CyberSecurity news

FlagThis - #phishingcampaign

info@thehackernews.com (The@The Hacker News //

APT29 Leverages Wine Tasting Phishing for GrapeLoader - APT29, a Russian state-sponsored hacking group, targets European diplomatic entities with a sophisticated phishing campaign using GrapeLoader malware via deceptive wine-tasting invitations.
APT29, a Russian state-sponsored hacking group also known as Cozy Bear or Midnight Blizzard, is actively targeting European diplomatic entities with a sophisticated phishing campaign that began in January 2025. The group is using deceptive emails disguised as invitations to wine-tasting events to entice recipients into downloading a malicious ZIP file. This archive, often named "wine.zip," contains a legitimate PowerPoint executable alongside malicious DLL files designed to compromise the victim's system. These campaigns appear to focus primarily on Ministries of Foreign Affairs, as well as other countries' embassies in Europe, with indications suggesting that diplomats based in the Middle East may also be targets.

The malicious ZIP archive contains a PowerPoint executable ("wine.exe") and two hidden DLL files. When the PowerPoint executable is run, it activates a previously unknown malware loader called GRAPELOADER through a technique known as DLL side-loading. GRAPELOADER then establishes persistence on the system by modifying the Windows Registry. It collects basic system information, such as username and computer name, and communicates with a command-and-control server to fetch additional malicious payloads. This technique allows the attackers to maintain access to the compromised systems.

GRAPELOADER distinguishes itself through its advanced stealth techniques, including masking strings in its code and only decrypting them briefly in memory before erasing them. This malware gains persistence by modifying the Windows registry’s Run key, ensuring that the "wine.exe" is executed automatically every time the system reboots. The ultimate goal of the campaign is to deliver a shellcode, with Check Point also identifying updated WINELOADER artifacts uploaded to the VirusTotal platform with compilation timestamps matching recent activity. The emails are sent from domains like bakenhof[.]com and silry[.]com.

Recommended read:
References :
  • Check Point Blog: Details on APT29's updated phishing campaign targeting European diplomatic organizations. Focus on new malware and TTPs
  • BleepingComputer: Russian state-sponsored espionage group Midnight Blizzard is behind a new spear-phishing campaign targeting diplomatic entities in Europe, including embassies.
  • bsky.app: Midnight Blizzard deploys new GrapeLoader malware in embassy phishing
  • blog.checkpoint.com: Unmasking APT29: The Sophisticated Phishing Campaign Targeting European Diplomacy
  • cyberpress.org: Detailed report about APT29's GRAPELOADER campaign targeting European diplomats.
  • research.checkpoint.com: Russia-Linked APT29 Targets European Diplomats with New GRAPELOADER Malware in Sophisticated Phishing Campaign
  • Cyber Security News: APT29 Hackers Deploy GRAPELOADER in Latest Attack on European Diplomats
  • The Register - Security: Russians lure European diplomats into malware trap with wine-tasting invite
  • iHLS: Russian Phishing Campaign Steals Sensitive Data in European Government Networks
  • cybersecuritynews.com: APT29 Hackers Deploy GRAPELOADER in Latest Attack on European Diplomats
  • www.scworld.com: New APT29 spear-phishing campaign targets European diplomatic organizations
  • www.helpnetsecurity.com: Cozy Bear targets EU diplomats with wine-tasting invites (again)
  • Check Point Research: Renewed APT29 Phishing Campaign Against European Diplomats
  • Help Net Security: Detailed report on the campaign's tactics, techniques, and procedures, including the use of fake wine-tasting invitations.
  • securityonline.info: Sophisticated phishing campaign targeting European governments and diplomats, using a wine-themed approach
  • securityonline.info: APT29 Targets European Diplomats with Wine-Themed Phishing
  • www.csoonline.com: The tactics, techniques, and procedures (TTPs) observed in this campaign bear strong similarities to those seen in the previous WINELOADER campaign from March 2024, The report contains indicators of compromise such as file names, file hashes and C2 URLs that can be used by security teams to build detections and threat hunting queries.
  • Virus Bulletin: The campaign employs a new loader, called GRAPELOADER, which is downloaded via a link in the phishing email.
  • The Hacker News: The Hacker News reports on APT29 targeting European diplomats with wine-themed phishing emails and the GrapeLoader malware.
  • hackread.com: Russian Cozy Bear’s Wine Lure Drops WineLoader Malware on EU Diplomats
  • ciso2ciso.com: Midnight Blizzard Targets European Diplomats with Wine Tasting Phishing Lure – Source: www.infosecurity-magazine.com
  • ciso2ciso.com: APT29 Targets European Diplomats with Wine-Themed Phishing
  • hackread.com: Russian Cozy Bear’s Wine Lure Drops WineLoader Malware on EU Diplomats
  • thehackernews.com: The Russian state-sponsored threat actor known as APT29 has been linked to an advanced phishing campaign that's targeting diplomatic entities across Europe with a new variant of WINELOADER and a previously unreported malware loader codenamed GRAPELOADER.
  • www.techradar.com: European diplomats targeted by Russian phishing campaign promising fancy wine tasting
  • Talkback Resources: Talkback.sh discusses APT29 Deploys GRAPELOADER Malware Targeting European Diplomats Through Wine-Tasting Lures [mal]
  • Talkback Resources: Russian Cozy Bear’s Wine Lure Drops WineLoader Malware on EU Diplomats [social] [mal]
  • ciso2ciso.com: Midnight Blizzard Targets European Diplomats with Wine Tasting Phishing Lure – Source: www.infosecurity-magazine.com
  • securityaffairs.com: Russia-linked group APT29 targeted diplomatic entities across Europe with a new malware loader codenamed GRAPELOADER.
  • eSecurity Planet: Russian Hackers Target European Diplomats with ‘Wine-Tasting’ Phishing Scams
  • www.esecurityplanet.com: Russian state-linked hacking group is ramping up its cyberattacks against diplomatic targets across Europe, using a new stealthy malware tool known as “GrapeLoader” to deliver malicious payloads through cleverly disguised phishing emails.
  • Security Risk Advisors: Russia-Linked APT29 Targets European Diplomats with New GRAPELOADER Malware in Sophisticated Phishing Campaign
  • ciso2ciso.com: Russia-linked APT29 targets European diplomatic entities with GRAPELOADER malware – Source: securityaffairs.com
  • ciso2ciso.com: Russia-linked group APT29 targeted diplomatic entities across Europe with a new malware loader codenamed GRAPELOADER.
  • Talkback Resources: Russia-linked group APT29 used a phishing campaign with fake wine tasting invitations to target European embassies and Ministries of Foreign Affairs, deploying GrapeLoader and WineLoader malware to gather sensitive information and conduct cyber spying operations.
  • Blog: Russian state-sponsored hacking group APT29, also known as Cozy Bear or Midnight Blizzard, has launched a sophisticated phishing campaign targeting European diplomatic entities. The attackers are using deceptive emails that mimic invitations to wine-tasting events, enticing recipients to download a malicious ZIP file named wine.zip.
info@thehackernews.com (The@The Hacker News //

