Since 2018, APT-C-36, known as Blind Eagle, has targeted Latin American organizations, especially in Colombia, using phishing campaigns and exploiting vulnerabilities like CVE-2024-43451. In a recent campaign detected by Darktrace in 2025, Blind Eagle used WebDAV-based payload delivery and dynamic DNS for command-and-control, leading to data exfiltration from a Colombian customer. #BlindEagle #APT-C-36 #CVE-2024-43451 #WebDAV #Remcos
Keypoints
- Blind Eagle (APT-C-36) has focused on attacks against Latin American, particularly Colombian, government, financial, and critical infrastructure sectors since 2018.
- The group uses phishing emails with malicious URLs that download payloads triggered by minimal user interaction, exploiting CVE-2024-43451.
- The WebDAV protocol is used in the attack chain to download and execute malware, with the C2 traffic blending into ordinary HTTP to evade detection.
- Darktrace observed a 2025 compromise involving unusual HTTP connections to a rare German IP and dynamic DNS endpoints linked to Blind Eagle and Remcos RAT.
- The attack included the download of executables and large-volume data exfiltration to suspicious endpoints over previously unseen TCP ports.
- Lack of autonomous response on the victim’s network allowed the attack to escalate until manually contained by the security team.
- The campaign highlights the importance of anomaly-based detection and autonomous containment in defending against adaptive and persistent threat actors like Blind Eagle.
MITRE Techniques
- [T1189] Drive-by Compromise – Used as an initial access vector through malicious URLs delivered in phishing emails (‘phishing emails to deliver malicious URL links’).
- [T1190] Exploit Public-Facing Application – Exploitation of CVE-2024-43451 in Microsoft Windows for initial compromise (‘exploiting CVE-2024-43451, a vulnerability in Microsoft Windows’).
- [T0862] Supply Chain Compromise – Mentioned as a possible initial access vector in ICS environments within the mapping.
- [T0865] Spearphishing Attachment – Attack starts with phishing emails targeting specific recipients (‘attacks carried out by Blind Eagle actors typically start with a phishing email’).
- [T1105] Ingress Tool Transfer – Downloading stages of the attack payload via WebDAV (‘next stage payload is then downloaded via another WebDAV request’).
- [T1095] Non-Application Layer Protocol – Use of WebDAV protocol over HTTP port 80 for malware delivery and C2 communication (‘using the user agent Microsoft-WebDAV-MiniRedir/10.0.19044’).
- [T1571] Non-Standard Port – Communication over unusual TCP port 1512 to malicious endpoint (‘device was then observed connected to an endpoint … over the new TCP port 1512’).
- [T1568.002] Domain Generation Algorithms – Use of dynamic DNS service for command and control infrastructure (‘dynamic DNS endpoint… linked with previous likely Blind Eagle compromises’).
- [T0869] Standard Application Layer Protocol – Use of WebDAV in ICS environment for command and control (‘usage of the aforementioned transmission protocol WebDAV’).
- [T0849] Masquerading – Use of legitimate-looking user agents to evade detection (‘Microsoft-WebDAV-MiniRedir/10.0.19045’ user agent to hide malicious traffic).
- [T1041] Exfiltration Over C2 Channel – Data exfiltrated over C2 channels to malicious endpoints (‘device was also observed uploading data to…’).
- [T1567.002] Exfiltration to Cloud Storage – Data exfiltration observed to cloud-like services or dynamic DNS endpoints.
Indicators of Compromise
- [IP Address] Unusual external IP linked to Blind Eagle activity – 62[.]60[.]226[.]112 (German geolocation)
- [URL/File Name] Malicious executable download URL – hxxp://62[.]60[.]226[.]112/file/3601_2042.exe
- [Domain] Dynamic DNS domain used for C2 communications – 21ene.ip-ddns[.]com
- [Domain] Malicious hostname associated with data exfiltration – diciembrenotasenclub[.]longmusic[.]com
- [User Agent] Legitimate-looking WebDAV user agent used to mask malicious traffic – Microsoft-WebDAV-MiniRedir/10.0.19044, Microsoft-WebDAV-MiniRedir/10.0.19045
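The techniques and indicators above translate directly into a triage check over proxy or HTTP logs: the WebDAV Mini-Redirector user agent should only ever reach internal file shares, dynamic DNS hostnames and unexpected TCP ports are worth flagging on their own, and the listed IP and domains are hard matches. The following script is an added example, not Darktrace's or the report's own code; the log format, the internal domain suffix `.corp.example`, the dynamic DNS suffixes and the "expected" ports are assumptions, and the indicators are the report's values with the defanging brackets removed.

```python
import ipaddress
import re

WEBDAV_UA = re.compile(r"^Microsoft-WebDAV-MiniRedir/")  # user agent from the report
KNOWN_BAD = {"62.60.226.112", "21ene.ip-ddns.com", "diciembrenotasenclub.longmusic.com"}
# Assumptions: suffixes of the two dynamic DNS providers seen in the report,
# a constructed internal domain, and the ports normally expected for HTTP(S).
DDNS_SUFFIXES = (".ip-ddns.com", ".longmusic.com")
INTERNAL_SUFFIXES = (".corp.example",)
EXPECTED_PORTS = {80, 443}

# Constructed sample proxy log lines: src_ip dst_host dst_port user_agent
SAMPLE_LOG = """\
10.0.5.21 fileshare.corp.example 80 Microsoft-WebDAV-MiniRedir/10.0.19044
10.0.5.21 62.60.226.112 80 Microsoft-WebDAV-MiniRedir/10.0.19044
10.0.5.21 21ene.ip-ddns.com 1512 -
10.0.5.33 www.example.com 443 Mozilla/5.0
10.0.5.21 diciembrenotasenclub.longmusic.com 443 -
"""

def is_internal(dst: str) -> bool:
    """Private IP literals and hosts under the internal suffix count as internal."""
    try:
        return ipaddress.ip_address(dst).is_private
    except ValueError:  # not an IP literal, so check the hostname suffix
        return dst.endswith(INTERNAL_SUFFIXES)

def classify(dst: str, port: int, user_agent: str) -> list[str]:
    """Return why one connection record is suspicious (empty list if it is not)."""
    reasons = []
    if dst in KNOWN_BAD:
        reasons.append("known-ioc")
    # The WebDAV Mini-Redirector normally only reaches internal file shares.
    if WEBDAV_UA.match(user_agent) and not is_internal(dst):
        reasons.append("webdav-to-external")
    if dst.endswith(DDNS_SUFFIXES):
        reasons.append("dynamic-dns")
    if not is_internal(dst) and port not in EXPECTED_PORTS:
        reasons.append("non-standard-port")
    return reasons

def scan(log_text: str) -> dict[str, list[str]]:
    """Map 'dst:port' to its reasons for every flagged line in the log."""
    hits = {}
    for line in log_text.splitlines():
        _src, dst, port, user_agent = line.split(maxsplit=3)
        reasons = classify(dst, int(port), user_agent)
        if reasons:
            hits[f"{dst}:{port}"] = reasons
    return hits
```

Running `scan(SAMPLE_LOG)` leaves the internal share and the ordinary browser request alone and flags the three connections that match the report's pattern, with the port 1512 session to the dynamic DNS host collecting three separate reasons.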
Read more: https://www.darktrace.com/blog/patch-and-persist-darktraces-detection-of-blind-eagle-apt-c-36