CyberSecurity news

FlagThis - #apt29

ross.kelly@futurenet.com (Ross@Latest from ITPro in News //
Marks & Spencer (M&S), a major British retailer, has confirmed that it is currently managing a cybersecurity incident. This confirmation follows several days of reported service disruptions affecting store operations and customer experiences. The company issued a statement acknowledging the incident and apologized to customers for any inconvenience caused. M&S has implemented operational changes to protect the business and its customers during this time.

Customer impact includes disruptions to contactless payments, online orders, and the Click & Collect service. Some customers reported issues as far back as Saturday through social media platform X, ranging from returns being unavailable to Click & Collect orders being delayed or unavailable. While M&S stated that stores remain open, the website and app are operating normally, and contactless payments are working again, the company is working hard to resolve the remaining technical issues. M&S claims it serves 32 million customers every year.

In response to the cyber incident, Marks & Spencer has engaged external cybersecurity experts to investigate the matter and strengthen its network security. The company has also notified the Information Commissioner's Office (ICO) and the National Cyber Security Centre (NCSC). The exact nature of the cyberattack and the extent of any potential data breach have not been fully disclosed. M&S has said that customer trust is incredibly important to the company, that it is taking the situation seriously, and that it will provide an update if the situation changes.



References :
  • CyberInsider: Marks & Spencer (M&S) has confirmed it is responding to a cybersecurity incident that has caused disruptions across its UK retail operations, including outages in payment systems and delays in store services such as order pick-ups and click-and-collect.
  • techcrunch.com: The company said it was necessary to make operational changes to protect the business.
  • www.itpro.com: Retail giant Marks & Spencer (M&S) has revealed it has been dealing with a “cyber incident” in recent days and apologized to customers amid disruption complaints.
  • The Register - Security: Retailer tight-lipped on details as digital hiccup disrupts customer orders. UK high street mainstay Marks & Spencer told the London Stock Exchange this afternoon it has been managing a "cyber incident" for "the past few days."…
  • cyberinsider.com: Marks & Spencer (M&S) has confirmed it is responding to a cybersecurity incident that has caused disruptions across its UK retail operations, including outages in payment systems and delays in store services such as order pick-ups and click-and-collect.
  • Zack Whittaker: New, by me: Marks & Spencer has confirmed a cyber incident, as customers report disruption and outages. The U.K.-headquartered retail giant said it made operational changes to "protect" the business, and has notified data protection authorities.
  • The DefendOps Diaries: The Defend Ops Diaries article on Marks & Spencer Cyberattack: A Wake-Up Call for Retail Cybersecurity
  • securityaffairs.com: Marks & Spencer (M&S) is managing a cyber incident
  • techcrunch.com: TechCrunch article on Marks & Spencer confirms cybersecurity incident amid ongoing disruption
  • BleepingComputer: Marks & Spencer confirms a cyberattack as customers face delayed orders
  • ComputerWeekly.com: Cyber attack downs systems at Marks & Spencer
  • www.cybersecurity-insiders.com: Mark & Spencer hit by Cyber Attack on Easter
  • hackread.com: M&S Cyberattack Disrupts Contactless Payments and Click & Collect Services
  • www.scworld.com: Marks & Spencer disrupted by cyberattack
  • thecyberexpress.com: UK retail giant Marks & Spencer has confirmed it is managing a cybersecurity incident, following several days of service disruption that affected store operations and customer experiences.
  • Tech Monitor: Marks & Spencer hit by cyberattack, services disrupted
  • The Record: In a statement filed to London’s stock exchange on Tuesday afternoon, retailer Marks & Spencer said it made “some minor, temporary changes to our store operations” as soon as it became aware of the incident.
  • bsky.app: Marks & Spencer (M&S) has disclosed that it is responding to a cyberattack over the past few days that has impacted operations, including its Click and Collect service. https://www.bleepingcomputer.com/news/security/marks-spencer-confirms-a-cyberattack-as-customers-face-delayed-orders/
  • hackread.com: Marks & Spencer (M&S) cyberattack disrupts contactless payments and Click & Collect; investigation launched as retailer apologises and…
  • techinformed.com: TechInformed report on M&S cyber attack impacting click and collect.
  • TechInformed: M&S cyber attack impacts click and collect and contactless payments
  • The Register - Security: M&S takes systems offline as 'cyber incident' lingers
  • ComputerWeekly.com: M&S systems remain offline days after cyber incident
