Blind Eagle: …And Justice for All

Check Point Research has uncovered a series of cyber campaigns led by the group Blind Eagle (APT-C-36) targeting Colombian government and private-sector institutions. The attacks, which began in late 2024, use a .url file that mirrors the technique associated with CVE-2024-43451 (a vulnerability that exposes NTLMv2 hashes): rather than exploiting the vulnerability directly, the file triggers a WebDAV request that notifies the attackers as soon as it is downloaded. The campaigns have resulted in over 1,600 infections and leverage known malware, including Remcos RAT, distributed through platforms such as Google Drive and GitHub.

Affected: Colombian government institutions, private organizations

Key points:

  • Blind Eagle (APT-C-36) has been targeting Colombian institutions since November 2024.
  • Campaigns utilize malicious .url files whose behaviour resembles that of the CVE-2024-43451 exploit.
  • This vulnerability exposes NTLMv2 hashes, allowing attackers to authenticate as users.
  • Though the .url files do not exploit the vulnerability directly, they notify attackers of interactions.
  • Over 1,600 victims were recorded during campaigns, particularly among government institutions.
  • Malware is often delivered via Google Drive, Dropbox, Bitbucket, and GitHub.
  • Blind Eagle employs the HeartCrypt packer and Remcos RAT, among other commodities.
  • Phishing campaigns have previously harvested 8,400 entries of Personally Identifiable Information (PII).
  • Microsoft patched CVE-2024-43451 on November 12, 2024, but Blind Eagle rapidly adjusted strategies to exploit the situation.

MITRE Techniques:

  • T1071.001: Application Layer Protocol: WebDAV – The .url files initiate WebDAV requests that notify the attacker when the file is downloaded.
  • T1064: Scripting – The attack uses a .NET RAT to execute additional payloads after the initial installation.
  • T1125: Video Capture – Based on its known feature set, the Remcos RAT may have image or video capture capabilities.

Indicators of Compromise:

  • [URL] file://\62.60[.]226[.]64@80file4025_3980.exe
  • [URL] file://\62.60[.]226[.]64@80file3819_5987.exe
  • [IP Address] 92.42[.]96[.]30
  • [Domain] republicadominica2025[.]ip-ddns[.]com
  • [Domain] elyeso.ip-ddns[.]com

Full Story: https://research.checkpoint.com/2025/blind-eagle-and-justice-for-all/