Ashish Khaitan@The Cyber Express
The FBI has issued a warning regarding the increasing exploitation of end-of-life (EoL) routers by cybercriminals. These outdated devices, which no longer receive security updates from manufacturers, are being targeted with malware, most notably variants of TheMoon, to establish proxy networks. This allows malicious actors to mask their online activities and conduct illicit operations with anonymity. The FBI emphasizes that routers from 2010 or earlier are particularly vulnerable due to the absence of recent software updates, making them susceptible to known exploits.
The compromised routers are then incorporated into botnets and used as proxies, sold through proxy services such as 5Socks and Anyproxy. This enables cybercriminals to route malicious traffic through these unsuspecting devices, obscuring their real IP addresses and making it difficult to trace their criminal activities. TheMoon malware exploits open ports on vulnerable routers, bypassing the need for passwords, and then connects to a command-and-control (C2) server for instructions. This process allows the malware to spread rapidly, infecting more routers and expanding the proxy network. To mitigate this growing threat, the FBI advises users to replace EoL routers with actively supported models and apply all available firmware and security updates. Disabling remote administration and using strong, unique passwords are also crucial steps in securing network devices. Additionally, regularly rebooting routers can clear malware that runs only in memory. The FBI's warning underscores the importance of maintaining up-to-date security measures on network hardware to prevent exploitation by cybercriminals seeking to anonymize their activities.
Jacob Santos@feeds.trendmicro.com
The Agenda ransomware group, also known as Qilin, has enhanced its attack capabilities by incorporating SmokeLoader and NETXLOADER into its campaigns. Trend Micro researchers discovered this shift, highlighting the group's ongoing evolution and increased sophistication. The group is actively targeting organizations across multiple sectors, including healthcare, technology, financial services, and telecommunications. These attacks are spanning across various geographical regions, with a primary focus on the US, the Netherlands, Brazil, India, and the Philippines, demonstrating a broad and aggressive targeting strategy.
The newly identified NETXLOADER plays a crucial role in these attacks by stealthily deploying malicious payloads, including the Agenda ransomware and SmokeLoader. NETXLOADER is a .NET-based loader protected by .NET Reactor 6, making it difficult to analyze. Its complexity is increased by its use of JIT hooking, obfuscated method names, and AES-decrypted GZip payloads to evade detection, indicating a significant leap in malware delivery methods. SmokeLoader further contributes to the group's arsenal with its own set of evasion tactics, including virtualization/sandbox detection and process injection, which complicates attribution and defense efforts. Qilin has emerged as a dominant ransomware group, leading in data leak disclosures in April 2025. This surge in activity is partly attributed to the group gaining affiliates from the RansomHub uncertainty. Cyble reported that Qilin claimed responsibility for 74 attacks in April, surpassing other groups in ransomware activity. The incorporation of NETXLOADER and SmokeLoader, coupled with their stealthy delivery methods, further solidifies Qilin's position as a formidable threat in the current ransomware landscape, posing a significant risk to organizations worldwide.
@socket.dev
A malicious Python package named 'discordpydebug' has been discovered on the Python Package Index (PyPI) repository, posing a significant threat to Discord developers. The package, disguised as a simple utility for debugging Discord bots, actually contains a remote access trojan (RAT). This RAT allows attackers to execute commands and exfiltrate data from infected systems via a covert command-and-control (C2) channel. The 'discordpydebug' package was uploaded on March 21, 2022, and has since been downloaded over 11,000 times, putting numerous developer systems at risk.
The 'discordpydebug' package targets developers who build or maintain Discord bots. The attackers took advantage of the fact that PyPI doesn't enforce strict security audits, misleading developers with a legitimate-sounding name and copying code from popular projects to appear trustworthy. The package establishes communication with an attacker-controlled server at "backstabprotection.jamesx123.repl[.]co", and includes features to read and write arbitrary files based on commands received from the server, along with the ability to run shell commands. The simplicity of the RAT is what makes it effective. The package avoids inbound connections, instead opting for outbound HTTP polling, which passes through firewalls and security monitoring tools more easily, especially in less controlled development environments. This discovery highlights the increasing danger of software supply chain attacks and the importance of vigilance when installing packages from open-source repositories. The Socket Research Team urges developers to be cautious and scrutinize any third-party tools or code snippets shared within the Discord developer community.
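Outbound polling of the kind described above leaves a very regular request cadence in proxy logs. The following detection is an added example, not code from the Socket report: it groups a constructed proxy log by client and destination host, measures the jitter of the gaps between requests, and flags hosts that are contacted on a machine-like schedule. The log lines are made up; the C2 host is the one named in the report with the defanging brackets removed.

```python
"""Flag machine-like outbound HTTP polling in a constructed proxy log.

Added example (not from the Socket report).  Log format is assumed:
"<iso-time> <client-ip> <method> <host> <status>", one request per line.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one host polled every ~30 s (the RAT pattern),
# plus ordinary, irregular developer traffic to pypi.org and discord.com.
PROXY_LOG = """\
2025-05-06T09:00:00 10.0.0.12 GET backstabprotection.jamesx123.repl.co 200
2025-05-06T09:00:30 10.0.0.12 GET backstabprotection.jamesx123.repl.co 200
2025-05-06T09:01:00 10.0.0.12 GET backstabprotection.jamesx123.repl.co 200
2025-05-06T09:01:31 10.0.0.12 GET backstabprotection.jamesx123.repl.co 200
2025-05-06T09:02:00 10.0.0.12 GET backstabprotection.jamesx123.repl.co 200
2025-05-06T09:02:30 10.0.0.12 GET backstabprotection.jamesx123.repl.co 200
2025-05-06T09:00:05 10.0.0.12 GET pypi.org 200
2025-05-06T09:00:07 10.0.0.12 GET files.pythonhosted.org 200
2025-05-06T09:04:12 10.0.0.12 GET pypi.org 200
2025-05-06T09:00:03 10.0.0.12 GET discord.com 200
2025-05-06T09:00:19 10.0.0.12 GET discord.com 200
2025-05-06T09:01:44 10.0.0.12 GET discord.com 200
2025-05-06T09:03:02 10.0.0.12 GET discord.com 200
2025-05-06T09:03:42 10.0.0.12 GET discord.com 200
"""


def parse(log: str) -> dict:
    """Group request timestamps by (client, host)."""
    events = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, _method, host, _status = line.split()
        events[(src, host)].append(datetime.fromisoformat(ts))
    return events


def beacon_score(timestamps, min_requests: int = 5):
    """Return (count, median_gap_seconds, jitter) or None if too few requests.

    jitter is the coefficient of variation of the inter-request gaps:
    near 0 means a fixed polling interval, large values mean human-driven traffic.
    """
    ts = sorted(timestamps)
    if len(ts) < min_requests:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean_gap = statistics.mean(gaps)
    if mean_gap == 0:
        return None  # burst of identical timestamps, not polling
    jitter = statistics.pstdev(gaps) / mean_gap
    return len(ts), statistics.median(gaps), jitter


def find_beacons(log: str, max_jitter: float = 0.2, min_requests: int = 5) -> list:
    """Return one finding per (client, host) pair whose cadence looks like polling."""
    findings = []
    for (src, host), ts in parse(log).items():
        score = beacon_score(ts, min_requests)
        if score is None:
            continue
        count, interval, jitter = score
        if jitter <= max_jitter:
            findings.append({"src": src, "host": host, "requests": count,
                             "interval_s": interval, "jitter": round(jitter, 3)})
    return findings


if __name__ == "__main__":
    for finding in find_beacons(PROXY_LOG):
        print(finding)
```

Real traffic contains legitimate periodic clients (update checkers, monitoring agents), so findings should be joined with domain age or reputation before alerting.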
@securityonline.info
Recorded Future's Insikt Group has released a report detailing the discovery of two new malware families, TerraStealerV2 and TerraLogger, both linked to the notorious Golden Chickens threat actor, also known as Venom Spider. Golden Chickens is a financially motivated group known for providing a Malware-as-a-Service (MaaS) platform, offering cybercriminals a suite of malicious tools. The newly identified malware strains add to their existing arsenal, which includes tools like VenomLNK, TerraLoader, and TerraCrypt, which have been implicated in past attacks against major organizations. The report, published on May 1, 2025, highlights the evolving tactics of this sophisticated threat actor.
TerraStealerV2 is designed to steal browser credentials, target cryptocurrency wallets, and pilfer browser extensions. This stealer malware is delivered through various file types, including LNK, MSI, DLL, and EXE files, and utilizes legitimate Windows tools like regsvr32.exe and mshta.exe to bypass endpoint detection. While TerraStealerV2 lacks the ability to decrypt credentials protected by Chrome’s Application Bound Encryption (ABE), a security measure introduced in mid-2024, it can still exfiltrate unprotected data. It copies cryptocurrency wallet directories and uploads them to Telegram bots and wetransfers[.]io, a lookalike domain hosted behind Cloudflare, showcasing the malware's data theft capabilities. TerraLogger represents the first keylogging capability developed by Golden Chickens. This standalone keylogger records keystrokes locally using a low-level keyboard hook and stores them in plaintext files within the C:\ProgramData directory. While TerraLogger currently lacks command-and-control or data exfiltration logic, its modular design suggests it is either under development or intended to be used in conjunction with other components of the Golden Chickens toolkit. Experts suggest the group continues to refine its delivery methods by combining VenomLNK attacks with Windows-native tools, indicating a persistent effort to evolve and enhance their malicious operations.
@www.recordedfuture.com
References: The Hacker News, www.recordedfuture.com
A new malware loader called MintsLoader is being used to distribute a remote access trojan (RAT) known as GhostWeaver. According to a report by Recorded Future's Insikt Group, MintsLoader employs a multi-stage infection chain that involves obfuscated JavaScript and PowerShell scripts. This loader is designed to evade sandbox environments and virtual machines, making it more difficult to detect and analyze. It also utilizes a domain generation algorithm (DGA) to create daily-changing command-and-control (C2) domains, adding another layer of complexity to the attack.
MintsLoader has been observed in phishing and drive-by download campaigns since early 2023. It is known to deliver various follow-on payloads, including StealC and a modified version of the Berkeley Open Infrastructure for Network Computing (BOINC) client. Threat actors are using MintsLoader in e-crime services like SocGholish and LandUpdate808, targeting the industrial, legal, and energy sectors through phishing emails and fake browser update prompts. Recent attacks have also incorporated the ClickFix social engineering tactic to trick users into executing malicious code. GhostWeaver, the RAT distributed by MintsLoader, is designed to maintain persistent communication with its C2 server, which is secured through TLS encryption using an obfuscated, self-signed X.509 certificate. GhostWeaver can also deploy MintsLoader as an additional payload. The loader's primary strengths lie in its evasion techniques and DGA implementation, which allow it to bypass security measures and complicate detection efforts.
The Hacker News
Cybersecurity researchers have uncovered a sophisticated supply chain attack targeting the Go programming language ecosystem, revealing three malicious Go modules designed to wipe Linux systems. These modules, named github.com/truthfulpharm/prototransform, github.com/blankloggia/go-mcp, and github.com/steelpoor/tlsproxy, contain obfuscated code that fetches next-stage payloads capable of irrevocably overwriting a Linux system's primary disk, rendering it unbootable. The attack, discovered in April 2025, highlights the dangers of direct dependency imports from public repositories and the effectiveness of code obfuscation in evading detection.
The malicious modules are designed to specifically target Linux environments. Upon execution, they retrieve a destructive shell script from a remote server using wget. This script, known as "done.sh," employs the Unix utility 'dd' to overwrite the entire primary disk ("/dev/sda") with zeroes. This process effectively eliminates the file system, operating system, and all user data, leaving affected systems crippled and data unrecoverable. According to Socket researcher Kush Pandya, this destructive method ensures no data recovery tool or forensic process can restore the data, emphasizing the extreme danger posed by modern supply-chain attacks. This incident underscores the escalating risks present in open-source supply chains and the potential for seemingly trusted code to become devastating threats. The impact of such an attack includes complete data loss, prolonged operational downtime, and severe financial and reputational damage for affected organizations. Security experts recommend thorough dependency audits, the implementation of automated code scanning tools, and continuous monitoring solutions to detect obfuscated or suspicious behaviors in third-party packages as crucial mitigation steps.
Pierluigi Paganini@securityaffairs.com
The Hive0117 group, linked to DarkWatchman, is reportedly targeting Russian critical infrastructure in a broad cyber campaign. According to F6 Threat Intelligence, the group is conducting a large-scale phishing campaign aimed at Russian companies across various industries, including media, tourism, finance, insurance, manufacturing, retail, energy, telecommunications, transport, and biotechnology. The attacks, which have been ongoing since February 2022, involve mass mailings disguised as coming from legitimate organizations, sent from infrastructure the group registers to manage its domains, which it often reuses.
The malicious emails contain password-protected archives which, when opened, trigger a chain reaction leading to system infection by a modified version of the DarkWatchman VPO (VPO being the Russian abbreviation for malicious software). This variant is designed to operate stealthily and evade detection by traditional security tools. Analysis reveals that the domains used in these attacks share registration data with domains previously used by the group in 2023, indicating a persistent and evolving threat. The DarkWatchman malware itself is a JavaScript-based remote access trojan capable of keylogging, collecting system information, and deploying secondary payloads. The financially motivated Hive0117 group has previously targeted users in Lithuania, Estonia, and Russia in sectors like telecom, electronics, and industry. Past campaigns have also used courier delivery-themed lures to target Russian banks, retailers, telecom operators, agro-industrial enterprises, fuel and energy companies, logistics businesses, and IT firms. The DarkWatchman malware's fileless nature, use of JavaScript and a C#-based keylogger, and ability to remove traces of its existence highlight its sophisticated capabilities, posing a significant risk to targeted organizations.
securebulletin.com@Secure Bulletin
Attackers are increasingly turning to trusted services like Gmail and Google APIs to create stealthy command-and-control (C2) channels. This tactic allows them to mask malicious activities within legitimate network traffic, making detection and mitigation significantly harder. By leveraging platforms like Gmail and Google Drive, threat actors can embed their communications within encrypted channels provided by reputable services, bypassing many traditional security measures. These communications are encrypted by Gmail’s TLS, further complicating detection efforts.
A recent investigation by Socket's Threat Research Team uncovered a campaign using malicious Python packages to establish covert tunnels via Gmail’s SMTP service, enabling attackers to exfiltrate data and execute remote commands undetected. Seven malicious PyPI packages, operating under the "Coffin Codes" theme, were found abusing Gmail's SMTP servers and WebSockets for data exfiltration and remote command execution. These packages, once installed, establish an encrypted connection to Gmail’s SMTP server using hardcoded credentials, sending signals and critical information to attacker-controlled email addresses. The identified packages include Coffin-Codes-Pro, Coffin-Codes-NET2, Coffin-Codes-NET, Coffin-Codes-2022, Coffin2022, Coffin-Grave, and cfc-bsb. While the packages have been removed from PyPI, one of them was downloaded over 18,000 times before removal. The most advanced variants of the packages also establish outbound WebSocket connections, enabling attackers to issue commands, transfer files, and potentially gain deeper access into the victim's network. This highlights the ongoing risks posed by supply chain attacks and the exploitation of trusted cloud services.
@unit42.paloaltonetworks.com
References: Virus Bulletin, securityonline.info
Researchers at Palo Alto Networks’ Unit 42 have discovered a new malware strain called Gremlin Stealer, actively being developed and sold on Telegram. The malware, written in C#, has been active since March 2025 and is designed to steal sensitive information from compromised systems. It is advertised on a Telegram channel named CoderSharp, where its authors actively promote its features and capabilities.
Gremlin Stealer targets a wide range of software to extract data from browsers, the clipboard, and the local disk. This includes sensitive data like credit card details, browser cookies, crypto wallet information, and VPN credentials. The malware has the ability to bypass Chrome cookie V20 protection, a feature designed to prevent unauthorized cookie extraction. It also actively scours the local file system and Windows Registry for crypto wallet data, targeting wallets for Litecoin, Bitcoin, Monero, and others. Once the data is stolen, Gremlin Stealer uploads the information to a web server for publication. The group behind the malware claims to have uploaded vast amounts of data from victims' machines to their server at 207.244.199[.]46. This server is a configurable portal that comes with the sale of the malware. The Gremlin Stealer website currently displays 14 files, described as ZIP archives of stolen data from victims' machines, with options to delete or download the archives.
@www.welivesecurity.com
A China-aligned advanced persistent threat (APT) group known as TheWizards is actively exploiting a vulnerability in IPv6 networking to launch sophisticated adversary-in-the-middle (AitM) attacks. These attacks allow the group to hijack software updates and deploy Windows malware onto victim systems. ESET Research has been tracking TheWizards' activities since at least 2022, identifying targets including individuals, gambling companies, and other organizations in the Philippines, the United Arab Emirates, Cambodia, mainland China, and Hong Kong. The group leverages a custom-built tool named Spellbinder to facilitate these attacks.
The Spellbinder tool functions by abusing the IPv6 Stateless Address Autoconfiguration (SLAAC) feature. It performs SLAAC spoofing to redirect IPv6 traffic to a machine controlled by the attackers, effectively turning it into a malicious IPv6-capable router. This enables the interception of network packets and DNS queries, specifically targeting software update domains. In a recent case, TheWizards hijacked updates for Tencent QQ, a popular Chinese software, to deploy their signature WizardNet backdoor. ESET's investigation has also uncovered potential links between TheWizards and the Chinese company Dianke Network Security Technology, also known as UPSEC. The attack chain typically involves an initial access vector followed by the deployment of a ZIP archive containing files such as AVGApplicationFrameHost.exe, wsc.dll, log.dat, and winpcap.exe. The execution of these files ultimately leads to the launch of Spellbinder, which then carries out the AitM attack. Researchers advise users to be cautious about software updates and monitor network traffic for any suspicious activity related to IPv6 configurations.
@securityonline.info
A new malware campaign is targeting WordPress websites by using a plugin disguised as a security tool. The malicious plugin, often named 'WP-antymalwary-bot.php', provides attackers with administrator access to compromised sites, all while remaining hidden from the WordPress admin dashboard. The Wordfence Threat Intelligence team discovered this threat in late January 2025 during a site cleanup, revealing the plugin's ability to maintain access, execute remote code, and inject malicious JavaScript. Other names associated with the plugin include addons.php, wpconsole.php, and wp-performance-booster.php, underscoring the campaign's wide reach and adaptability.
The disguised plugin is designed to appear legitimate, mimicking genuine plugin structure and code indentation, which allows it to easily evade detection by site administrators. Once installed, the plugin uses the WordPress REST API to facilitate remote code execution, injecting malicious PHP code into the site theme's header file or clearing the caches of popular caching plugins. Furthermore, the plugin incorporates a "pinging" function to report back to a command-and-control server and the ability to spread malware into other directories. A particularly concerning feature is a modified wp-cron.php file that can reactivate the plugin if it is removed, ensuring the malware's persistence on the compromised site. Security researchers have observed newer versions of this malware handling code injections differently. These updated versions fetch JavaScript code from compromised domains to serve ads or spam, demonstrating the malware's evolving sophistication. The presence of Russian language comments within the code suggests that the threat actors may be Russian-speaking. The discovery of this malware campaign highlights the importance of vigilance when installing WordPress plugins. Site owners should always verify the legitimacy and reputation of plugins before installation to prevent compromise and maintain the integrity of their websites.
The Hacker News
A new report from Citizen Lab has uncovered a spearphishing campaign targeting senior members of the World Uyghur Congress (WUC) living in exile. The attackers utilized a trojanized version of UyghurEditPP, a legitimate open-source text editor designed to support the Uyghur language, to deliver Windows-based malware. This campaign highlights the concerning trend of digital transnational repression, where software intended to empower repressed communities is instead weaponized against them. The method involved impersonating a known contact from a partner organization of the WUC to deliver a Google Drive link containing the malicious file.
Once the infected UyghurEditPP was executed, a hidden backdoor would silently gather system information, including the machine name, username, IP address, and operating system version. This data was then transmitted to a remote command-and-control (C2) server, allowing the attackers to perform various malicious actions, such as downloading files or uploading additional malicious plugins. Citizen Lab researchers noted that the attackers displayed a deep understanding of the target community, using culturally significant Uyghur and Turkic language terms in the C2 infrastructure to avoid raising suspicion. Researchers believe that state-aligned actors are behind this campaign, reflecting a broader pattern of Chinese government actors targeting the Uyghur community. While the malware itself wasn't particularly advanced, the campaign showcased a high level of social engineering. The discovery emphasizes the ongoing threats faced by the Uyghur diaspora and the need for increased vigilance against digital surveillance and hacking attempts. This incident adds to the growing evidence of digital transnational repression, where governments use digital technologies to surveil, intimidate, and silence exiled communities.
Pierluigi Paganini@Security Affairs
Jeffrey Bowie, the CEO of cybersecurity firm Veritaco, has been arrested and charged with two counts of violating Oklahoma's Computer Crimes Act. The charges stem from an incident on August 6, 2024, where Bowie allegedly installed malware on employee computers at St. Anthony Hospital in Oklahoma City. Security footage captured Bowie accessing multiple offices within the hospital before installing the malicious software, which was designed to capture screenshots every 20 minutes and transmit them to an external IP address.
Following the discovery of the unauthorized installation by a vigilant hospital employee, St. Anthony Hospital conducted a forensic review confirming the presence of malware. When confronted, Bowie claimed he needed to use the computer for a family member undergoing surgery, but authorities found his explanation unconvincing. SSM Health, the hospital's parent organization, issued a statement assuring the public that immediate action was taken and that no patient information was compromised due to the security measures in place. The hospital has since increased monitoring and employee training to further protect their systems. Bowie's arrest has sent shockwaves through the cybersecurity community, particularly given his position as the head of a firm specializing in protecting businesses from cyber threats. Veritaco, described on Bowie's LinkedIn profile as a company focused on "cybersecurity, digital forensics, and private intelligence," employed between two and ten individuals. The incident underscores the potential for insider threats, even from individuals entrusted with security responsibilities, and has led to renewed calls for robust internal controls and employee vigilance.
Pierluigi Paganini@securityaffairs.com
A large-scale phishing campaign is actively targeting WordPress WooCommerce users, employing deceptive tactics to compromise their websites. Cybercriminals are sending out fake security alerts, urging recipients to download a "critical patch." Unsuspecting users who fall for the scam and download the so-called patch are actually installing a malicious plugin that creates a hidden administrator account and gives attackers backdoor access to their WordPress sites. This campaign highlights the evolving sophistication of cyber threats against e-commerce platforms.
The phishing emails are designed to mimic official WooCommerce communications and often warn of a non-existent "Unauthenticated Administrative Access" vulnerability. To further deceive users, the attackers employ homograph attacks, using domain names that closely resemble the legitimate WooCommerce website but contain subtle character differences such as 'woocommėrce[.]com'. The fake patch, once installed, allows attackers to inject malicious code, redirect site visitors, or even encrypt server resources for extortion. Cybersecurity researchers advise WooCommerce users to be extremely cautious when receiving security alerts and to verify the authenticity of any patches directly through official WooCommerce channels. Users should also scan their instances for suspicious plugins or administrator accounts and ensure all software is up to date. The ultimate goal of the attackers is to gain remote control over the websites, allowing them to inject spam or sketchy ads, redirect site visitors to fraudulent sites, enlist the breached server into a botnet for carrying out DDoS attacks, and even encrypt the server resources as part of an extortion scheme.
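The 'woocommėrce[.]com' lure works because the dotted ė is visually close to e. The check below is an added example, not code from the report or from WooCommerce: it decodes punycode sender domains, reduces accented letters to their base letters (an approximation of the Unicode confusable "skeleton"), and reports a domain as a homograph when that reduced form matches a legitimate domain but the original contained non-ASCII characters. The legitimate-domain list is an assumed allowlist.

```python
"""Classify sender domains as legitimate, homograph lookalike, or unknown.

Added example, not from the original report.  LEGITIMATE_DOMAINS is an
assumed allowlist of the brands the phishing lures impersonate.
"""
import unicodedata

LEGITIMATE_DOMAINS = {"woocommerce.com", "wordpress.org"}


def refang(domain: str) -> str:
    """Turn a defanged indicator like 'example[.]com' back into a hostname."""
    return domain.replace("[.]", ".").strip().lower()


def to_unicode(domain: str) -> str:
    """Decode IDNA/punycode labels (xn--...) so lookalike characters are visible."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already contains Unicode characters


def skeleton(host: str) -> str:
    """Map accented letters to their base letter: 'ė' -> 'e' + combining dot,
    then drop the combining mark.  This approximates the Unicode TR39
    confusable skeleton for Latin-script lookalikes; it is not the full table."""
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def classify(domain: str) -> str:
    """Return 'legitimate', 'homograph' or 'unknown' for a sender domain."""
    host = to_unicode(refang(domain))
    if host in LEGITIMATE_DOMAINS:
        return "legitimate"
    has_non_ascii = any(ord(ch) > 127 for ch in host)
    if has_non_ascii and skeleton(host) in LEGITIMATE_DOMAINS:
        return "homograph"
    return "unknown"


def impersonated_brand(domain: str):
    """Return the legitimate domain a homograph imitates, or None."""
    if classify(domain) != "homograph":
        return None
    return skeleton(to_unicode(refang(domain)))


if __name__ == "__main__":
    for sample in ("woocommerce.com", "woocommėrce[.]com", "woocommerce-support.net"):
        print(f"{sample:28} -> {classify(sample)}")
```

Mail gateways usually see the punycode form, so the test below also feeds the encoded xn-- version of the lure domain through the same function.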
@www.silentpush.com
North Korean hackers, identified as the Contagious Interview APT group, are running a sophisticated malware campaign targeting individuals seeking employment in the cryptocurrency sector. Silent Push threat analysts have uncovered the operation, revealing that the group, also known as Famous Chollima and a subgroup of Lazarus, is using three front companies—BlockNovas LLC, Angeloper Agency, and SoftGlide LLC—to spread malicious software. These companies are being used to lure unsuspecting job applicants into downloading malware through fake job interview opportunities, marking an evolution in the group's cyber espionage and financial gain tactics.
The campaign involves the distribution of three distinct malware strains: BeaverTail, InvisibleFerret, and OtterCookie. Job seekers are enticed with postings on various online platforms, including CryptoJobsList, CryptoTask, and Upwork. Once an application is submitted, the hackers send what appear to be legitimate interview-related files containing the malware. The attackers are also using AI-generated images to create employee profiles for these front companies, specifically using Remaker AI to fabricate realistic personas, enhancing the credibility of their fraudulent operations and making it harder for job seekers to differentiate between genuine and malicious opportunities. The use of these front companies and AI-generated profiles signifies a new escalation in the tactics employed by Contagious Interview. The malware, once installed, allows hackers to remotely access infected computers and steal sensitive data. The campaign leverages legitimate platforms like GitHub and various job boards to further enhance its deceptive nature. Silent Push's analysis has successfully traced the malware back to specific websites and internet addresses used by the hackers, including lianxinxiao[.]com, and uncovered a hidden online dashboard monitoring suspected BeaverTail websites, providing valuable insights into the operational infrastructure of this North Korean APT group.
@cyberpress.org
A new variant of the Lumma Stealer malware has been identified, showing significant advancements in its stealth and persistence. Researchers at the Trellix Advanced Research Center analyzed the new variant, discovering features such as code flow obfuscation and dynamic API resolution that help it evade detection. Lumma Stealer, originally introduced in 2022, has rapidly evolved and poses a serious threat to personal and organizational data by targeting sensitive information stored on infected systems.
Lumma Stealer, also known as LummaC2, has gained popularity in underground forums with over a thousand active subscribers as of March 2025. The malware uses deceptive methods such as fake CAPTCHA pages, mimicking Google reCAPTCHA or Cloudflare challenges, to trick users into executing malicious commands. These fraudulent pages are often hosted on compromised websites offering pirated content or cryptocurrency services, enticing unsuspecting users to initiate the infection chain. The malware's infection chain is complex and difficult to detect. It involves downloading a .zip file, extracting the malware, and establishing persistence through the Windows Registry's Run key. More advanced attacks hide the malware within seemingly harmless .mp3 or .png files, triggered via the mshta.exe HTML application engine, deploying layers of encryption, anti-debugging techniques, and detection evasion mechanisms. The stealer targets sensitive data, including cryptocurrency wallet credentials, 2FA codes, browser-stored passwords, and financial information, which it transmits to attacker-controlled domains.
@securityonline.info
Cybercriminals are exploiting a legitimate Microsoft utility called mavinject.exe to inject malicious Dynamic Link Libraries (DLLs) into unsuspecting systems. This technique allows attackers to bypass security measures and execute sophisticated malicious payloads while appearing to be a benign process. Mavinject.exe is a command-line utility designed for Application Virtualization (App-V) environments, intended for injecting DLLs into specific processes. Because it's signed by Microsoft and has been a default component of Windows since version 1607, it is typically whitelisted by security solutions.
The exploitation of mavinject.exe involves using key Windows APIs such as OpenProcess, VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread. These APIs allow attackers to retrieve a handle to the target process, allocate memory within it, write the DLL path to the allocated memory, and create a new thread to load and execute the malicious DLL. By leveraging mavinject.exe, threat actors can achieve external code execution while circumventing detection, as the utility is considered a trusted application. This technique is categorized as Signed Binary Proxy Execution. Several Advanced Persistent Threat (APT) groups have been observed using mavinject.exe in real-world attacks. Earth Preta (Mustang Panda), a Chinese government-supported APT group, has used it to inject malicious DLLs, like backdoors, into legitimate processes such as waitfor.exe after initial access through phishing emails. The Lazarus Group has also employed mavinject.exe to inject malware into explorer.exe. Security measures recommended include monitoring mavinject.exe execution with specific arguments and API calls and, when not using App-V, blocking the utility altogether.
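The monitoring recommendation above can be turned into a concrete rule over process-creation telemetry. The following is an added example, not code from the report or from any EDR product: it inspects events shaped like Sysmon Event ID 1 records for mavinject.exe launched with its /INJECTRUNNING switch, resolves the target PID through an assumed process inventory, and raises the severity when the parent is not the App-V client, the target is one of the processes named in the report, or the DLL sits in a user-writable directory. All sample events and the App-V parent allowlist are constructed.

```python
"""Flag suspicious mavinject.exe invocations in process-creation telemetry.

Added example, not from the article or any vendor product.  Event field names
follow Sysmon Event ID 1 (Image, ParentImage, CommandLine); the process table,
the App-V parent allowlist and every sample event below are constructed.
"""
import re
from typing import Optional

# Injection targets the article reports in real intrusions.
REPORTED_TARGETS = {"waitfor.exe", "explorer.exe"}
# Parent that legitimately drives mavinject in App-V deployments (assumed allowlist).
EXPECTED_PARENTS = {"appvclient.exe"}
# Directories a standard user can write to; a DLL loaded from here is suspect.
USER_WRITABLE = re.compile(r"\\(temp|appdata|programdata|downloads|public)\\", re.I)
# Command-line shape: mavinject.exe <PID> /INJECTRUNNING <path-to-DLL>
INJECT_RE = re.compile(r'\s(\d+)\s+/INJECTRUNNING\s+"?([^"]+?)"?\s*$', re.I)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze(event: dict, process_table: dict) -> Optional[dict]:
    """Return a finding for a mavinject.exe injection event, else None.

    process_table maps PID -> image name and stands in for the sensor's
    process inventory, so the target named on the command line can be resolved.
    """
    if basename(event.get("Image", "")) != "mavinject.exe":
        return None
    match = INJECT_RE.search(event.get("CommandLine", ""))
    if not match:
        return None  # mavinject without an injection argument is not interesting
    target_pid, dll_path = int(match.group(1)), match.group(2)
    target = process_table.get(target_pid, "unknown")
    parent = basename(event.get("ParentImage", ""))

    reasons = ["mavinject.exe invoked with /INJECTRUNNING"]
    score = 1
    if parent not in EXPECTED_PARENTS:
        reasons.append(f"parent {parent or 'unknown'} is not an App-V component")
        score += 1
    if target in REPORTED_TARGETS:
        reasons.append(f"target {target} matches reported tradecraft")
        score += 1
    if USER_WRITABLE.search(dll_path):
        reasons.append("DLL path is in a user-writable directory")
        score += 1
    return {"severity": "high" if score >= 3 else "medium", "parent": parent,
            "target": target, "dll": dll_path, "reasons": reasons}


def scan(events: list, process_table: dict) -> list:
    """Run analyze() over a batch of events and keep only the findings."""
    return [f for f in (analyze(e, process_table) for e in events) if f]


# Constructed sample data: PID 4120 is explorer.exe, PID 5016 a virtualised app.
SAMPLE_PROCESS_TABLE = {4120: "explorer.exe", 5016: "virtapp.exe"}
SAMPLE_EVENTS = [
    {   # dropped-executable parent, explorer.exe target, DLL in C:\Users\Public
        "Image": r"C:\Windows\System32\mavinject.exe",
        "ParentImage": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
        "CommandLine": r'"C:\Windows\System32\mavinject.exe" 4120 /INJECTRUNNING C:\Users\Public\update.dll',
    },
    {   # App-V client launching mavinject against a virtualised application
        "Image": r"C:\Windows\System32\mavinject.exe",
        "ParentImage": r"C:\Program Files\Microsoft Application Virtualization\Client\AppVClient.exe",
        "CommandLine": r'"C:\Windows\System32\mavinject.exe" 5016 /INJECTRUNNING "C:\Program Files\Vendor\hook.dll"',
    },
    {   # help text only: no injection argument, ignored
        "Image": r"C:\Windows\System32\mavinject.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'"C:\Windows\System32\mavinject.exe" /?',
    },
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS, SAMPLE_PROCESS_TABLE):
        print(finding["severity"], finding["target"], finding["reasons"])
```

Where App-V is not deployed at all, the rule can be reduced to "any mavinject.exe execution", which matches the blocking advice in the report.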
@research.checkpoint.com
Russian state-sponsored hacking group APT29, also known as Cozy Bear or Midnight Blizzard, is actively targeting European diplomatic entities with a sophisticated phishing campaign that began in January 2025. The threat actors are using deceptive emails disguised as invitations to wine-tasting events, enticing recipients to download a malicious ZIP file. The ZIP file contains a PowerPoint executable ("wine.exe") and two hidden DLL files, one of which is a malware loader dubbed GRAPELOADER. This campaign appears to be focused on targeting European diplomatic entities, including non-European countries’ embassies located in Europe.
GRAPELOADER is a newly observed initial-stage tool used for fingerprinting, persistence, and payload delivery. Once executed, GRAPELOADER establishes persistence by modifying the Windows registry, collects basic system information such as the username and computer name, and communicates with a command-and-control (C2) server to fetch additional malicious payloads. The malware copies the contents of the malicious ZIP archive to a new location on disk and achieves persistence by modifying the Windows registry’s Run key, ensuring that wine.exe is executed automatically every time the system reboots. In addition to GRAPELOADER, a new variant of WINELOADER, a modular backdoor previously used by APT29, has been discovered and is likely being used in later stages of the attack. GRAPELOADER employs advanced techniques to avoid detection, such as masking strings in its code and only decrypting them briefly in memory before erasing them. These recent attacks use a new technique aimed at abusing legitimate Microsoft OAuth 2.0 authentication workflows. The attackers are impersonating officials from various European nations, and in one instance leveraged a compromised Ukrainian Government account.