  • BleepingComputer: Marks & Spencer pauses online orders after cyberattack
  • The Register - Security: M&S suspends all online orders as 'cyber incident' issues worsen
  • bsky.app: M&S stops online orders following cyber attack. Fall-out from this cyber attack is getting worse not better 4 days after customers were alerted to an attack.
  • bsky.app: Bsky social network post about Marks & Spencer pausing online sales after cyberattack
  • www.itpro.com: M&S suspends online sales as 'cyber incident' continues
  • cyberinsider.com: Marks & Spencer Suspends Online Orders Amid Ongoing Cyber Incident
  • The DefendOps Diaries: Marks & Spencer Cyberattack: Operational Disruptions and Strategic Responses
  • CyberInsider: Marks & Spencer Suspends Online Orders Amid Ongoing Cyber Incident
  • bsky.app: Marks & Spencer has paused online orders for customers.
  • go.theregister.com: One step forward and one step back as earlier hopes of progress dashed by latest update. Marks & Spencer has paused online orders for customers via its website and app as the UK retailer continues to wrestle with an ongoing "cyber incident."
  • Check Point Research: For the latest discoveries in cyber research for the week of 28th April, please download our Threat Intelligence Bulletin. Top attacks and breaches: British retailer Marks & Spencer (M&S) experienced a cyber-attack that caused disruptions to its online order system and in-store contactless payments.
  • www.bleepingcomputer.com: Marks & Spencer pauses online orders after cyberattack
  • bsky.app: Ongoing outages at British retail giant Marks & Spencer are caused by a ransomware attack believed to be conducted by a hacking collective known as "Scattered Spider"
  • BleepingComputer: Ongoing outages at British retail giant Marks & Spencer are caused by a ransomware attack believed to be conducted by a hacking collective known as "Scattered Spider" BleepingComputer has learned from multiple sources.
  • BleepingComputer: Ongoing outages at British retail giant Marks & Spencer are caused by a ransomware attack believed to be conducted by a hacking collective known as "Scattered Spider"
  • www.bleepingcomputer.com: Ongoing outages at British retail giant Marks & Spencer are caused by a ransomware attack believed to be conducted by a hacking collective known as Scattered Spider BleepingComputer has learned from multiple sources.
  • Help Net Security: The “cyber incident” that British multinational retailer Marks & Spencer has been struggling with for over a week is a ransomware attack, multiple sources have asserted.
  • DataBreaches.Net: Multiple sources inform them that the outages at UK retail giant Marks & Spencer are the result of a ransomware attack by the group known as Scattered Spider.
  • bsky.app: Cyber security website @bleepingcomputer.com now reporting that the M&S hackers could be from Scattered Spider. This infamous hacking crew is behind a string of attacks in the last 2 years and its members include English-speaking teenagers. https://www.bleepingcomputer.com/news/security/marks-and-spencer-breach-linked-to-scattered-spider-ransomware-attack/
  • ComputerWeekly.com: The infamous Scattered Spider hacking collective may have been behind the ongoing cyber attack on Marks and Spencer.
  • hackread.com: The cyberattack on Marks & Spencer (M&S) is linked to the notorious Scattered Spider group. Explore the severe…
  • Tech Monitor: Cyber incident at Marks & Spencer suspected to involve Scattered Spider hackers
Classification:
  • HashTags: #cyberattack #DataBreach #retail
  • Company: Marks & Spencer
  • Target: Marks & Spencer
  • Product: Retail Services
  • Feature: Service Disruption
  • Type: Hack
  • Severity: Medium
@research.checkpoint.com //
Russian state-sponsored hacking group APT29, also known as Cozy Bear or Midnight Blizzard, is actively targeting European diplomatic entities with a sophisticated phishing campaign that began in January 2025. The threat actors are using deceptive emails disguised as invitations to wine-tasting events, enticing recipients to download a malicious ZIP file. The ZIP file contains a PowerPoint executable ("wine.exe") and two hidden DLL files, one of which is a malware loader dubbed GRAPELOADER. This campaign appears to be focused on targeting European diplomatic entities, including non-European countries’ embassies located in Europe.

GRAPELOADER is a newly observed initial-stage tool used for fingerprinting, persistence, and payload delivery. Once executed, GRAPELOADER establishes persistence by modifying the Windows registry, collects basic system information such as the username and computer name, and communicates with a command-and-control (C2) server to fetch additional malicious payloads. The malware copies the contents of the malicious ZIP archive to a new location on disk and achieves persistence by modifying the Windows registry’s Run key, so that wine.exe is executed automatically every time the system reboots.

