A new cyber-threat campaign targeting Colombian government institutions and organizations since November 2024 has been attributed to the threat group Blind Eagle, also known as APT-C-36. The attackers have been distributing malicious .url files that mimic the effects of the recently patched CVE-2024-43451 vulnerability.
The vulnerability CVE-2024-43451, patched by Microsoft on November 12 2024, allowed attackers to extract NTLMv2 hashes, which could then be used for authentication attacks.
While Blind Eagle’s .url variant does not exploit this vulnerability directly, it still triggers a WebDAV request when the file is interacted with in specific ways, such as right-clicking, deleting or dragging it. This request notifies the attackers that the file has been downloaded. If the user clicks the file, it initiates the download of a second-stage payload via another WebDAV request, executing the malware.
Just six days after Microsoft issued the patch, Blind Eagle incorporated this new attack vector into its operations. The group primarily targeted Colombian judicial institutions, private organizations and other government agencies.
One of the largest observed campaigns, on December 19 2024, infected over 1600 victims. Given Blind Eagle’s historically selective targeting, this number is significant.
Delivery Methods and Malware Analysis
Blind Eagle has been known to distribute its malware through legitimate file-sharing platforms like Google Drive and Dropbox. According to a new advisory by Check Point Research (CPR), it has recently expanded to using Bitbucket and GitHub to host its payloads.
The attack chain includes the use of HeartCrypt, a packer-as-a-service, to protect a .NET RAT believed to be a variant of PureCrypter. The final-stage payload is Remcos RAT, a remote access trojan.
In January 2025, a new wave of campaigns labeled “socialismo” and “miami” involved the distribution of malicious .url files via compromised Google Drive accounts. The malware executed a complex infection chain that resulted in data exfiltration and system compromise.
The group’s GitHub repository, frequently updated in the UTC-5 timezone, aligns with South American time zones, reinforcing suspicions about its origin.
Another campaign in December 2024, named “Parasio,” leveraged Bitbucket instead of GitHub to distribute the Remcos RAT payload. This campaign alone resulted in approximately 9000 infections over one week.
Past Phishing Campaigns and Data Exposure
CPR also found evidence of an additional phishing campaign run by Blind Eagle. In February 2025, the group mistakenly exposed an HTML file containing personally identifiable information (PII) from a phishing campaign that impersonated Colombian banks.
The dataset included 8075 valid entries, with credentials and ATM PINs among the compromised information. Several Colombian government email accounts were also among the targeted victims.
“Blind Eagle remains one of the most active and dangerous threat actors in Latin America, with a specific focus on Colombia’s public and private sectors,” CPR warned.
“A key factor in its success is its ability to exploit legitimate file-sharing platforms, including Google Drive, Dropbox, Bitbucket, and GitHub, allowing it to bypass traditional security measures and distribute malware stealthily.”
To counter this threat, organizations are advised to implement strict security policies, disable NTLM authentication where possible and monitor network activity for unusual WebDAV requests.
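One way to act on the last recommendation is to look for Windows WebDAV client traffic leaving the network in HTTP proxy logs. The script below is an added example, not code from the article or from Check Point's report; its pipe-delimited key=value log format, the field names and all sample records are constructed for illustration.

```python
"""Flag outbound WebDAV requests in HTTP proxy logs (added example, not from the
article or Check Point's report). The 'k=v|k=v' log format, its field names and
all sample records below are constructed for illustration."""
import ipaddress
from typing import Dict, List

# Methods the Windows WebDAV Mini-Redirector issues when a UNC path is resolved
# over HTTP; an ordinary browser page fetch does not use them.
WEBDAV_METHODS = {"OPTIONS", "PROPFIND", "PROPPATCH", "MKCOL"}
# Well-known User-Agent prefix of the Windows WebDAV client.
WEBDAV_UA_PREFIX = "Microsoft-WebDAV-MiniRedir"
# Address ranges treated as internal; WebDAV to these is expected file-share use.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_line(line: str) -> Dict[str, str]:
    """Parse one constructed 'k=v|k=v' proxy log line into a dict."""
    fields = {}
    for token in line.strip().split("|"):
        key, _, value = token.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def is_external(dst: str) -> bool:
    """True unless dst is an internal IP literal; hostnames count as external."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return True
    return not any(addr in net for net in INTERNAL_NETS)

def find_suspicious_webdav(lines: List[str]) -> List[Dict[str, str]]:
    """Return records that look like WebDAV client traffic leaving the network."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        webdav = (rec.get("method") in WEBDAV_METHODS
                  or rec.get("ua", "").startswith(WEBDAV_UA_PREFIX))
        if webdav and is_external(rec.get("dst", "")):
            hits.append(rec)
    return hits

# Constructed sample records; 203.0.113.x / 198.51.100.x are documentation ranges.
SAMPLE_LOG = [
    "ts=2024-12-19T14:02:11|src=10.20.1.55|dst=10.20.0.8|method=PROPFIND|ua=Microsoft-WebDAV-MiniRedir/10.0.19045|path=/share/",
    "ts=2024-12-19T14:02:13|src=10.20.1.55|dst=203.0.113.77|method=OPTIONS|ua=Microsoft-WebDAV-MiniRedir/10.0.19045|path=/",
    "ts=2024-12-19T14:02:14|src=10.20.1.55|dst=203.0.113.77|method=GET|ua=Microsoft-WebDAV-MiniRedir/10.0.19045|path=/f/stage2.exe",
    "ts=2024-12-19T14:03:01|src=10.20.1.60|dst=198.51.100.9|method=GET|ua=Mozilla/5.0|path=/index.html",
]

if __name__ == "__main__":
    for hit in find_suspicious_webdav(SAMPLE_LOG):
        print(hit["ts"], hit["src"], "->", hit["dst"], hit["method"], hit["path"])
```

The internal PROPFIND to a file server is left alone; the OPTIONS probe and the follow-up GET from the WebDAV client to an external host are the pattern worth alerting on, since that is how the second-stage fetch described above would appear on the wire.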