
Blind Eagle Targets Organizations by Weaponizing .URL Files to Steal User Hashes


Blind Eagle, also known as APT-C-36, has been making waves in the cybersecurity world with its increased focus on Colombian governmental, financial, and critical infrastructure organizations. Since its inception in 2018, this Advanced Persistent Threat group has shown remarkable adaptability by incorporating sophisticated exploit techniques and malware into its operations.

The recent campaign by Blind Eagle infected over 1,600 victims, showing the group’s reach. One of Blind Eagle’s key strengths is the speed with which it integrates new exploits into its attack methods. For example, after Microsoft released a patch for CVE-2024-43451 on November 12, 2024, Blind Eagle had already developed a variant of the exploit within six days. Rather than exposing the victim’s NTLMv2 hash, this variant was designed to serve as a notification mechanism for the threat actors.

The group’s use of malicious .url files as a distribution method has proven particularly effective, because such files can trigger WebDAV requests even on patched systems. This stealthy tactic has let Blind Eagle evade many antivirus engines and preserve its operational secrecy. By additionally distributing malware through legitimate file-sharing platforms such as Google Drive and Dropbox, the group has further complicated detection by security tools.

Blind Eagle’s recent campaigns, conducted between December 2024 and February 2025, used a consistent attack chain that began with malicious .url files delivered via email. These files then downloaded HeartCrypt-packed malware, which in turn delivered a .NET Remote Access Trojan (RAT) to the victim’s system. The RAT collects detailed system information, encrypts it using AES, and sends it to command and control servers whose domain names change constantly.

Analysis of a GitHub repository linked to Blind Eagle revealed that the group operates in the UTC-5 timezone, hinting at a potential South American origin. The repository was regularly updated with new malicious executables and then deleted after use, showcasing the group’s operational security measures. However, a slip-up on February 25, 2025, led to the accidental upload of an HTML file containing personally identifiable information from previous phishing activities, confirming Blind Eagle’s focus on Colombian victims.

Blind Eagle’s impact on Colombian governmental organizations has been severe, especially on entities within the justice system. By mimicking official legal communications in malicious filenames, the group has tricked victims into interacting with their malware. The infections caused by Blind Eagle’s campaigns have reached significant numbers, with over 9,000 systems affected during one week in December 2024. A data leak from the group exposed over 8,400 entries of personally identifiable information, including email addresses linked to Colombian government agencies.

Check Point Research, which has been closely monitoring Blind Eagle’s activities, considers the group to be one of the most active and dangerous threat actors in Latin America. Their rapid evolution, effective social engineering tactics, and broad targeting of public and private sector entities pose a substantial threat to Colombia’s national security and economic stability. Organizations are advised to implement proactive threat intelligence, advanced security defenses, and continuous monitoring to defend against the adaptable adversary that is Blind Eagle.
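One concrete form of the continuous monitoring recommended above is watching egress logs for the Windows WebDAV client talking to hosts it has no business reaching, since the .url delivery described in this article relies on exactly that connection. The script below is an added example, not code from the article or from Check Point Research; it assumes a simple space-separated proxy log format, an allowlist of internal WebDAV servers, and the `Microsoft-WebDAV-MiniRedir` user-agent string that the Windows redirector sends. All log lines are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log lines for the example (format assumed for illustration:
# timestamp client method url status "user-agent"); not from any real incident.
SAMPLE_PROXY_LOG = [
    '2025-01-14T09:12:01Z 10.0.5.23 GET https://www.example.org/ 200 "Mozilla/5.0"',
    '2025-01-14T09:12:07Z 10.0.5.23 OPTIONS http://203.0.113.10/ 200 "Microsoft-WebDAV-MiniRedir/10.0.19045"',
    '2025-01-14T09:12:07Z 10.0.5.23 PROPFIND http://203.0.113.10/DavWWWRoot/docs/ 207 "Microsoft-WebDAV-MiniRedir/10.0.19045"',
    '2025-01-14T09:13:02Z 10.0.5.41 PROPFIND https://files.corp.example/dav/ 207 "Microsoft-WebDAV-MiniRedir/10.0.19045"',
    'garbage line that does not parse',
]

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# WebDAV-specific methods. OPTIONS is deliberately excluded here because browsers
# send it for CORS preflight; it is caught via the user-agent check instead.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "LOCK", "UNLOCK", "MOVE", "COPY"}

# Internal WebDAV servers whose use is expected (assumption for the example).
ALLOWED_WEBDAV_HOSTS = {"files.corp.example"}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def is_webdav_client_request(rec):
    """True if the request came from the Windows WebDAV redirector or used a WebDAV method."""
    return rec["ua"].startswith("Microsoft-WebDAV-MiniRedir") or rec["method"] in WEBDAV_METHODS


def find_external_webdav(lines):
    """Group WebDAV requests to non-allowlisted hosts by client address."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host = urlparse(rec["url"]).hostname
        if host in ALLOWED_WEBDAV_HOSTS:
            continue
        if is_webdav_client_request(rec):
            hits[rec["client"]].append((rec["ts"], rec["method"], host))
    return dict(hits)


if __name__ == "__main__":
    for client, requests in find_external_webdav(SAMPLE_PROXY_LOG).items():
        print(f"{client}: {len(requests)} WebDAV request(s) to non-allowlisted hosts")
        for ts, method, host in requests:
            print(f"  {ts} {method} {host}")
```

The grouping by client matters more than any single hit: a workstation that suddenly issues OPTIONS and PROPFIND to an unfamiliar address within the same second is the pattern to alert on, and the client address then points straight at the host to pull for the .url file and whatever it fetched.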
