CyberSecurity news
The Hacker News (info@thehackernews.com)
APT29, a Russian state-sponsored hacking group also known as Cozy Bear or Midnight Blizzard, has been targeting European diplomatic entities with a phishing campaign that began in January 2025. The group sends emails disguised as invitations to wine-tasting events to entice recipients into downloading a malicious ZIP archive, often named "wine.zip", which contains a legitimate PowerPoint executable alongside malicious DLL files designed to compromise the victim's system. The campaign focuses primarily on Ministries of Foreign Affairs and on other countries' embassies in Europe, with indications that diplomats based in the Middle East may also be targets.
The archive holds the PowerPoint executable ("wine.exe") and two hidden DLL files. When wine.exe is run, it loads one of the bundled DLLs instead of the library it expects, a technique known as DLL side-loading, and that DLL is a previously unknown malware loader called GRAPELOADER. GRAPELOADER establishes persistence by modifying the Windows Registry, collects basic system information such as the username and computer name, and contacts a command-and-control server to fetch additional payloads. The persistence entry and the C2 channel are what let the attackers keep access to the compromised system.
GRAPELOADER distinguishes itself through its stealth techniques: strings in its code are stored obfuscated and are decrypted only briefly in memory before being wiped again. It gains persistence by adding an entry to the Windows Registry's Run key so that "wine.exe" is launched automatically at each logon. The ultimate goal of the campaign is to deliver shellcode, and Check Point also identified updated WINELOADER artifacts uploaded to VirusTotal with compilation timestamps matching the recent activity. The emails are sent from domains such as bakenhof[.]com and silry[.]com.
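The two host-side behaviours described above, a DLL loaded from the executable's own directory and a Run-key value pointing at an executable in a user-writable location, are the kind of pattern a hunting query would look for. The script below is an added example, not code from Check Point or any of the sources listed on this page: it runs two detection rules over constructed Sysmon-style events (field names follow Sysmon's Image, ImageLoaded, TargetObject and Details, but the records, the Run value name and the DLL file name are assumptions made for the example, not indicators from the campaign).

```python
"""Hunt for DLL side-loading and Run-key persistence in Sysmon-style events.

Added example: the event records below are constructed for illustration and
are not indicators of compromise from the campaign described on this page.
"""
import ntpath
import re

# Directories a standard user can write to (case-insensitive prefix match).
USER_WRITABLE_RE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)"
    r"|users\\public|programdata|temp|windows\\temp)\\",
    re.IGNORECASE,
)
# Directories where vendor-signed binaries normally live.
TRUSTED_DIR_RE = re.compile(
    r"^[a-z]:\\(windows|program files( \(x86\))?)\\", re.IGNORECASE
)
# Registry paths under which a value means "run this at logon".
RUN_KEY_RE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.IGNORECASE
)

# Constructed sample: Sysmon event 7 (image load) and 13 (registry value set).
# The "wine" value name and the DLL name are assumptions for the example.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\wine\wine.exe"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\wine\wine.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\wine\example_sideload.dll",
     "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\wine",
     "Details": r"C:\Users\alice\AppData\Local\Temp\wine\wine.exe"},
    {"EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Chrome",
     "Details": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --no-startup-window'},
]


def is_user_writable(path):
    """True when the path sits in a directory a normal user can write to."""
    return bool(USER_WRITABLE_RE.match(path))


def extract_exe(details):
    """Pull the executable path out of a Run value's data (quoted or bare, with or without arguments)."""
    m = re.match(r'\s*"([^"]+)"', details) or re.match(r"\s*(\S+\.exe)", details, re.IGNORECASE)
    return m.group(1) if m else details.strip()


def detect_run_key_persistence(events):
    """Rule 1: a Run/RunOnce value whose target executable lives in a user-writable directory."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 13 or not RUN_KEY_RE.search(ev.get("TargetObject", "")):
            continue
        exe = extract_exe(ev.get("Details", ""))
        if is_user_writable(exe):
            hits.append({"rule": "run_key_user_writable", "value": ev["TargetObject"], "exe": exe})
    return hits


def detect_dll_sideload(events):
    """Rule 2: a process outside the vendor directories loads an unsigned DLL from its own folder.

    This is the side-loading shape: a legitimate (signed) EXE dropped next to an
    attacker DLL that carries a library name the EXE resolves from its own directory.
    """
    hits = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        proc, dll = ev.get("Image", ""), ev.get("ImageLoaded", "")
        same_dir = ntpath.dirname(proc).lower() == ntpath.dirname(dll).lower()
        unsigned = str(ev.get("Signed", "")).lower() != "true"
        if same_dir and unsigned and not TRUSTED_DIR_RE.match(proc):
            hits.append({"rule": "dll_sideload", "process": proc, "dll": dll})
    return hits


def hunt(events):
    """Run both rules and return all findings."""
    return detect_run_key_persistence(events) + detect_dll_sideload(events)


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Both rules are deliberately narrow: a Run value pointing into Program Files and a System32 DLL load pass untouched, while the Temp-directory executable and its neighbouring unsigned DLL are flagged. On real telemetry, rule 2 should additionally compare the DLL's signer with the host executable's signer, since a side-loaded DLL can carry a valid but unrelated signature.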
References:
- Check Point Blog: Details on APT29's updated phishing campaign targeting European diplomatic organizations. Focus on new malware and TTPs
- BleepingComputer: Russian state-sponsored espionage group Midnight Blizzard is behind a new spear-phishing campaign targeting diplomatic entities in Europe, including embassies.
- bsky.app: Midnight Blizzard deploys new GrapeLoader malware in embassy phishing
- blog.checkpoint.com: Unmasking APT29: The Sophisticated Phishing Campaign Targeting European Diplomacy
- cyberpress.org: Detailed report about APT29's GRAPELOADER campaign targeting European diplomats.
- research.checkpoint.com: Renewed APT29 Phishing Campaign Against European Diplomats
- Cyber Security News: APT29 Hackers Deploy GRAPELOADER in Latest Attack on European Diplomats
- The Register - Security: Russians lure European diplomats into malware trap with wine-tasting invite
- iHLS: Russian Phishing Campaign Steals Sensitive Data in European Government Networks
- www.scworld.com: New APT29 spear-phishing campaign targets European diplomatic organizations
- www.helpnetsecurity.com: Cozy Bear targets EU diplomats with wine-tasting invites (again)
- Help Net Security: Detailed report on the campaign's tactics, techniques, and procedures, including the use of fake wine-tasting invitations.
- securityonline.info: Sophisticated phishing campaign targeting European governments and diplomats, using a wine-themed approach
- securityonline.info: APT29 Targets European Diplomats with Wine-Themed Phishing
- www.csoonline.com: The tactics, techniques, and procedures (TTPs) observed in this campaign bear strong similarities to those seen in the previous WINELOADER campaign from March 2024. The report contains indicators of compromise such as file names, file hashes and C2 URLs that security teams can use to build detections and threat-hunting queries.
- Virus Bulletin: The campaign employs a new loader, called GRAPELOADER, which is downloaded via a link in the phishing email.
- The Hacker News: The Hacker News reports on APT29 targeting European diplomats with wine-themed phishing emails and the GrapeLoader malware.
- hackread.com: Russian Cozy Bear’s Wine Lure Drops WineLoader Malware on EU Diplomats
- ciso2ciso.com: Midnight Blizzard Targets European Diplomats with Wine Tasting Phishing Lure – Source: www.infosecurity-magazine.com
- ciso2ciso.com: APT29 Targets European Diplomats with Wine-Themed Phishing
- thehackernews.com: The Russian state-sponsored threat actor known as APT29 has been linked to an advanced phishing campaign that's targeting diplomatic entities across Europe with a new variant of WINELOADER and a previously unreported malware loader codenamed GRAPELOADER.
- www.techradar.com: European diplomats targeted by Russian phishing campaign promising fancy wine tasting
- Talkback Resources: APT29 Deploys GRAPELOADER Malware Targeting European Diplomats Through Wine-Tasting Lures [mal]
- Talkback Resources: Russian Cozy Bear’s Wine Lure Drops WineLoader Malware on EU Diplomats [social] [mal]
- securityaffairs.com: Russia-linked group APT29 targeted diplomatic entities across Europe with a new malware loader codenamed GRAPELOADER.
- eSecurity Planet: Russian Hackers Target European Diplomats with ‘Wine-Tasting’ Phishing Scams
- Security Risk Advisors: Russia-Linked APT29 Targets European Diplomats with New GRAPELOADER Malware in Sophisticated Phishing Campaign
- ciso2ciso.com: Russia-linked APT29 targets European diplomatic entities with GRAPELOADER malware – Source: securityaffairs.com
Classification:
- HashTags: #APT29 #PhishingCampaign #GrapeLoader
- Company: Check Point
- Target: European diplomats
- Attacker: APT29
- Product: GrapeLoader
- Feature: phishing emails
- Malware: GrapeLoader
- Type: Malware
- Severity: Major