
Blind Eagle gang targets Colombian Institutions

The Blind Eagle gang has been linked to an ongoing series of cyberattacks targeting Colombian institutions and government entities that began in November 2024. According to a new analysis from Check Point, these campaigns have achieved significant infection rates, with more than 1,600 victims affected during a single campaign on December 19, 2024.

Blind Eagle, also known as AguilaCiega, APT-C-36, and APT-Q-98, has executed attacks focused on entities in South America, particularly Colombia and Ecuador. The group employs sophisticated social engineering tactics, primarily spear-phishing emails, to gain initial access to target systems.

The latest attack campaign stands out for three significant technical advances:

  • Exploitation of CVE-2024-43451 - tracked as an NTLMv2 hash disclosure vulnerability and patched by Microsoft in November 2024. Blind Eagle incorporated a variant of this exploit only six days after the patch was released. While this variant does not actually expose the NTLMv2 hash, it notifies the threat actors when the malicious file is downloaded through unusual user-file interactions.
  • Adoption of HeartCrypt - a new packer-as-a-service (PaaS) used to protect malicious executables. This packer is a variant of PureCrypter that launches the Remcos RAT.
  • Expanded Distribution Channels - moving beyond traditional platforms like Google Drive and Dropbox to include Bitbucket and GitHub repositories for payload delivery.

The attack typically begins with spear-phishing emails containing malicious .URL files. When victims click these files, the infection progresses, ultimately deploying remote access trojans including AsyncRAT, NjRAT, Quasar RAT, and Remcos RAT.
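A defender-side triage check for the .URL attachments described above, added here as an example and not code from Check Point or the report. It parses the INI-style shortcut format and flags fields that point at a remote host (UNC or file:// paths), since simply resolving such a path can cause Windows to issue an outbound SMB/WebDAV request; the two sample files and the heuristic are constructed for this example.

```python
import re
from typing import Dict, List

# Constructed sample .URL files (not from the report): a benign shortcut and
# one whose fields reference a remote host. Fields such as URL=, IconFile= and
# WorkingDirectory= are resolved when the shortcut is opened or even rendered,
# so a remote reference there is worth quarantining and investigating.
BENIGN_URL = """[InternetShortcut]
URL=https://www.example.com/
IconIndex=0
"""

SUSPICIOUS_URL = """[InternetShortcut]
URL=file://198.51.100.23/share/Notificacion.pdf
IconFile=\\\\198.51.100.23\\share\\icon.ico
IconIndex=1
"""

# Shortcut fields whose values Windows resolves as paths.
RESOLVED_FIELDS = ("url", "iconfile", "workingdirectory")

# UNC path (\\host\...), file:// with a non-empty host, or \\?\UNC\ prefix.
REMOTE_PATTERN = re.compile(
    r"^(\\\\[^\\]+\\|file://(?!/)[^/]+|\\\\\?\\UNC\\)", re.IGNORECASE)


def parse_url_file(text: str) -> Dict[str, str]:
    """Parse the [InternetShortcut] section into a dict with lowercase keys."""
    fields, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[internetshortcut]"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    return fields


def remote_references(text: str) -> List[str]:
    """Return 'field=value' for each resolved field that targets a remote host."""
    fields = parse_url_file(text)
    return [f"{k}={fields[k]}" for k in RESOLVED_FIELDS
            if k in fields and REMOTE_PATTERN.match(fields[k])]


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_URL), ("suspicious", SUSPICIOUS_URL)):
        print(name, remote_references(sample) or "no remote references")
```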

Researchers discovered a file containing account-password pairs with 1,634 unique email addresses in the group's GitHub repository. This HTML file, named "Ver Datos del Formulario.html", was deleted on February 25, 2025, but contained sensitive information including:

  • usernames
  • passwords
  • email credentials
  • ATM PINs

The data is associated with Colombian individuals, government agencies, educational institutions, and businesses.

Analysis of the GitHub repository revealed that the threat actor operates in the UTC-5 timezone, which aligns with several South American countries, supporting the attribution to a group operating in that region.