Blind Eagle exploits NTLM flaw against Colombian institutions

March 12, 2025

The cybercriminal group Blind Eagle has been linked to a series of attacks on Colombian institutions, exploiting an NTLM vulnerability to deliver remote access trojans (RATs) through spear-phishing emails. The group, also known as AguilaCiega, APT-C-36, and APT-Q-98, has a history of targeting South American organisations, particularly in Colombia and Ecuador.

NTLM (NT LAN Manager) is a Microsoft authentication protocol used to verify user identities in Windows systems. It relies on a challenge-response mechanism instead of directly transmitting passwords. Though once widely used, NTLM is now considered outdated and vulnerable to cyber-attacks.

Blind Eagle’s recent campaign, which affected over 1,600 victims in December 2024, relied on social engineering to gain initial access. Attackers sent phishing emails containing malicious `.URL` files that, when clicked, exploited CVE-2024-43451, an NTLMv2 hash disclosure flaw patched by Microsoft in November 2024. While the exploit as used did not expose the NTLMv2 hash, it allowed the attackers to track user interactions and advance the infection process. On vulnerable devices, a WebDAV request was triggered even before the user manually interacted with the file.

Once inside a system, the attackers deployed RATs such as AsyncRAT, NjRAT, Quasar RAT, and Remcos RAT. To evade detection, they used HeartCrypt, a packer-as-a-service (PaaS) that protected their malware executables. The malware was then delivered via PureCrypter, a known loader for launching RATs, which was hosted on Bitbucket or GitHub repositories.

The tactics demonstrated by Blind Eagle showed its ability to adapt quickly.

The group incorporated the CVE-2024-43451 exploit into its operations just six days after Microsoft’s patch was released. Additionally, the attackers abused legitimate file-sharing platforms like Google Drive, Dropbox, Bitbucket, and GitHub to distribute malware and bypass traditional security measures.

An analysis of the group’s GitHub repository revealed an operational error that exposed 1,634 unique email addresses, along with usernames, passwords, email credentials, and ATM PINs linked to individuals, government agencies, educational institutions, and businesses in Colombia. A file named `Ver Datos del Formulario.html`, containing these sensitive details, was deleted from GitHub on February 25, 2025, but had already been analysed by security researchers.

Blind Eagle’s continued exploitation of file-sharing services and underground crimeware tools highlights its deep connections to the cybercriminal ecosystem. As the group refines its techniques, organisations must remain vigilant against phishing attacks and ensure their systems are updated to prevent exploitation.