APT-C-36 (Blind Eagle) Activity in March 2025

    Date: 03/19/2025

    Severity: Medium

    Summary

    In March 2025, activity from APT-C-36, also known as Blind Eagle, was detected following tactics similar to those used in its previous campaigns. The group, believed to be a South American threat actor, initiates attacks with .url files that fetch a first-stage downloader from a WebDAV server. This downloader then contacts a C2 server and retrieves a final payload, typically the Remcos RAT, from an actively updated GitHub repository. A shared SSH key was also found in the group's infrastructure, indicating its continued presence and evolving techniques.

    Indicators of Compromise (IOC) List

    URL/Domain


    IP Address 

    62.60.226.112

    191.88.252.140

    177.255.84.37

    Hash


    Filename


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    userdomainname like "https://github.com/fresas2025/fresa/raw/refs/heads/main/salmon.exe" or url like "https://github.com/fresas2025/fresa/raw/refs/heads/main/salmon.exe"
    or userdomainname like "computador12.ddns-ip.net" or url like "computador12.ddns-ip.net"
    or userdomainname like "activistascol25.myonlineportal.net" or url like "activistascol25.myonlineportal.net"
    or userdomainname like "venitocamelo25.ddns-ip.net" or url like "venitocamelo25.ddns-ip.net"
    or userdomainname like "https://github.com/fresas2025/fresa/raw/refs/heads/main/agropecuario.exe" or url like "https://github.com/fresas2025/fresa/raw/refs/heads/main/agropecuario.exe"
    or userdomainname like "https://github.com/fresas2025/fresa/raw/refs/heads/main/CON3.exe" or url like "https://github.com/fresas2025/fresa/raw/refs/heads/main/CON3.exe"
    or userdomainname like "https://github.com/fresas2025/fresa/raw/refs/heads/main/DesignsCornwall.exe" or url like "https://github.com/fresas2025/fresa/raw/refs/heads/main/DesignsCornwall.exe"
    or userdomainname like "https://github.com/fresas2025/fresa/raw/refs/heads/main/frutas.exe" or url like "https://github.com/fresas2025/fresa/raw/refs/heads/main/frutas.exe"
    or userdomainname like "usuariofebrero25.dedyn.io" or url like "usuariofebrero25.dedyn.io"
    or userdomainname like "Camino003.duia.eu" or url like "Camino003.duia.eu"
    or userdomainname like "asdasdsf.con-ip.com" or url like "asdasdsf.con-ip.com"

    Detection Query 2

    dstipaddress IN ("62.60.226.112","191.88.252.140","177.255.84.37") or ipaddress IN ("62.60.226.112","191.88.252.140","177.255.84.37") or publicipaddress IN ("62.60.226.112","191.88.252.140","177.255.84.37") or srcipaddress IN ("62.60.226.112","191.88.252.140","177.255.84.37")

    Detection Query 3

    sha256hash IN ("e9df6fc0cd0fb856bd15a378653b76b33e9620735474daec01a413a205cf0832","dd3706144ba3f88dd1606e7d06e6b0ecc4b848108a5eb6c5612b8912da3bc6c2","2ab78e5d801c37d36d0941f74105bbb49917a89761b104527acc594faf95dc3a","346530ea86a7fb02e7184736ed67363d736ba4fab6ab70f79129a962e61dd8fa","65d4f56e2813800de90ba1a3cbf13054fa238f233fc7b9db6a8caf1f2f987a90","61fb41b9fcf85698908bd772155e7a3e27c8cc33e1ed233b67a3a3063f522b63","4deec3644eb9b38695579cd49eed7628d750d49b8c3ea59ce3e4989a823813bf","bf4ce102f2685d5c2e1096de43ea95c8eeaebb7378486ed02541226f1c1ada83","157f03405b2658baa1ee8f76f4801403ffdeb217df37d8d95e867787608de6e3","47569431f421ff3ecf20a7898515ef4af78c27f3d53303a57f7c4f4225787191","5335603a304e42c6fef4d2fe76cbb92cf1b136d2ec9bea5a648fc002f392f2b1","5590b65c4114fc8bb0eecad6cfe83b5efb1c667e57507a2c699812e282563f13","82788e1057e5d1634e5aa3d33b15b44899635a93c7da02ec96f6c793031b4dd1","a08f11d4a8fd48e6f2dd5a3b1ea281e579f3f04293e67da8adb2ccd7b74acedb","cec6dceccc5b3937ab34de1bdd3c66cfa58875459fc5174194c89b5c4fa133d6","f7cc357c11576175e97990254bbb03e9764879a47e6dfd1ffcf06fb1dd192aad","ab9e926e4df55e4791b87167c7af7d58817e9b69b55cbaa8b54ce1ed3b032736","7234b5f14e83326a2f3db2c5180624c8c30da0495020caa4c80e5d03f14ebb56","83cc9395582825c673c7738afbb9f53a95b83aeb21365ad42703bcedf1ded219")

    Detection Query 4

    filename IN ("//\\62.60.226.112@80\file\590_9883.exe","//\\62.60.226.112@80\file\2430_1471.exe","//\\62.60.226.112@80\file\877_6120.exe","//\\62.60.226.112@80\file\932_6199.exe","//\\62.60.226.112@80\file\2744_6673.exe","//\\62.60.226.112@80\file\4917_8531.exe","//\\62.60.226.112@80\file\7309_9071.exe") OR objectname IN ("//\\62.60.226.112@80\file\590_9883.exe","//\\62.60.226.112@80\file\2430_1471.exe","//\\62.60.226.112@80\file\877_6120.exe","//\\62.60.226.112@80\file\932_6199.exe","//\\62.60.226.112@80\file\2744_6673.exe","//\\62.60.226.112@80\file\4917_8531.exe","//\\62.60.226.112@80\file\7309_9071.exe")
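    The queries above match exact indicator values. As an added example (not a Gurucul query and not from the Unit42 source), the Python below runs the same indicators from this advisory over constructed log lines and adds one generalisation: instead of matching the seven exact WebDAV file names, it matches the shape of the \\host@port\... UNC path that the .url lure uses to pull the downloader through the Windows WebDAV redirector, so a renamed payload on the same kind of host is still flagged. The log line format and the file name 9999_0000.exe are made up for the sample.

```python
import re

# Indicators copied from the advisory above: C2 domains, infrastructure IPs
# and the GitHub repository that hosts the final payloads.
IOC_DOMAINS = {
    "usuariofebrero25.dedyn.io", "activistascol25.myonlineportal.net",
    "camino003.duia.eu", "asdasdsf.con-ip.com",
    "computador12.ddns-ip.net", "venitocamelo25.ddns-ip.net",
}
IOC_IPS = {"62.60.226.112", "191.88.252.140", "177.255.84.37"}
# Prefix match: the repository is actively updated, so new file names appear.
IOC_GITHUB_PREFIX = "https://github.com/fresas2025/fresa/raw/"

# Generalisation of the Filename IOCs: a UNC path of the form \\host@port\...
# is resolved through the Windows WebDAV redirector, which is how the .url
# lure fetches the first-stage downloader. Matching the shape catches renames.
WEBDAV_UNC = re.compile(r"\\\\(?P<host>[\w.-]+)@(?P<port>\d+)\\\S*?\.exe", re.I)


def classify(line: str) -> list[str]:
    """Return the indicator categories that a single log line matches."""
    hits = []
    lower = line.lower()
    if any(d in lower for d in IOC_DOMAINS):
        hits.append("c2-domain")
    if any(ip in line for ip in IOC_IPS):
        hits.append("ioc-ip")
    if IOC_GITHUB_PREFIX in lower:
        hits.append("github-payload-repo")
    m = WEBDAV_UNC.search(line)
    if m:
        hits.append(f"webdav-unc:{m.group('host')}:{m.group('port')}")
    return hits


def scan(lines):
    """Map line index -> categories for every line that matched something."""
    return {i: h for i, l in enumerate(lines) if (h := classify(l))}


# Constructed sample log lines (not from the advisory); the second one uses a
# made-up file name to show that the UNC pattern does not depend on it.
SAMPLE_LOGS = [
    'proxy url="https://github.com/fresas2025/fresa/raw/refs/heads/main/salmon.exe" status=200',
    r'sysmon FileCreate TargetFilename="file://\\62.60.226.112@80\file\9999_0000.exe"',
    'dns query="Camino003.duia.eu" type=A',
    'proxy url="https://example.com/index.html" status=200',
]

if __name__ == "__main__":
    for idx, cats in scan(SAMPLE_LOGS).items():
        print(idx, cats)
```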

    Reference:

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-03-18-IOCs-for-APT-C-36-activity.txt

    Tags: Malware, Threat Actor, APT-C-36, BLIND EAGLE, South America, REMCOS RAT