APT-C-36 (Blind Eagle) activity in March 2025

Intel Name: APT-C-36 (Blind Eagle) activity in March 2025

Date of Scan: March 19, 2025

Impact: Medium

Summary:
In March 2025, activity from APT-C-36, also known as Blind Eagle, was detected using tactics similar to those of its previous campaigns. The group, believed to be a South American threat actor, begins its intrusions with .url files that download an initial downloader from a WebDAV server. That downloader then contacts a C2 server and retrieves the final payload, typically the Remcos RAT, from an actively updated GitHub repository. A shared SSH key was also found across the group's infrastructure, indicating its continued presence and evolving techniques.
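The chain above starts with a .url (Internet Shortcut) file whose target pulls content from a remote WebDAV share. The following added example, which is not part of the original report, shows a defender-side triage check: it parses .url files and flags those whose target is a remote share rather than a local file or an ordinary web link. It assumes (the page does not say this) that the lure shortcuts reach the WebDAV server through a UNC or file:// target, the common way a shortcut file can fetch from a remote share; the sample shortcuts, file names and the 203.0.113.10 address are constructed for illustration.

```python
"""Triage .url files for targets that fetch from a remote share.

Added example (not from the report). Assumes the lure .url files use a
UNC or file:// target to reach the WebDAV server; samples are constructed.
"""
import configparser
import re
from urllib.parse import urlparse

# \\host\share\...  (UNC path; a .url target of this form opens a remote share)
UNC_RE = re.compile(r"^\\\\[^\\]+\\")
# Windows WebDAV-style UNC hosts carry an explicit port or SSL marker: \\host@80\ or \\host@SSL@443\
WEBDAV_HINT_RE = re.compile(r"^\\\\[^\\]*@(SSL@)?\d+\\", re.IGNORECASE)
DRIVE_RE = re.compile(r"^[A-Za-z]:$")


def parse_url_file(text):
    """Return the URL= target of an Internet Shortcut, or None if absent."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section("InternetShortcut"):
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)


def classify_target(target):
    """Classify a shortcut target as 'local', 'web', 'remote_share' or 'unknown'."""
    if target is None:
        return "unknown"
    t = target.strip()
    if UNC_RE.match(t):
        return "remote_share"
    parsed = urlparse(t)
    if parsed.scheme == "file":
        # file://host/share reaches a remote share; file:///C:/... and
        # file://C:/... stay on the local disk.
        if parsed.netloc and not DRIVE_RE.match(parsed.netloc):
            return "remote_share"
        return "local"
    if parsed.scheme in ("http", "https"):
        return "web"
    return "unknown"


def scan_url_files(files):
    """files: mapping of file name -> contents. Returns (name, target, note) for remote-share targets."""
    findings = []
    for name, text in files.items():
        target = parse_url_file(text)
        if classify_target(target) != "remote_share":
            continue
        if WEBDAV_HINT_RE.match(target.strip()):
            note = "UNC target with explicit port/SSL marker (WebDAV-style share)"
        else:
            note = "remote share target (UNC or file://host)"
        findings.append((name, target.strip(), note))
    return findings


# Constructed samples; 203.0.113.10 is a documentation address, not an IoC from the report.
SAMPLES = {
    "invoice.url": "[InternetShortcut]\r\nURL=\\\\203.0.113.10@80\\DavWWWRoot\\docs\\invoice.lnk\r\nIconIndex=13\r\n",
    "readme.url": "[InternetShortcut]\r\nURL=file:///C:/Users/Public/readme.txt\r\n",
    "site.url": "[InternetShortcut]\r\nURL=https://example.com/\r\n",
}

if __name__ == "__main__":
    for name, target, note in scan_url_files(SAMPLES):
        print(f"{name}: {note}: {target}")
```

Run against a directory of quarantined attachments by reading each file into the mapping; a finding is a prompt for review (the shortcut may be benign corporate use of a file share), not a verdict on its own.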
