Check Point Research (CPR) has uncovered a new targeted phishing campaign employing GRAPELOADER, a sophisticated initial-stage downloader, launched by the notorious Russian-linked hacking group APT29, known alternatively as Midnight Blizzard or Cozy Bear.
This campaign, identified since January 2025, primarily focuses on European governments and diplomatic entities.
APT29, recognized for its sophisticated cyber operations against high-profile organizations, has pivoted back to its known approach of using themed phishing emails to initiate infections.
Approximately one year after their last campaign involving WINELOADER, the group has adopted GRAPELOADER, a tool designed for environment fingerprinting, establishing persistence, and payload delivery, to infiltrate systems of diplomats and government officials in Europe.
The campaign begins with carefully crafted phishing emails masquerading as invitations from the Ministry of Foreign Affairs of a European country, enticing recipients to join exclusive wine-tasting events.
These emails are sent from the domains bakenhof[.]com and silry[.]com, with subjects like “Wine Event,” “Wine Testing Event,” and “For Ambassador’s Calendar.”
According to the report, the emails contain a link leading to the download of an archive named ‘wine.zip,’ which initiates the infection process.
GRAPELOADER:
- Delivery: GRAPELOADER (ppcore.dll) is packaged inside the ‘wine.zip’ archive, alongside a legitimate PowerPoint executable (wine.exe) used for DLL side-loading, and a bloated DLL (AppvIsvSubsystems64.dll) included as a required dependency.
- Persistence: wine.exe is launched automatically upon system startup, with the files copied to %APPDATA%\Local\POWERPNT\.
- C2 communication: contacts hxxps://ophibre[.]com/blog.php using an HTTPS POST request, submitting collected environment information, including UserName, ComputerName, and others. The request uses a User-Agent string mimicking a legitimate browser.

WINELOADER:
A new variant of WINELOADER (vmtools.dll) was discovered in close proximity to GRAPELOADER infections, indicating its use in later stages of the attack. Key characteristics include:
- C2 communication: contacts hxxps://bravecup[.]com/view.php, using a deliberate mismatch between the Windows version and the browser User-Agent string for further obfuscation.

The similarities in TTPs, from the themed phishing emails to the use of DLL side-loading, fingerprinting, and the structural resemblances between GRAPELOADER and WINELOADER, strongly indicate that this campaign is another part of APT29’s strategy to compromise sensitive targets.
The shift to GRAPELOADER as an initial stager further demonstrates their adaptability in evading detection and analysis tools.
Check Point’s Threat Emulation and Harmony Endpoint solutions provide comprehensive protection against these threats by recognizing and neutralizing the attack vectors described, effectively safeguarding against these sophisticated attacks.
The cybersecurity community continues to monitor APT29’s operations, urging organizations, especially those in diplomacy, to maintain robust security practices to mitigate such advanced persistent threats.
Indicators of Compromise:

| File/Domain | SHA256 Hash (or domains) |
|---|---|
| wine.zip | 653db3b63bb0e8c2db675cd047b737cefebb1c955bd99e7a93899e2144d34358 |
| wine.exe | 420d20cddfaada4e96824a9184ac695800764961bad7654a6a6c3fe9b1b74b9a |
| AppvIsvSubsystems64.dll | d931078b63d94726d4be5dc1a00324275b53b935b77d3eed1712461f0c180164, 24c079b24851a5cc8f61565176bbf1157b9d5559c642e31139ab8d76bbb320f8 |
| vmtools.dll | adfe0ef4ef181c4b19437100153e9fe7aed119f5049e5489a36692757460b9f8 |
| Domains | bakenhof[.]com, silry[.]com, ophibre[.]com, bravecup[.]com |
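As an added illustration (not code from Check Point’s report), the following Python script refangs the indicators listed above and matches them against proxy log lines and file hashes; the log format, the client addresses and the sample lines are assumptions constructed for the example.

```python
"""Match the report's GRAPELOADER/WINELOADER indicators against HTTP proxy
logs and file contents. Added example, not code from Check Point's report;
the log format and sample lines below are constructed for illustration."""
import hashlib
import re
# Indicators exactly as published (defanged) in the report above.
DEFANGED_C2 = ["hxxps://ophibre[.]com/blog.php", "hxxps://bravecup[.]com/view.php"]
DEFANGED_DOMAINS = ["bakenhof[.]com", "silry[.]com", "ophibre[.]com", "bravecup[.]com"]
KNOWN_SHA256 = {
    "653db3b63bb0e8c2db675cd047b737cefebb1c955bd99e7a93899e2144d34358": "wine.zip",
    "420d20cddfaada4e96824a9184ac695800764961bad7654a6a6c3fe9b1b74b9a": "wine.exe",
    "d931078b63d94726d4be5dc1a00324275b53b935b77d3eed1712461f0c180164": "AppvIsvSubsystems64.dll",
    "24c079b24851a5cc8f61565176bbf1157b9d5559c642e31139ab8d76bbb320f8": "AppvIsvSubsystems64.dll",
    "adfe0ef4ef181c4b19437100153e9fe7aed119f5049e5489a36692757460b9f8": "vmtools.dll",
}

def refang(indicator):
    """'hxxps://ophibre[.]com/blog.php' -> 'https://ophibre.com/blog.php'."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

C2_URLS = {refang(u) for u in DEFANGED_C2}
DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}

# Assumed log format: <timestamp> <client> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

def scan_proxy_log(lines):
    """Return (line_no, reason) for each line touching campaign infrastructure."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline should count these
        method, url, agent = m.group(3), m.group(4), m.group(6)
        host = re.sub(r"^https?://", "", url).split("/")[0].lower()
        if url.lower() in C2_URLS and method == "POST":
            hits.append((n, f"POST beacon to C2 {url} (UA: {agent})"))
        elif host in DOMAINS:
            hits.append((n, f"traffic to campaign domain {host}"))
    return hits

def match_sha256(data):
    """Return the file name from the IoC table if data's SHA256 is listed, else None."""
    return KNOWN_SHA256.get(hashlib.sha256(data).hexdigest())

SAMPLE_LOG = [  # constructed lines; the client addresses are private-range placeholders
    '2025-02-03T09:00:01Z 10.1.2.3 GET https://example.org/index.html 200 "Mozilla/5.0"',
    '2025-02-03T09:00:07Z 10.1.2.3 POST https://ophibre.com/blog.php 200 "Mozilla/5.0 (Windows NT 10.0)"',
    '2025-02-03T09:01:12Z 10.1.2.4 GET https://bakenhof.com/wine.zip 200 "Mozilla/5.0"',
]
```

Feed `match_sha256` the bytes of any file dropped under %APPDATA%\Local\POWERPNT\ to compare it against the published hashes.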