Blind Eagle’s Persistent Cyber Assaults on Latin American Institutions

Since 2018, the advanced persistent threat (APT) group known as Blind Eagle, or APT-C-36, has been orchestrating sophisticated cyberattacks targeting critical sectors across Latin America, with a pronounced focus on Colombia. Their operations have primarily involved government institutions, financial organizations, and critical infrastructure, employing meticulously crafted phishing campaigns and deploying various Remote Access Trojans (RATs) to infiltrate and compromise systems.

Operational Tactics and Techniques

Blind Eagle’s modus operandi centers on social engineering, particularly through phishing emails embedded with malicious links or attachments. These emails often masquerade as communications from legitimate entities, such as Colombia’s National Directorate of Taxes and Customs (DIAN), to deceive recipients into engaging with the content. Upon interaction, these emails initiate a sequence that leads to the deployment of malware, granting the attackers unauthorized access to the victim’s system.

A notable aspect of their strategy is the exploitation of known vulnerabilities. For instance, they have leveraged CVE-2024-43451, a Microsoft Windows flaw that allows for the disclosure of NTLMv2 password hashes with minimal user interaction. Despite Microsoft’s release of a patch in November 2024, Blind Eagle has continued to exploit this vulnerability, demonstrating their adaptability and persistence.

Recent Campaigns and Developments

In late 2024, Blind Eagle intensified its cyber operations. Reports indicate that between November and December 2024, the group launched a campaign resulting in over 9,000 infections within a single week, with approximately 1,600 victims identified, predominantly within judicial institutions. This escalation suggests a shift from targeted espionage to broader disruptive activities.

Their recent campaigns have also showcased advanced techniques, such as the use of malicious URL files that, when interacted with, trigger WebDAV requests. This method not only notifies the attackers of the file’s download but also facilitates the delivery of second-stage payloads, leading to malware execution on the compromised systems. Such tactics require minimal user interaction, enhancing the efficiency and stealth of their operations.

Command and Control Infrastructure

Blind Eagle employs a sophisticated command and control (C2) infrastructure to maintain persistent access to compromised systems. The group uses dynamic DNS services, which let a C2 hostname be repointed automatically whenever the attackers' IP address changes, so infected devices keep resolving the same name and communication is not interrupted by infrastructure moves or takedowns. Because the hostname stays constant while the IP behind it churns, IP-based blocking and detection are much less effective, which complicates mitigation efforts by security teams.

For example, in a campaign observed in February 2025, a compromised device connected to external IP addresses geolocated in Germany, downloading executable payloads and establishing communications with dynamic DNS endpoints. The attackers used TCP port 1512 for command execution and exfiltrated approximately 65.6 MiB of data, underscoring their systematic approach to data theft.

Implications and Recommendations

The persistent and evolving nature of Blind Eagle’s cyberattacks poses significant threats to national security, economic stability, and public trust in affected regions. Their ability to rapidly adapt to new vulnerabilities and employ sophisticated social engineering tactics necessitates a proactive and comprehensive cybersecurity strategy.

Organizations, especially those within targeted sectors, should implement the following measures:

– Employee Training: Conduct regular cybersecurity awareness programs to educate staff on recognizing phishing attempts and other social engineering tactics.

– Patch Management: Ensure timely application of security patches to address known vulnerabilities, reducing the risk of exploitation.

– Network Monitoring: Deploy advanced monitoring tools to detect unusual network activities, such as unexpected WebDAV requests or communications with dynamic DNS services.

– Incident Response Planning: Develop and regularly update incident response plans to swiftly address and mitigate the impact of potential breaches.

By adopting these measures, organizations can enhance their resilience against the sophisticated and persistent threats posed by groups like Blind Eagle.
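To make the Network Monitoring recommendation concrete, the following is an added example (not code from the original article or from any vendor report) that triages constructed log records for the three indicators described above: WebDAV requests from a workstation to an external host, lookups of dynamic-DNS hostnames, and outbound TCP sessions on port 1512 that move a large volume of data. The simplified log format, the internal address ranges, the dynamic-DNS suffix list and the 50 MiB exfiltration threshold are all assumptions; the sample lines are constructed.

```python
"""Flag Blind Eagle-style C2 and delivery indicators in simplified log records.

Record formats (assumed, one per line, whitespace separated):
  http <src_ip> <dst_ip> <method> <host>
  dns  <src_ip> <qname>
  conn <src_ip> <dst_ip> <proto> <dst_port> <orig_bytes>
"""
import ipaddress

# Assumed organisational ranges; anything outside them is "external".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Assumed placeholder suffixes for dynamic-DNS providers the org wants flagged.
DDNS_SUFFIXES = ("ddns.example", "dyn.example")
# WebDAV-specific verbs a URL-file lure triggers against a remote share.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL"}
C2_PORT = 1512                        # command port reported in the article
EXFIL_THRESHOLD = 50 * 1024 * 1024    # assumed: flag >= 50 MiB outbound

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def is_dynamic_dns(qname):
    q = qname.lower().rstrip(".")
    return any(q == s or q.endswith("." + s) for s in DDNS_SUFFIXES)

def triage(lines):
    """Return (rule, record) pairs for every record that matches an indicator."""
    hits = []
    for line in lines:
        f = line.split()
        if f[0] == "http" and f[3].upper() in WEBDAV_METHODS and is_external(f[2]):
            hits.append(("webdav-external", line))
        elif f[0] == "dns" and is_dynamic_dns(f[2]):
            hits.append(("dynamic-dns", line))
        elif f[0] == "conn" and f[3] == "tcp" and int(f[4]) == C2_PORT and is_external(f[2]):
            hits.append(("c2-port", line))
            if int(f[5]) >= EXFIL_THRESHOLD:   # 65.6 MiB in the reported case
                hits.append(("large-outbound", line))
    return hits

# Constructed sample: one benign internal WebDAV, one benign lookup, one HTTPS session.
SAMPLE = """http 10.0.0.5 203.0.113.10 PROPFIND 203.0.113.10
http 10.0.0.5 10.0.0.20 PROPFIND fileserver.corp.example
dns  10.0.0.5 update.host1.ddns.example
dns  10.0.0.5 www.example.org
conn 10.0.0.5 203.0.113.10 tcp 1512 68786586
conn 10.0.0.5 203.0.113.10 tcp 443 120000""".splitlines()

if __name__ == "__main__":
    for rule, rec in triage(SAMPLE):
        print(f"{rule:16} {rec}")
```

An internal PROPFIND to a file server and ordinary HTTPS traffic produce no hits, so the rules only fire on the external WebDAV fetch, the dynamic-DNS lookup and the port-1512 session carrying the large outbound transfer.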