The threat actor known as Blind Eagle has been linked to a series of ongoing campaigns targeting Colombian agencies and government agencies since November 2024.
“The monitored campaign targets Colombian judicial agencies and other government or private organizations, with high infection rates,” Checkpoint said in a new analysis.
“One of these campaigns took place around December 19, 2024 affected more than 1,600 casualties. This infection rate is important considering Blind Eagle’s targeting approach.”
The Blind Eagle, which has been active since at least 2018, has also been tracked as Aguilaciega, APT-C-36, and APT-Q-98. It is known for its ultra-specific targeting of entities in South America, particularly Colombia and Ecuadorian.
An attack chain, organized by threat actors, often uses social engineering tactics in the form of spear phishing emails, gaining initial access to the target system and ultimately drops remote access trojans such as Asyncrat, NJRAT, Quasar Rat, and Remcos Rat, which are available.
The latest intrusion set is notable for three reasons. Using the currently patched Microsoft Windows flaw (CVE-2024-43451) exploit variant, adoption of a new packer As-A-Service (PAAS) called HeartCrypt, and distribution of payloads via Bitbucket and Gith Drigbox and Google Drive.
Specifically, HeartCrypt is used to protect malicious executables, which are variants of the person responsible for launching Remcos rat malware hosted in the currently removed Bitbucket or Github repository.
CVE-2024-43451 refers to the NTLMV2 hash disclosure vulnerability fixed by Microsoft in November 2024. For each checkpoint, Blind Eagle incorporated a variant of this attack.
“This variant doesn’t actually publish an NTLMV2 hash, but it notifies threat actors that the file has been downloaded due to the same unusual user file interaction,” the cybersecurity company said.
“A device vulnerable to CVE-2024-43451 triggers a WebDav request before the user interacts with the file manually with the same anomalous behavior. Meanwhile, on both patched and unpaid systems, click on the malicious .url file to begin downloading and performing the next stage of payment.”
Checkpoint noted that “quick response” helps to highlight the group’s technical expertise and the ability to adapt and pursue new attack methods in the face of evolving security defenses.
It is GitHub repository that serves smoking guns for the origins of the threat actor, and it has been revealed that the threat actors operate in the UTC-5 time zone and are working with several South American countries.
That’s not all. In what appears to be an operational error, analysis of repository commit history revealed a file containing account password pairs containing 1,634 unique email addresses.
The HTML file named “veratos del formulaio.html” was removed from the repository on February 25, 2025, but is known to contain details such as username, password, email, email password, and ATM pins related to individuals, government agencies, educational institutions, and operators in Colombia.
“A key element of success is the ability to leverage legitimate file sharing platforms like Google Drive, Dropbox, Bitbucket and GitHub, allowing traditional security measures to be used to distribute malware secretly,” Check Point said.
“In addition, the use of underground Crimeware tools such as Remcos Rat, HeartClypt and Purecrypter will enhance deep connections with the cybercrime ecosystem and grant access to sophisticated evasion techniques and persistent ways of access.”
Source link
