Colombian institutions and government organizations have been subjected to a series of targeted attacks by the Blind Eagle cybercrime group, which has been operating since 2018. According to Check Point, the attacks launched since November 2024 have affected more than 1600 victims.
Blind Eagle, also known as AguilaCiega, APT-C-36 and APT-Q-98, specializes in attacks in South America, mainly in Colombia and Ecuador. The group relies on social engineering, such as phishing emails, to gain initial access to victims' systems. It then deploys remote access trojans such as AsyncRAT, njRAT, Quasar RAT, and Remcos RAT.
The latest Blind Eagle attacks have three main features. First, the group is using a modified version of an exploit for CVE-2024-43451, a Windows vulnerability that leaks NTLMv2 hashes. Microsoft patched the issue in November 2024, but Blind Eagle added it to its arsenal just six days after the patch was released.
Second, the attackers have started using a new service called HeartCrypt to evade security controls. Third, they have been distributing malware through platforms such as Bitbucket and GitHub, extending their use of legitimate file-hosting services beyond Google Drive and Dropbox.
The CVE-2024-43451 exploit variant lets attackers manipulate how users interact with a malicious file, even without leaking the NTLMv2 hash itself. On vulnerable devices, the WebDAV request can fire before the victim manually opens the file. Clicking the malicious .url file triggers the download and execution of malicious code on all systems, regardless of patch status.
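As a defender-side illustration added here (not code from Check Point or from the article), the following Python scans Internet Shortcut (.url) files for fields that would make Windows reach out to a remote host when the shortcut is rendered or clicked. The sample files, the field heuristic and the treatment of the `\\host@80\` UNC form as a WebDAV indicator are the editor's assumptions, not details taken from the report.

```python
import configparser
import re

# Constructed sample .url (Internet Shortcut) files. They are NOT samples from
# the Blind Eagle campaign; they exist only to exercise the heuristic below.
SAMPLE_URL_FILES = {
    "benign.url": (
        "[InternetShortcut]\n"
        "URL=https://example.org/docs\n"
        "IconFile=C:\\Windows\\System32\\shell32.dll\n"
        "IconIndex=0\n"
    ),
    "suspect_unc.url": (
        "[InternetShortcut]\n"
        "URL=file://198.51.100.7@80/share/doc.pdf\n"
        "IconFile=\\\\198.51.100.7@80\\share\\icon.ico\n"
    ),
    "suspect_http_icon.url": (
        "[InternetShortcut]\n"
        "URL=https://example.org\n"
        "IconFile=http://203.0.113.9/dav/x.ico\n"
    ),
}

# Any of these prefixes in IconFile means the icon is fetched from somewhere
# other than a local path (a legitimate shortcut normally uses a local .dll/.ico).
REMOTE_PREFIX = re.compile(r"^(\\\\|file://|https?://)", re.IGNORECASE)
# "\\host@80\..." and "\\host@SSL\..." are the UNC forms Windows hands to its
# WebDAV client (Mini-Redirector) rather than to SMB.
WEBDAV_UNC = re.compile(r"^\\\\[^\\]+@(80|443|ssl)\\", re.IGNORECASE)


def parse_internet_shortcut(text: str) -> dict:
    """Return the [InternetShortcut] section of a .url file as lower-cased key/value pairs."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section("InternetShortcut"):
        return {}
    return dict(cp.items("InternetShortcut"))


def scan_url_file(name: str, text: str) -> list:
    """Heuristic review (editor's assumption): flag fields that make Windows contact a remote host."""
    findings = []
    fields = parse_internet_shortcut(text)
    url, icon = fields.get("url", ""), fields.get("iconfile", "")
    if url.startswith("\\\\") or url.lower().startswith("file://"):
        findings.append(f"{name}: URL targets a UNC/file path instead of a web page: {url}")
    if REMOTE_PREFIX.match(icon):
        findings.append(f"{name}: IconFile points to a remote resource: {icon}")
    for value in (url, icon):
        if WEBDAV_UNC.match(value):
            findings.append(f"{name}: host@port UNC form routes the request to the WebDAV client: {value}")
    return findings


def scan_all(samples: dict = SAMPLE_URL_FILES) -> dict:
    """Scan every sample; returns {name: [findings]} (an empty list means nothing was flagged)."""
    return {name: scan_url_file(name, text) for name, text in samples.items()}
```

Run `scan_all()` over a directory of extracted .url attachments to triage which ones deserve a closer look; an empty list is not proof of safety, only that none of these three heuristics fired.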
Blind Eagle has shown that it can adapt quickly to changing cybersecurity conditions. Check Point suggests that the group's use of tools such as Remcos RAT, HeartCrypt, and PureCrypter indicates close ties to the underground cybercriminal ecosystem.
Further evidence about the origin of the attacks was found in one of the group's GitHub loaders, which operated in the UTC-5 time zone, matching several South American countries. Additionally, an error