Blind Eagle: A Growing Cyber Threat to Colombia’s Government and Institutions

Listen to this Post

Since November 2024, a significant cyber-threat campaign has been targeting Colombian government entities and organizations. This wave of attacks, attributed to the threat group Blind Eagle (also known as APT-C-36), showcases a new method of exploiting security vulnerabilities. These attackers have been distributing malicious .url files, leveraging the recently patched CVE-2024-43451 vulnerability in a way that is different from traditional exploitation. Although Blind Eagle’s attacks do not directly exploit the vulnerability, they trigger WebDAV requests that allow them to monitor file interactions. This article explores these cyber-attacks in detail, focusing on the methods used by Blind Eagle, the scale of their campaigns, and their impact on Colombian institutions.

Since November 2024, Blind Eagle has launched an ongoing cyber-attack campaign aimed at various Colombian institutions, including government agencies, judicial bodies, and private organizations. The attackers have been distributing malicious .url files designed to mimic the CVE-2024-43451 vulnerability that was patched by Microsoft on November 12, 2024.

While these .url files do not directly exploit this particular vulnerability, they do trigger WebDAV requests that inform attackers when the files have been downloaded. These requests are activated when the file is interacted with in certain ways, such as right-clicking, deleting, or dragging it. If a user clicks on the malicious file, a second-stage payload is triggered through another WebDAV request, which delivers malware to the system.

Blind Eagle incorporated this attack technique just six days after Microsoft’s patch release, indicating their rapid adaptation to new methods. One of the largest campaigns occurred on December 19, 2024, infecting over 1600 victims, a significant number given the group’s history of selective targeting.

The

As part of these campaigns, in January 2025, Blind Eagle launched two new waves of attacks known as “socialismo” and “miami,” which relied on compromised Google Drive accounts to distribute the malicious .url files. The malware executed a complex infection chain, ultimately resulting in data exfiltration and system compromise. Additionally, a campaign called “Parasio” saw the group using Bitbucket to distribute the Remcos RAT payload, infecting approximately 9,000 users in one week.

Alongside these attacks, Blind Eagle has also been linked to phishing campaigns targeting Colombian citizens. In February 2025, the group accidentally exposed an HTML file containing personally identifiable information (PII) from a phishing campaign. This dataset included 8075 entries with sensitive data, including credentials and ATM PINs, along with several compromised Colombian government email accounts.

As Blind Eagle continues to target Colombian public and private sectors, they remain one of the most active and dangerous threat actors in the region. The group’s success is largely attributed to their ability to use legitimate platforms for malware distribution, making their attacks more difficult to detect and defend against.

Organizations in Colombia and other countries facing similar threats are urged to adopt stricter security policies, disable NTLM authentication where possible, and closely monitor network activity for unusual WebDAV requests that may indicate the presence of malicious files.

What Undercode Says:

Blind Eagle’s cyber campaigns demonstrate a troubling trend in the evolving landscape of cyber threats. Their ability to bypass traditional security measures by using widely trusted platforms like Google Drive, Dropbox, Bitbucket, and GitHub showcases a new level of sophistication. What makes Blind Eagle particularly dangerous is not just the scale of their attacks, but also their ability to exploit security gaps quickly after vulnerabilities are disclosed and patched. In the case of CVE-2024-43451, they were able to adapt their techniques within days of the patch, showing an advanced knowledge of post-patch exploitation strategies.

The use of WebDAV requests in this context is an interesting development. Unlike many other attack vectors that require direct interaction with the malicious code, WebDAV allows Blind Eagle to passively monitor file interactions, enabling them to confirm a successful download without immediate user action. This makes it harder for victims to detect and mitigate the threat in its early stages.

Blind Eagle’s targeting of specific sectors, such as Colombian judicial institutions and government bodies, suggests that their attacks are not just financially motivated but could also be politically driven. The exposure of sensitive data, including credentials and ATM PINs, further highlights the group’s ability to compromise critical personal and governmental data.

The group’s use of legitimate cloud services for hosting malware payloads raises significant concerns about the current state of cybersecurity. These platforms, which are generally trusted, make it easier for attackers to bypass network defenses, as they appear to be benign or even necessary for normal operations. This shift in attack strategies indicates that future cybersecurity measures may need to focus on scrutinizing the integrity of third-party cloud services, which are increasingly being leveraged for malicious purposes.

As Blind Eagle’s campaigns continue to evolve, it will be crucial for organizations to implement multi-layered security measures. This should include strong endpoint protection, network monitoring for unusual behavior, and user education on the risks of downloading files from untrusted sources. The success of these attacks also underscores the need for ongoing vigilance and quick adaptation to emerging cyber threats.

Fact Checker Results:

  • CVE-2024-43451 Patch: Microsoft’s patch release was on November 12, 2024, which directly addresses the vulnerability.
  • Attack Methods: Blind Eagle has been distributing .url files that leverage WebDAV requests to inform attackers of successful downloads and initiate further malicious payloads.
  • Impact on Colombia: The group has targeted over 1600 victims in a significant campaign in December 2024 and 9,000 more in a “Parasio” attack in one week.

References:

Reported By: https://www.infosecurity-magazine.com/news/blind-eagle-targets-colombian-gov/
Extra Source Hub:
https://www.discord.com
Wikipedia
Undercode AI

Image Source:

Pexels
Undercode AI DI v2

Join Our Cyber World:

💬 Whatsapp
💬 TelegramFeatured Image