resulting in approximately 9000 infections over one week.
* **CVE-2024-43451 Mimicry:** Blind Eagle incorporated an attack vector mimicking the effects of the recently patched Microsoft vulnerability CVE-2024-43451: malicious `.url` files that issue WebDAV requests, giving the actor notification that the lure was downloaded.
* **Historical Activity (Feb 2025):** Exposed PII/credentials/ATM PINs from a phishing campaign impersonating Colombian banks, compromising data from 8,075 entries, including Colombian government email accounts.
* **Scope:** One large observed campaign on December 19, 2024, infected over 1600 victims.
## Tactics, Techniques & Procedures
* **Delivery:** Distribution of malicious `.url` files that trigger a WebDAV request on mere interaction with the file (right-clicking, deleting, or dragging it), confirming to the actor that the lure reached the victim; when the file is clicked, a second WebDAV request initiates execution of the second-stage payload.
* **Payload Hosting:** Exploitation of legitimate file-sharing platforms to host payloads, including **Google Drive, Dropbox, Bitbucket, and GitHub**.
* **Evasion/Obfuscation:** Use of **HeartCrypt**, described as a packer-as-a-service, to protect the initial-stage .NET RAT.
* **Execution:** Infected systems execute a .NET RAT variant (believed to be PureCrypter) which leads to the final payload stage.
* **Goal:** Initial reconnaissance (WebDAV hash confirmation), system compromise, and data exfiltration.
## Targeting
* **Sectors:** Judicial institutions, private organizations, government agencies, and organizations affiliated with the Colombian banking sector (via phishing).
* **Geography:** Primarily **Colombia** (South America). The group's GitHub repository usage aligns with South American time zones (UTC-5).
* **Victims:** Colombian government institutions, Colombian judicial institutions, and Colombian banks (via phishing).
## Tools & Infrastructure
* **Malware Families Used:**
  * **.NET RAT** (believed to be a variant of **PureCrypter**)
  * **Remcos RAT** (Remote Access Trojan; final payload)
* **Infrastructure:**
  * Payload hosting on **Google Drive, Dropbox, Bitbucket, and GitHub**.
  * Activity suggests operations aligned with the **UTC-5** time zone.
## Implications
Blind Eagle remains one of the most active and dangerous threat actors in Latin America. Their success is heavily reliant on abusing legitimate cloud services (Google Drive, GitHub, etc.) to distribute malware, allowing them to bypass conventional security signatures and network perimeter defenses. The recent adoption of attack vectors mimicking high-profile vulnerabilities (CVE-2024-43451) shows rapid adaptation to recent patch cycles. Compromises often lead to significant data exposure (PII, credentials) and remote system control.
## Mitigations
* Implement strict security policies regarding file execution from untrusted origins.
* **Monitor network activity for unusual WebDAV requests**, especially those associated with file interaction or downloads.
* Disable NTLM authentication where possible to mitigate risks associated with techniques like extracting NTLMv2 hashes.
* Organizations should treat files downloaded from public file-sharing services with extreme scrutiny.
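The delivery technique described under TTPs (`.url` files whose remote references make Windows reach out over WebDAV on interaction) and the WebDAV-monitoring mitigation above can both be supported by triaging `.url` files before users touch them. The following is an added example, not code from the original report or from any vendor; the sample shortcut contents and the `192.0.2.10` host are constructed, and the `host@80` / `host@SSL` WebDAV syntax is standard Windows UNC notation.

```python
"""Triage Windows Internet Shortcut (.url) files for remote UNC/WebDAV references.

A .url file is an INI file with an [InternetShortcut] section. Windows resolves
fields such as IconFile when merely rendering the shortcut, so a value that
points at a remote host (UNC path, file:// URL, or the host@80 / host@SSL form
that forces the WebDAV redirector) causes an outbound request before any click.
"""
import configparser
import re
from urllib.parse import urlparse

_REMOTE_FIELDS = ("URL", "IconFile", "WorkingDirectory")  # resolved by the shell
_UNC_RE = re.compile(r"^\\\\([^\\]+)")                     # \\host\share\...
_WEBDAV_HOST_RE = re.compile(r"^([^@/\\]+)@(\d+|SSL)$", re.IGNORECASE)

def parse_url_file(text: str) -> dict:
    """Return the [InternetShortcut] section as a dict, preserving key case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep 'URL' / 'IconFile' as written
    cp.read_string(text)
    return dict(cp["InternetShortcut"]) if cp.has_section("InternetShortcut") else {}

def remote_host(value: str):
    """Return (host, transport) if the value targets a remote share, else None."""
    v = value.strip()
    m = _UNC_RE.match(v)
    if m:
        netloc = m.group(1)
    elif v.lower().startswith("file:"):
        parsed = urlparse(v)
        netloc = parsed.netloc or parsed.path.lstrip("/").split("/")[0]
    else:
        return None  # local path or ordinary http(s) link: normal for a .url file
    if not netloc or netloc.lower() in ("localhost", "127.0.0.1"):
        return None
    m = _WEBDAV_HOST_RE.match(netloc)
    if m:
        return m.group(1), "webdav"          # host@80 / host@SSL: WebDAV only
    return netloc, "smb-or-webdav"           # plain UNC: SMB first, WebDAV fallback

def triage_url_file(text: str) -> list:
    """One (field, host, transport) finding per field that reaches a remote host."""
    findings = []
    for field, value in parse_url_file(text).items():
        hit = remote_host(value) if field in _REMOTE_FIELDS else None
        if hit:
            findings.append((field, hit[0], hit[1]))
    return findings

# Constructed samples: a lure-style shortcut and a benign web shortcut.
SAMPLE_LURE = r"""[InternetShortcut]
URL=file://192.0.2.10@80/share/Documento.pdf
IconFile=\\192.0.2.10@80\share\icon.ico
IconIndex=0
"""
SAMPLE_BENIGN = r"""[InternetShortcut]
URL=https://www.example.com/
IconFile=C:\Windows\System32\SHELL32.dll
IconIndex=3
"""
```

Any finding is worth correlating with proxy or firewall logs for PROPFIND/OPTIONS traffic to the same host, which is the WebDAV activity the mitigations section says to monitor.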