{
	"id": "7da47155-75aa-4fdb-aa80-78cae4772fcf",
	"created_at": "2026-04-21T02:19:24.481029Z",
	"updated_at": "2026-04-21T02:20:18.231537Z",
	"deleted_at": null,
	"sha1_hash": "595664701f4cf78f3a37fc1d41aaf41d8d0f7759",
	"title": "The Growing Danger of Blind Eagle: One of Latin America’s Most Dangerous Cyber Criminal Groups Targe ...",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 78399,
	"plain_text": "The Growing Danger of Blind Eagle: One of Latin America’s Most\r\nDangerous Cyber Criminal Groups Targe ...\r\nBy rohann@checkpoint.com\r\nPublished: 2025-03-10 · Archived: 2026-04-21 02:13:13 UTC\r\nExecutive Summary \r\nCheck Point Research (CPR) has uncovered a series of ongoing, targeted cyber campaigns by Blind Eagle\r\n(APT-C-36)—one of Latin America’s most dangerous threat actors\r\nDays after Microsoft released a fix for CVE-2024-43451, the group began employing a comparable\r\ntechnique involving harmful .url files, showing how attackers can turn security updates into weapons\r\nagainst their victims\r\nCPR found over 9,000 infections in just one week\r\nAttacks leverage trusted platforms like Google Drive, Dropbox, GitHub, and Bitbucket to distribute\r\npayloads, bypassing traditional security defenses\r\nThe final malware, Remcos RAT, enables data theft, remote execution, and persistent access\r\nBlind Eagle’s Cyber Espionage Tactics Are Evolving—Fast\r\nCyber criminals move quickly, but Blind Eagle (APT-C-36) is proving just how fast. The notorious advanced\r\npersistent threat (APT) group, known for targeting Colombia’s justice system, government institutions, and private\r\norganizations, has launched a new campaign that demonstrates how attackers can weaponize security patches\r\nagainst their targets.\r\nJust six days after Microsoft patched CVE-2024-43451, Blind Eagle incorporated a similar method into their\r\nattack arsenal, using malicious .url files to track victims and execute malware. This technique allows them to\r\nidentify potential targets without any interaction from the victim, making their approach stealthier than traditional\r\nphishing campaigns.\r\nCPR uncovered more than 1,600 infections from a single campaign—a staggering number given the targeted\r\nnature of APT attacks. 
What’s particularly alarming is the group’s ability to bypass security measures by using\r\nlegitimate cloud platforms like Google Drive, Dropbox, GitHub, and Bitbucket to deliver their malware.\r\nThis campaign underscores the growing sophistication of cyber threats and the need for proactive defenses to\r\ncounter them.\r\nWeaponizing a Microsoft Patch: How Blind Eagle is Using .URL Files to Target Victims\r\nhttps://blog.checkpoint.com/research/the-growing-danger-of-blind-eagle-one-of-latin-americas-most-dangerous-cyber-criminal-groups-targets-colombia/\r\nPage 1 of 4\n\nOn November 12, 2024, Microsoft patched CVE-2024-43451, a vulnerability that exposed NTLMv2 hashes,\r\nallowing attackers to hijack user credentials. In response, Blind Eagle developed a technique using .url files, not to\r\nexploit the vulnerability directly, but to track victims and trigger malware downloads.\r\nThis attack method is particularly dangerous because it requires minimal user interaction. Simply right-clicking,\r\ndeleting, or dragging the file can trigger a WebDAV request, which notifies the attackers that the file has been\r\naccessed. If the victim then clicks on the file, the next-stage payload is downloaded and executed, leading to a\r\nfull-blown compromise.\r\nThe stealth of this method makes detection difficult. Unlike traditional malware that requires a user to open an\r\nattachment or enable macros, these .url files act passively, reporting back to attackers even before they are\r\nexecuted. 
This can allow Blind Eagle to identify and prioritize potential victims before deploying the full malware\r\npayload, as their malicious .url files notify attackers when accessed.\r\nTrusted Cloud Platforms: The New Malware Delivery Mechanism\r\nBlind Eagle has previously leveraged legitimate cloud-based services and continues to do so, making it more\r\ndifficult for security tools to detect and flag their malicious activity compared to suspicious domains.\r\nCPR identified Blind Eagle leveraging:\r\nGoogle Drive\r\nDropbox\r\nGitHub\r\nBitbucket\r\nBy disguising malware as harmless-looking files hosted on trusted services, Blind Eagle can evade traditional\r\nsecurity filters. When a victim interacts with the malicious file, the malware downloads and executes a remote\r\naccess trojan (RAT), giving attackers complete control over the compromised system.\r\nThis method also enables Blind Eagle to quickly update their malware payloads without needing to reconfigure\r\ntheir attack infrastructure. If one hosting account is taken down, they can simply upload their malware to a new\r\ncloud storage account and continue operations.\r\nWhat Happens After Infection? 
