@The DefendOps Diaries
//
Marks & Spencer (M&S) has confirmed it is currently dealing with a cybersecurity incident that has caused disruption to its UK retail operations. The retail giant said it has been managing this incident for the past few days, leading to operational changes aimed at protecting customers and the business. These changes have resulted in some disruption, including outages in payment systems and delays in store services such as order pick-ups and click-and-collect. The company has apologized to customers for any inconvenience experienced due to the disruptions.
M&S said that despite the ongoing cyber incident, its stores remain open, and its website and app are operating normally. It is working diligently to resolve technical issues and address delays affecting customer orders. In response to customer queries on social media platforms like X, Marks & Spencer acknowledged working to resolve technical issues in its stores. The company is also collaborating with external cybersecurity experts to investigate the incident and has notified data protection authorities, including the National Cyber Security Centre (NCSC) and the Information Commissioner's Office (ICO).
While M&S has confirmed the cybersecurity incident and taken steps to mitigate its impact, specific details regarding the nature of the attack and any compromise of customer data remain unclear. The company has been tight-lipped about divulging further information; however, it has said it is coordinating with relevant agencies such as the NCSC. The retailer said that if the situation changes, an update will be provided as appropriate. Marks & Spencer claims to serve 32 million customers every year.
References :
- CyberInsider: Marks & Spencer (M&S) has confirmed it is responding to a cybersecurity incident that has caused disruptions across its UK retail operations, including outages in payment systems and delays in store services such as order pick-ups and click-and-collect.
- techcrunch.com: The company said it was necessary to make operational changes to protect the business.
- www.itpro.com: Retail giant Marks & Spencer (M&S) has revealed it has been dealing with a "cyber incident" in recent days and apologized to customers amid disruption complaints.
- The Register - Security: Marks & Spencer has been managing a "cyber incident" for "the past few days".
- Zack Whittaker: New, by me: Marks & Spencer has confirmed a cyber incident, as customers report disruption and outages. The U.K.-headquartered retail giant said it made operational changes to "protect" the business, and has notified data protection authorities.
- The DefendOps Diaries: Marks & Spencer cyberattack highlights retail vulnerabilities and the need for robust cybersecurity measures.
Classification:
- HashTags: #Cybersecurity #RetailSecurity #Cyberattack
- Company: Marks & Spencer
- Target: Marks & Spencer Online Services
- Attacker: APT29
- Product: Online services
- Feature: payment systems
- Type: Hack
- Severity: Medium
@The Hacker News
//
APT29, a Russian state-sponsored hacking group also known as Cozy Bear or Midnight Blizzard, is actively targeting European diplomatic entities with a sophisticated phishing campaign that began in January 2025. The group is using deceptive emails disguised as invitations to wine-tasting events to entice recipients into downloading a malicious ZIP file. This archive, often named "wine.zip," contains a legitimate PowerPoint executable alongside malicious DLL files designed to compromise the victim's system. These campaigns appear to focus primarily on Ministries of Foreign Affairs, as well as other countries' embassies in Europe, with indications suggesting that diplomats based in the Middle East may also be targets.
The malicious ZIP archive contains a PowerPoint executable ("wine.exe") and two hidden DLL files. When the PowerPoint executable is run, it activates a previously unknown malware loader called GRAPELOADER through a technique known as DLL side-loading. GRAPELOADER then establishes persistence on the system by modifying the Windows Registry. It collects basic system information, such as username and computer name, and communicates with a command-and-control server to fetch additional malicious payloads. This technique allows the attackers to maintain access to the compromised systems.
GRAPELOADER distinguishes itself through its advanced stealth techniques, including masking strings in its code and only decrypting them briefly in memory before erasing them. The malware gains persistence by modifying the Windows registry's Run key, ensuring that "wine.exe" is executed automatically every time the system reboots. The ultimate goal of the campaign is to deliver shellcode; Check Point also identified updated WINELOADER artifacts uploaded to the VirusTotal platform with compilation timestamps matching recent activity. The emails are sent from domains such as bakenhof[.]com and silry[.]com.
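The Run-key persistence described above suggests a straightforward hunt. The following is an added example, not code from this page or from Check Point: it scans constructed, simplified Sysmon Event ID 13 (registry value set) records and flags Run or RunOnce entries whose launch target lives outside Program Files or the Windows directory, the pattern a user-writable "wine.exe" would produce. The key=value log form, the field names and the trusted-directory list are assumptions.

```python
import re

# Constructed sample records in a simplified key=value form (assumed format),
# loosely modelled on Sysmon Event ID 13; they are not real campaign telemetry.
SAMPLE_EVENTS = [
    "EventID=13 Image=C:\\Users\\alice\\Downloads\\wine\\wine.exe "
    "TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\wine "
    "Details=C:\\Users\\alice\\Downloads\\wine\\wine.exe",
    "EventID=13 Image=C:\\Windows\\System32\\msiexec.exe "
    "TargetObject=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive "
    "Details=C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background",
    "EventID=13 Image=C:\\Windows\\explorer.exe "
    "TargetObject=HKU\\S-1-5-21-1\\Software\\Classes\\Local Settings\\MuiCache\\foo "
    "Details=bar",
]

FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")      # key=value pairs, values may contain spaces
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
EXE_RE = re.compile(r'^"?(.+?\.exe)"?(?:\s|$)', re.IGNORECASE)  # first .exe token in the value
# Launch targets under these prefixes are treated as expected (simplified allow-list).
TRUSTED_PREFIXES = ("c:\\program files", "c:\\windows")


def parse_event(line):
    """Turn one key=value record into a dict."""
    return dict(FIELD_RE.findall(line))


def persisted_exe(details):
    """Extract the executable path from a Run-key value, ignoring arguments."""
    m = EXE_RE.match(details.strip())
    return m.group(1) if m else None


def is_untrusted_path(path):
    return not path.lower().startswith(TRUSTED_PREFIXES)


def find_suspicious_run_keys(lines):
    """Return Run/RunOnce writes whose target is missing or outside trusted directories."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "13" or not RUN_KEY_RE.search(ev.get("TargetObject", "")):
            continue
        exe = persisted_exe(ev.get("Details", ""))
        if exe is None or is_untrusted_path(exe):
            hits.append({"key": ev["TargetObject"], "exe": exe, "writer": ev.get("Image")})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_run_keys(SAMPLE_EVENTS):
        print(f"suspicious Run key: {hit['key']} -> {hit['exe']} (written by {hit['writer']})")
```

In a real deployment the trusted-prefix check would be replaced by signer or hash verification, since a renamed legitimate binary can sit in a user directory and malware can be dropped under Program Files.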
References :
- Check Point Blog: Details on APT29's updated phishing campaign targeting European diplomatic organizations. Focus on new malware and TTPs
- BleepingComputer: Russian state-sponsored espionage group Midnight Blizzard is behind a new spear-phishing campaign targeting diplomatic entities in Europe, including embassies.
- bsky.app: Midnight Blizzard deploys new GrapeLoader malware in embassy phishing
- blog.checkpoint.com: Unmasking APT29: The Sophisticated Phishing Campaign Targeting European Diplomacy
- cyberpress.org: Detailed report about APT29's GRAPELOADER campaign targeting European diplomats.
- research.checkpoint.com: Russia-Linked APT29 Targets European Diplomats with New GRAPELOADER Malware in Sophisticated Phishing Campaign
- Cyber Security News: APT29 Hackers Deploy GRAPELOADER in Latest Attack on European Diplomats
- The Register - Security: Russians lure European diplomats into malware trap with wine-tasting invite
- iHLS: Russian Phishing Campaign Steals Sensitive Data in European Government Networks
- www.scworld.com: New APT29 spear-phishing campaign targets European diplomatic organizations
- www.helpnetsecurity.com: Cozy Bear targets EU diplomats with wine-tasting invites (again)
- Check Point Research: Renewed APT29 Phishing Campaign Against European Diplomats
- Help Net Security: Detailed report on the campaign's tactics, techniques, and procedures, including the use of fake wine-tasting invitations.
- securityonline.info: Sophisticated phishing campaign targeting European governments and diplomats, using a wine-themed approach
- securityonline.info: APT29 Targets European Diplomats with Wine-Themed Phishing
- : The tactics, techniques, and procedures (TTPs) observed in this campaign bear strong similarities to those seen in the previous WINELOADER campaign from March 2024. The report contains indicators of compromise such as file names, file hashes and C2 URLs that can be used by security teams to build detections and threat hunting queries.
- Virus Bulletin: The campaign employs a new loader, called GRAPELOADER, which is downloaded via a link in the phishing email.
- The Hacker News: The Hacker News reports on APT29 targeting European diplomats with wine-themed phishing emails and the GrapeLoader malware.
- hackread.com: Russian Cozy Bear’s Wine Lure Drops WineLoader Malware on EU Diplomats
- ciso2ciso.com: Midnight Blizzard Targets European Diplomats with Wine Tasting Phishing Lure – Source: www.infosecurity-magazine.com
- thehackernews.com: The Russian state-sponsored threat actor known as APT29 has been linked to an advanced phishing campaign that's targeting diplomatic entities across Europe with a new variant of WINELOADER and a previously unreported malware loader codenamed GRAPELOADER.
- www.techradar.com: European diplomats targeted by Russian phishing campaign promising fancy wine tasting
- Talkback Resources: Talkback.sh discusses APT29 Deploys GRAPELOADER Malware Targeting European Diplomats Through Wine-Tasting Lures [mal]
- Talkback Resources: Russian Cozy Bear’s Wine Lure Drops WineLoader Malware on EU Diplomats [social] [mal]
- securityaffairs.com: Russia-linked group APT29 targeted diplomatic entities across Europe with a new malware loader codenamed GRAPELOADER.
- eSecurity Planet: Russian Hackers Target European Diplomats with ‘Wine-Tasting’ Phishing Scams
- www.esecurityplanet.com: Russian state-linked hacking group is ramping up its cyberattacks against diplomatic targets across Europe, using a new stealthy malware tool known as “GrapeLoader” to deliver malicious payloads through cleverly disguised phishing emails.
- ciso2ciso.com: Russia-linked APT29 targets European diplomatic entities with GRAPELOADER malware – Source: securityaffairs.com
- Talkback Resources: Russia-linked group APT29 used a phishing campaign with fake wine tasting invitations to target European embassies and Ministries of Foreign Affairs, deploying GrapeLoader and WineLoader malware to gather sensitive information and conduct cyber spying operations.
- Blog: Russian state-sponsored hacking group APT29, also known as Cozy Bear or Midnight Blizzard, has launched a sophisticated phishing campaign targeting European diplomatic entities. The attackers are using deceptive emails that mimic invitations to wine-tasting events, enticing recipients to download a malicious ZIP file named "wine.zip."
Classification:
- HashTags: #APT29 #PhishingCampaign #GrapeLoader
- Company: Check Point
- Target: European diplomats
- Attacker: APT29
- Product: GrapeLoader
- Feature: phishing emails
- Malware: GrapeLoader
- Type: Malware
- Severity: Major
@www.bleepingcomputer.com
//
Hewlett Packard Enterprise (HPE) is notifying employees about a data breach that occurred in May 2023. The cyberattack, orchestrated by Russian state-sponsored hackers, targeted HPE's Office 365 email environment. The breach resulted in the theft of employee data, prompting HPE to alert affected individuals.
HPE began sending breach notification letters in January 2025, according to filings with Attorney General offices in New Hampshire and Massachusetts. The investigation determined that personal information, including driver's licenses, credit card numbers, and Social Security numbers, may have been subject to unauthorized access.
References :
- BleepingComputer: Hewlett Packard Enterprise (HPE) is notifying employees whose data was stolen from the company's Office 365 email environment by Russian state-sponsored hackers in a May 2023 cyberattack.
- www.the420.in: Hewlett Packard Notifies Employees of Data Breach by Russian Hackers
- www.bleepingcomputer.com: HPE notifies employees of data breach after Russian Office 365 hack
- Vulnerability-Lookup: Hewlett Packard Enterprise (HPE) is notifying employees whose data was stolen from the company's Office 365 email environment by Russian state-sponsored hackers
- techcrunch.com: TechCrunch reports on HPE beginning to notify data breach victims after a Russian government hack.
- www.scworld.com: HPE employees alerted of Midnight Blizzard hack
- securityaffairs.com: HPE is notifying individuals affected by a December 2023 attack
- securebulletin.com: Hewlett Packard Enterprise (HPE) is notifying employees whose data was stolen.
- ciso2ciso.com: HPE Says Personal Information Stolen in 2023 Russian Hack – Source: www.securityweek.com
Classification:
- HashTags: #HPE #APT29
- Company: HPE
- Target: HPE employees
- Attacker: Midnight Blizzard (Cozy Bear/APT29)
- Product: Office 365
- Feature: Office 365 email
- Type: DataBreach
- Severity: Major