In addition to GRAPELOADER, a new variant of WINELOADER, a modular backdoor previously used by APT29, has been discovered and is likely being used in later stages of the attack. GRAPELOADER employs advanced techniques to avoid detection, such as masking strings in its code and only decrypting them briefly in memory before erasing them. These recent attacks use a new technique aimed at abusing legitimate Microsoft OAuth 2.0 Authentication workflows. The attackers are impersonating officials from various European nations, and in one instance leveraged a compromised Ukrainian Government account.



References :
  • hackread.com: Russian Cozy Bear’s Wine Lure Drops WineLoader Malware on EU Diplomats
  • thehackernews.com: The Russian state-sponsored threat actor known as APT29 has been linked to an advanced phishing campaign that's targeting diplomatic entities across Europe with a new variant of WINELOADER and a previously unreported malware loader codenamed GRAPELOADER.
  • ciso2ciso.com: Midnight Blizzard Targets European Diplomats with Wine Tasting Phishing Lure – Source: www.infosecurity-magazine.com
  • research.checkpoint.com: Russia-Linked APT29 Targets European Diplomats with New GRAPELOADER Malware in Sophisticated Phishing Campaign
  • Talkback Resources: Russian Cozy Bear’s Wine Lure Drops WineLoader Malware on EU Diplomats [social] [mal]
  • securityaffairs.com: Russia-linked group APT29 targeted diplomatic entities across Europe with a new malware loader codenamed GRAPELOADER.
  • www.esecurityplanet.com: Russian state-linked hacking group is ramping up its cyberattacks against diplomatic targets across Europe, using a new stealthy malware tool known as “GrapeLoader” to deliver malicious payloads through cleverly disguised phishing emails.
  • The Register - Security: Russians lure European diplomats into malware trap with wine-tasting invite
  • Blog: Russian state-sponsored hacking group APT29, also known as Cozy Bear or Midnight Blizzard, has launched a sophisticated phishing campaign targeting European diplomatic entities. The attackers are using deceptive emails that mimic invitations to wine-tasting events, enticing recipients to download a malicious ZIP file named wine.zip.
  • Security Risk Advisors: Russia-Linked APT29 Targets European Diplomats with New GRAPELOADER Malware in Sophisticated Phishing Campaign
Classification:
  • HashTags: #APT29 #CyberEspionage #GrapeLoader
  • Company: Check Point
  • Target: European Diplomats
  • Attacker: APT29
  • Product: GrapeLoader
  • Feature: Phishing
  • Malware: GrapeLoader
  • Type: Espionage
  • Severity: Major
@research.checkpoint.com //
Russian state-sponsored espionage group Midnight Blizzard, also known as APT29 or Cozy Bear, is conducting a spear-phishing campaign targeting European diplomatic organizations. Check Point Research has been observing this sophisticated operation, which began in January 2025 and employs advanced techniques to target government officials and diplomats across Europe. The threat actors are impersonating a major European foreign affairs ministry to send deceptive emails inviting targets to wine-tasting events. This campaign, leveraging custom malware, aims to compromise diplomatic entities, including embassies of non-European countries.

The campaign introduces a previously unseen malware loader called GrapeLoader, along with a new variant of the Wineloader backdoor. The phishing emails, sent from domains like 'bakenhof[.]com' or 'silry[.]com,' contain malicious links that, under specific conditions, initiate the download of a ZIP archive named 'wine.zip'. If the targeting conditions are not met, victims are redirected to the legitimate website of the impersonated ministry, reducing suspicion. This mirrors a previous Wineloader campaign, indicating a continued focus on European diplomacy by APT29.

Once executed via DLL sideloading, GrapeLoader collects host information, establishes persistence by modifying the Windows Registry, and contacts a command-and-control server. The use of in-memory execution is an advanced evasion technique to complicate detection. The objective of the campaign is likely espionage, given APT29's history of targeting high-profile organizations, including government agencies and think tanks, and its association with the SolarWinds supply chain attack.



