
Blind Eagle Uses Malicious .url Files to Target Colombian Government


A cyber-threat campaign against Colombian government institutions and organizations has been under way since November 2024. It has been attributed to the threat group Blind Eagle, also tracked as APT-C-36. The attackers distribute malicious .url files that reproduce the effect of the recently patched CVE-2024-43451 vulnerability: a file that makes the victim's machine reach out to an attacker-controlled server without the victim opening it.

CVE-2024-43451, patched by Microsoft on November 12, 2024, is an NTLM hash disclosure flaw: minimal interaction with a crafted file, such as right-clicking, deleting or dragging it, caused Windows to send the user's NTLMv2 hash to an attacker-controlled server, where it could be cracked or relayed in authentication attacks. Blind Eagle's .url variant does not exploit the vulnerability itself, but it reuses the same trigger: the file points at a remote WebDAV share, so the same minimal interactions produce an outbound WebDAV request. That request acts as a beacon telling the attackers the file has landed on a victim machine; if the user then opens the file, the second-stage payload is downloaded and executed.

Blind Eagle folded the technique into its operations just six days after the patch was released, aiming primarily at Colombian judicial institutions, government agencies and private organizations. One campaign observed on December 19, 2024 infected more than 1,600 victims, a large number for a group whose targeting has historically been selective.

Blind Eagle delivers its malware through legitimate file-sharing services such as Google Drive and Dropbox, and has recently added Bitbucket and GitHub as payload hosts. The chain observed here uses the HeartCrypt packer to protect a .NET loader believed to be a variant of PureCrypter, which in turn drops the final payload, the Remcos remote access trojan.

In January 2025, campaigns labeled "socialismo" and "miami" distributed the malicious .url files through compromised Google Drive accounts, ending in data exfiltration and system compromise. Commits to the group's GitHub repository are timestamped in UTC-5, which matches Colombia and neighboring South American time zones and supports the assessment of the group's origin.

A December 2024 campaign named "Parasio" used Bitbucket to distribute the Remcos RAT payload and alone produced roughly 9,000 infections within a week. Check Point Research (CPR) also uncovered a separate Blind Eagle phishing campaign in February 2025 that impersonated Colombian banks and whose harvested data, including personally identifiable information, was left exposed.

That dataset held 8,075 valid entries containing compromised credentials and ATM PINs, and several Colombian government email accounts were among the targets. CPR warned that Blind Eagle remains one of the most active and dangerous threat actors in Latin America, with a particular focus on Colombia's public and private sectors.

To counter this threat, organizations should enforce strict security policies, disable NTLM authentication where possible, and monitor network traffic for unusual WebDAV requests. In practice that means blocking outbound SMB (TCP 445) and WebDAV to the internet at the perimeter, disabling the Windows WebClient service on hosts that do not need it, filtering .url attachments at the mail gateway, and alerting when a workstation's WebDAV client contacts an external host. Continued vigilance and proactive defense are essential to limiting the impact of threats such as Blind Eagle.
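As an added example of the WebDAV monitoring recommended above, not code from the article or from CPR, the script below scans constructed proxy log lines for the Windows WebDAV client user agent (Microsoft-WebDAV-MiniRedir/...) talking to hosts outside a defined set of internal ranges, and rates the share-enumeration methods (OPTIONS, PROPFIND) higher than the later file GET. The log format, the internal ranges and every address are assumptions to adapt to your own proxy or firewall export.

```python
"""Flag WebDAV client traffic leaving the network, over constructed log lines.

Added example, not part of the original article or of Check Point Research's
tooling. The log line format is invented for the example; adapt LINE_RE to
your proxy or firewall export. The user-agent prefix
"Microsoft-WebDAV-MiniRedir/" is what the Windows WebClient service sends,
so a hit against an external destination means a workstation resolved a
remote UNC/WebDAV path, which is the behaviour the malicious .url files rely on.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Set

# Address space treated as internal (assumed; use your own allocations).
# 203.0.113.0/24 is a documentation range used below as a stand-in for
# external hosts, which is why an explicit list is used instead of is_private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WEBDAV_UA_RE = re.compile(r"^Microsoft-WebDAV-MiniRedir/")
# Methods the redirector issues when it first maps a share (enumeration),
# as opposed to the GET that fetches a file.
ENUM_METHODS = {"OPTIONS", "PROPFIND", "PROPPATCH", "MKCOL"}
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>[^:\s]+):(?P<port>\d+) '
    r'(?P<method>\S+) (?P<path>\S+) "(?P<ua>[^"]*)" (?P<status>\d+)$'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one constructed log line; None if it does not match the schema."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_internal(ip: str) -> bool:
    """True if the address falls inside INTERNAL_NETS; hostnames count as external."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def detect_external_webdav(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert per WebDAV-client request to a non-internal host."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not WEBDAV_UA_RE.match(rec["ua"]):
            continue
        if is_internal(rec["dst"]):
            continue
        alerts.append({
            "ts": rec["ts"], "src": rec["src"], "dst": rec["dst"], "port": rec["port"],
            "method": rec["method"], "path": rec["path"],
            # Enumeration methods show the share being mapped; a GET is the payload fetch.
            "severity": "high" if rec["method"] in ENUM_METHODS else "medium",
        })
    return alerts


def external_webdav_hosts_by_source(lines: List[str]) -> Dict[str, Set[str]]:
    """Group alerts by internal source, for quick pivoting to the affected hosts."""
    grouped: Dict[str, Set[str]] = {}
    for alert in detect_external_webdav(lines):
        grouped.setdefault(alert["src"], set()).add(alert["dst"])
    return grouped


# Constructed log lines: timestamp, source, dest:port, method, path, UA, status.
LOG_LINES = [
    '2024-12-19T14:02:11Z 10.0.4.21 203.0.113.7:80 OPTIONS / "Microsoft-WebDAV-MiniRedir/10.0.19041" 200',
    '2024-12-19T14:02:12Z 10.0.4.21 203.0.113.7:80 PROPFIND /share/ "Microsoft-WebDAV-MiniRedir/10.0.19041" 207',
    '2024-12-19T14:02:13Z 10.0.4.21 203.0.113.7:80 GET /share/update.exe "Microsoft-WebDAV-MiniRedir/10.0.19041" 200',
    '2024-12-19T14:03:40Z 10.0.4.22 10.0.9.5:80 PROPFIND /docs/ "Microsoft-WebDAV-MiniRedir/10.0.19041" 207',
    '2024-12-19T14:04:01Z 10.0.4.23 203.0.113.9:443 GET / "Mozilla/5.0 (Windows NT 10.0)" 200',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for alert in detect_external_webdav(LOG_LINES):
        print(alert)
    print(external_webdav_hosts_by_source(LOG_LINES))
```

The internal PROPFIND to 10.0.9.5 is deliberately left alone: WebDAV to an intranet SharePoint or file server is normal, and the signal in this campaign is the WebDAV client reaching the internet at all.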

