Monday, May 5, 2025

APT29 Hackers Use GRAPELOADER in New Attack Against European Diplomats


Check Point Research (CPR) has uncovered a new targeted phishing campaign employing GRAPELOADER, a sophisticated initial-stage downloader, launched by the notorious Russian-linked hacking group APT29, known alternatively as Midnight Blizzard or Cozy Bear.

This campaign, identified since January 2025, primarily focuses on European governments and diplomatic entities.

Campaign Overview

APT29, recognized for its sophisticated cyber operations against high-profile organizations, has pivoted back to its known approach of using themed phishing emails to initiate infections.


Approximately one year after their last campaign involving WINELOADER, the group has adopted GRAPELOADER, a tool designed for environment fingerprinting, establishing persistence, and payload delivery, to infiltrate systems of diplomats and government officials in Europe.

[Figure: High-level overview of GRAPELOADER infections.]

The campaign begins with carefully crafted phishing emails masquerading as invitations from the Ministry of Foreign Affairs of a European country, enticing recipients to join exclusive wine-tasting events.

These emails are sent from domains bakenhof[.]com and silry[.]com, with subjects like “Wine Event,” “Wine Testing Event,” and “For Ambassador’s Calendar.”

According to the report, the emails contain a link leading to the download of an archive named ‘wine.zip’, which initiates the infection process.

Technical Analysis

GRAPELOADER:

  • Delivery Method: GRAPELOADER is embedded within a 64-bit DLL (ppcore.dll) inside the ‘wine.zip’ archive, alongside a legitimate PowerPoint executable (wine.exe) for DLL side-loading, and a bloated DLL (AppvIsvSubsystems64.dll) as a required dependency.
  • Persistence: It secures persistence by modifying the Windows registry’s Run key to execute wine.exe automatically upon system startup, copying files to %APPDATA%\Local\POWERPNT\.
  • C2 Communication: GRAPELOADER communicates with its C2 server at hxxps://ophibre[.]com/blog.php using an HTTPS POST request, submitting collected environment information, including UserName, ComputerName, and others. The request uses a User-Agent string mimicking a legitimate browser.
[Figure: GRAPELOADER – C2 communication.]
  • Shellcode Execution & Evasion: GRAPELOADER employs an evasion technique where it allocates memory, changes its protection to PAGE_NOACCESS, and then starts a new thread to execute shellcode without writing it to disk, thus evading detection by AV/EDR solutions.
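
The persistence path, the side-loading file set and the C2 endpoint described above can be turned into simple hunting checks. The following is an added defender-side example, not code from the article or from Check Point Research; the Run-key export, directory listing and proxy log format are constructed for illustration, and the only indicators used are the ones quoted in the text.

```python
import re
from urllib.parse import urlparse

# Indicators quoted from the article (defanged there as ophibre[.]com, bravecup[.]com).
C2_HOSTS = {"ophibre.com", "bravecup.com"}
# DLL side-loading triplet shipped in wine.zip: loader DLL, legitimate host EXE, bloated dependency.
SIDELOAD_SET = {"wine.exe", "ppcore.dll", "appvisvsubsystems64.dll"}
# Persistence pattern: a Run value launching wine.exe from %APPDATA%\Local\POWERPNT\.
RUN_PATH_RE = re.compile(r"\\POWERPNT\\wine\.exe\b", re.IGNORECASE)


def suspicious_run_values(run_values):
    """Return Run-key value names whose command matches the GRAPELOADER persistence path.
    run_values maps value name -> command line, as exported from HKCU\\...\\CurrentVersion\\Run."""
    return sorted(name for name, cmd in run_values.items() if RUN_PATH_RE.search(cmd))


def sideloading_layout(dir_listing):
    """True when a directory holds the full wine.exe + ppcore.dll + AppvIsvSubsystems64.dll set."""
    return SIDELOAD_SET <= {f.lower() for f in dir_listing}


def c2_post_events(proxy_lines):
    """Flag POSTs to the reported C2 hosts. Line format (constructed for this example):
    <timestamp> <client-ip> <method> <url> <status> "<user-agent>"."""
    hits = []
    for line in proxy_lines:
        m = re.match(r'(\S+) (\S+) (\S+) (\S+) (\d+) "(.*)"$', line)
        if not m:
            continue
        ts, client, method, url, _status, ua = m.groups()
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if method == "POST" and host in C2_HOSTS:
            hits.append({"ts": ts, "client": client, "host": host, "path": parsed.path, "ua": ua})
    return hits


# Constructed sample data, not taken from a real host.
SAMPLE_RUN = {
    "OneDrive": r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "POWERPNT": r'"C:\Users\u\AppData\Local\POWERPNT\wine.exe"',
}
SAMPLE_DIR = ["wine.exe", "ppcore.dll", "AppvIsvSubsystems64.dll"]
SAMPLE_PROXY = [
    '2025-01-14T09:12:03Z 10.0.0.5 GET https://www.example.org/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2025-01-14T09:12:41Z 10.0.0.5 POST https://ophibre.com/blog.php 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
]

if __name__ == "__main__":
    print(suspicious_run_values(SAMPLE_RUN))  # ['POWERPNT']
    print(sideloading_layout(SAMPLE_DIR))     # True
    print(c2_post_events(SAMPLE_PROXY))       # one hit for ophibre.com /blog.php
```

The Run-key match is deliberately narrow (the exact path from the report); in production you would broaden it to any Run value pointing into a user-writable directory that also contains the side-loading file set.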

WINELOADER:

A new variant of WINELOADER (vmtools.dll) was discovered in close proximity to GRAPELOADER infections, indicating its use in later stages of the attack. Key characteristics include:

  • Unpacking Routine: Similar to previous versions, WINELOADER uses an unpacking routine, decrypting its core module with RC4 and using the same algorithm for string decryption and C2 communication.
  • C2 Communication: WINELOADER sends an encrypted structure containing system information to the C2 server at hxxps://bravecup[.]com/view.php, using a deliberate mismatch between the Windows version and the browser User-Agent string for further obfuscation.
  • Evolving Techniques: The new WINELOADER variant showcases enhancements in string decryption, anti-analysis techniques, and persistence, suggesting continuous evolution in APT29’s toolkit.

The similarities in TTPs, from the themed phishing emails to the use of DLL side-loading, fingerprinting, and the structural resemblances between GRAPELOADER and WINELOADER, strongly indicate that this campaign is another part of APT29’s strategy to compromise sensitive targets.

The shift to GRAPELOADER as an initial stager further demonstrates their adaptability in evading detection and analysis tools.

Check Point’s Threat Emulation and Harmony Endpoint solutions provide comprehensive protection against these threats by recognizing and neutralizing the attack vectors described, effectively safeguarding against these sophisticated attacks.

The cybersecurity community continues to monitor APT29’s operations, urging organizations, especially those in diplomacy, to maintain robust security practices to mitigate such advanced persistent threats.

Indicators of Compromise (IOCs):

File/Domain: SHA256 hash
wine.zip: 653db3b63bb0e8c2db675cd047b737cefebb1c955bd99e7a93899e2144d34358
wine.exe: 420d20cddfaada4e96824a9184ac695800764961bad7654a6a6c3fe9b1b74b9a
AppvIsvSubsystems64.dll: d931078b63d94726d4be5dc1a00324275b53b935b77d3eed1712461f0c180164, 24c079b24851a5cc8f61565176bbf1157b9d5559c642e31139ab8d76bbb320f8
vmtools.dll: adfe0ef4ef181c4b19437100153e9fe7aed119f5049e5489a36692757460b9f8
Domains: bakenhof[.]com, silry[.]com, ophibre[.]com, bravecup[.]com


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