PoisonSeed Exploits CRM Accounts to Launch Cryptocurrency Seed Phrase Poisoning Attacks - A new phishing campaign, PoisonSeed, targets CRM platforms and bulk email service providers to facilitate cryptocurrency-related scams, compromising credentials and cryptocurrency wallets.
A new phishing campaign called 'PoisonSeed' has emerged, posing a significant cybersecurity threat by targeting customer relationship management (CRM) platforms and bulk email service providers. The campaign leverages compromised credentials to distribute emails containing cryptocurrency seed phrases, aiming to drain victims' digital wallets. This activity forms part of a broader supply chain attack, impacting enterprise organizations and individuals outside the cryptocurrency industry, with crypto companies like Coinbase and Ledger and bulk email providers such as Mailchimp, SendGrid, Hubspot, Mailgun, and Zoho among the targeted companies.

PoisonSeed's method involves creating convincing phishing pages mimicking login portals for popular CRM and email platforms. These deceptive pages trick victims into revealing their credentials, after which the attackers automate the export of email lists and create API keys for persistent access. Compromised accounts are then used to send bulk phishing emails with urgent lures, such as fake wallet migration notices, urging recipients to set up new cryptocurrency wallets using a provided seed phrase. If entered, this seed phrase allows attackers to access the wallet and steal funds, initiating a cryptocurrency seed phrase poisoning attack.

Silent Push analysts have identified an extensive list of Indicators of Compromise (IoCs) associated with PoisonSeed's infrastructure, including phishing domains like mailchimp-sso[.]com and C2 Servers with IP addresses such as 212.224.88[.]188. While PoisonSeed shares some tactics with known groups like Scattered Spider and CryptoChameleon, it's considered a distinct entity with a focus on cryptocurrency theft rather than ransomware attacks. This malicious campaign exploits CRM credentials to spread cryptocurrency seed phrase attacks, placing many wallets at risk of compromise.

