{
	"id": "38b5dc9a-3296-40e8-8258-c0bf501b0e9c",
	"created_at": "2026-04-06T00:06:51.74119Z",
	"updated_at": "2026-04-10T03:35:20.367227Z",
	"deleted_at": null,
	"sha1_hash": "0df1518059b88e4fa815acd97325f2d03319cac8",
	"title": "Blind Eagle Hacks Colombian Institutions Using NTLM Flaw, RATs and GitHub-Based Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 752336,
	"plain_text": "Blind Eagle Hacks Colombian Institutions Using NTLM Flaw, RATs and GitHub-Based Attacks\nBy The Hacker News\nPublished: 2025-03-11 · Archived: 2026-04-05 13:35:28 UTC\n\nThe threat actor known as Blind Eagle has been linked to a series of ongoing campaigns targeting Colombian institutions and government entities since November 2024.\n\n\"The monitored campaigns targeted Colombian judicial institutions and other government or private organizations, with high infection rates,\" Check Point said in a new analysis.\n\n\"More than 1,600 victims were affected during one of these campaigns which took place around December 19, 2024. This infection rate is significant considering Blind Eagle's targeted APT approach.\"\n\nBlind Eagle, active since at least 2018, is also tracked as AguilaCiega, APT-C-36, and APT-Q-98. It's known for its hyper-specific targeting of entities in South America, specifically Colombia and Ecuador.\n\nAttack chains orchestrated by the threat actor entail the use of social engineering tactics, often in the form of spear-phishing emails, to gain initial access to target systems and ultimately drop readily available remote access trojans like AsyncRAT, NjRAT, Quasar RAT, and Remcos RAT.\n\nhttps://thehackernews.com/2025/03/blind-eagle-hacks-colombian.html\nPage 1 of 3\n\nThe latest set of intrusions is notable for three reasons: the use of a variant of an exploit for a now-patched Microsoft Windows flaw (CVE-2024-43451), the adoption of a nascent packer-as-a-service (PaaS) called HeartCrypt, and the distribution of payloads via Bitbucket and GitHub, going beyond Google Drive and Dropbox.\n\nSpecifically, HeartCrypt is used to protect the malicious executable, a variant of PureCrypter that's then responsible for launching the Remcos RAT malware hosted on a now-removed Bitbucket or GitHub repository.\n\nCVE-2024-43451 refers to an NTLMv2 hash disclosure vulnerability that was fixed by Microsoft in November 2024. Blind Eagle, per Check Point, incorporated a variant of this exploit into its attack arsenal a mere six days after the release of the patch; the infection advances when an unsuspecting victim manually clicks a malicious .URL file distributed via a phishing email.\n\n\"While this variant does not actually expose the NTLMv2 hash, it notifies the threat actors that the file was downloaded by the same unusual user-file interactions,\" the cybersecurity company said.\n\n\"On devices vulnerable to CVE-2024-43451, a WebDAV request is triggered even before the user manually interacts with the file with the same unusual behavior. Meanwhile, on both patched and unpatched systems, manually clicking the malicious .URL file initiates the download and execution of the next-stage payload.\"\n\nCheck Point pointed out that the \"rapid response\" serves to highlight the group's technical expertise and its ability to adapt and pursue new attack methods in the face of evolving security defenses.\n\nServing as a smoking gun for the threat actor's origins is the GitHub repository, which has revealed that the threat actor operates in the UTC-5 timezone, aligning with several South American countries.\n\nThat's not all. In what appears to be an operational error, an analysis of the repository commit history has uncovered a file containing account-password pairs with 1,634 unique email addresses.\n\nWhile the HTML file, named \"Ver Datos del Formulario.html,\" was deleted from the repository on February 25, 2025, it has been found to contain details such as usernames, passwords, email addresses, email passwords, and ATM PINs associated with individuals, government agencies, educational institutions, and businesses operating in Colombia.\n\n\"A key factor in its success is its ability to exploit legitimate file-sharing platforms, including Google Drive, Dropbox, Bitbucket, and GitHub, allowing it to bypass traditional security measures and distribute malware stealthily,\" Check Point said.\n\n\"Additionally, its use of underground crimeware tools such as Remcos RAT, HeartCrypt, and PureCrypter reinforces its deep ties to the cybercriminal ecosystem, granting access to sophisticated evasion techniques and persistent access methods.\"\n\nSource: https://thehackernews.com/2025/03/blind-eagle-hacks-colombian.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://thehackernews.com/2025/03/blind-eagle-hacks-colombian.html"
	],
	"report_names": [
		"blind-eagle-hacks-colombian.html"
	],
	"threat_actors": [
		{
			"id": "98b22fd7-bf1b-41a6-b51c-0e33a0ffd813",
			"created_at": "2022-10-25T15:50:23.688973Z",
			"updated_at": "2026-04-10T02:00:05.390055Z",
			"deleted_at": null,
			"main_name": "APT-C-36",
			"aliases": [
				"APT-C-36",
				"Blind Eagle"
			],
			"source_name": "MITRE:APT-C-36",
			"tools": [
				"Imminent Monitor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "be597b07-0cde-47bc-80c3-790a8df34af4",
			"created_at": "2022-10-25T16:07:23.407484Z",
			"updated_at": "2026-04-10T02:00:04.58656Z",
			"deleted_at": null,
			"main_name": "Blind Eagle",
			"aliases": [
				"APT-C-36",
				"APT-Q-98",
				"AguilaCiega",
				"G0099"
			],
			"source_name": "ETDA:Blind Eagle",
			"tools": [
				"AsyncRAT",
				"BitRAT",
				"Bladabindi",
				"BlotchyQuasar",
				"Imminent Monitor",
				"Imminent Monitor RAT",
				"Jorik",
				"LimeRAT",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Socmer",
				"Warzone",
				"Warzone RAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bd43391b-b835-4cb3-839a-d830aa1a3410",
			"created_at": "2023-01-06T13:46:38.925525Z",
			"updated_at": "2026-04-10T02:00:03.147197Z",
			"deleted_at": null,
			"main_name": "APT-C-36",
			"aliases": [
				"Blind Eagle"
			],
			"source_name": "MISPGALAXY:APT-C-36",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434011,
	"ts_updated_at": 1775792120,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0df1518059b88e4fa815acd97325f2d03319cac8.pdf",
		"text": "https://archive.orkl.eu/0df1518059b88e4fa815acd97325f2d03319cac8.txt",
		"img": "https://archive.orkl.eu/0df1518059b88e4fa815acd97325f2d03319cac8.jpg"
	}
}