@cyberpress.org
//
The North Korea-linked threat group APT37 has been identified as the perpetrator of a sophisticated spear phishing campaign targeting activists and organizations focused on North Korean affairs. Genians Security Center researchers analyzed the campaign, dubbed "Operation: ToyBox Story," which involved the use of fake academic forum invites from a South Korean national security think tank to lure victims. The attackers leveraged Dropbox to deliver malicious LNK files, demonstrating an evolution in their attack methodology.
The spear phishing emails were cleverly disguised as invitations and information from a legitimate South Korean national security think tank, referencing real-world events such as "Trump 2.0 Era: Prospects and South Korea’s Response" to enhance credibility. These emails contained Dropbox links leading to compressed ZIP archives, which, upon extraction, harbored malicious shortcut (LNK) files. When a user opens the malicious LNK file, it initiates a multi-stage malware loader chain.
The campaign highlighted APT37's ongoing use of trusted cloud platforms like Dropbox as command and control (C2) infrastructure, a tactic known as "Living off Trusted Sites" (LoTS). This approach allows the attackers to blend malicious traffic with legitimate cloud service activity, complicating detection and response efforts. The malicious LNK files are designed to execute hidden PowerShell commands, which deploy a decoy document while simultaneously creating hidden files and ultimately injecting shellcode directly into memory to install a variant of the RoKRAT malware family. RoKRAT collects system information and allows for further exploitation of the victim's system.
References:
- cyberpress.org: The North Korea-linked threat group APT37 launched a sophisticated spear phishing campaign targeting activists and organizations focused on North Korean affairs. The attackers disguised their emails as invitations and information from a South Korean national security think tank, referencing real-world events such as “Trump 2.0 Era: Prospects and South Korea’s Response” to enhance credibility. These
- www.genians.co.kr: Genians Security Center (GSC) researchers analyse APT37's “Operation: ToyBox Story”, in which the group used fake academic forum invites from a South Korean security think tank to lure victims and delivered malicious LNK files via the Dropbox cloud platform.
Classification:
- HashTags: #APT37 #SpearPhishing #Dropbox
- Company: Genians Security Center
- Target: Activists and organizations
- Attacker: APT37
- Product: Dropbox
- Type: Hack
- Severity: Major
@thehackernews.com
//
A new report from Citizen Lab has uncovered a spearphishing campaign targeting senior members of the World Uyghur Congress (WUC) living in exile. The attackers utilized a trojanized version of UyghurEditPP, a legitimate open-source text editor designed to support the Uyghur language, to deliver Windows-based malware. This campaign highlights the concerning trend of digital transnational repression, where software intended to empower repressed communities is instead weaponized against them. The method involved impersonating a known contact from a partner organization of the WUC to deliver a Google Drive link containing the malicious file.
Once the infected UyghurEditPP was executed, a hidden backdoor would silently gather system information, including the machine name, username, IP address, and operating system version. This data was then transmitted to a remote command-and-control (C2) server, allowing the attackers to perform various malicious actions, such as downloading files or uploading additional malicious plugins. Citizen Lab researchers noted that the attackers displayed a deep understanding of the target community, using culturally significant Uyghur and Turkic language terms in the C2 infrastructure to avoid raising suspicion.
Researchers believe that state-aligned actors are behind this campaign, reflecting a broader pattern of Chinese government actors targeting the Uyghur community. While the malware itself wasn't particularly advanced, the campaign showcased a high level of social engineering. The discovery emphasizes the ongoing threats faced by the Uyghur diaspora and the need for increased vigilance against digital surveillance and hacking attempts. This incident adds to the growing evidence of digital transnational repression, where governments use digital technologies to surveil, intimidate, and silence exiled communities.
References:
- The Citizen Lab: Weaponized Words: Uyghur Language Software Hijacked to Deliver Malware
- securityonline.info: Weaponized Uyghur Language Software: Citizen Lab Uncovers Targeted Malware Campaign
- techcrunch.com: Citizen Lab says exiled Uyghur leaders targeted with Windows spyware
- securityonline.info: Researchers at Citizen Lab have exposed a spearphishing campaign targeting senior members of the
- The Hacker News: Malware Attack Targets World Uyghur Congress Leaders via Trojanized UyghurEdit++ Tool
- thecyberexpress.com: Text Editor Used in Targeted Uyghur Spying
- The Register - Software: Open source text editor poisoned with malware to target Uyghur users
- Security Risk Advisors: State-aligned actors trojanized UyghurEdit++ to target diaspora via phishing. Backdoor exfiltrates system data and downloads plugins. #Uyghur #ThreatIntel
- citizenlab.ca: 🚩 Trojanized UyghurEdit++ Text Editor Used to Target Uyghur Diaspora With Windows Surveillance Malware
- The Cyber Express: Trojanized Text Editor Software Used in Targeted Uyghur Spy Campaign
- hackread.com: China-linked hackers targeted Uyghur activists using a Trojanized UyghurEditPP app in a spear-phishing campaign, Citizen Lab researchers reveal.…
- www.scworld.com: Uyghur leaders subjected to malware attack
Classification:
- HashTags: #Uyghur #Malware #China
- Company: China
- Target: Uyghur activists
- Attacker: China-linked
- Product: UyghurEdit++
- Type: Espionage
- Severity: Major
@research.checkpoint.com
//
Russian state-sponsored espionage group Midnight Blizzard, also known as APT29 or Cozy Bear, is conducting a spear-phishing campaign targeting European diplomatic organizations. Check Point Research has been observing this sophisticated operation, which began in January 2025 and employs advanced techniques to target government officials and diplomats across Europe. The threat actors are impersonating a major European foreign affairs ministry to send deceptive emails inviting targets to wine-tasting events. This campaign, leveraging custom malware, aims to compromise diplomatic entities, including embassies of non-European countries.
