Since 2018, the advanced persistent threat group APT-C-36, commonly known as Blind Eagle, has emerged as a formidable cyber adversary targeting critical sectors across Latin America.
This sophisticated threat actor has demonstrated persistent focus on Colombian organizations, launching coordinated attacks against government institutions, financial organizations, and critical infrastructure through carefully orchestrated phishing campaigns and deployment of Remote Access Trojans (RATs).
The group’s operational methodology centers on social engineering tactics, primarily utilizing phishing emails containing malicious URL links to initiate compromise sequences.
Blind Eagle has shown remarkable adaptability in its attack vectors, particularly in exploiting vulnerabilities such as CVE-2024-43451, a Microsoft Windows flaw that enables disclosure of NTLMv2 password hashes through minimal user interaction with malicious files.
Despite Microsoft's November 2024 patch for the flaw, the threat actors have continued to rely on the same low-interaction trigger, adapting their techniques so the campaign remains effective against unpatched and patched hosts alike.
Recent intelligence gathered since November 2024 reveals an ongoing campaign where Blind Eagle actors have refined their delivery mechanisms.
When targeted recipients click malicious URLs, the attack sequence triggers a WebDAV request over HTTP port 80, utilizing the distinctive user agent string ‘Microsoft-WebDAV-MiniRedir/10.0.19044’.
WebDAV, an HTTP extension that lets a client read and write files and directories on a remote server, becomes the conduit for next-stage payload delivery and malware execution on compromised systems.
Darktrace analysts identified a significant Blind Eagle operation in late February 2025 on a Colombian customer network, where the threat actors demonstrated their ability to complete a full attack cycle within five hours.
The analysis revealed the compromised device connecting to the external IP address 62[.]60[.]226[.]112, geolocated in Germany, before downloading the executable payload ‘hxxp://62[.]60[.]226[.]112/file/3601_2042.exe’.
Command and Control Infrastructure Analysis
The attack’s command and control architecture reveals sophisticated operational security measures.
Following initial compromise, the infected device established communications with dynamic DNS endpoints, specifically '21ene.ip-ddns[.]com' and 'diciembrenotasenclub[.]longmusic[.]com', utilizing TCP port 1512 for command execution.
Dynamic DNS services give threat actors resilient infrastructure: the hostname stays constant while its DNS record is updated automatically whenever the underlying IP address changes, so blocking a single IP does not cut off access.
The investigation uncovered data exfiltration activities totaling 65.6 MiB across both endpoints, with 60 MiB transferred to the primary command server and 5.6 MiB to the secondary infrastructure, demonstrating the group’s systematic approach to data theft from compromised environments.
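The two network signals described above, the WebDAV request carrying the 'Microsoft-WebDAV-MiniRedir' user agent to an external host on port 80, and the port 1512 sessions to dynamic DNS hostnames, can be turned into simple detection logic. The following Python script is an added example, not code from the article or from Darktrace: it parses a few constructed connection-log lines (the log format, the internal source addresses and the internal naming suffix '.corp.example' are assumptions), flags the behaviours the article describes using only the indicators the article publishes, and totals bytes sent to the flagged hosts in MiB. The WebDAV rule only fires for external destinations, because MiniRedir traffic to internal SharePoint or file servers is normal.

```python
import ipaddress
import re
from collections import defaultdict

# Indicators as published in the article, written defanged exactly as on the page.
DEFANGED_IOCS = {
    "ips": ["62[.]60[.]226[.]112"],
    "domains": ["21ene.ip-ddns[.]com", "diciembrenotasenclub[.]longmusic[.]com"],
}
WEBDAV_UA = "Microsoft-WebDAV-MiniRedir/10.0.19044"   # user agent named in the article
C2_PORT = 1512                                        # command port named in the article
DYNDNS_SUFFIXES = (".ip-ddns.com", ".longmusic.com")  # the two providers the article names
INTERNAL_SUFFIXES = (".corp.example",)                # assumed internal naming; adjust per site
MIB = 1024 * 1024


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('62[.]60[.]226[.]112', 'hxxp://') into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp://", "http://")


IOC_IPS = {refang(i) for i in DEFANGED_IOCS["ips"]}
IOC_DOMAINS = {refang(d) for d in DEFANGED_IOCS["domains"]}

# Constructed sample log (not from the article). Fields:
# timestamp src_ip dst_host dst_port proto user_agent(or '-') bytes_out
SAMPLE_LOG = """\
2025-02-24T10:02:11Z 10.1.4.23 62.60.226.112 80 http Microsoft-WebDAV-MiniRedir/10.0.19044 1200
2025-02-24T10:02:14Z 10.1.4.23 62.60.226.112 80 http Microsoft-WebDAV-MiniRedir/10.0.19044 900
2025-02-24T10:05:40Z 10.1.4.23 21ene.ip-ddns.com 1512 tcp - 31457280
2025-02-24T10:40:02Z 10.1.4.23 21ene.ip-ddns.com 1512 tcp - 31457280
2025-02-24T11:10:55Z 10.1.4.23 diciembrenotasenclub.longmusic.com 1512 tcp - 5872026
2025-02-24T11:12:00Z 10.1.9.50 www.example.com 443 https Mozilla/5.0 4096
2025-02-24T11:13:00Z 10.1.9.50 fileserver.corp.example 80 http Microsoft-WebDAV-MiniRedir/10.0.19044 2048
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<port>\d+) "
    r"(?P<proto>\S+) (?P<ua>\S+) (?P<bytes>\d+)$"
)


def parse_log(text: str) -> list:
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["port"] = int(e["port"])
        e["bytes"] = int(e["bytes"])
        events.append(e)
    return events


def is_external(host: str) -> bool:
    """IP literals are external when globally routable; names are external unless internal-suffixed."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return not host.endswith(INTERNAL_SUFFIXES)


def detect(events: list) -> list:
    """Return (timestamp, src, dst, reasons) for every event matching a rule."""
    alerts = []
    for e in events:
        reasons = []
        # Rule 1: Windows WebDAV mini-redirector talking to an external host over plain HTTP.
        if e["ua"] == WEBDAV_UA and e["port"] == 80 and is_external(e["dst"]):
            reasons.append("webdav_miniredir_to_external")
        # Rule 2: destination is a published Blind Eagle indicator.
        if e["dst"] in IOC_IPS or e["dst"] in IOC_DOMAINS:
            reasons.append("known_blind_eagle_ioc")
        # Rule 3: dynamic DNS hostname contacted on the command port.
        if e["port"] == C2_PORT and e["dst"].endswith(DYNDNS_SUFFIXES):
            reasons.append("dyndns_on_1512")
        if reasons:
            alerts.append((e["ts"], e["src"], e["dst"], reasons))
    return alerts


def exfil_summary(events: list, hosts: set) -> dict:
    """Bytes sent to each host in `hosts`, rounded to 0.1 MiB (the unit the article uses)."""
    totals = defaultdict(int)
    for e in events:
        if e["dst"] in hosts:
            totals[e["dst"]] += e["bytes"]
    return {h: round(b / MIB, 1) for h, b in totals.items()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in detect(evs):
        print(alert)
    print(exfil_summary(evs, IOC_DOMAINS))
```

Run against the embedded sample, the WebDAV rule fires on the two port 80 requests to the German IP but not on the internal file server, the three port 1512 sessions are flagged both as dynamic DNS beaconing and as known indicators, and the per-host totals come out at 60.0 MiB and 5.6 MiB, matching the volumes the article reports. In production the indicator sets would be fed from a threat-intelligence platform rather than hard-coded, and the internal-suffix list replaced by the site's own definition of internal address space.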
The post APT-C-36 Hackers Attacking Government Institutions, Financial Organizations, and Critical Infrastructure appeared first on Cyber Security News.