Blind Eagle: …And Justice for All
March 11, 2025, 12:02 p.m.
Description
Check Point Research uncovered ongoing campaigns by Blind Eagle targeting Colombian institutions since November 2024. The group exploits a variant of CVE-2024-43451, using malicious .url files to deliver malware. Their attack chain includes HeartCrypt-packed executables, a .NET RAT, and Remcos RAT as the final payload. The campaigns have high infection rates, with over 1,600 victims in a single operation. Blind Eagle utilizes legitimate platforms like Google Drive and GitHub for malware distribution. The group's operating timezone suggests South American origins. An operational failure revealed past phishing activities targeting Colombian banks, resulting in over 8,000 stolen PII entries.
Tags
Date
- Created: March 10, 2025, 7:04 p.m.
- Published: March 10, 2025, 7:04 p.m.
- Modified: March 11, 2025, 12:02 p.m.
Indicators
Attack Patterns
- Remcos RAT
- PureCrypter
- Blind Eagle
- T1012
- T1497
- T1573
- T1016
- T1547
- T1082
- T1057
- T1083
- T1071
- T1102
- T1055
- T1036
- T1204
- T1140
- T1132
- T1033
- T1027
- T1112
- T1566
- T1059
Additional Information
- Defense
- Finance
- Government
- Colombia