Blind Eagle Strikes Again: How the APT Group is Exploiting NTLM Flaws and GitHub for Cyber Attacks
Digital Forensics Research and Service Center (DFRSC)
The South American-based APT group Blind Eagle (APT-C-36), also known as AguilaCiega, has resurfaced with a highly targeted attack campaign against Colombian institutions and government agencies. Using a combination of NTLM vulnerability exploits, remote access trojans (RATs), and GitHub-based malware distribution, the group has infected over 1,600 victims in its latest campaign.
A Growing Threat to Colombian Institutions
Blind Eagle has been active since at least 2018, with a focus on high-value targets in Colombia and Ecuador. The group's latest campaign, running since November 2024, showcases advanced evasion tactics and rapid adaptation to security patches.
According to Check Point, the group's tactics include:
How the Attack Works
Step 1: Spear-Phishing & Initial Access
Blind Eagle lures victims with phishing emails containing malicious .URL files. When clicked, these files trigger a WebDAV request, notifying attackers that the victim has interacted with the file—even if the NTLMv2 hash itself is not exposed.
Step 2: Payload Execution via GitHub
Once the victim interacts with the file, a malicious PureCrypter variant executes and deploys Remcos RAT—a known remote access trojan used for surveillance and data exfiltration. The malware was previously hosted on Bitbucket and GitHub, which enabled it to bypass traditional security measures.
Step 3: Persistence & Data Theft
The attackers gain long-term access by using Remcos RAT, AsyncRAT, NjRAT, and Quasar RAT, allowing them to control infected systems remotely.
Exploiting NTLM Flaws for Rapid Infiltration
Blind Eagle's use of CVE-2024-43451 is particularly alarming. This Microsoft Windows vulnerability was patched in November 2024, but within six days, the group had already integrated a variant of the exploit into its attack arsenal.
"While this variant does not actually expose the NTLMv2 hash, it notifies the threat actors that the file was downloaded by the same unusual user-file interactions," Check Point researchers noted.
Even on patched systems, manually clicking the .URL file still results in the download and execution of the next-stage payload, proving how quickly threat actors can adapt and weaponize newly disclosed vulnerabilities.
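The steps above and the CVE-2024-43451 discussion both turn on one artifact: a .URL file whose contents make Windows reach out to a remote host when the file is merely handled. A defender triaging mail attachments can inspect that file format directly. The script below is an added example written for this article, not Check Point's tooling or a sample from the campaign: it parses the INI-style .URL format and flags any URL, IconFile or WorkingDirectory value that points at a remote host via a UNC path or a file:// URL. The two input files and the 203.0.113.10 address are constructed for the demonstration, and the assumption that those three fields are the ones worth checking is mine, not a claim from the article.

```python
import re
from typing import Dict, List, Optional

# Constructed sample .URL files for the demonstration (not real campaign artifacts).
BENIGN_URL_FILE = (
    "[InternetShortcut]\r\n"
    "URL=https://example.org/\r\n"
    "IconFile=C:\\Windows\\System32\\SHELL32.dll\r\n"
    "IconIndex=13\r\n"
)
SUSPICIOUS_URL_FILE = (
    "[InternetShortcut]\r\n"
    "URL=file://203.0.113.10/share/readme.txt\r\n"
    "IconFile=\\\\203.0.113.10\\share\\icon.ico\r\n"
    "IconIndex=1\r\n"
)

# Fields that can make the shell resolve a remote location (assumption for this triage).
INSPECTED_KEYS = ("url", "iconfile", "workingdirectory")
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")              # \\host\share\...
FILE_URL_RE = re.compile(r"^file://([^/\\]+)[/\\]", re.IGNORECASE)  # file://host/...
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def parse_url_file(text: str) -> Dict[str, str]:
    """Minimal case-insensitive parser for the INI-style .URL format.
    Only keys under the [InternetShortcut] section are kept."""
    fields: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "internetshortcut" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip().lower()] = value.strip()
    return fields


def remote_host(value: str) -> Optional[str]:
    """Return the host named by a UNC path or file:// URL, or None for local values."""
    match = UNC_RE.match(value) or FILE_URL_RE.match(value)
    return match.group(1).lower() if match else None


def triage_url_file(text: str) -> List[str]:
    """Return one finding per inspected field that references a non-local host."""
    findings: List[str] = []
    fields = parse_url_file(text)
    for key in INSPECTED_KEYS:
        value = fields.get(key)
        if not value:
            continue
        host = remote_host(value)
        if host is not None and host not in LOCAL_HOSTS:
            findings.append(f"{key} references remote host {host} ({value})")
    return findings


if __name__ == "__main__":
    for name, content in (("benign", BENIGN_URL_FILE), ("suspicious", SUSPICIOUS_URL_FILE)):
        print(name, triage_url_file(content) or "no remote references")
```

Run over an attachment quarantine, any hit is worth holding for analyst review regardless of patch level, since the article notes that a user opening the file still pulls the next-stage payload on patched systems.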
Operational Error Exposes Blind Eagle’s Footprint
In an unexpected twist, investigators uncovered a crucial operational error in Blind Eagle’s GitHub repository. A commit history analysis revealed a file containing account-password pairs linked to 1,634 unique email addresses.
The leaked "Ver Datos del Formulario.html" file (later deleted on February 25, 2025) contained:
The discovery also confirmed that Blind Eagle operates within a UTC-5 timezone, aligning with several South American nations.
How Organizations Can Defend Against Blind Eagle
The effectiveness of Blind Eagle's campaign stems from its ability to weaponize legitimate platforms like Google Drive, Dropbox, Bitbucket, and GitHub, making detection more difficult. Organizations must take the following measures:
- Apply the latest patches—Ensure all systems are protected against CVE-2024-43451 and other known vulnerabilities.
- Educate employees on phishing awareness—Users should be wary of .URL files in unsolicited emails.
- Monitor file-sharing platforms—Organizations should track and restrict access to Google Drive, Dropbox, Bitbucket, and GitHub for downloading executables.
- Deploy threat intelligence tools—Security teams should actively track RAT activity linked to Remcos, Quasar, AsyncRAT, and NjRAT.
- Use strong authentication—Implement multi-factor authentication (MFA) to prevent account compromise.
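The "monitor file-sharing platforms" recommendation is the one most organizations can act on with logs they already collect. The script below is an added example for this article, not vendor code, showing how a web-proxy log can be scanned for executable downloads from the platforms the article names (GitHub, Bitbucket, Google Drive, Dropbox). The log line format, the client addresses and the repository paths are constructed; the watched-domain list and the executable extension and content-type sets are assumptions to be tuned to your own environment, not indicators from the campaign.

```python
import os
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Platforms named in the article; subdomains are matched by suffix (assumption: tune per environment).
WATCHED_DOMAINS = (
    "github.com", "githubusercontent.com",
    "bitbucket.org",
    "drive.google.com",
    "dropbox.com", "dropboxusercontent.com",
)
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".msi", ".bat", ".cmd",
                   ".ps1", ".vbs", ".js", ".hta", ".url", ".lnk"}
BINARY_CONTENT_TYPES = {"application/x-msdownload", "application/x-msdos-program",
                        "application/vnd.microsoft.portable-executable",
                        "application/octet-stream"}

# Constructed proxy log lines: timestamp client method url status content-type bytes
LOG_LINES = [
    "2025-02-25T10:01:02Z 10.0.0.5 GET https://raw.githubusercontent.com/example-org/repo/main/update.exe 200 application/octet-stream 48123",
    "2025-02-25T10:01:09Z 10.0.0.5 GET https://github.com/example-org/repo 200 text/html 20311",
    "2025-02-25T10:03:44Z 10.0.0.7 GET https://drive.google.com/uc?export=download&id=CONSTRUCTED_ID 200 application/x-msdownload 91002",
    "2025-02-25T10:04:10Z 10.0.0.9 GET https://www.dropbox.com/home 200 text/html 15000",
    "2025-02-25T10:05:31Z 10.0.0.9 GET https://downloads.example.org/tool.exe 200 application/octet-stream 70000",
    "2025-02-25T10:06:00Z 10.0.0.5 GET https://bitbucket.org/example-org/repo/downloads/form.url 404 text/html 512",
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one constructed-format log line into named fields; None if malformed."""
    fields = line.split()
    if len(fields) != 7:
        return None
    keys = ("ts", "client", "method", "url", "status", "ctype", "size")
    return dict(zip(keys, fields))


def is_watched_host(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def classify(entry: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return an alert for a successful executable-looking download from a watched platform."""
    parsed = urlparse(entry["url"])
    host = parsed.hostname or ""
    if not is_watched_host(host):
        return None
    reasons = []
    ext = os.path.splitext(parsed.path)[1].lower()
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
    if entry["ctype"].lower() in BINARY_CONTENT_TYPES:
        reasons.append(f"binary content-type {entry['ctype']}")
    if not reasons:
        return None
    return {"ts": entry["ts"], "client": entry["client"], "host": host,
            "url": entry["url"], "reason": "; ".join(reasons)}


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Scan log lines, keeping only completed (HTTP 200) downloads."""
    alerts = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry["status"] != "200":
            continue
        alert = classify(entry)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan(LOG_LINES):
        print(f"{alert['ts']} {alert['client']} -> {alert['host']}: {alert['reason']}")
```

Ordinary browsing of these platforms (HTML pages, source archives) produces no alert; only a completed fetch that looks like a Windows executable by extension or declared content type does. The 404 line and the download from an unwatched host are deliberately included to show the two filters working.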
Conclusion
Blind Eagle continues to evolve its tactics, incorporating new vulnerabilities and stealthy distribution methods to remain effective. The rapid exploitation of CVE-2024-43451, combined with GitHub-based malware deployment, underscores the need for organizations to stay ahead of emerging threats.
As cybercriminals refine their techniques, proactive security measures and continuous monitoring remain the best defense against advanced persistent threats (APTs) like Blind Eagle.