Recommended read:
References :
  • Cyber Security News: The campaign targets individuals and organizations outside the cryptocurrency industry.
  • gbhackers.com: PoisonSeed uses advanced phishing techniques.
  • www.bleepingcomputer.com: Threat actors are leveraging compromised credentials.
  • securityonline.info: SecurityOnline.info - PoisonSeed Campaign: Uncovering a Web of Cryptocurrency and Email Provider Attacks
  • The DefendOps Diaries: Understanding the PoisonSeed Phishing Campaign: A New Cyber Threat
  • The Hacker News: PoisonSeed Exploits CRM Accounts to Launch Cryptocurrency Seed Phrase Poisoning Attacks
  • securityaffairs.com: PoisonSeed Campaign uses stolen email credentials to spread crypto seed scams and and empty wallets
  • The Hacker News: PoisonSeed Exploits CRM Accounts to Launch Cryptocurrency Seed Phrase Poisoning Attacks
  • ciso2ciso.com: PoisonSeed Campaign uses stolen email credentials to spread crypto seed scams and and empty wallets – Source: securityaffairs.com
  • ciso2ciso.com: PoisonSeed Campaign uses stolen email credentials to spread crypto seed scams and and empty wallets – Source: securityaffairs.com
  • Cyber Security News: A new phishing campaign, PoisonSeed, has been targeting CRM and email providers to obtain email lists for bulk cryptocurrency spamming.
  • securityonline.info: Threat actors target email providers to provide infrastructure for cryptocurrency spam operations.
  • Security Risk Advisors: PoisonSeed Actors Hijack Bulk Email Services to Execute Cryptocurrency Seed Phrase Attacks
info@thehackernews.com (The@The Hacker News //

PoisonSeed Phishing Targets Crypto Wallets - PoisonSeed is a phishing campaign compromising corporate email marketing accounts to distribute crypto seed phrases, draining cryptocurrency wallets and targeting individuals with access to CRM systems and bulk email services.
The PoisonSeed phishing campaign represents a new and evolving cyber threat, targeting individuals with access to critical systems like Customer Relationship Management (CRM) platforms and bulk email services. This large-scale operation compromises corporate email marketing accounts to distribute emails containing crypto seed phrases, ultimately used to drain cryptocurrency wallets. Attackers focus on high-value targets, employing detailed reconnaissance to ensure their phishing emails reach the most impactful individuals. By mimicking legitimate services through carefully crafted emails and fake login pages, PoisonSeed exemplifies the evolving nature of phishing threats, deceiving victims into believing they are from legitimate sources.

PoisonSeed's attack methodology is distinguished by its sophisticated approach, targeting individuals with access to CRM systems and bulk email platforms. The first stage involves meticulous target identification, focusing on those with access to CRM systems and bulk email platforms, as these targets provide significant leverage for further attacks. The reconnaissance process includes analyzing the email services used by companies and identifying employees in relevant positions. Once targets are identified, the attackers craft professional phishing emails designed to deceive recipients, sending them from spoofed addresses to enhance their authenticity, often containing links to fake login pages hosted on carefully named domains.

The phishing pages deployed by PoisonSeed are designed to capture sensitive information, particularly cryptocurrency wallet seed phrases. Victims are tricked into entering attacker-provided seed phrases while setting up new cryptocurrency wallets, allowing the attackers to monitor and eventually take control of these wallets once funds are deposited. Compromised accounts are then used to send bulk phishing emails, employing urgent lures, such as notifications about "restricted sending privileges" or fake wallet migration notices. Domains such as mail-chimpservices[.]com have been used to deceive MailChimp users, showcasing the campaign's attention to detail.

Recommended read:
References :
  • The DefendOps Diaries: Understanding the PoisonSeed Phishing Campaign: A New Cyber Threat
  • www.bleepingcomputer.com: PoisonSeed phishing campaign distributing emails with wallet seed phrases.
  • bsky.app: PoisonSeed phishing campaign behind emails with wallet seed phrases
  • Cyber Security News: PoisonSeed Launches Supply Chain Phishing Attacks on CRM and Bulk Email Services
  • gbhackers.com: PoisonSeed Targets CRM and Bulk Email Providers in New Supply Chain Phishing Attack
  • securityonline.info: PoisonSeed Campaign: Uncovering a Web of Cryptocurrency and Email Provider Attacks
  • The Hacker News: PoisonSeed Exploits CRM Accounts to Launch Cryptocurrency Seed Phrase Poisoning Attacks
  • securityaffairs.com: PoisonSeed Campaign uses stolen email credentials to spread crypto seed scams and and empty wallets
  • securityonline.info: Silent Push Threat Analysts have uncovered a sophisticated campaign targeting enterprise organizations, VIP individuals, and cryptocurrency holders, dubbed “PoisonSeed.â€
  • ciso2ciso.com: PoisonSeed Campaign uses stolen email credentials to spread crypto seed scams and and empty wallets – Source: securityaffairs.com
  • www.silentpush.com: Silent Push blog about PoisonSeed campaign.
  • The Hacker News: PoisonSeed Exploits CRM Accounts to Launch Cryptocurrency Seed Phrase Poisoning Attacks
  • Security Risk Advisors: #PoisonSeed campaign compromises email providers to launch crypto seed phrase poisoning attacks. Targets include #Mailchimp #SendGrid and #Coinbase users.
@cyberalerts.io //