The campaign introduces a previously unseen malware loader called GrapeLoader, along with a new variant of the Wineloader backdoor. The phishing emails, sent from domains like 'bakenhof[.]com' or 'silry[.]com,' contain malicious links that, under specific conditions, initiate the download of a ZIP archive named 'wine.zip'. If the targeting conditions are not met, victims are redirected to the legitimate website of the impersonated ministry, reducing suspicion. This mirrors a previous Wineloader campaign, indicating a continued focus on European diplomacy by APT29.
Once executed via DLL sideloading, GrapeLoader collects host information, establishes persistence by modifying the Windows Registry, and contacts a command-and-control server. The use of in-memory execution is an advanced evasion technique to complicate detection. The objective of the campaign is likely espionage, given APT29's history of targeting high-profile organizations, including government agencies and think tanks, and its association with the SolarWinds supply chain attack.
References:
- Check Point Blog: Details on APT29's updated phishing campaign targeting European diplomatic organizations. Focus on new malware and TTPs
- BleepingComputer: Russian state-sponsored espionage group Midnight Blizzard is behind a new spear-phishing campaign targeting diplomatic entities in Europe, including embassies.
- bsky.app: Midnight Blizzard deploys new GrapeLoader malware in embassy phishing
- blog.checkpoint.com: Unmasking APT29: The Sophisticated Phishing Campaign Targeting European Diplomacy
- cyberpress.org: Detailed report about APT29's GRAPELOADER campaign targeting European diplomats.
- research.checkpoint.com: Renewed APT29 Phishing Campaign Against European Diplomats
- Cyber Security News: APT29 Hackers Deploy GRAPELOADER in Latest Attack on European Diplomats
- The Register - Security: Russians lure European diplomats into malware trap with wine-tasting invite
- iHLS: Russian Phishing Campaign Steals Sensitive Data in European Government Networks
- cybersecuritynews.com: APT29 Hackers Deploy GRAPELOADER in Latest Attack on European Diplomats
- www.scworld.com: New APT29 spear-phishing campaign targets European diplomatic organizations
- www.helpnetsecurity.com: Cozy Bear targets EU diplomats with wine-tasting invites (again)
- Check Point Research: Renewed APT29 Phishing Campaign Against European Diplomats
- Help Net Security: Detailed report on the campaign's tactics, techniques, and procedures, including the use of fake wine-tasting invitations.
- securityonline.info: Sophisticated phishing campaign targeting European governments and diplomats, using a wine-themed approach
- securityonline.info: APT29 Targets European Diplomats with Wine-Themed Phishing
- www.csoonline.com: The tactics, techniques, and procedures (TTPs) observed in this campaign bear strong similarities to those seen in the previous WINELOADER campaign from March 2024. The report contains indicators of compromise such as file names, file hashes and C2 URLs that security teams can use to build detections and threat hunting queries.
- Virus Bulletin: The campaign employs a new loader, called GRAPELOADER, which is downloaded via a link in the phishing email.
- The Hacker News: The Hacker News reports on APT29 targeting European diplomats with wine-themed phishing emails and the GrapeLoader malware.
- hackread.com: Midnight Blizzard (APT29/Cozy Bear) targets European embassies and Ministries of Foreign Affairs with sophisticated phishing emails disguised as…
- ciso2ciso.com: Midnight Blizzard Targets European Diplomats with Wine Tasting Phishing Lure – Source: www.infosecurity-magazine.com
- ciso2ciso.com: APT29 Targets European Diplomats with Wine-Themed Phishing
- hackread.com: Russian Cozy Bear’s Wine Lure Drops WineLoader Malware on EU Diplomats
- thehackernews.com: The Russian state-sponsored threat actor known as APT29 has been linked to an advanced phishing campaign that's targeting diplomatic entities across Europe with a new variant of WINELOADER and a previously unreported malware loader codenamed GRAPELOADER.
- www.techradar.com: European diplomats targeted by Russian phishing campaign promising fancy wine tasting
- Talkback Resources: Talkback.sh discusses APT29 Deploys GRAPELOADER Malware Targeting European Diplomats Through Wine-Tasting Lures [mal]
- Talkback Resources: Russian Cozy Bear’s Wine Lure Drops WineLoader Malware on EU Diplomats
- securityaffairs.com: Russia-linked group APT29 targeted diplomatic entities across Europe with a new malware loader codenamed GRAPELOADER.
- eSecurity Planet: Russian Hackers Target European Diplomats with ‘Wine-Tasting’ Phishing Scams
- www.esecurityplanet.com: Russian Hackers Target European Diplomats with ‘Wine-Tasting’ Phishing Scams
- Security Risk Advisors: Russia-Linked APT29 Targets European Diplomats with New GRAPELOADER Malware in Sophisticated Phishing Campaign
- ciso2ciso.com: Russia-linked APT29 targets European diplomatic entities with GRAPELOADER malware – Source: securityaffairs.com
- ciso2ciso.com: Russia-linked group APT29 targeted diplomatic entities across Europe with a new malware loader codenamed GRAPELOADER.
- Talkback Resources: Russia-linked group APT29 used a phishing campaign with fake wine tasting invitations to target European embassies and Ministries of Foreign Affairs, deploying GrapeLoader and WineLoader malware to gather sensitive information and conduct cyber spying operations.
Classification:
- HashTags: #MidnightBlizzard #APT29 #SpearPhishing
- Target: European diplomatic organizations
- Attacker: Midnight Blizzard
- Malware: Grapeloader, Wineloader
- Type: Espionage
- Severity: Medium