Blind Eagle Hackers Leveraging Google Drive, Dropbox & GitHub To Bypass Security Defenses

After infection, Remcos can capture user credentials by logging keystrokes and stealing stored passwords, modify and delete files to sabotage systems or encrypt data for ransom, establish persistence through scheduled tasks and registry modifications to survive reboots, and exfiltrate sensitive information to command-and-control servers operated by Blind Eagle. A series of ongoing, targeted cyber campaigns by Blind Eagle (APT-C-36), one of Latin America’s most dangerous threat actors primarily targeting Colombia’s justice system, government institutions, and private organizations were recently unveiled by Check Point Research (CPR). This demonstrates how cyber criminals are becoming more agile, innovative, and prepared, requiring security teams to accelerate their patch management strategies and implement AI-driven threat prevention solutions to detect emerging threats before they can take hold. Organizations must respond by implementing comprehensive security strategies that include real-time endpoint protection, enhanced email security, and continuous monitoring of network traffic, particularly connections to legitimate cloud services that could be exploited as malware delivery channels. By leveraging trusted platforms like Google Drive, Dropbox, GitHub, and Bitbucket to host and distribute malware, the group makes it significantly more difficult for security tools to detect and flag their malicious activity. What makes these attacks particularly concerning is Blind Eagle’s strategic use of legitimate cloud-based services to bypass traditional security measures. Their approach requires minimal user interaction to trigger malware execution, making traditional security awareness less effective as a defensive measure. By leveraging trusted platforms and minimizing required user interaction, these attacks bypass traditional security measures with alarming efficiency. The group has demonstrated remarkable adaptability, incorporating new attack techniques just six days after Microsoft patched CVE-2024-43451, showing how attackers can turn security updates into weapons against their targets. The sophisticated tactics employed by Blind Eagle represent a significant evolution in cyber threat methodologies. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. Rather than waiting for zero-day vulnerabilities, threat actors are now closely monitoring security patches, analyzing them, and developing similar techniques that can bypass newly implemented defenses. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news. Unlike traditional malware that requires a user to open an attachment or enable macros, these .url files act passively, reporting back to attackers even before they are explicitly executed. Once executed, the final payload deployed is Remcos RAT (Remote Access Trojan), a sophisticated malware that grants attackers complete control over an infected machine. This allows Blind Eagle to identify and prioritize potential victims before deploying the full malware payload. The attack methodology employed by Blind Eagle demonstrates sophisticated understanding of both technical vulnerabilities and human behavior. Tushar is a Cyber security content editor with a passion for creating captivating and informative content. These specially crafted shortcut files contain references to attacker-controlled WebDAV servers, enabling both passive victim tracking and active malware delivery. The speed at which Blind Eagle weaponized a newly patched vulnerability raises important questions about the evolving threat landscape. These platforms are typically considered safe by security systems, creating a perfect cover for malicious operations. This method also enables the group to quickly update their malware payloads without reconfiguring their attack infrastructure, providing operational flexibility that enhances their effectiveness. The most innovative aspect of Blind Eagle’s current campaign is their weaponization of .url files as a tracking and delivery mechanism.

This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 11 Mar 2025 16:35:05 +0000


Cyber News related to Blind Eagle Hackers Leveraging Google Drive, Dropbox & GitHub To Bypass Security Defenses