ClickFix Attack Deploys Havoc C2 via SharePoint - A ClickFix phishing campaign tricks victims into deploying the Havok framework, using SharePoint and the Microsoft Graph API to hide malicious communications within trusted Microsoft services.
A newly uncovered ClickFix phishing campaign is tricking victims into executing malicious PowerShell commands, which subsequently deploy the Havok post-exploitation framework. This framework grants attackers remote access to compromised devices. The attackers cleverly conceal the different stages of their malware within SharePoint sites and employ a modified version of Havoc Demon in tandem with the Microsoft Graph API. This tactic is used to obfuscate command-and-control (C2) communications, making them appear as legitimate traffic within trusted Microsoft services.

The attack starts with a phishing email that has a HTML attachment, when opened, displays an error message, which uses the ClickFix technique to trick users into copying and executing a malicious PowerShell command into their terminal or PowerShell, thereby triggering the next-stage. The command downloads and executes a PowerShell script hosted on a server controlled by the attacker. This script checks for sandboxed environments, downloads the Python interpreter if needed, and executes a Python script serving as a shellcode loader for KaynLdr, launching the Havoc Demon agent on the infected host.

Recommended read:
References :
  • bsky.app: A newly uncovered ClickFix phishing campaign is tricking victims into executing malicious PowerShell commands that deploy the Havok post-exploitation framework for remote access to compromised devices.
  • thehackernews.com: Hackers Use ClickFix Trick to Deploy PowerShell-Based Havoc C2 via SharePoint Sites
  • BleepingComputer: BleepingComputer post about a new ClickFix phishing campaign.
  • Anonymous ???????? :af:: A newly uncovered ClickFix phishing campaign is tricking victims into executing malicious PowerShell commands that deploy the Havok post-exploitation framework for remote access to compromised devices.
  • Talkback Resources: Hackers Use ClickFix Trick to Deploy PowerShell-Based Havoc C2 via SharePoint Sites [social] [mal]
  • bsky.app: A newly uncovered ClickFix phishing campaign is tricking victims into executing malicious PowerShell commands that deploy the Havok post-exploitation framework for remote access to compromised devices.
  • Virus Bulletin: Virus Bulletin covers campaign combining ClickFix & multi-stage malware to deploy a modified Havoc Demon Agent.
  • Email Security - Blog: Cyber security researchers have discovered a new and sophisticated cyber attack campaign that’s predicated on social engineering and remote access tool use.
@securityonline.info //

Hackers Abuse Webflow CDN Using CAPTCHA Trick - A phishing campaign abuses the Webflow CDN, using fake PDF documents with CAPTCHAs to steal credit card data and commit financial fraud by targeting users searching for documents online.
A sophisticated phishing campaign is underway, abusing the Webflow content delivery network (CDN) to steal credit card data and commit financial fraud. Attackers are hosting fake PDF documents on Webflow, embedded with CAPTCHA images and a real Cloudflare Turnstile CAPTCHA, to deceive users and evade detection by static scanners. This scheme targets individuals searching for documents on search engines, redirecting them to malicious PDFs.

These PDF files mimic a CAPTCHA challenge, prompting users to click and complete a genuine Cloudflare CAPTCHA, creating a false sense of security. Upon completion, victims are redirected to a page requesting personal and credit card details to "download" the supposed document. After entering their credit card details, users receive an error message, and repeated submissions lead to an HTTP 500 error page, while the attackers already have their information.

Recommended read:
References :
  • Talkback Resources: Hackers Use CAPTCHA Trick on Webflow CDN PDFs to Bypass Security Scanners [social]
  • The Hacker News: The Hacker News article about hackers using CAPTCHA trick on Webflow CDN.
  • securityonline.info: Sophisticated Phishing Campaign Abuses Webflow CDN to Steal Credit Card Data
  • securityonline.info: SecurityOnline.info article about phishing campaign abusing Webflow CDN.

Posts

Blogs

Research Tools