Exposed: How Blind Eagle APT Breached 1,600+ Colombian Targets Using NTLM Vulnerabilities and GitHub Backdoors

# Blind Eagle APT Group Targets Colombian Institutions with Sophisticated Attacks

The threat actor known as Blind Eagle has launched a series of targeted campaigns against Colombian institutions and government entities since November 2024. According to Check Point’s analysis, these attacks have achieved significant infection rates, with over 1,600 victims affected during a single campaign in December 2024.

Active since at least 2018, Blind Eagle (also tracked as AguilaCiega, APT-C-36, and APT-Q-98) specializes in targeting entities in South America, particularly Colombia and Ecuador. The group typically employs spear-phishing emails to gain initial access before deploying remote access trojans like AsyncRAT, NjRAT, Quasar RAT, and Remcos RAT.

## Key Innovations in Recent Attacks

The latest campaign stands out for three significant developments:

1. Exploitation of a recently patched Microsoft Windows vulnerability (CVE-2024-43451)
2. Adoption of a new packer-as-a-service called HeartCrypt
3. Distribution of malware through Bitbucket and GitHub repositories, expanding beyond their previous use of Google Drive and Dropbox

Notably, Blind Eagle incorporated a variant of the CVE-2024-43451 exploit just six days after Microsoft released a patch, demonstrating their technical agility. The attack begins when victims click a malicious .URL file in a phishing email, triggering the download of HeartCrypt-protected malware that ultimately deploys Remcos RAT.
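The chain above starts with a Windows Internet Shortcut (.URL) attachment. As an added, defender-side example (not code from the article or from Check Point's research), the script below parses the INI-style `[InternetShortcut]` section of such a file and flags shortcuts whose `URL`, `IconFile` or `WorkingDirectory` field points at a remote share (a UNC path or a `file://` target), since an NTLM hash disclosure flaw such as CVE-2024-43451 is reached through this kind of field rather than through the visible web link. The field names checked and the "quarantine / allow" verdict are illustrative assumptions, and the two sample files are constructed, not samples from the campaign.

```python
"""Heuristic triage of Windows Internet Shortcut (.URL) attachments.

Added example for mail-gateway or sandbox triage; not part of the original
article or of Check Point's report. The heuristic (flag remote-share
references in URL/IconFile/WorkingDirectory) is an assumption chosen for
illustration, not a complete detection for CVE-2024-43451.
"""
import configparser
from urllib.parse import urlparse

# Fields of an InternetShortcut that Windows resolves on the user's behalf.
CHECKED_FIELDS = ("url", "iconfile", "workingdirectory")


def parse_url_file(text: str) -> dict:
    """Return the [InternetShortcut] key/value pairs, keys lower-cased.

    An empty dict means the text is not a well-formed .URL file.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    if "InternetShortcut" not in cp:
        return {}
    return {k.lower(): v.strip() for k, v in cp["InternetShortcut"].items()}


def remote_indicators(fields: dict) -> list:
    """List the reasons a shortcut appears to reach a remote share."""
    reasons = []
    for name in CHECKED_FIELDS:
        value = fields.get(name)
        if not value:
            continue
        if value.startswith("\\\\"):
            # UNC path: Windows will authenticate to this host to fetch it.
            reasons.append(f"{name} is a UNC path: {value}")
            continue
        scheme = urlparse(value).scheme.lower()
        if name == "url" and scheme not in ("http", "https"):
            reasons.append(f"url uses non-web scheme '{scheme or 'none'}': {value}")
        elif name != "url" and scheme == "file":
            reasons.append(f"{name} uses file:// scheme: {value}")
    return reasons


def triage(text: str) -> dict:
    """Return a verdict for one .URL file together with the reasons."""
    fields = parse_url_file(text)
    if not fields:
        return {"verdict": "quarantine", "reasons": ["not a parseable .URL file"]}
    reasons = remote_indicators(fields)
    return {"verdict": "quarantine" if reasons else "allow", "reasons": reasons}


# Constructed samples (not files from the campaign). 203.0.113.5 is a
# documentation address used purely as a placeholder.
BENIGN_URL_FILE = """[InternetShortcut]
URL=https://www.example.com/report
IconIndex=0
"""

SUSPICIOUS_URL_FILE = """[InternetShortcut]
URL=https://www.example.com/factura
IconFile=\\\\203.0.113.5\\share\\icon.ico
IconIndex=1
"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_URL_FILE),
                          ("suspicious", SUSPICIOUS_URL_FILE)):
        result = triage(sample)
        print(f"{label}: {result['verdict']}")
        for reason in result["reasons"]:
            print(f"  - {reason}")
```

A shortcut with a remote `IconFile` is not proof of exploitation, but it has no legitimate reason to appear in an e-mail attachment, so routing such files to analyst review costs little and catches the delivery step before any user interaction.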

## Operational Security Failure

In a significant operational error, researchers discovered a file in the group’s GitHub repository containing 1,634 unique email addresses with corresponding passwords. This file, named “Ver Datos del Formulario.html,” contained sensitive information from Colombian individuals, government agencies, educational institutions, and businesses before being deleted on February 25, 2025.

Analysis of the repository commit history also revealed that the threat actor operates in the UTC-5 timezone, consistent with several South American countries, further supporting their suspected origin.
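The timezone inference described above can be reproduced from a repository's own metadata. As an added example (not code from the article or from Check Point), the script below takes the output of `git log --format=%aI` (author dates in ISO 8601 with their UTC offset), tallies the offsets, and cross-checks that the commit hours are plausible working hours for the winning offset. The log lines embedded below are constructed for illustration and are not from the repository discussed in the article; the decision to drop `+00:00` commits by default is an assumption, because commits made through a web editor or a CI system commonly carry a UTC timestamp that says nothing about the author's location.

```python
"""Infer a committer's working UTC offset from git author timestamps.

Added example, not part of the original article. Feed it the lines printed
by `git log --format=%aI` for the repository under analysis.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of `git log --format=%aI` output (not real commit data).
# The last line imitates a web-editor commit, which is recorded in UTC.
SAMPLE_LOG = """\
2024-12-02T09:14:03-05:00
2024-12-02T15:47:21-05:00
2024-12-05T10:02:44-05:00
2024-12-09T18:30:00-05:00
2024-12-11T08:55:12-05:00
2025-01-14T16:20:39-05:00
2025-02-25T11:05:07+00:00
"""


def parse_commit_dates(log_text: str) -> list:
    """Parse one ISO 8601 author date per line into aware datetimes."""
    dates = []
    for line in log_text.splitlines():
        line = line.strip()
        if line:
            dates.append(datetime.fromisoformat(line))
    return dates


def format_offset(off: timedelta) -> str:
    """Render a timedelta offset as UTC+HH:MM / UTC-HH:MM."""
    total = int(off.total_seconds())
    sign = "+" if total >= 0 else "-"
    hours, rem = divmod(abs(total), 3600)
    return f"UTC{sign}{hours:02d}:{rem // 60:02d}"


def offset_histogram(dates: list) -> Counter:
    """Count commits per UTC offset as recorded in the author date."""
    counts = Counter()
    for d in dates:
        counts[format_offset(d.utcoffset() or timedelta(0))] += 1
    return counts


def dominant_offset(dates: list, ignore_utc: bool = True):
    """Return (offset, commits, share) for the most common offset.

    With ignore_utc=True, +00:00 commits are excluded first because they are
    typically produced by web editors or CI rather than by the author's machine
    (assumption made for this example). Returns None when nothing remains.
    """
    counts = offset_histogram(dates)
    if ignore_utc:
        counts.pop("UTC+00:00", None)
    if not counts:
        return None
    offset, n = counts.most_common(1)[0]
    return offset, n, round(n / sum(counts.values()), 3)


def business_hours_share(dates: list, start: int = 8, end: int = 19) -> float:
    """Fraction of commits whose local wall-clock hour falls in [start, end).

    A dominant offset is only credible if the commits, read in that offset,
    cluster in ordinary working hours; .hour on an aware datetime is already
    the wall-clock hour for its own offset.
    """
    if not dates:
        return 0.0
    inside = sum(1 for d in dates if start <= d.hour < end)
    return round(inside / len(dates), 3)


if __name__ == "__main__":
    dates = parse_commit_dates(SAMPLE_LOG)
    print("offsets:", dict(offset_histogram(dates)))
    print("dominant:", dominant_offset(dates))
    print("business-hours share:", business_hours_share(dates))
```

Read the two outputs together: a dominant offset backed by a high business-hours share supports a location hypothesis, while a dominant offset whose commits land at 02:00 local suggests the committer's clock or offset is not what it appears to be. Either way, timestamps are corroborating evidence, not attribution on their own.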

Blind Eagle’s success stems largely from their exploitation of legitimate file-sharing platforms to bypass traditional security measures, combined with their effective use of underground crimeware tools that provide sophisticated evasion techniques and persistent access methods.