Blind Eagle Hackers Leveraging Google Drive, Dropbox & GitHub To Bypass Security Defenses - After infection, Remcos can capture user credentials by logging keystrokes and stealing stored passwords, modify and delete files to sabotage systems or encrypt data for ransom, establish persistence through scheduled tasks and registry modifications ...
1 week ago Cybersecuritynews.com CVE-2024-43451 APT-C-36
CVE-2021-36845 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities in YITH Maintenance Mode (WordPress plugin) versions < 1.3.8, there are 46 vulnerable parameters that were missed by the vendor while patching the 1.3.7 version to 1.3.8. ...
3 years ago
Google shares "fix" for deleted Google Drive files - Google says it identified and fixed a bug causing customer files added to Google Drive after April-May 2023 to disappear. The fix isn't working for all affected users. Once recovery is complete, you'll see a new folder on your desktop with the ...
1 year ago Bleepingcomputer.com
North Korean Hackers Using Dropbox & PowerShell Scripts To Infiltrate Organizations - Dubbed ‘DEEP#DRIVE’ by researchers at Securonix, the operation leverages phishing lures, obfuscated PowerShell scripts, and Dropbox’s infrastructure to bypass security defenses and exfiltrate sensitive data. A coordinated cyber ...
1 month ago Cybersecuritynews.com Kimsuky
Google Cloud Next 2024: New Data Center Chip Joins Ecosystem - Google Cloud announced a new enterprise subscription for Chrome and a bevy of generative AI add-ons for Google Workspace during the Cloud Next '24 conference, held in Las Vegas from April 9 - 11. Overall, Google Cloud is putting its Gemini generative ...
11 months ago Techrepublic.com
Falcon Cloud Security Supports Google Cloud Run to Strengthen Serverless Application Security - We're thrilled to share that the CrowdStrike Falcon® sensor now fully supports Google Cloud Run, bringing advanced security capabilities to your serverless applications. While we announced this at Google Cloud Next in April 2024, this blog goes ...
8 months ago Crowdstrike.com
Researchers Claim Design Flaw in Google Workspace Puts Organizations at Risk - Google is disputing a security vendor's report this week about an apparent design weakness in Google Workspace that puts users at risk of data theft and other potential security issues. According to Hunters Security, a flaw in Google Workspace's ...
1 year ago Darkreading.com Hunters
Securing the code: navigating code and GitHub secrets scanning - Enter the world of GitHub secrets scanning tools, the vigilant sentinels of your digital gala. Secrets scanning in GitHub is anchored by two fundamental strategies: proactive prevention and reactive detection, each serving a critical function in ...
1 year ago Securityboulevard.com
Versions 14 and 13 of Android are Vulnerable to New Lock Screen Bypass Exploits - Using Android 14 and 13 smartphones, a newly discovered bug allowing the user to bypass the lock screen can compromise sensitive information from Google accounts stored in users' Google accounts, according to security researcher Jose Rodriguez. It ...
1 year ago Cysecurity.news
North Korea-Linked Group Levels Multistage Cyberattack on South Korea - North Korea-linked threat group Kimsuky has adopted a longer, eight-stage attack chain that abuses legitimate cloud services and employs evasive malware to conduct cyber espionage and financial crimes against South Korean entities. NET applications - ...
1 year ago Darkreading.com Kimsuky
Ahead of Regulatory Wave: Google's Pivotal Announcement for EU Users - Users in the European Union will be able to prevent Google services from sharing their data across different services if they do not wish to share their data. Google and five other large technology companies must comply with the EU's Digital Markets ...
1 year ago Cysecurity.news
APT Hackers Abusing GitHub - Hackers use GitHub to access and manipulate source code repositories. GitHub hosts open-source projects, and unauthorized access allows hackers to inject malicious code, steal sensitive information, and exploit vulnerabilities in software development ...
1 year ago Cybersecuritynews.com
Microsoft Security Copilot improves speed and efficiency for security and IT teams - First announced in March 2023, Microsoft Security Copilot-Microsoft's first generative AI security product-has sparked major interest. With the rapid innovations of Security Copilot, we have taken this solution beyond security operations use cases ...
1 year ago Microsoft.com
GitHub, PyTorch and More Organizations Found Vulnerable to Self-Hosted Runner Attacks - Last July, we published an article exploring the dangers of vulnerable self-hosted runners and how they can lead to severe software supply chain attacks. GitHub itself was found vulnerable, as well as various notable organizations, such as PyTorch, ...
1 year ago Securityboulevard.com
Google Fi User Data Breached Through T-Mobile Hack - According to Google Fi's email sent to its customers on Monday, a limited amount of their customer data was exposed in T-Mobile's breach after suspicious activity was noted in a system that contained Google Fi's customer data. Google Fi, Google's ...
2 years ago Hackread.com
Wordfence Intelligence Weekly WordPress Vulnerability Report (September 23, 2024 to September 29, 2024) - Software Name Software Slug 012 Ps Multi Languages 012-ps-multi-languages ABC APP CREATOR abcapp-creator Absolute Reviews absolute-reviews Accordion accordions Ads by WPQuads – Adsense Ads, Banner Ads, Popup Ads quick-adsense-reloaded Advanced File ...
5 months ago Wordfence.com Slug
How Hackers Interrupted GTA 5 Online Gameplay on PC - Recently, a cyber-attack on Grand Theft Auto 5 Online on PC caused an interruption to thousands of players’ gameplays. The game was completely taken offline and players couldn’t even access the main gameplay menu. The attack caused an uproar ...
2 years ago Hackread.com
CyberProof Announces Strategic Partnership With Google Cloud - PRESS RELEASE. ALISO VIEJO, Calif. and BENGALURU, India, May 6, 2024 /PRNewswire/ - CyberProof, a UST company, has announced an extended partnership with Google Cloud focused on leveraging Google Chronicle Security Operations and other Google Cloud ...
10 months ago Darkreading.com
GitHub Security Breach: Hackers Stole Code-Signing Certificates for GitHub Desktop and Atom - GitHub revealed on Monday that unknown hackers managed to steal encrypted code signing certificates related to some versions of GitHub Desktop for Mac and Atom apps. As a precaution, the company is revoking the exposed certificates. Versions 1.63.0 ...
2 years ago Thehackernews.com
GitHub code-signing certificates stolen - Another day, another access-token-based database breach. This time, the victim is Microsoft's GitHub business. On December 6, 2022, repositories from our atom, desktop, and other deprecated GitHub-owned organizations were cloned by a compromised ...
2 years ago Nakedsecurity.sophos.com
Embracing Security as Code - Everything is smooth until it isn't because we traditionally tend to handle the security stuff at the end of the development lifecycle, which adds cost and time to fix those discovered security issues and causes delays. Over the years, software ...
1 year ago Feeds.dzone.com
Cybersecurity jobs available right now: October 2, 2024 - Help Net Security - As an Applied Cybersecurity Engineer (Center for Securing the Homeland), you will apply interdisciplinary competencies in secure systems architecture and design, security operations, threat actor behavior, risk assessment, and network security to ...
5 months ago Helpnetsecurity.com
ACRStealer Malware Exploiting Google Docs as C2 To Steal Login Credentials - A newly identified malware variant dubbed ACRStealer has been observed leveraging Google Docs as a command-and-control (C2) server to bypass traditional security defenses and harvest sensitive login credentials. Enterprise security teams are advised ...
3 weeks ago Cybersecuritynews.com
CVE-2007-0228 - The DataCollector service in EIQ Networks Network Security Analyzer allows remote attackers to cause a denial of service (service crash) via a (1) &CONNECTSERVER& (2) &ADDENTRY& (3) &FIN& (4) &START& (5) ...
7 years ago
CVE-2021-32638 - Github's CodeQL action is provided to run CodeQL-based code scanning on non-GitHub CI/CD systems and requires a GitHub access token to connect to a GitHub repository. The runner and its documentation previously suggested passing the GitHub token ...
2 years ago

Latest Cyber News


Cyber Trends (last 7 days)