The Full Attack Chain\r\nOnce executed, the malware deployed by Blind Eagle is designed for stealth, persistence, and data exfiltration.\r\nThe final payload used in this campaign is Remcos RAT, a widely used remote access trojan that grants attackers\r\ncomplete control over an infected machine.\r\nAfter infection, the malware can:\r\nCapture user credentials by logging keystrokes and stealing stored passwords.\r\nModify and delete files, allowing attackers to sabotage systems or encrypt data for ransom.\r\nEstablish persistence by creating scheduled tasks and registry modifications, ensuring it survives reboots.\r\nExfiltrate sensitive information, sending it back to command-and-control (C2) servers operated by Blind\r\nEagle.\r\nCPR found that one campaign alone led to over 9,000 victims in just one week, indicating that these tactics are\r\nproving highly effective.\r\nBlind Eagle’s Rapid Adaptation: A New Trend in Cyber Attacks?\r\nThe speed at which Blind Eagle weaponized a newly patched vulnerability raises a critical concern: Are cyber\r\ncriminals adapting faster than defenders?\r\nThis case highlights a worrying trend in modern cyber warfare—threat actors are no longer waiting for zero-day\r\nvulnerabilities to be disclosed. Instead, they are closely monitoring security patches, analyzing them, and finding\r\nways to mimic or repurpose the behavior of the exploit before organizations have fully implemented defenses.\r\nBlind Eagle’s ability to quickly integrate a patched exploit into their campaigns suggests that cyber criminals are\r\nbecoming more agile, innovative, and prepared. 
Security teams must respond by accelerating their patch\r\nmanagement strategies and implementing AI-driven threat prevention solutions to detect emerging threats before\r\nthey can take hold.\r\nHow Organizations Can Defend Against Blind Eagle’s Attacks\r\nWith APT groups evolving their tactics rapidly, organizations must move beyond traditional security models and\r\nadopt a proactive defense strategy.\r\nKey steps to mitigate these threats include:\r\nStrengthening email security – Blind Eagle primarily relies on phishing emails to deliver its payloads. A\r\nrobust email security solution can detect and block malicious attachments before they reach users.\r\nImplementing real-time endpoint protection – Behavioral-based detection with Harmony Endpoint can\r\nrecognize suspicious file interactions and block malware execution before damage occurs.\r\nMonitoring web traffic and DNS activity – Since Blind Eagle leverages cloud storage services, security\r\nteams must analyze outbound network connections and flag unusual requests to trusted platforms.\r\nEnhancing security awareness training – Employees remain the weakest link in cyber security. Regular\r\ntraining on identifying phishing attempts and suspicious file behavior can prevent successful attacks.\r\nLeveraging advanced threat prevention solutions—Traditional signature-based security tools struggle\r\nagainst rapidly evolving threats. 
Check Point Threat Emulation, together with Harmony Endpoint, provides\r\ncomprehensive protection across attack tactics, file types, and operating systems, defending against the\r\nexact threats described in this report.\r\nTo learn more about Blind Eagle, read Check Point Research’s comprehensive report here.\r\nProtection Names:\r\nExploit.Wins.CVE-2024-43451.ta.A\r\nInfostealer.Win.Generic.F\r\nInjector.Win.RunPE.A\r\nInfostealer.Win.PasswordStealer.A\r\nTrojan.Win.Unpacme.gl.I\r\nExploit.Win.UnDefender.A\r\nPacker.Win.VBNetCrypter.H\r\nPacker.Win.VBNetCrypter.E\r\nPacker.Win.DotNetCrypter.G\r\nTrojan.Win.Benjaminbo_test.gl.A\r\nbehavioral.win.suspautorun.a\r\nbehavioral.win.imagemodification.g\r\nSource: https://blog.checkpoint.com/research/the-growing-danger-of-blind-eagle-one-of-latin-americas-most-dangerous-cyber-criminal-groups-targets-colombia/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.checkpoint.com/research/the-growing-danger-of-blind-eagle-one-of-latin-americas-most-dangerous-cyber-criminal-groups-targets-colombia/"
	],
	"report_names": [
		"the-growing-danger-of-blind-eagle-one-of-latin-americas-most-dangerous-cyber-criminal-groups-targets-colombia"
	],
	"threat_actors": [],
	"ts_created_at": 1776737964,
	"ts_updated_at": 1776738018,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/595664701f4cf78f3a37fc1d41aaf41d8d0f7759.pdf",
		"text": "https://archive.orkl.eu/595664701f4cf78f3a37fc1d41aaf41d8d0f7759.txt",
		"img": "https://archive.orkl.eu/595664701f4cf78f3a37fc1d41aaf41d8d0f7759.jpg"
	}
}