Since 2018, the advanced persistent threat group APT-C-36, commonly known as Blind Eagle, has emerged as a formidable cyber adversary targeting critical sectors across Latin America. The group has shown a persistent focus on Colombian organizations, launching coordinated attacks against government institutions, financial organizations, and critical infrastructure through carefully orchestrated phishing campaigns and the deployment of Remote Access Trojans (RATs).

Darktrace analysts identified a significant Blind Eagle operation in late February 2025 on a Colombian customer network, where the threat actors demonstrated their ability to complete a full attack cycle within five hours.

Blind Eagle has shown remarkable adaptability in its attack vectors, particularly in exploiting vulnerabilities such as CVE-2024-43451, a Microsoft Windows flaw that enables disclosure of NTLMv2 password hashes through minimal user interaction with malicious files. Despite Microsoft's November 2024 patch release, the threat actors have continued to leverage the minimal-interaction mechanism, evolving their techniques to maintain operational effectiveness.

Following initial compromise, the infected device established communications with dynamic DNS endpoints, specifically '21ene.ip-ddns[.]com' and 'diciembrenotasenclub[.]longmusic[.]com', using TCP port 1512 for command execution. Dynamic DNS services give threat actors resilient infrastructure by automatically updating DNS records when IP addresses change, so the command-and-control hostname keeps working even when the underlying server moves. The investigation uncovered data exfiltration totaling 65.6 MiB across both endpoints, with 60 MiB transferred to the primary command server and 5.6 MiB to the secondary infrastructure, demonstrating the group's systematic approach to data theft from compromised environments.
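As an added illustration of how a defender would hunt for the activity described above, the script below (written for this article, not part of the Darktrace write-up) runs two checks over constructed connection records: it flags connections to dynamic-DNS domains on TCP port 1512, and it totals outbound bytes per dynamic-DNS destination to size a possible exfiltration. The record format, the internal IP address, timestamps and byte counts are all constructed for the example; the dynamic-DNS parent domains are derived from the two defanged endpoints on the page.

```python
# Added example (not from the Darktrace write-up or the article): a small hunt
# script that reproduces, over constructed connection records, the checks a
# defender would run for the activity described above.
from collections import defaultdict
from dataclasses import dataclass

MIB = 1024 * 1024

# Dynamic-DNS parent domains taken from the two defanged endpoints on the page;
# extend this tuple with other providers seen in your environment.
DYNAMIC_DNS_PROVIDERS = ("ip-ddns[.]com", "longmusic[.]com")
C2_PORTS = {1512}  # TCP port reported for command execution


def refang(host: str) -> str:
    """Turn a defanged indicator such as 'a.b[.]com' back into 'a.b.com'."""
    return host.lower().rstrip(".").replace("[.]", ".")


@dataclass
class Conn:
    ts: str
    src: str
    dst_host: str
    dst_port: int
    proto: str
    orig_bytes: int  # bytes sent by the internal (originating) host


def parse_line(line: str) -> Conn:
    # Constructed tab-separated record: ts, src, dst_host, dst_port, proto, orig_bytes
    ts, src, host, port, proto, sent = line.rstrip("\n").split("\t")
    return Conn(ts, src, refang(host), int(port), proto.lower(), int(sent))


def is_dynamic_dns(host: str) -> bool:
    """True when host is, or is a subdomain of, a known dynamic-DNS provider."""
    h = refang(host)
    return any(h == p or h.endswith("." + p) for p in map(refang, DYNAMIC_DNS_PROVIDERS))


def analyse(lines):
    """Return (alert strings, outbound bytes per dynamic-DNS destination)."""
    alerts, volume = [], defaultdict(int)
    for line in lines:
        c = parse_line(line)
        if not is_dynamic_dns(c.dst_host):
            continue  # only dynamic-DNS destinations are tracked here
        volume[c.dst_host] += c.orig_bytes
        if c.proto == "tcp" and c.dst_port in C2_PORTS:
            alerts.append(f"{c.ts} {c.src} -> {c.dst_host}:{c.dst_port}/tcp "
                          "(dynamic-DNS destination on reported C2 port)")
    return alerts, dict(volume)


def to_mib(n_bytes: int) -> float:
    """Bytes to MiB, rounded to one decimal as in the reported figures."""
    return round(n_bytes / MIB, 1)


# Constructed sample records; byte counts were chosen to reproduce the 60 MiB /
# 5.6 MiB split reported on the page, plus a benign connection as a control.
SAMPLE_LOG = [
    "\t".join(["2025-02-26T10:02:11Z", "10.20.30.40", "21ene.ip-ddns.com", "1512", "tcp", str(40 * MIB)]),
    "\t".join(["2025-02-26T11:15:03Z", "10.20.30.40", "21ene.ip-ddns.com", "1512", "tcp", str(20 * MIB)]),
    "\t".join(["2025-02-26T11:20:47Z", "10.20.30.40", "21ene.ip-ddns.com", "443", "tcp", "512"]),
    "\t".join(["2025-02-26T12:48:59Z", "10.20.30.40", "diciembrenotasenclub.longmusic.com", "1512", "tcp", "5872026"]),
    "\t".join(["2025-02-26T12:50:00Z", "10.20.30.40", "updates.example.com", "443", "tcp", "1200"]),
]

if __name__ == "__main__":
    found, sent = analyse(SAMPLE_LOG)
    for a in found:
        print(a)
    for host, n in sent.items():
        print(f"{host}: {to_mib(n)} MiB sent")
    print(f"total to dynamic-DNS hosts: {to_mib(sum(sent.values()))} MiB")
```

The volume check deliberately counts every connection to a dynamic-DNS host, not only those on port 1512, because an exfiltration channel need not share the port used for command execution; the port match is what raises the alert, the byte total is what tells an analyst how much may have left the network.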
Recent intelligence gathered since November 2024 reveals an ongoing campaign in which Blind Eagle actors have refined their delivery mechanisms. The group's operational methodology centers on social engineering, primarily phishing emails containing malicious URL links that initiate the compromise sequence. WebDAV, a protocol for transferring files and directories over the internet, then becomes the conduit for next-stage payload delivery and malware execution on compromised systems.
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 27 Jun 2025 06:10:54 +0000