References :
  • Check Point Blog: Details on APT29's updated phishing campaign targeting European diplomatic organizations. Focus on new malware and TTPs
  • BleepingComputer: Russian state-sponsored espionage group Midnight Blizzard is behind a new spear-phishing campaign targeting diplomatic entities in Europe, including embassies.
  • bsky.app: Midnight Blizzard deploys new GrapeLoader malware in embassy phishing
  • blog.checkpoint.com: Unmasking APT29: The Sophisticated Phishing Campaign Targeting European Diplomacy
  • cyberpress.org: Detailed report about APT29's GRAPELOADER campaign targeting European diplomats.
  • research.checkpoint.com: Renewed APT29 Phishing Campaign Against European Diplomats
  • Cyber Security News: APT29 Hackers Deploy GRAPELOADER in Latest Attack on European Diplomats
  • The Register - Security: Russians lure European diplomats into malware trap with wine-tasting invite
  • iHLS: Russian Phishing Campaign Steals Sensitive Data in European Government Networks
  • cybersecuritynews.com: APT29 Hackers Deploy GRAPELOADER in Latest Attack on European Diplomats
  • www.scworld.com: New APT29 spear-phishing campaign targets European diplomatic organizations
  • www.helpnetsecurity.com: Cozy Bear targets EU diplomats with wine-tasting invites (again)
  • Check Point Research: Renewed APT29 Phishing Campaign Against European Diplomats
  • Help Net Security: Detailed report on the campaign's tactics, techniques, and procedures, including the use of fake wine-tasting invitations.
  • securityonline.info: Sophisticated phishing campaign targeting European governments and diplomats, using a wine-themed approach
  • securityonline.info: APT29 Targets European Diplomats with Wine-Themed Phishing
  • www.csoonline.com: The tactics, techniques, and procedures (TTPs) observed in this campaign bear strong similarities to those seen in the previous WINELOADER campaign from March 2024. The report contains indicators of compromise such as file names, file hashes and C2 URLs that can be used by security teams to build detections and threat hunting queries.
  • Virus Bulletin: The campaign employs a new loader, called GRAPELOADER, which is downloaded via a link in the phishing email.
  • The Hacker News: The Hacker News reports on APT29 targeting European diplomats with wine-themed phishing emails and the GrapeLoader malware.
  • hackread.com: Midnight Blizzard (APT29/Cozy Bear) targets European embassies and Ministries of Foreign Affairs with sophisticated phishing emails disguised as…
  • ciso2ciso.com: Midnight Blizzard Targets European Diplomats with Wine Tasting Phishing Lure – Source: www.infosecurity-magazine.com
  • ciso2ciso.com: APT29 Targets European Diplomats with Wine-Themed Phishing
  • hackread.com: Russian Cozy Bear’s Wine Lure Drops WineLoader Malware on EU Diplomats
  • thehackernews.com: The Russian state-sponsored threat actor known as APT29 has been linked to an advanced phishing campaign that's targeting diplomatic entities across Europe with a new variant of WINELOADER and a previously unreported malware loader codenamed GRAPELOADER.
  • www.techradar.com: European diplomats targeted by Russian phishing campaign promising fancy wine tasting
  • Talkback Resources: Talkback.sh discusses APT29 Deploys GRAPELOADER Malware Targeting European Diplomats Through Wine-Tasting Lures [mal]
  • Talkback Resources: Russian Cozy Bear’s Wine Lure Drops WineLoader Malware on EU Diplomats
  • securityaffairs.com: Russia-linked group APT29 targeted diplomatic entities across Europe with a new malware loader codenamed GRAPELOADER.
  • eSecurity Planet: Russian Hackers Target European Diplomats with ‘Wine-Tasting’ Phishing Scams
  • www.esecurityplanet.com: Russian Hackers Target European Diplomats with ‘Wine-Tasting’ Phishing Scams
  • Security Risk Advisors: Russia-Linked APT29 Targets European Diplomats with New GRAPELOADER Malware in Sophisticated Phishing Campaign
  • ciso2ciso.com: Russia-linked APT29 targets European diplomatic entities with GRAPELOADER malware – Source: securityaffairs.com
  • ciso2ciso.com: Russia-linked group APT29 targeted diplomatic entities across Europe with a new malware loader codenamed GRAPELOADER.
  • Talkback Resources: Russia-linked group APT29 used a phishing campaign with fake wine tasting invitations to target European embassies and Ministries of Foreign Affairs, deploying GrapeLoader and WineLoader malware to gather sensitive information and conduct cyber spying operations.
Classification:
  • HashTags: #MidnightBlizzard #APT29 #SpearPhishing
  • Target: European diplomatic organizations
  • Attacker: Midnight Blizzard
  • Malware: Grapeloader, Wineloader
  • Type: Espionage
  • Severity: Medium