Cyberespionage Group Blind Eagle Infects 1,600 Orgs in Colombia

Malware Campaign By Blind Eagle Group

The Blind Eagle group's attacks have reached a grim level of sophistication: it has infected more than 1,600 organizations with its malware. The campaign relies on phishing emails containing malicious attachments or URLs to deliver remote access trojans (RATs) such as NjRAT, AsyncRAT, and Remcos. This shows how quickly Blind Eagle is progressing in its mission and adopting new attack methodology.

URL Manipulation Attack: An Agile Attack Methodology

URL manipulation attack techniques emerged in the mid-2000s, and cyber criminals began relying on them to deceive and scam computer users. As email became the preferred communication channel, email-borne cyberattacks emerged alongside it.

Cyber attackers exploit email-based communication by manipulating URLs to deceive users and trick them into visiting malicious websites. URL manipulation-based email attacks have remained a strong email attack mechanism ever since.

Malware Campaign of Blind Eagle

In its most recent campaign, Blind Eagle infected more than 1,600 organizations with its malware, rotating through more than 10 command-and-control (C&C) servers within a two-month period. At the end of January 2025, Blind Eagle was seen distributing malicious URL files using potentially compromised Google Drive accounts.

According to Check Point, this infection chain included the in-memory execution of a PureCrypter variant, which harvested system and user information and downloaded the Remcos RAT from a GitHub repository. In December, two Bitbucket repositories were used to host the RAT.

Further research by Check Point found that around one week after Microsoft announced patches for CVE-2024-43451, Blind Eagle expanded its arsenal with a variant of the exploit for this vulnerability.

The security defect can be triggered by simple user interactions with a URL file containing the malicious code, such as a right-click, drag-and-drop, or deletion operation. Successful exploitation could lead to an attacker retrieving a user's NTLMv2 hash.

The group also recently expanded its arsenal with additional commodity malware, including a variant of PureCrypter. Menlo Labs has warned that the PureCrypter downloader has been used to deliver different types of malware to government entities in the Asia-Pacific and North America regions.

Cyber Attacks Growing Sophisticated: Are We Ready?

Blind Eagle's campaigns show a grim level of attack sophistication, as researchers observed throughout the attack chain. The .NET RAT collects detailed information about the victim's system, including username, operating system version, installed antivirus, and machine specifications.

Between December 2024 and February 2025, Blind Eagle conducted multiple campaigns identified by internal codenames such as “socialismo,” “miami,” “PARAISO,” “marte,” and “saturno”.

These campaigns used a consistent attack chain: malicious .url files delivered via email (often through compromised Google Drive accounts) would download HeartCrypt-packed malware.

These malicious campaigns highlight the need to invest more in human and technological resources, including cyber skilling and the development of cyber-ready professionals. By establishing cyber security centers of excellence, adopting best practices, and fostering collaboration and information sharing among agencies and sectors, such threats can be minimized.

Advanced cyberattacks now leverage AI and machine learning, demanding equally sophisticated defense strategies. Stricter data protection laws worldwide also require cybersecurity expertise to ensure compliance at the enterprise level.

Identifying Malicious Phishing URLs

Phishing URLs deceive people quickly, and the victims end up defrauded. People are not in the habit of paying sufficient attention to URLs, which makes them a soft target; whether through a lack of knowledge or careless behavior, cyber criminals can easily deceive them. In the first quarter of 2025, with the sophistication of cyber crime growing, raising public awareness of how data is siphoned off through the duplication of trustworthy websites will become essential.

Analysis of Malicious URLs and Datasets: Importance of Threat Intelligence

One approach is to develop a clustering solution that accurately detects malicious URLs based on keyword analysis. Threat intelligence feeds provide information gathered from a wide variety of sources, including indicators of compromise, open-source feeds, and, where possible, information shared between organizations.

Threat intelligence feeds contain suspicious domains, list of known malware hashes, IP addresses associated with malicious activity, threat signatures, etc. For feeds to be actionable, they have to be integrated into security applications so that threat information can be correlated with internal application traffic data like firewall and DNS logs. This allows network administrators to identify and mitigate potential cyber-attacks.
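As an added illustration of the correlation step described above (this is example code, not part of the original article or any vendor tool), the following matches a small constructed threat feed of domains and IP addresses against constructed DNS and firewall log lines, treating a DNS query as a hit when it or any parent domain is on the feed:

```python
import re
from typing import Dict, List, Set

# Constructed threat-intelligence feed (placeholder indicators, not real ones).
FEED: Dict[str, Set[str]] = {
    "domains": {"notificacion-judicial.example", "citacion-audiencia.example"},
    "ips": {"203.0.113.45"},  # TEST-NET-3 documentation address, a placeholder
}

# Constructed DNS and firewall log lines in a simple key=value layout.
LOGS = [
    "ts=2025-02-10T09:12:01Z type=dns client=10.0.0.21 query=cdn.notificacion-judicial.example.",
    "ts=2025-02-10T09:12:02Z type=fw src=10.0.0.21 dst=203.0.113.45 dport=443 action=allow",
    "ts=2025-02-10T09:13:44Z type=dns client=10.0.0.33 query=mail.example.org",
    "ts=2025-02-10T09:15:09Z type=fw src=10.0.0.33 dst=198.51.100.7 dport=443 action=allow",
]

KV = re.compile(r"(\w+)=(\S+)")

def parse_line(line: str) -> Dict[str, str]:
    """Turn 'key=value key=value' into a dict."""
    return dict(KV.findall(line))

def domain_hit(query: str, domains: Set[str]) -> str:
    """Return the feed entry matching the query or one of its parent domains,
    so 'notificacion-judicial.example' also catches 'cdn.notificacion-judicial.example'.
    The bare TLD is never tested, to avoid matching a whole zone."""
    labels = query.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        cand = ".".join(labels[i:])
        if cand in domains:
            return cand
    return ""

def correlate(lines: List[str], feed: Dict[str, Set[str]]) -> List[Dict[str, str]]:
    """Correlate DNS queries with feed domains and firewall destinations with feed IPs."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        indicator = ""
        if rec.get("type") == "dns":
            indicator = domain_hit(rec.get("query", ""), feed["domains"])
        elif rec.get("type") == "fw" and rec.get("dst") in feed["ips"]:
            indicator = rec["dst"]
        if indicator:
            host = rec.get("client") or rec.get("src", "")
            hits.append({"ts": rec["ts"], "host": host, "indicator": indicator})
    return hits

def hosts_to_triage(hits: List[Dict[str, str]]) -> List[str]:
    """Internal hosts that touched any indicator, for the incident responder."""
    return sorted({h["host"] for h in hits})
```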

Impact is Severe on Colombian Govt & Private Sectors

The impact of Blind Eagle’s campaigns has been substantial, particularly on Colombian governmental organizations. The group has been specifically targeting various Colombian justice system entities, including courts handling criminal cases, labor disputes, and security measures.

The malicious file names mimic official legal communications, such as notifications of hearings, judicial complaints, and protective orders, exploiting the trust in governmental communications to increase the likelihood of victim interaction.

Generative AI has given scammers leverage to generate lists of look-alike domains. Scammers adopt multiple techniques when crafting typical URL-based attacks.

These include using algorithms to add or strip a dash (- or _), add or strip characters, add a TLD (top-level domain) before the real TLD or use the wrong TLD, replace vowels, and so on.
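The following added example (not from the original article) classifies a hostname against a constructed watch list of legitimate domains, flagging the look-alike techniques listed above: dash or underscore insertion, vowel replacement, single added or stripped characters, the wrong TLD, and a trusted domain pasted in front of another domain. It assumes a one-label public suffix, so multi-label suffixes such as gov.co are a known gap.

```python
import re
from typing import List, Tuple

# Constructed watch list of legitimate domains the organisation wants protected
# (illustrative names, not real infrastructure).
TRUSTED = ["juzgados.example", "google.com"]

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch single added or stripped characters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def skeleton(label: str) -> str:
    """Drop dashes/underscores and blank out vowels, so 'juzg-ados' and
    'juzgedos' collapse to the same skeleton as 'juzgados'."""
    return re.sub(r"[aeiou]", "*", re.sub(r"[-_]", "", label))

def classify(host: str, trusted: List[str] = TRUSTED) -> Tuple[str, str, str]:
    """Return (verdict, resembled_trusted_domain, reason);
    verdict is 'trusted', 'lookalike' or 'unrelated'."""
    host = host.lower().strip(".")
    labels = host.split(".")
    for t in trusted:
        if host == t or host.endswith("." + t):
            return ("trusted", t, "exact domain or subdomain")
    for t in trusted:
        name = t.split(".", 1)[0]
        # Whole trusted domain pasted in front of another domain, i.e. a TLD
        # appearing before the real TLD: google.com.evil.example
        if host.startswith(t + "."):
            return ("lookalike", t, "trusted domain used as a subdomain")
        # Right name, wrong or extra TLD: juzgados.net, juzgados.co.example
        if labels[0] == name:
            return ("lookalike", t, "wrong or extra tld")
        if len(labels) >= 2:
            cand = labels[-2]  # second-level label under a one-label suffix
            if cand == name:
                return ("lookalike", t, "wrong tld")
            if levenshtein(skeleton(cand), skeleton(name)) <= 1:
                return ("lookalike", t, "dash, vowel or character edit")
    return ("unrelated", "", "")
```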

How organizations deal with URL-based attacks is up to them. Two further ways attackers use URLs are shorteners and watering hole attacks.

URL shorteners are used to wrap a malicious URL in a third-party shortening service so that it looks more legitimate. Cyber criminals stay one step ahead by wrapping a URL several times in order to avoid detection.

The watering hole technique targets an organization or a group of users known to visit a specific website often. To avoid detection, attackers compromise that website using a known vulnerability and then use links from it to steal credentials or install malware on a user's device.


Sources:

1,600 Victims Hit by South American APT's Malware – SecurityWeek

Blind Eagle Targets Organizations with Weaponized .URL Files to Steal User Hashes

Analyzing Malicious URLs using a Threat Intelligence System
