@research.checkpoint.com //
Russian state-sponsored hacking group APT29, also known as Cozy Bear or Midnight Blizzard, is actively targeting European diplomatic entities with a sophisticated phishing campaign that began in January 2025. The threat actors are using deceptive emails disguised as invitations to wine-tasting events, enticing recipients to download a malicious ZIP file. The ZIP file contains a PowerPoint executable ("wine.exe") and two hidden DLL files, one of which is a malware loader dubbed GRAPELOADER. This campaign appears to be focused on targeting European diplomatic entities, including non-European countries’ embassies located in Europe.

GRAPELOADER is a newly observed initial-stage tool used for fingerprinting, persistence, and payload delivery. Once executed, GRAPELOADER collects basic system information such as the username and computer name and communicates with a command-and-control (C2) server to fetch additional malicious payloads. The malware copies the contents of the malicious ZIP archive to a new location on disk and achieves persistence by adding an entry to the Windows registry's Run key, so that wine.exe is executed automatically every time the system reboots.
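The Run-key persistence described above is something defenders can audit directly. The script below is an added example written for this page, not code from the Check Point report or from any of the linked articles: it enumerates the per-user and machine-wide Run keys, extracts the target executable from each autostart value, and flags entries whose executable lives in a user-writable directory (the kind of location a loader unpacked from a ZIP lure would typically run from). It also reports the executable's Authenticode status and counts unsigned DLLs sitting next to it, which is the signature of a legitimate signed binary being used to side-load an attacker-supplied DLL. The list of user-writable directories and the "unsigned DLL in the same folder" heuristic are assumptions for illustration, not indicators taken from the report.

```powershell
# Added example (not from the original report): audit Run-key autostarts for
# executables in user-writable locations and for side-loading indicators.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Assumption: directories a standard user can write to. An autostart whose
# executable lives here deserves review, because no installer is required to drop it.
$userWritable = @(
    $env:LOCALAPPDATA, $env:APPDATA, $env:TEMP,
    (Join-Path $env:USERPROFILE 'Downloads'), 'C:\Users\Public'
) | Where-Object { $_ }

function Get-ExecutablePath {
    param([string]$Command)
    # A Run value is a command line; take the leading quoted or unquoted token.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command.Trim() -split '\s+')[0]
}

function Get-UnsignedDllCount {
    param([string]$Directory)
    # Side-loading heuristic (assumption): unsigned DLLs beside a signed executable.
    if (-not (Test-Path $Directory)) { return 0 }
    $dlls = Get-ChildItem -Path $Directory -Filter '*.dll' -File -ErrorAction SilentlyContinue
    return @($dlls | Where-Object { (Get-AuthenticodeSignature $_.FullName).Status -ne 'Valid' }).Count
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's own metadata properties
        $exe = Get-ExecutablePath ([string]$p.Value)
        $inUserWritable = $false
        foreach ($dir in $userWritable) {
            if ($exe.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) { $inUserWritable = $true }
        }
        $sigStatus = if (Test-Path $exe) { (Get-AuthenticodeSignature $exe).Status } else { 'FileMissing' }
        $unsignedDlls = if (Test-Path $exe) { Get-UnsignedDllCount (Split-Path $exe -Parent) } else { 0 }
        [pscustomobject]@{
            Key            = $key
            Name           = $p.Name
            Executable     = $exe
            Signature      = $sigStatus
            UnsignedDlls   = $unsignedDlls
            # A signed executable in a user-writable folder next to unsigned DLLs
            # matches the lure pattern described on this page and warrants triage.
            ReviewNeeded   = $inUserWritable -or ($sigStatus -eq 'Valid' -and $unsignedDlls -gt 0)
        }
    }
}

$findings | Sort-Object ReviewNeeded -Descending | Format-Table -AutoSize
```

Run it in an elevated session to cover the HKLM hives; a non-elevated run still covers the current user's Run key, which is the hive a user-level loader can write without privileges. Treat `ReviewNeeded` as a triage prompt rather than a verdict: legitimate updaters also start from `%LOCALAPPDATA%`, so the value of the check comes from pairing the path with the signature and sibling-DLL columns.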

In addition to GRAPELOADER, a new variant of WINELOADER, a modular backdoor previously used by APT29, has been discovered and is likely being used in later stages of the attack. GRAPELOADER employs advanced techniques to avoid detection, such as masking strings in its code and decrypting them only briefly in memory before erasing them. These recent attacks use a new technique aimed at abusing legitimate Microsoft OAuth 2.0 authentication workflows. The attackers are impersonating officials from various European nations, and in one instance leveraged a compromised Ukrainian government account.


References:
  • hackread.com: Russian Cozy Bear’s Wine Lure Drops WineLoader Malware on EU Diplomats
  • thehackernews.com: The Russian state-sponsored threat actor known as APT29 has been linked to an advanced phishing campaign that's targeting diplomatic entities across Europe with a new variant of WINELOADER and a previously unreported malware loader codenamed GRAPELOADER.
  • ciso2ciso.com: Midnight Blizzard Targets European Diplomats with Wine Tasting Phishing Lure – Source: www.infosecurity-magazine.com
  • research.checkpoint.com: Russia-Linked APT29 Targets European Diplomats with New GRAPELOADER Malware in Sophisticated Phishing Campaign
  • Talkback Resources: Russian Cozy Bear’s Wine Lure Drops WineLoader Malware on EU Diplomats [social] [mal]
  • securityaffairs.com: Russia-linked group APT29 targeted diplomatic entities across Europe with a new malware loader codenamed GRAPELOADER.
  • www.esecurityplanet.com: Russian state-linked hacking group is ramping up its cyberattacks against diplomatic targets across Europe, using a new stealthy malware tool known as “GrapeLoader” to deliver malicious payloads through cleverly disguised phishing emails.
  • The Register - Security: Russians lure European diplomats into malware trap with wine-tasting invite
  • Blog: Russian state-sponsored hacking group APT29, also known as Cozy Bear or Midnight Blizzard, has launched a sophisticated phishing campaign targeting European diplomatic entities. The attackers are using deceptive emails that mimic invitations to wine-tasting events, enticing recipients to download a malicious ZIP file named wine.zip.
  • Security Risk Advisors: Russia-Linked APT29 Targets European Diplomats with New GRAPELOADER Malware in Sophisticated Phishing Campaign
Classification:
  • HashTags: #APT29 #CyberEspionage #GrapeLoader
  • Company: Check Point
  • Target: European Diplomats
  • Attacker: APT29
  • Product: GrapeLoader
  • Feature: Phishing
  • Malware: GrapeLoader
  • Type: Espionage
  • Severity: Major